crypt config: add fingerprint mechanism

by computing the ID digest of a hash of a static string.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2020-11-20 17:38:31 +01:00 committed by Dietmar Maurer
parent 6364115b4b
commit 05cdc05347


@ -7,6 +7,8 @@
//! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption) //! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
//! for a short introduction. //! for a short introduction.
use std::fmt;
use std::fmt::Display;
use std::io::Write; use std::io::Write;
use anyhow::{bail, Error}; use anyhow::{bail, Error};
@ -17,6 +19,11 @@ use serde::{Deserialize, Serialize};
use proxmox::api::api; use proxmox::api::api;
// openssl::sha::sha256(b"Proxmox Backup Encryption Key Fingerprint")
const FINGERPRINT_INPUT: [u8; 32] = [ 110, 208, 239, 119, 71, 31, 255, 77,
85, 199, 168, 254, 74, 157, 182, 33,
97, 64, 127, 19, 76, 114, 93, 223,
48, 153, 45, 37, 236, 69, 237, 38, ];
#[api(default: "encrypt")] #[api(default: "encrypt")]
#[derive(Copy, Clone, Debug, Eq, PartialEq, Deserialize, Serialize)] #[derive(Copy, Clone, Debug, Eq, PartialEq, Deserialize, Serialize)]
#[serde(rename_all = "kebab-case")] #[serde(rename_all = "kebab-case")]
@ -30,6 +37,17 @@ pub enum CryptMode {
SignOnly, SignOnly,
} }
/// 32-byte fingerprint, usually calculated with SHA256.
pub struct Fingerprint {
bytes: [u8; 32],
}
impl Display for Fingerprint {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "{:?}", self.bytes)
}
}
/// Encryption Configuration with secret key /// Encryption Configuration with secret key
/// ///
/// This structure stores the secret key and provides helpers for /// This structure stores the secret key and provides helpers for
@ -101,6 +119,12 @@ impl CryptConfig {
tag tag
} }
pub fn fingerprint(&self) -> Fingerprint {
Fingerprint {
bytes: self.compute_digest(&FINGERPRINT_INPUT)
}
}
pub fn data_crypter(&self, iv: &[u8; 16], mode: Mode) -> Result<Crypter, Error> { pub fn data_crypter(&self, iv: &[u8; 16], mode: Mode) -> Result<Crypter, Error> {
let mut crypter = openssl::symm::Crypter::new(self.cipher, mode, &self.enc_key, Some(iv))?; let mut crypter = openssl::symm::Crypter::new(self.cipher, mode, &self.enc_key, Some(iv))?;
crypter.aad_update(b"")?; //?? crypter.aad_update(b"")?; //??
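Review bot: `Display for Fingerprint` formats the digest with `{:?}`, so a key fingerprint is printed as a bracketed list of 32 decimal integers, which is hard to compare by eye and easy to mis-transcribe when an operator checks that two hosts hold the same key. Lowercase hex is the conventional form and needs only the standard library: `for b in &self.bytes { write!(f, "{:02x}", b)?; }` followed by `Ok(())`. The new `pub fn fingerprint` also has no doc comment, and `compute_digest` is defined outside the visible hunks. After confirming that it is a keyed one-way digest, I would add something like `/// Key fingerprint: compute_digest() over a fixed, public input; intended for display, so it must not allow recovery of key material.` A unit test asserting that `FINGERPRINT_INPUT` equals SHA-256 of the string named in its comment would guard the hard-coded bytes against a silent typo.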