key: add fingerprint to key config

and set/generate it on - key creation - key passphrase change - key decryption if not already set - key encryption with master key Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-11-20 17:38:32 +01:00
parent 05cdc05347
commit 37e60ddcde
8 changed files with 88 additions and 17 deletions
--- a/src/backup/crypt_config.rs
+++ b/src/backup/crypt_config.rs
@ -17,6 +17,8 @@ use openssl::pkcs5::pbkdf2_hmac;
 use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
 use serde::{Deserialize, Serialize};

+use crate::tools::format::{as_fingerprint, bytes_as_fingerprint};
+
 use proxmox::api::api;

 // openssl::sha::sha256(b"Proxmox Backup Encryption Key Fingerprint")
@ -37,14 +39,18 @@ pub enum CryptMode {
    SignOnly,
 }

+#[derive(Debug, Eq, PartialEq, Deserialize, Serialize)]
+#[serde(transparent)]
 /// 32-byte fingerprint, usually calculated with SHA256.
 pub struct Fingerprint {
+    #[serde(with = "bytes_as_fingerprint")]
    bytes: [u8; 32],
 }

+/// Display as short key ID
 impl Display for Fingerprint {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "{:?}", self.bytes)
+        write!(f, "{}", as_fingerprint(&self.bytes[0..8]))
    }
 }

@ -243,7 +249,13 @@ impl CryptConfig {
    ) -> Result<Vec<u8>, Error> {

        let modified = proxmox::tools::time::epoch_i64();
-        let key_config = super::KeyConfig { kdf: None, created, modified, data: self.enc_key.to_vec() };
+        let key_config = super::KeyConfig {
+            kdf: None,
+            created,
+            modified,
+            data: self.enc_key.to_vec(),
+            fingerprint: Some(self.fingerprint()),
+        };
        let data = serde_json::to_string(&key_config)?.as_bytes().to_vec();

        let mut buffer = vec![0u8; rsa.size() as usize];
--- a/src/backup/key_derivation.rs
+++ b/src/backup/key_derivation.rs
@ -2,6 +2,8 @@ use anyhow::{bail, format_err, Context, Error};

 use serde::{Deserialize, Serialize};

+use crate::backup::{CryptConfig, Fingerprint};
+
 use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
 use proxmox::try_block;

@ -66,6 +68,9 @@ pub struct KeyConfig {
    pub modified: i64,
    #[serde(with = "proxmox::tools::serde::bytes_as_base64")]
    pub data: Vec<u8>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(default)]
+    pub fingerprint: Option<Fingerprint>,
 }

 pub fn store_key_config(
@ -142,13 +147,14 @@ pub fn encrypt_key_with_passphrase(
        created,
        modified: created,
        data: enc_data,
+        fingerprint: None,
    })
 }

 pub fn load_and_decrypt_key(
    path: &std::path::Path,
    passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
-) -> Result<([u8;32], i64), Error> {
+) -> Result<([u8;32], i64, Fingerprint), Error> {
    do_load_and_decrypt_key(path, passphrase)
        .with_context(|| format!("failed to load decryption key from {:?}", path))
 }
@ -156,14 +162,14 @@ pub fn load_and_decrypt_key(
 fn do_load_and_decrypt_key(
    path: &std::path::Path,
    passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
-) -> Result<([u8;32], i64), Error> {
+) -> Result<([u8;32], i64, Fingerprint), Error> {
    decrypt_key(&file_get_contents(&path)?, passphrase)
 }

 pub fn decrypt_key(
    mut keydata: &[u8],
    passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
-) -> Result<([u8;32], i64), Error> {
+) -> Result<([u8;32], i64, Fingerprint), Error> {
    let key_config: KeyConfig = serde_json::from_reader(&mut keydata)?;

    let raw_data = key_config.data;
@ -203,5 +209,13 @@ pub fn decrypt_key(
    let mut result = [0u8; 32];
    result.copy_from_slice(&key);

-    Ok((result, created))
+    let fingerprint = match key_config.fingerprint {
+        Some(fingerprint) => fingerprint,
+        None => {
+            let crypt_config = CryptConfig::new(result.clone())?;
+            crypt_config.fingerprint()
+        },
+    };
+
+    Ok((result, created, fingerprint))
 }