Implement offline encrypted master keys for Ed25519 identities
The ed25519 identity key proposal is written so that master identity keys are used only to certify medium-term signing keys, and medium-term signing keys are used to sign everything else.
To implement this on top of my branch for #12498 (moved), I'd suggest the following interface:
Have a 'tor --encrypt-master-key' command that you can run while a Tor server is not running. It should prompt for a password, generate a new master key, and encrypt it with the crypto_pwbox functionality. It should have an option that says where to store the master key. It should refuse to run if the master key is already present. It should have an option to change the passphrase.
Have a 'tor --new-signing-key' command that generates a new signing key and certificate for our master key. It should take a number of days that the signing key should be value, with a default around 30 days. It shouldn't require that the Tor server not be running. It should have an option that says where to store the signing keys and certificates.
Every command that takes a password should:
- Use the standard safety features for reading passwords securely from the command line. (There should be a wrapper function for doing this across different platforms in src/common.)
- Have an option that specifies an fd on which a password will be provided.
- Have documented error codes that can be used for shell scripts.
- Call tor_mlockall() before doing anything.
- Have a --no-passphrase option that uses an empty string for the passphrase.
Have a running Tor server check for a new signing key periodically, and on sighup.
Have a running Tor server warn the user periodically when the signing key certificate is going to expire soon.