key: move RSA-encryption to KeyConfig
since that is what gets encrypted, and not a CryptConfig. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler
committed by
Dietmar Maurer
Dietmar Maurer
parent
48fbbfeb7e
commit
8acfd15d6e
@ -11,7 +11,7 @@ use std::fmt;
|
||||
use std::fmt::Display;
|
||||
use std::io::Write;
|
||||
|
||||
use anyhow::{bail, Error};
|
||||
use anyhow::{Error};
|
||||
use openssl::hash::MessageDigest;
|
||||
use openssl::pkcs5::pbkdf2_hmac;
|
||||
use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
|
||||
@ -248,28 +248,4 @@ impl CryptConfig {
|
||||
|
||||
Ok(decr_data)
|
||||
}
|
||||
|
||||
pub fn generate_rsa_encoded_key(
|
||||
&self,
|
||||
rsa: openssl::rsa::Rsa<openssl::pkey::Public>,
|
||||
created: i64,
|
||||
) -> Result<Vec<u8>, Error> {
|
||||
|
||||
let modified = proxmox::tools::time::epoch_i64();
|
||||
let key_config = super::KeyConfig {
|
||||
kdf: None,
|
||||
created,
|
||||
modified,
|
||||
data: self.enc_key.to_vec(),
|
||||
fingerprint: Some(self.fingerprint()),
|
||||
};
|
||||
let data = serde_json::to_string(&key_config)?.as_bytes().to_vec();
|
||||
|
||||
let mut buffer = vec![0u8; rsa.size() as usize];
|
||||
let len = rsa.public_encrypt(&data, &mut buffer, openssl::rsa::Padding::PKCS1)?;
|
||||
if len != buffer.len() {
|
||||
bail!("got unexpected length from rsa.public_encrypt().");
|
||||
}
|
||||
Ok(buffer)
|
||||
}
|
||||
}
|
||||
|
||||
@ -245,3 +245,17 @@ pub fn decrypt_key(
|
||||
|
||||
Ok((result, created, fingerprint))
|
||||
}
|
||||
|
||||
pub fn rsa_encrypt_key_config(
|
||||
rsa: openssl::rsa::Rsa<openssl::pkey::Public>,
|
||||
key: &KeyConfig,
|
||||
) -> Result<Vec<u8>, Error> {
|
||||
let data = serde_json::to_string(key)?.as_bytes().to_vec();
|
||||
|
||||
let mut buffer = vec![0u8; rsa.size() as usize];
|
||||
let len = rsa.public_encrypt(&data, &mut buffer, openssl::rsa::Padding::PKCS1)?;
|
||||
if len != buffer.len() {
|
||||
bail!("got unexpected length from rsa.public_encrypt().");
|
||||
}
|
||||
Ok(buffer)
|
||||
}
|
||||
|
||||
@ -40,6 +40,7 @@ use proxmox_backup::pxar::catalog::*;
|
||||
use proxmox_backup::backup::{
|
||||
archive_type,
|
||||
decrypt_key,
|
||||
rsa_encrypt_key_config,
|
||||
verify_chunk_size,
|
||||
ArchiveType,
|
||||
AsyncReadChunk,
|
||||
@ -57,6 +58,7 @@ use proxmox_backup::backup::{
|
||||
ENCRYPTED_KEY_BLOB_NAME,
|
||||
FixedChunkStream,
|
||||
FixedIndexReader,
|
||||
KeyConfig,
|
||||
IndexFile,
|
||||
MANIFEST_BLOB_NAME,
|
||||
Shell,
|
||||
@ -914,13 +916,20 @@ async fn create_backup(
|
||||
let (key, created, fingerprint) = decrypt_key(&key, &key::get_encryption_key_password)?;
|
||||
println!("Encryption key fingerprint: {}", fingerprint);
|
||||
|
||||
let crypt_config = CryptConfig::new(key)?;
|
||||
let crypt_config = CryptConfig::new(key.clone())?;
|
||||
|
||||
match key::find_master_pubkey()? {
|
||||
Some(ref path) if path.exists() => {
|
||||
let pem_data = file_get_contents(path)?;
|
||||
let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
|
||||
let enc_key = crypt_config.generate_rsa_encoded_key(rsa, created)?;
|
||||
let key_config = KeyConfig {
|
||||
kdf: None,
|
||||
created,
|
||||
modified: proxmox::tools::time::epoch_i64(),
|
||||
data: key.to_vec(),
|
||||
fingerprint: Some(fingerprint),
|
||||
};
|
||||
let enc_key = rsa_encrypt_key_config(rsa, &key_config)?;
|
||||
println!("Master key '{:?}'", path);
|
||||
|
||||
(Some(Arc::new(crypt_config)), Some(enc_key))
|
||||
|
||||
Reference in New Issue
Block a user