Fix RSA->Ed25519 crosscert: use raw RSA signing to match Tor's format

Tor's rsa_ed25519_crosscert_check uses RSA_public_decrypt (raw RSA) to
recover a 32-byte SHA256 hash from the signature, then compares it with
SHA256(prefix || ed_key || expiration).

Our code was using EVP_DigestSign(SHA-256) which produces a PKCS#1v1.5
signature with DigestInfo wrapping (~51 bytes when decrypted), causing
Tor to report: "The signature was good, but it didn't match the data".

Fix: compute SHA256 ourselves, then sign the raw 32-byte hash using
EVP_PKEY_sign with RSA_PKCS1_PADDING and no digest (equivalent to Tor's
crypto_pk_private_sign / RSA_private_encrypt).

Also removes diagnostic debug logging from CERTS cell creation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: gpuhashcracker

include/tor/crypto/keys.hpp

@@ -177,6 +177,11 @@ class Rsa1024Identity {
     [[nodiscard]] std::expected<std::vector<uint8_t>, KeyError>
     sign_sha256(std::span<const uint8_t> data) const;
 
+    // Raw RSA signature (PKCS1 padding, no digest wrapping)
+    // Equivalent to Tor's crypto_pk_private_sign / RSA_private_encrypt
+    [[nodiscard]] std::expected<std::vector<uint8_t>, KeyError>
+    sign_raw(std::span<const uint8_t> data) const;
+
     // Create self-signed X.509 identity cert (Type 2)
     [[nodiscard]] std::expected<std::vector<uint8_t>, KeyError>
     create_identity_cert() const;

src/crypto/keys.cpp

@@ -5,6 +5,7 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/rsa.h>
+#include <openssl/sha.h>
 #include <cstring>
 #include <chrono>
 #include <iomanip>
@@ -647,6 +648,50 @@ Rsa1024Identity::create_link_cert(EVP_PKEY* tls_pkey) const {
     return der;
 }
 
+std::expected<std::vector<uint8_t>, KeyError>
+Rsa1024Identity::sign_raw(std::span<const uint8_t> data) const {
+    if (!pkey_) {
+        return std::unexpected(KeyError::InvalidKey);
+    }
+
+    // Raw RSA signing with PKCS1 padding (no digest wrapping).
+    // Equivalent to Tor's crypto_pk_private_sign which calls
+    // RSA_private_encrypt(data, RSA_PKCS1_PADDING).
+    EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(pkey_, nullptr);
+    if (!ctx) {
+        return std::unexpected(KeyError::SigningFailed);
+    }
+
+    if (EVP_PKEY_sign_init(ctx) <= 0) {
+        EVP_PKEY_CTX_free(ctx);
+        return std::unexpected(KeyError::SigningFailed);
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) {
+        EVP_PKEY_CTX_free(ctx);
+        return std::unexpected(KeyError::SigningFailed);
+    }
+
+    // No digest set — signs the raw data directly
+
+    // Get required signature length
+    size_t sig_len = 0;
+    if (EVP_PKEY_sign(ctx, nullptr, &sig_len, data.data(), data.size()) <= 0) {
+        EVP_PKEY_CTX_free(ctx);
+        return std::unexpected(KeyError::SigningFailed);
+    }
+
+    std::vector<uint8_t> sig(sig_len);
+    if (EVP_PKEY_sign(ctx, sig.data(), &sig_len, data.data(), data.size()) <= 0) {
+        EVP_PKEY_CTX_free(ctx);
+        return std::unexpected(KeyError::SigningFailed);
+    }
+
+    EVP_PKEY_CTX_free(ctx);
+    sig.resize(sig_len);
+    return sig;
+}
+
 std::expected<std::vector<uint8_t>, KeyError>
 Rsa1024Identity::create_ed25519_cross_cert(const Ed25519PublicKey& ed_pub) const {
     if (!pkey_) {
@@ -657,28 +702,33 @@ Rsa1024Identity::create_ed25519_cross_cert(const Ed25519PublicKey& ed_pub) const
     // ED25519_KEY (32 bytes) || EXPIRATION_DATE (4 bytes, hours since epoch)
     // || SIGLEN (1 byte) || RSA_SIG (variable, 128 bytes for 1024-bit key)
     //
-    // Signature covers:
-    // "Tor TLS RSA/Ed25519 cross-certificate" || ED25519_KEY || EXPIRATION
+    // Tor signs SHA256(prefix || ED25519_KEY || EXPIRATION) with raw RSA
+    // (RSA_private_encrypt of the 32-byte hash, NOT RSA-SHA256 DigestInfo).
 
     auto now = std::chrono::system_clock::now();
     auto secs = std::chrono::duration_cast<std::chrono::seconds>(
         now.time_since_epoch()).count();
     uint32_t exp_hours = static_cast<uint32_t>((secs / 3600) + 24);
 
