src/backup/key_derivation.rs: add modified field to key file
This commit is contained in:
parent
6d0983dbe1
commit
ab44acff57
@ -60,6 +60,8 @@ pub struct KeyConfig {
|
|||||||
pub kdf: Option<KeyDerivationConfig>,
|
pub kdf: Option<KeyDerivationConfig>,
|
||||||
#[serde(with = "proxmox::tools::serde::date_time_as_rfc3339")]
|
#[serde(with = "proxmox::tools::serde::date_time_as_rfc3339")]
|
||||||
pub created: DateTime<Local>,
|
pub created: DateTime<Local>,
|
||||||
|
#[serde(with = "proxmox::tools::serde::date_time_as_rfc3339")]
|
||||||
|
pub modified: DateTime<Local>,
|
||||||
#[serde(with = "proxmox::tools::serde::bytes_as_base64")]
|
#[serde(with = "proxmox::tools::serde::bytes_as_base64")]
|
||||||
pub data: Vec<u8>,
|
pub data: Vec<u8>,
|
||||||
}
|
}
|
||||||
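Review bot: The new `modified` field has no serde fallback, so any key file written before this change (one that carries `created` and `data` but no `modified`) will be rejected by `serde_json::from_str` in `load_and_decrtypt_key` with a missing-field error, leaving that key unloadable until the file is edited by hand. If such files can exist on deployed systems, give the field a default that the `with` module can coexist with, e.g. `#[serde(default = "unix_epoch", with = "proxmox::tools::serde::date_time_as_rfc3339")]` backed by a small `fn unix_epoch() -> DateTime<Local>`, or state in a doc comment on the struct that pre-existing key files must be migrated. Whichever is chosen, the struct deserves a `///` line saying that `created` is the key's original creation time and `modified` the time of the last re-encryption. The `KeyConfig` definition begins before this hunk.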
@ -96,12 +98,10 @@ pub fn store_key_config(
|
|||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn store_key_with_passphrase(
|
pub fn encrypt_key_with_passphrase(
|
||||||
path: &std::path::Path,
|
|
||||||
raw_key: &[u8],
|
raw_key: &[u8],
|
||||||
passphrase: &[u8],
|
passphrase: &[u8],
|
||||||
replace: bool,
|
) -> Result<KeyConfig, Error> {
|
||||||
) -> Result<(), Error> {
|
|
||||||
|
|
||||||
let salt = proxmox::sys::linux::random_data(32)?;
|
let salt = proxmox::sys::linux::random_data(32)?;
|
||||||
|
|
||||||
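Review bot: `encrypt_key_with_passphrase` no longer writes anything (the `path` and `replace` parameters are gone) and, per a later hunk, returns a `KeyConfig` whose `created` and `modified` are both stamped with the time of the call, which is wrong for a caller re-encrypting an existing key unless it overwrites `created` afterwards as `key_change_passphrase` does; nothing at the definition says so. Add a doc comment on the signature: `/// Derives a key from `passphrase` (fresh 32-byte salt), encrypts `raw_key` with it and returns the resulting `KeyConfig` without storing it. Both `created` and `modified` are set to now; callers re-encrypting an existing key must restore the original `created` before calling `store_key_config`.` The function body continues past this hunk.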
@ -135,14 +135,15 @@ pub fn store_key_with_passphrase(
|
|||||||
|
|
||||||
let created = Local.timestamp(Local::now().timestamp(), 0);
|
let created = Local.timestamp(Local::now().timestamp(), 0);
|
||||||
|
|
||||||
store_key_config(path, replace, KeyConfig {
|
Ok(KeyConfig {
|
||||||
kdf: Some(kdf),
|
kdf: Some(kdf),
|
||||||
created,
|
created,
|
||||||
|
modified: created,
|
||||||
data: enc_data,
|
data: enc_data,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn load_and_decrtypt_key(path: &std::path::Path, passphrase: fn() -> Result<Vec<u8>, Error>) -> Result<[u8;32], Error> {
|
pub fn load_and_decrtypt_key(path: &std::path::Path, passphrase: fn() -> Result<Vec<u8>, Error>) -> Result<([u8;32], DateTime<Local>), Error> {
|
||||||
|
|
||||||
let raw = crate::tools::file_get_contents(&path)?;
|
let raw = crate::tools::file_get_contents(&path)?;
|
||||||
let data = String::from_utf8(raw)?;
|
let data = String::from_utf8(raw)?;
|
||||||
@ -150,6 +151,7 @@ pub fn load_and_decrtypt_key(path: &std::path::Path, passphrase: fn() -> Result<
|
|||||||
let key_config: KeyConfig = serde_json::from_str(&data)?;
|
let key_config: KeyConfig = serde_json::from_str(&data)?;
|
||||||
|
|
||||||
let raw_data = key_config.data;
|
let raw_data = key_config.data;
|
||||||
|
let created = key_config.created;
|
||||||
|
|
||||||
let key = if let Some(kdf) = key_config.kdf {
|
let key = if let Some(kdf) = key_config.kdf {
|
||||||
|
|
||||||
@ -186,5 +188,5 @@ pub fn load_and_decrtypt_key(path: &std::path::Path, passphrase: fn() -> Result<
|
|||||||
let mut result = [0u8; 32];
|
let mut result = [0u8; 32];
|
||||||
result.copy_from_slice(&key);
|
result.copy_from_slice(&key);
|
||||||
|
|
||||||
Ok(result)
|
Ok((result, created))
|
||||||
}
|
}
|
||||||
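Review bot: Since this commit already changes the signature of `load_and_decrtypt_key` and touches all three visible call sites, it is the cheapest moment to fix the misspelled name to `load_and_decrypt_key`; leaving it means the next signature change pays the same cost again. The new return type should also be documented, because `DateTime<Local>` in a bare tuple does not say which timestamp it is: `/// Returns the 32-byte key and the key file's `created` timestamp.` Note that `created` is read from the plain JSON wrapper, not from the encrypted `data`, so it is informational only and callers should not treat it as tamper-proof. The function starts before this hunk.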
|
@ -471,7 +471,7 @@ fn create_backup(
|
|||||||
let crypt_config = match keyfile {
|
let crypt_config = match keyfile {
|
||||||
None => None,
|
None => None,
|
||||||
Some(path) => {
|
Some(path) => {
|
||||||
let key = load_and_decrtypt_key(&path, get_encryption_key_password)?;
|
let (key, _) = load_and_decrtypt_key(&path, get_encryption_key_password)?;
|
||||||
Some(Arc::new(CryptConfig::new(key)?))
|
Some(Arc::new(CryptConfig::new(key)?))
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
@ -832,7 +832,9 @@ fn key_create(
|
|||||||
|
|
||||||
let password = crate::tools::tty::read_password("Encryption Key Password: ")?;
|
let password = crate::tools::tty::read_password("Encryption Key Password: ")?;
|
||||||
|
|
||||||
store_key_with_passphrase(&path, &key, &password, false)?;
|
let key_config = encrypt_key_with_passphrase(&key, &password)?;
|
||||||
|
|
||||||
|
store_key_config(&path, false, key_config)?;
|
||||||
|
|
||||||
Ok(Value::Null)
|
Ok(Value::Null)
|
||||||
} else if kdf == "none" {
|
} else if kdf == "none" {
|
||||||
@ -841,6 +843,7 @@ fn key_create(
|
|||||||
store_key_config(&path, false, KeyConfig {
|
store_key_config(&path, false, KeyConfig {
|
||||||
kdf: None,
|
kdf: None,
|
||||||
created,
|
created,
|
||||||
|
modified: created,
|
||||||
data: key,
|
data: key,
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
@ -867,7 +870,7 @@ fn key_change_passphrase(
|
|||||||
bail!("unable to change passphrase - no tty");
|
bail!("unable to change passphrase - no tty");
|
||||||
}
|
}
|
||||||
|
|
||||||
let key = load_and_decrtypt_key(&path, get_encryption_key_password)?;
|
let (key, created) = load_and_decrtypt_key(&path, get_encryption_key_password)?;
|
||||||
|
|
||||||
if kdf == "scrypt" {
|
if kdf == "scrypt" {
|
||||||
|
|
||||||
@ -882,16 +885,19 @@ fn key_change_passphrase(
|
|||||||
bail!("Password is too short!");
|
bail!("Password is too short!");
|
||||||
}
|
}
|
||||||
|
|
||||||
store_key_with_passphrase(&path, &key, new_pw.as_bytes(), true)?;
|
let mut new_key_config = encrypt_key_with_passphrase(&key, new_pw.as_bytes())?;
|
||||||
|
new_key_config.created = created; // keep original value
|
||||||
|
|
||||||
|
store_key_config(&path, true, new_key_config)?;
|
||||||
|
|
||||||
Ok(Value::Null)
|
Ok(Value::Null)
|
||||||
} else if kdf == "none" {
|
} else if kdf == "none" {
|
||||||
// fixme: keep original creation time, add modified timestamp ??
|
let modified = Local.timestamp(Local::now().timestamp(), 0);
|
||||||
let created = Local.timestamp(Local::now().timestamp(), 0);
|
|
||||||
|
|
||||||
store_key_config(&path, true, KeyConfig {
|
store_key_config(&path, true, KeyConfig {
|
||||||
kdf: None,
|
kdf: None,
|
||||||
created,
|
created, // keep original value
|
||||||
|
modified,
|
||||||
data: key.to_vec(),
|
data: key.to_vec(),
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
|