cli: cleanup 'key show' - use format_and_print_result_full

We now expose all key derivation functions on the cli, so users can
choose between scrypt or pbkdf2.
This commit is contained in:
Dietmar Maurer 2020-11-24 07:19:15 +01:00
parent dfb04575ad
commit 5e17dbf2bb
2 changed files with 94 additions and 48 deletions

View File

@ -4,9 +4,32 @@ use serde::{Deserialize, Serialize};
use crate::backup::{CryptConfig, Fingerprint};
use proxmox::api::api;
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
use proxmox::try_block;
#[api(default: "scrypt")]
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
/// Key derivation function for password protected encryption keys.
pub enum Kdf {
/// Do not encrypt the key.
None,
/// Encrypt they key with a password using SCrypt.
Scrypt,
/// Encrtypt the Key with a password using PBKDF2
PBKDF2,
}
impl Default for Kdf {
#[inline]
fn default() -> Self {
Kdf::Scrypt
}
}
#[derive(Deserialize, Serialize, Debug)]
pub enum KeyDerivationConfig {
Scrypt {
@ -108,15 +131,25 @@ pub fn store_key_config(
pub fn encrypt_key_with_passphrase(
raw_key: &[u8],
passphrase: &[u8],
kdf: Kdf,
) -> Result<KeyConfig, Error> {
let salt = proxmox::sys::linux::random_data(32)?;
let kdf = KeyDerivationConfig::Scrypt {
let kdf = match kdf {
Kdf::Scrypt => KeyDerivationConfig::Scrypt {
n: 65536,
r: 8,
p: 1,
salt,
},
Kdf::PBKDF2 => KeyDerivationConfig::PBKDF2 {
iter: 65535,
salt,
},
Kdf::None => {
bail!("No key derivation function specified");
}
};
let derived_key = kdf.derive_key(passphrase)?;

View File

@ -8,9 +8,10 @@ use serde_json::Value;
use proxmox::api::api;
use proxmox::api::cli::{
ColumnConfig,
CliCommand,
CliCommandMap,
format_and_print_result,
format_and_print_result_full,
get_output_format,
OUTPUT_FORMAT,
};
@ -22,6 +23,7 @@ use proxmox_backup::backup::{
load_and_decrypt_key,
store_key_config,
CryptConfig,
Kdf,
KeyConfig,
KeyDerivationConfig,
};
@ -83,27 +85,6 @@ pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
bail!("no password input mechanism available");
}
#[api(
default: "scrypt",
)]
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "kebab-case")]
/// Key derivation function for password protected encryption keys.
pub enum Kdf {
/// Do not encrypt the key.
None,
/// Encrypt they key with a password using SCrypt.
Scrypt,
}
impl Default for Kdf {
#[inline]
fn default() -> Self {
Kdf::Scrypt
}
}
#[api(
input: {
properties: {
@ -153,7 +134,7 @@ fn create(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error> {
},
)?;
}
Kdf::Scrypt => {
Kdf::Scrypt | Kdf::PBKDF2 => {
// always read passphrase from tty
if !tty::stdin_isatty() {
bail!("unable to read passphrase - no tty");
@ -161,7 +142,7 @@ fn create(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error> {
let password = tty::read_and_verify_password("Encryption Key Password: ")?;
let mut key_config = encrypt_key_with_passphrase(&key, &password)?;
let mut key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
key_config.fingerprint = Some(crypt_config.fingerprint());
store_key_config(&path, false, key_config)?;
@ -223,10 +204,10 @@ fn change_passphrase(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error
},
)?;
}
Kdf::Scrypt => {
Kdf::Scrypt | Kdf::PBKDF2 => {
let password = tty::read_and_verify_password("New Password: ")?;
let mut new_key_config = encrypt_key_with_passphrase(&key, &password)?;
let mut new_key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
new_key_config.created = created; // keep original value
new_key_config.fingerprint = Some(fingerprint);
@ -237,6 +218,27 @@ fn change_passphrase(kdf: Option<Kdf>, path: Option<String>) -> Result<(), Error
Ok(())
}
#[api(
properties: {
kdf: {
type: Kdf,
},
},
)]
#[derive(Deserialize, Serialize)]
/// Encryption Key Information
struct KeyInfo {
/// Path to key
path: String,
kdf: Kdf,
/// Key creation time
pub created: i64,
/// Key modification time
pub modified: i64,
/// Key fingerprint
pub fingerprint: Option<String>,
}
#[api(
input: {
properties: {
@ -267,25 +269,36 @@ fn show_key(
}
};
let output_format = get_output_format(&param);
let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?;
if output_format == "text" {
println!("Path: {:?}", path);
match config.kdf {
Some(KeyDerivationConfig::PBKDF2 { .. }) => println!("KDF: pbkdf2"),
Some(KeyDerivationConfig::Scrypt { .. }) => println!("KDF: scrypt"),
None => println!("KDF: none (plaintext key)"),
let output_format = get_output_format(&param);
let info = KeyInfo {
path: format!("{:?}", path),
kdf: match config.kdf {
Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2,
Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt,
None => Kdf::None,
},
created: config.created,
modified: config.modified,
fingerprint: match config.fingerprint {
Some(ref fp) => Some(format!("{}", fp)),
None => None,
},
};
println!("Created: {}", proxmox::tools::time::epoch_to_rfc3339_utc(config.created)?);
println!("Modified: {}", proxmox::tools::time::epoch_to_rfc3339_utc(config.modified)?);
match config.fingerprint {
Some(fp) => println!("Fingerprint: {}", fp),
None => println!("Fingerprint: none (legacy key)"),
};
} else {
format_and_print_result(&serde_json::to_value(config)?, &output_format);
}
let options = proxmox::api::cli::default_table_format_options()
.column(ColumnConfig::new("path"))
.column(ColumnConfig::new("kdf"))
.column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
.column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
.column(ColumnConfig::new("fingerprint"));
let schema = &KeyInfo::API_SCHEMA;
format_and_print_result_full(&mut serde_json::to_value(info)?, schema, &output_format, &options);
Ok(())
}