I am working on a project that will basically sell .Onion (TOR) domain names. The process of generating the domains is similar to mining bitcoins - RSA private keys are generated en mass and if one randomly matches something in my wordlist - then it gets saved off somewhere and added to a database.
The problem here is that this is still a slow process to do solo - so in order for me to try and make it a collaborate exercise - I want to create an online API / Rest API that will allow people to upload their domains and private keys for them to sell on the site.
The problem is - I don't quite know how to verify their domain name against the private key.
Eg: They would be providing a domain like
abcdabcdabcdabcd.onion
and the key would be:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCb+wlPxR8VoUJsYcEFsPX+LfB3jorW9QlH1N38itQvMs0RyTCB
+c7hfYQH2f8Z67lobWvveYct51ykhB8n3AluMYIF3OxGlmQJuMIFQmKFryLexzPj
LEPREB7+KmeL9Sx1sL4a2Z0qJL4501Ij0T5C3cDEMOvUQBpBttpuUbj1RQIEZTIY
AQKBgBwWDEMOYKaSO17xJRuf32CDYJcDKtkJ1GlWROHxREo68J+74DqF55rnoYl/
4OkfjUMA2WjjjASVRmviBD79vni3eB9MFNzDEMOYa6EIyo1vDEMOzEnfrszkPGEj
vOCHbDiG/FlZsCKsADEMOEAuAUQ3W8669Du4FrO9/al+1IudhAkEAy+KBk8HFsO8Z
UttdlsLt8//l+NbEMmWF/I588EGyYWUuPUVJd5Xv6iSaDMdecjeW/xf4Wja5C91n
lCfb/lxhsQJBAMPZ2fzcUpyKhk6JretSyoq0iVQCO5Pn/0QwTwRUbKreXnnVBYY+
uco2ocfRwsmVK4LUwPgict5qw10bZfl8vdUCQATUV/S0zNc+DEMOw/7p5oJk5hwa
+Hrhcf5aVw1AOqySGs0e9V+qDYIjrbkg/BDEMOD00bTTV9a9h3poFrm+DEMOQF2t
lgqYbgDEMOZbE+PgebFB6swKfx9Px7+PnNsBK+Mld6pRyldfQ2DEMOr/cy4JQDYA
oyX51SNWUMJzkYgeMEUCQQC8i6b3e06B9+++NGADEMO9F5KhlDr1wwSQqnNccDX5
N5vnlhJ/0DGxIMm/bP1ZPUK4/bmvKjNYd7D8zuz2cPor
-----END RSA PRIVATE KEY-----
Could someone point me in the direction of some .Net code that can take a private key, and verify that the domain also provided is authentic? https://github.com/lachesis/scallion This github project (one of the tools I use - has the code to 'generate' the domains and private keys - I am just not sure how to perform the verification after the fact)
Never got an answer for this, but I did find a way, using Scallions on source code to verify a Private Key against an Onion Address.
RSAWrapper rsaWrapper = new RSAWrapper("d:\\pk.txt");
Console.WriteLine(rsaWrapper.OnionHash);
Not ideal - as it requires the private key. Inside the RSAWrapper - it does some unsafe code to do 'something' to the public key to determine a DER encoded value. This is the important part of getting the onion address.
public string OnionHash
{
get {
return tobase32str(this.get_der_hash(),10);
}
}
private byte[] get_der_hash()
{
var sha1 = new System.Security.Cryptography.SHA1Managed();
return sha1.ComputeHash(this.DER);
//return tobase32str(hash);
}
public byte[] DER {
get {
byte[] der;
int buf_size = Rsa.Size + 100;
int size = 0;
unsafe // must be a better way to do this!
{
IntPtr hglob = Marshal.AllocHGlobal(buf_size);
void* ptr = hglob.ToPointer();
void** ptr2 = &ptr;
size = Native.i2d_RSAPublicKey(Rsa.Handle, (byte**)ptr2);
if(size > buf_size)
throw new IndexOutOfRangeException("DER was too large!");
der = new byte[size];
Marshal.Copy(hglob,der,0,size);
Marshal.FreeHGlobal(hglob);
}
return der;
}
}
Edit - Woot : Looks like the RSAWrapper class is very cohesive and modular. I was able to copy it out - it only needs access to the OpenSSL library, and it also has an RSA.FromPublicKey(string s); method for creating the RSA.
So now, I am able to do
RSAWrapper rsaWrapper = new RSAWrapper("d:\\pubkey.txt", true);
Console.WriteLine(rsaWrapper.OnionHash);
Took a few months - but got a better answer than I set out to get. Now I can take public keys, and verify that the Onion address matches the public key. This would verify ownership of an Onion address, without the risk of having to send a private key across the network.