[tor-bugs] #16769 [Tor]: add two new functions when manually calling --keygen for better management

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 1 23:45:36 UTC 2015


#16769: add two new functions when manually calling --keygen for better management
-------------------------+-------------------------------------------------
     Reporter:  s7r      |      Owner:  nickm
         Type:  defect   |     Status:  needs_review
     Priority:  normal   |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor      |    Version:  Tor: 0.2.7.2-alpha
   Resolution:           |   Keywords:  ed25519, relay, keys,
Actual Points:           |  TorCoreTeam201509, PostFreeze027
       Points:           |  Parent ID:  #16645
-------------------------+-------------------------------------------------

Comment (by s7r):

 `--newpass`:

 Works, but I have noticed that whenever it encrypts/decrypts or changes
 the passphrase of the master key, it also generates new signing cert and
 medium term secret signing key, regardless if it still has valid ones or
 not. I think we should make --newpass care only about
 encrypting/decrypting or changing the passphrase of the master identity
 key and shouldn't generate cert/medium term signing key.

 1. Encryption (it kept the same ed25519_master_id_public_key [OK], and
 generated new cert and medium term signing key):
 a) Before encryption (sha256sum):
 {{{
 589f0546da8bb3ae3b663c77fe21fca1609fbde28584b21945bb58adb543dbe6  ed25519_master_id_public_key
 051525483aeaf7e82e4354576bf1def4d5312541be9dadb247ab808ec165aa66  ed25519_master_id_secret_key
 6fc98db31dda5e018e20b02abc4f073809a8ee98fc3b18101455570689ebc543  ed25519_signing_cert
 dd5b996913814e910a01cbe639169796dab9587d6a782318635b38896ffc2fa0  ed25519_signing_secret_key
 }}}
 b) After encryption (sha256sum):
 {{{
 589f0546da8bb3ae3b663c77fe21fca1609fbde28584b21945bb58adb543dbe6  ed25519_master_id_public_key
 f0c2790507ccc93e17b9c86abade3c50371f4b95e8760282b9c84e2d30b2d900  ed25519_master_id_secret_key_encrypted
 20df926d3bcf7f2da1068018f5a6e8066f403514fad1c7538d1ce35f95227c1a  ed25519_signing_cert
 37e203316e3cd63a948ce5e40a92776abaf675bafe681a94d66f2ddd498c20c8  ed25519_signing_secret_key
 }}}

 2. Decryption (it kept the same ed25519_master_id_public_key [OK], again
 generated new cert and medium term signing key):

 {{{
 589f0546da8bb3ae3b663c77fe21fca1609fbde28584b21945bb58adb543dbe6  ed25519_master_id_public_key
 051525483aeaf7e82e4354576bf1def4d5312541be9dadb247ab808ec165aa66  ed25519_master_id_secret_key
 f0c2790507ccc93e17b9c86abade3c50371f4b95e8760282b9c84e2d30b2d900  ed25519_master_id_secret_key_encrypted
 844b4401b3b070a88aab32af5c5c78328ffd3a97122ce18492ded51dcb6a3c99  ed25519_signing_cert
 84c8309c3eab316f1e27b97f2e02aefa79aa5f6c77fa39ebcd33dd23109a926a  ed25519_signing_secret_key
 }}}

 '''When --newpass is specified with --keygen, Tor should:'''
 a) only modify the master id key file accordingly, don't generate cert and
 medium term signing key (it currently changes them every time we modify
 the master id key);
 b) delete the _encrypted version of the master id key when we decrypt and
 vice versa delete the plaintext version when we encrypt (it already does
 this, maybe it's enough this way?).

 `--master-key`:
 Doesn't work as expected. Tor thinks that it should have the name
 ed25519_master_id_secret_key - while this is true for when we look for it
 in $datadirectory, when we manually specify `--master-key` it could have
 any name, like 'apple'.

 Example:
 I had my ed25519_master_id_secret_key in /root named 'apple'
 (/root/apple).

 Did a '''tor --master-key /root/apple --keygen''' (in working directory
 /root). Tor generated a file called ''apple_public_key'' in /root and
 created the folder ''$HOME/.tor/keys'' where it stored
 ''ed25519_signing_cert and ed25519_signing_secret_key''.

 If I specify '''tor --master-key /root/apple --datadirectory /root
 --keygen''' it creates a file called ''apple_public_key'' in /root and a
 ''/root/keys'' folder where it saves ''ed25519_signing_cert and
 ed25519_signing_secret_key''.

 '''When --master-key is specified with --keygen, Tor should:'''
 a) only generate cert and medium term signing key, valid for 30 days
 unless otherwise specified with --SigningKeyLifetime. Tor knows how to
 generate this one by itself when started as a relay. If it is simpler for
 symmetry to let Tor generate it as well, so be it, it's not something
 wrong, but we have to save it in the same location with the cert and
 medium term signing key;
 b) don't care what's the file name, only care if it's a valid ed25519 key
 file and further do not apply the name as a prefix for the master id
 public key. If the master ID secret key file name is 'apple' and we decide
 to also generate ed25519_master_id_public_key and not skip it, do not name
 it apple_public_key, name it ed25519_master_id_public_key and save it in
 the same location with the cert and medium term signing key;

 `--master-key` + `--newpass`
 Doesn't work at all. Doesn't save anything when I try to encrypt a master
 key, and because it's angry with us it also deletes the plaintext version.

 '''General''':
 Tor still uses $HOME/.tor folder if --datadirectory is not specified with
 --keygen. Can we make it use the working directory where we run the
 command as a default if nothing else is specified?

 `--out` shouldn't have to be redundant with --datadirectory.
 --datadirectory requires a keys subfolder, while --out should not, --out
 should just save the files there.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16769#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
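
The before/after sha256sum comparison done by hand in the comment above can be scripted. This is an added example, not code from the ticket or from Tor; the function names are hypothetical, it assumes `sha256sum` is on the PATH, and the demo uses constructed dummy files instead of running tor.

```shell
# Added example. Key file names are those listed in the comment above;
# function names and the demo data are constructed for illustration.

# Print a sha256sum manifest of the ed25519_* files in key directory $1.
snapshot_keys() {
    ( cd "$1" && for f in ed25519_*; do
          if [ -f "$f" ]; then sha256sum "$f"; fi
      done )
}

# Print names of files that were modified, created or deleted between two
# manifests: any "hash  name" line present in only one of them.
changed_files() {
    sort "$1" "$2" | uniq -u | awk '{print $2}' | sort -u
}

# Expectation stated in the ticket for --newpass: only the master secret
# key file (plaintext or _encrypted) changes. Returns 1 and lists the
# other files if anything else differs.
check_newpass() {
    unexpected=$(changed_files "$1" "$2" |
        grep -v -x -e 'ed25519_master_id_secret_key' \
                   -e 'ed25519_master_id_secret_key_encrypted' || true)
    [ -z "$unexpected" ] && return 0
    echo "changed besides the master key:"
    echo "$unexpected"
    return 1
}

# Constructed stand-in for the run reported above (dummy file contents, no
# tor binary involved): master key encrypted, signing key and cert rewritten.
simulate_reported_run() {
    d=$(mktemp -d)
    for n in master_id_public_key master_id_secret_key \
             signing_cert signing_secret_key; do
        echo "constructed $n" > "$d/ed25519_$n"
    done
    snapshot_keys "$d" > "$d/before.sha256"
    mv "$d/ed25519_master_id_secret_key" \
       "$d/ed25519_master_id_secret_key_encrypted"
    echo "regenerated cert" > "$d/ed25519_signing_cert"
    echo "regenerated key" > "$d/ed25519_signing_secret_key"
    snapshot_keys "$d" > "$d/after.sha256"
    check_newpass "$d/before.sha256" "$d/after.sha256"; rc=$?
    rm -rf "$d"
    return $rc
}

simulate_reported_run || echo "FAIL: --newpass side effects detected"
```

Against a real key directory, take one `snapshot_keys` manifest before the `--keygen` run and one after, storing both outside the files matched by `ed25519_*`, then pass them to `check_newpass`.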

