tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cli: cleanup 'key show' - use format_and_print_result_full 

We now expose all key derivation functions on the cli, so users can
choose between scrypt or pbkdf2.
This commit is contained in:
Dietmar Maurer 2020-11-24 07:19:15 +01:00
parent dfb04575ad
commit 5e17dbf2bb
2 changed files with 94 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
src/backup/key_derivation.rs
View File

@ -4,9 +4,32 @@ use serde::{Deserialize, Serialize};
use crate::backup::{CryptConfig, Fingerprint}; use crate::backup::{CryptConfig, Fingerprint};
use proxmox::api::api;
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions}; use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
use proxmox::try_block; use proxmox::try_block;
#[api(default: "scrypt")]
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
/// Key derivation function for password protected encryption keys.
pub enum Kdf {
/// Do not encrypt the key.
None,
/// Encrypt they key with a password using SCrypt.
Scrypt,
/// Encrtypt the Key with a password using PBKDF2
PBKDF2,
}
impl Default for Kdf {
#[inline]
fn default() -> Self {
Kdf::Scrypt
}
}
#[derive(Deserialize, Serialize, Debug)] #[derive(Deserialize, Serialize, Debug)]
pub enum KeyDerivationConfig { pub enum KeyDerivationConfig {
Scrypt { Scrypt {
@ -108,15 +131,25 @@ pub fn store_key_config(
pub fn encrypt_key_with_passphrase( pub fn encrypt_key_with_passphrase(
raw_key: &[u8], raw_key: &[u8],
passphrase: &[u8], passphrase: &[u8],
kdf: Kdf,
) -> Result<KeyConfig, Error> { ) -> Result<KeyConfig, Error> {
let salt = proxmox::sys::linux::random_data(32)?; let salt = proxmox::sys::linux::random_data(32)?;
let kdf = KeyDerivationConfig::Scrypt { let kdf = match kdf {
n: 65536, Kdf::Scrypt => KeyDerivationConfig::Scrypt {
r: 8, n: 65536,
p: 1, r: 8,
salt, p: 1,
salt,
},
Kdf::PBKDF2 => KeyDerivationConfig::PBKDF2 {
iter: 65535,
salt,
},
Kdf::None => {
bail!("No key derivation function specified");
}
}; };
let derived_key = kdf.derive_key(passphrase)?; let derived_key = kdf.derive_key(passphrase)?;

99
src/bin/proxmox_backup_client/key.rs
View File

@ -8,9 +8,10 @@ use serde_json::Value;
use proxmox::api::api; use proxmox::api::api;
use proxmox::api::cli::{ use proxmox::api::cli::{
ColumnConfig,
CliCommand, CliCommand,
CliCommandMap, CliCommandMap,
format_and_print_result, format_and_print_result_full,
get_output_format, get_output_format,
OUTPUT_FORMAT, OUTPUT_FORMAT,
}; };
@ -22,6 +23,7 @@ use proxmox_backup::backup::{
load_and_decrypt_key, load_and_decrypt_key,
store_key_config, store_key_config,
CryptConfig, CryptConfig,
Kdf,
KeyConfig, KeyConfig,
KeyDerivationConfig, KeyDerivationConfig,
}; };
@ -83,27 +85,6 @@ pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
bail!("no password input mechanism available"); bail!("no password input mechanism available");
} }
#[api(
default: "scrypt",
)]
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "kebab-case")]
/// Key derivation function for password protected encryption keys.
pub enum Kdf {
/// Do not encrypt the key.
None,
/// Encrypt they key with a password using SCrypt.
Scrypt,
}
impl Default for Kdf {
#[inline]
fn default() -> Self {
Kdf::Scrypt
}
}
#[api( #[api(
input: { input: {
properties: { properties: {
@ -153,7 +134,7 @@ fn create(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error> {
}, },
)?; )?;
} }
Kdf::Scrypt => { Kdf::Scrypt | Kdf::PBKDF2 => {
// always read passphrase from tty // always read passphrase from tty
if !tty::stdin_isatty() { if !tty::stdin_isatty() {
bail!("unable to read passphrase - no tty"); bail!("unable to read passphrase - no tty");
@ -161,7 +142,7 @@ fn create(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error> {
let password = tty::read_and_verify_password("Encryption Key Password: ")?; let password = tty::read_and_verify_password("Encryption Key Password: ")?;
let mut key_config = encrypt_key_with_passphrase(&key, &password)?; let mut key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
key_config.fingerprint = Some(crypt_config.fingerprint()); key_config.fingerprint = Some(crypt_config.fingerprint());
store_key_config(&path, false, key_config)?; store_key_config(&path, false, key_config)?;
@ -223,10 +204,10 @@ fn change_passphrase(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error
}, },
)?; )?;
} }
Kdf::Scrypt => { Kdf::Scrypt | Kdf::PBKDF2 => {
let password = tty::read_and_verify_password("New Password: ")?; let password = tty::read_and_verify_password("New Password: ")?;
let mut new_key_config = encrypt_key_with_passphrase(&key, &password)?; let mut new_key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
new_key_config.created = created; // keep original value new_key_config.created = created; // keep original value
new_key_config.fingerprint = Some(fingerprint); new_key_config.fingerprint = Some(fingerprint);
@ -237,6 +218,27 @@ fn change_passphrase(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error
Ok(()) Ok(())
} }
#[api(
properties: {
kdf: {
type: Kdf,
},
},
)]
#[derive(Deserialize, Serialize)]
/// Encryption Key Information
struct KeyInfo {
/// Path to key
path: String,
kdf: Kdf,
/// Key creation time
pub created: i64,
/// Key modification time
pub modified: i64,
/// Key fingerprint
pub fingerprint: Option<String>,
}
#[api( #[api(
input: { input: {
properties: { properties: {
@ -267,25 +269,36 @@ fn show_key(
} }
}; };
let output_format = get_output_format(&param);
let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?; let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?;
if output_format == "text" { let output_format = get_output_format(&param);
println!("Path: {:?}", path);
match config.kdf { let info = KeyInfo {
Some(KeyDerivationConfig::PBKDF2 { .. }) => println!("KDF: pbkdf2"), path: format!("{:?}", path),
Some(KeyDerivationConfig::Scrypt { .. }) => println!("KDF: scrypt"), kdf: match config.kdf {
None => println!("KDF: none (plaintext key)"), Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2,
}; Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt,
println!("Created: {}", proxmox::tools::time::epoch_to_rfc3339_utc(config.created)?); None => Kdf::None,
println!("Modified: {}", proxmox::tools::time::epoch_to_rfc3339_utc(config.modified)?); },
match config.fingerprint { created: config.created,
Some(fp) => println!("Fingerprint: {}", fp), modified: config.modified,
None => println!("Fingerprint: none (legacy key)"), fingerprint: match config.fingerprint {
}; Some(ref fp) => Some(format!("{}", fp)),
} else { None => None,
format_and_print_result(&serde_json::to_value(config)?, &output_format); },
} };
let options = proxmox::api::cli::default_table_format_options()
.column(ColumnConfig::new("path"))
.column(ColumnConfig::new("kdf"))
.column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
.column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
.column(ColumnConfig::new("fingerprint"));
let schema = &KeyInfo::API_SCHEMA;
format_and_print_result_full(&mut serde_json::to_value(info)?, schema, &output_format, &options);
Ok(()) Ok(())
} }