-    // Build the data to sign
+    // Build the data to hash
     const std::string prefix = "Tor TLS RSA/Ed25519 cross-certificate";
-    std::vector<uint8_t> to_sign;
-    to_sign.insert(to_sign.end(), prefix.begin(), prefix.end());
+    std::vector<uint8_t> to_hash;
+    to_hash.insert(to_hash.end(), prefix.begin(), prefix.end());
     auto ed_data = ed_pub.as_span();
-    to_sign.insert(to_sign.end(), ed_data.begin(), ed_data.end());
+    to_hash.insert(to_hash.end(), ed_data.begin(), ed_data.end());
     // Expiration in network byte order (big-endian)
-    to_sign.push_back(static_cast<uint8_t>((exp_hours >> 24) & 0xFF));
-    to_sign.push_back(static_cast<uint8_t>((exp_hours >> 16) & 0xFF));
-    to_sign.push_back(static_cast<uint8_t>((exp_hours >> 8) & 0xFF));
-    to_sign.push_back(static_cast<uint8_t>(exp_hours & 0xFF));
-
-    // RSA-PKCS1v1.5-SHA256 signature
-    auto sig = sign_sha256(to_sign);
+    to_hash.push_back(static_cast<uint8_t>((exp_hours >> 24) & 0xFF));
+    to_hash.push_back(static_cast<uint8_t>((exp_hours >> 16) & 0xFF));
+    to_hash.push_back(static_cast<uint8_t>((exp_hours >> 8) & 0xFF));
+    to_hash.push_back(static_cast<uint8_t>(exp_hours & 0xFF));
+
+    // Compute SHA256 digest
+    std::array<uint8_t, 32> digest;
+    SHA256(to_hash.data(), to_hash.size(), digest.data());
+
+    // Raw RSA signature of the 32-byte SHA256 hash
+    // (matches Tor's crypto_pk_private_sign which uses RSA_private_encrypt)
+    auto sig = sign_raw(digest);
     if (!sig) {
         return std::unexpected(sig.error());
     }

src/protocol/link_protocol.cpp

@@ -4,10 +4,8 @@
 #include <algorithm>
 #include <chrono>
 #include <cstring>
-#include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
-#include <openssl/x509.h>
 
 namespace tor::protocol {
 
@@ -162,27 +160,6 @@ CertsHandler::create_certs_cell(
         LOG_WARN("OR CERTS: failed to create RSA identity cert");
         return std::unexpected(LinkProtocolError::CertificateError);
     }
-    LOG_INFO("OR CERTS: Type 2 RSA identity cert: {} bytes", cert2->size());
-
-    // Debug: verify the cert round-trips correctly
-    {
-        const unsigned char* p = cert2->data();
-        X509* x509_check = d2i_X509(nullptr, &p, static_cast<long>(cert2->size()));
-        if (x509_check) {
-            EVP_PKEY* pk = X509_get0_pubkey(x509_check);
-            if (pk) {
-                int key_type = EVP_PKEY_base_id(pk);
-                int key_bits = EVP_PKEY_bits(pk);
-                LOG_INFO("OR CERTS: Type 2 cert key: type={} bits={} (expect type=6[RSA] bits=1024)",
-                         key_type, key_bits);
-            } else {
-                LOG_WARN("OR CERTS: Type 2 cert has NULL public key!");
-            }
-            X509_free(x509_check);
-        } else {
-            LOG_WARN("OR CERTS: Type 2 cert failed DER parse!");
-        }
-    }
 
     // Type 4: Ed25519 signing key, certified by identity key
     auto cert4 = build_ed25519_cert(
@@ -227,23 +204,7 @@ CertsHandler::create_certs_cell(
     payload.write_u16(static_cast<uint16_t>(cert7->size()));
     payload.write_bytes(*cert7);
 
-    auto payload_data = payload.take();
-    LOG_INFO("OR CERTS: total payload {} bytes: N={} cert2={} cert4={} cert5={} cert7={}",
-             payload_data.size(), 4, cert2->size(), cert4.size(), cert5.size(), cert7->size());
-
-    // Dump first 20 hex bytes of the payload for debugging
-    {
-        std::string hex;
-        for (size_t i = 0; i < std::min(payload_data.size(), size_t(40)); ++i) {
-            char buf[4];
-            snprintf(buf, sizeof(buf), "%02x", payload_data[i]);
-            hex += buf;
-            if (i < 39) hex += " ";
-        }
-        LOG_INFO("OR CERTS: payload hex: {}", hex);
-    }
-
-    return core::VariableCell(0, core::CellCommand::CERTS, std::move(payload_data));
+    return core::VariableCell(0, core::CellCommand::CERTS, payload.take());
 }
 
 std::expected<std::vector<crypto::TorCertificate>, LinkProtocolError>