add two new functions when manually calling --keygen for better management
Currently when --keygen is automatically called by Tor, it will define the variables (datadirectory, SigningKeyLifetime, etc.) from torrc and/or init.d/rc scripts and use those values to look for the master ID key and save output files (signing cert and signing key). This is working excellent in ed25519_keygen branch and we should not change anything.
What we need to do is add more functions to --keygen when it is manuall called by the user, in order to make it possible to do simple things, such as: generating a signing cert and signing key from master ID key backed up on a non-writeable media. Also, since we offer the possibility to password protect the master ID key, we should also offer the possibility to change the password in future.
Again: all these should be only used when user manually calls --keygen. Tor knows what to do when it is called automatically. Currently, when manually calling tor --keygen Tor, will only care about a --datadirectory argument, where it will look for the ed25519_master_id_secret_key(_encrypted) and also save the output files (ed25519_master_id_public_key; ed25519_signing_cert; ed25519_signing_secret_key). The current behavior when we call --keygen with --datadirectory is good and doesn't require any change. Few more functions needed:
1. Specify the exact location of the master ID key and location for the output files separately:
_tor --masterkey /mnt/cdrom/relay_x_master_id_key --out /var/lib/tor/keys/ --keygen_
-
The master ID secret key file can have any name, as opposite to --datadirectory (where Tor will only look for ed25519_master_id_secret_key(_encrypted)). Tor will detect if the key is encrypted or not and ask for the password if it is.
-
--out /path/to/folder will tell Tor the folder where it should save the output files (ed25519_master_id_public_key; ed25519_signing_cert; ed25519_signing_secret_key). In case there is no --out specified, save to current working directory where the command is run. The output files will be saved with their default filenames, ready to be moved to keys folder.
-
We create the files with the default lifetime of 30 days, unless user also specifies --SigningKeyLifetime 'n days/weeks/months' when calling, for example: _tor --masterkey /mnt/cdrom/relay_x_master_id_key --out /var/lib/tor/keys/ --SigningKeyLifetime '10 days' --keygen_
2. Add a feature to add/remove or change password:
_tor --masterkey /path/to/master_id_key --newpass --keygen_
- Here we can specify the exact master ID key file, it isn't a must to have the exact name: ed25519_master_id_secret_key(_encrypted).
_tor --datadirectory /path/to/foolder --newpass --keygen_
- Here Tor will look for ed25519_master_id_secret_key(_encrypted) in the folder specified with --datadirectory.
If it is encrypted, we ask for the current password to decrypt it and 2 times for a new password. If new password and confirm new password fields are left blank, it means the user wants to decrypt it permanently. Vice versa, if it is not encrypted, and the user provides a password and confirms it, encrypt it with that password. Here we modify the file in place, we delete the old one and save the new one with the same name (append _encrypted at the end of the filename if we just encrypted it or remove this suffix if we just decrypted it). Warn and exit in case we couldn't modify the file.