[tor-bugs] #16769 [Tor]: add two new functions when manually calling --keygen for better management
#16769: add two new functions when manually calling --keygen for better management
-------------------------------------------------+-------------------------
Reporter:   s7r                                  | Owner:
Type:       defect                               | Status:         new
Priority:   normal                               | Milestone:      Tor: 0.2.7.x-final
Component:  Tor                                  | Version:        Tor: 0.2.7.2-alpha
Keywords:   ed25519,relay,keys,TorCoreTeam201508 | Actual Points:
Parent ID:  #16645                               | Points:
-------------------------------------------------+-------------------------
Currently, when --keygen is automatically called by Tor, it will define the
variables (datadirectory, SigningKeyLifetime, etc.) from torrc and/or
init.d/rc scripts and use those values to look for the master ID key and
save the output files (signing cert and signing key). This is working
excellently in the ed25519_keygen branch and we should not change anything.
What we need to do is add more functions to --keygen when it is manually
called by the user, in order to make it possible to do simple things, such
as generating a signing cert and signing key from a master ID key backed up
on non-writeable media. Also, since we offer the possibility to password
protect the master ID key, we should also offer the possibility to change
the password in the future.
Again: all of these should only be used when the user manually calls --keygen.
Tor knows what to do when it is called automatically.
Currently, when manually calling '''tor --keygen''', Tor will only care
about a '''--datadirectory''' argument, where it will look for
'''ed25519_master_id_secret_key(_encrypted)''' and also save the output
files '''(ed25519_master_id_public_key; ed25519_signing_cert;
ed25519_signing_secret_key)'''. The current behavior when we call --keygen
with --datadirectory is good and doesn't require any change. A few more
functions are needed:
'''1. Specify the exact location of the master ID key and location for the
output files separately:'''
'''''tor --masterkey /mnt/cdrom/relay_x_master_id_key --out
/var/lib/tor/keys/ --keygen'''''
- The master ID secret key file can have any name, as opposed to
--datadirectory (where Tor will only look for
ed25519_master_id_secret_key(_encrypted)). Tor will detect whether the key is
encrypted or not and ask for the password if it is.
- --out /path/to/folder will tell Tor the folder where it should save the
output files (ed25519_master_id_public_key; ed25519_signing_cert;
ed25519_signing_secret_key). In case there is no --out specified, save to
current working directory where the command is run. The output files will
be saved with their default filenames, ready to be moved to keys folder.
- We create the files with the default lifetime of 30 days, unless the user
also specifies --SigningKeyLifetime 'n days/weeks/months' when calling,
for example:
'''''tor --masterkey /mnt/cdrom/relay_x_master_id_key --out
/var/lib/tor/keys/ --SigningKeyLifetime '10 days' --keygen'''''
'''2. Add a feature to add/remove or change password:'''
'''''tor --masterkey /path/to/master_id_key --newpass --keygen'''''
- Here we can specify the exact master ID key file; it isn't a must to
have the exact name ed25519_master_id_secret_key(_encrypted).
'''''tor --datadirectory /path/to/folder --newpass --keygen'''''
- Here Tor will look for ed25519_master_id_secret_key(_encrypted) in the
folder specified with --datadirectory.
If it is encrypted, we ask for the current password to decrypt it and
twice for a new password. If the new password and confirm new password fields
are left blank, it means the user wants to decrypt it permanently. Vice
versa, if it is not encrypted and the user provides a password and
confirms it, encrypt it with that password.
Here we modify the file in place: we delete the old one and save the new
one with the same name (append _encrypted at the end of the filename if we
just encrypted it, or remove this suffix if we just decrypted it). Warn and
exit in case we couldn't modify the file.
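The --newpass rules from point 2 (detect encrypted vs. plain key by the _encrypted suffix, require the current password to decrypt, a blank new password entered twice means decrypt permanently, write the replacement before removing the old file, and fail loudly otherwise), as an added Python example that is not code from this ticket or from Tor. The file encryption here (scrypt, a hash-based keystream and an HMAC tag) is a stand-in for the demo and does not reproduce Tor's real on-disk key format; the sample key file is constructed.

```python
import hashlib, hmac, os, secrets, tempfile
from pathlib import Path
SUFFIX = "_encrypted"  # filename rule from the ticket
KDF = dict(n=2**12, r=8, p=1, dklen=64)  # scrypt parameters (toy-sized for the demo)

def _stream(key, n):  # hash-based keystream; a stand-in, not Tor's real on-disk key format
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def encrypt_key(secret, passphrase):  # layout: salt || ciphertext || HMAC-SHA256 tag
    salt = secrets.token_bytes(16)
    k = hashlib.scrypt(passphrase.encode(), salt=salt, **KDF)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(k[:32], len(secret))))
    return salt + ct + hmac.new(k[32:], salt + ct, hashlib.sha256).digest()

def decrypt_key(blob, passphrase):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k = hashlib.scrypt(passphrase.encode(), salt=salt, **KDF)
    if not hmac.compare_digest(tag, hmac.new(k[32:], salt + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted key file")
    return bytes(a ^ b for a, b in zip(ct, _stream(k[:32], len(ct))))

def change_password(path, current, new, confirm):  # the ticket's --newpass rules; returns the new path
    if new != confirm:
        raise ValueError("new password and confirmation differ")
    path = Path(path)
    encrypted = path.name.endswith(SUFFIX)
    base = path.with_name(path.name[:-len(SUFFIX)]) if encrypted else path
    secret = decrypt_key(path.read_bytes(), current or "") if encrypted else path.read_bytes()
    if new == "":  # blank new password (entered twice) means: store it unencrypted from now on
        new_path, out = base, secret
    else:          # otherwise (re)encrypt with the new password
        new_path, out = base.with_name(base.name + SUFFIX), encrypt_key(secret, new)
    tmp = new_path.with_name(new_path.name + ".tmp")
    tmp.write_bytes(out)       # write the replacement first, then swap it in atomically
    os.replace(tmp, new_path)
    if new_path != path:
        path.unlink()          # drop the old file only once the new one is in place
    return str(new_path)

def roundtrip_demo():  # constructed sample: plain -> encrypted -> wrong password rejected -> plain again
    p = Path(tempfile.mkdtemp()) / "ed25519_master_id_secret_key"
    p.write_bytes(b"\x01" * 64)
    enc = change_password(p, None, "hunter2", "hunter2")
    try:
        change_password(enc, "wrong", "", "")
        rejected = False
    except ValueError:
        rejected = True
    plain = change_password(enc, "hunter2", "", "")
    return enc.endswith(SUFFIX), rejected, plain == str(p), not Path(enc).exists(), Path(plain).read_bytes() == b"\x01" * 64
```

A command-line wrapper would catch the ValueError (and any OSError from the write) to print the warning and exit non-zero, as the ticket asks.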
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16769>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online