improve code docs
This commit is contained in:
Dietmar Maurer
parent
69b8bc3bfa
commit
8abe51b71d
|
|
@ -11,6 +11,7 @@ use proxmox::try_block;
|
||||||
|
|
||||||
use crate::api2::types::{KeyInfo, Kdf};
|
use crate::api2::types::{KeyInfo, Kdf};
|
||||||
|
|
||||||
|
/// Key derivation function configuration
|
||||||
#[derive(Deserialize, Serialize, Clone, Debug)]
|
#[derive(Deserialize, Serialize, Clone, Debug)]
|
||||||
pub enum KeyDerivationConfig {
|
pub enum KeyDerivationConfig {
|
||||||
Scrypt {
|
Scrypt {
|
||||||
|
|
@ -63,6 +64,11 @@ impl KeyDerivationConfig {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Encryption Key Configuration
|
||||||
|
///
|
||||||
|
/// We use this struct to store secret keys. When used with a key
|
||||||
|
/// derivation function, the key data is encrypted (AES-CGM), and you
|
||||||
|
/// need the password to restore the plain key.
|
||||||
#[derive(Deserialize, Serialize, Clone, Debug)]
|
#[derive(Deserialize, Serialize, Clone, Debug)]
|
||||||
pub struct KeyConfig {
|
pub struct KeyConfig {
|
||||||
pub kdf: Option<KeyDerivationConfig>,
|
pub kdf: Option<KeyDerivationConfig>,
|
||||||
|
|
@ -102,6 +108,7 @@ impl From<&KeyConfig> for KeyInfo {
|
||||||
|
|
||||||
impl KeyConfig {
|
impl KeyConfig {
|
||||||
|
|
||||||
|
/// Creates a new key using random data, protected by passphrase.
|
||||||
pub fn new(passphrase: &[u8], kdf: Kdf) -> Result<([u8;32], Self), Error> {
|
pub fn new(passphrase: &[u8], kdf: Kdf) -> Result<([u8;32], Self), Error> {
|
||||||
let mut key = [0u8; 32];
|
let mut key = [0u8; 32];
|
||||||
proxmox::sys::linux::fill_with_random_data(&mut key)?;
|
proxmox::sys::linux::fill_with_random_data(&mut key)?;
|
||||||
|
|
@ -109,6 +116,7 @@ impl KeyConfig {
|
||||||
Ok((key, key_config))
|
Ok((key, key_config))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Creates a new, unencrypted key.
|
||||||
pub fn without_password(raw_key: [u8; 32]) -> Self {
|
pub fn without_password(raw_key: [u8; 32]) -> Self {
|
||||||
let created = proxmox::tools::time::epoch_i64();
|
let created = proxmox::tools::time::epoch_i64();
|
||||||
Self {
|
Self {
|
||||||
|
|
@ -121,6 +129,7 @@ impl KeyConfig {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Creates a new instance, protect raw_key with passphrase.
|
||||||
pub fn with_key(
|
pub fn with_key(
|
||||||
raw_key: &[u8],
|
raw_key: &[u8],
|
||||||
passphrase: &[u8],
|
passphrase: &[u8],
|
||||||
|
|
@ -189,6 +198,7 @@ impl KeyConfig {
|
||||||
Ok(key_config)
|
Ok(key_config)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Decrypt key to get raw key data.
|
||||||
pub fn decrypt(
|
pub fn decrypt(
|
||||||
&self,
|
&self,
|
||||||
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
||||||
|
|
@ -244,6 +254,7 @@ impl KeyConfig {
|
||||||
Ok((result, self.created, fingerprint))
|
Ok((result, self.created, fingerprint))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Store a KeyConfig to path
|
||||||
pub fn store<P: AsRef<Path>>(&self, path: P, replace: bool) -> Result<(), Error> {
|
pub fn store<P: AsRef<Path>>(&self, path: P, replace: bool) -> Result<(), Error> {
|
||||||
|
|
||||||
let path: &Path = path.as_ref();
|
let path: &Path = path.as_ref();
|
||||||
|
|
@ -273,7 +284,7 @@ impl KeyConfig {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Loads a KeyConfig from path and decrypt it.
|
||||||
pub fn load_and_decrypt_key(
|
pub fn load_and_decrypt_key(
|
||||||
path: &std::path::Path,
|
path: &std::path::Path,
|
||||||
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
||||||
|
|
@ -282,6 +293,7 @@ pub fn load_and_decrypt_key(
|
||||||
.with_context(|| format!("failed to load decryption key from {:?}", path))
|
.with_context(|| format!("failed to load decryption key from {:?}", path))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Decrypt a KeyConfig from raw keydata.
|
||||||
pub fn decrypt_key(
|
pub fn decrypt_key(
|
||||||
mut keydata: &[u8],
|
mut keydata: &[u8],
|
||||||
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
||||||
|
|
@ -290,6 +302,7 @@ pub fn decrypt_key(
|
||||||
key_config.decrypt(passphrase)
|
key_config.decrypt(passphrase)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// RSA encrypt a KeyConfig using a public key
|
||||||
pub fn rsa_encrypt_key_config(
|
pub fn rsa_encrypt_key_config(
|
||||||
rsa: openssl::rsa::Rsa<openssl::pkey::Public>,
|
rsa: openssl::rsa::Rsa<openssl::pkey::Public>,
|
||||||
key: &KeyConfig,
|
key: &KeyConfig,
|
||||||
|
|
@ -304,6 +317,7 @@ pub fn rsa_encrypt_key_config(
|
||||||
Ok(buffer)
|
Ok(buffer)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// RSA deccrypt a KeyConfig using a private key
|
||||||
pub fn rsa_decrypt_key_config(
|
pub fn rsa_decrypt_key_config(
|
||||||
rsa: openssl::rsa::Rsa<openssl::pkey::Private>,
|
rsa: openssl::rsa::Rsa<openssl::pkey::Private>,
|
||||||
key: &[u8],
|
key: &[u8],
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue