From bb8231409e244589a5197dd00439bc098d17fef9 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Wed, 26 Jun 2019 07:32:34 +0200 Subject: [PATCH] src/backup/crypt_config.rs - generate_rsa_encoded_key: store as json Use the KeyConfig serialization with kdf = None. --- src/backup/crypt_config.rs | 8 +++++- src/bin/proxmox-backup-client.rs | 49 ++++++++++++++++++-------------- 2 files changed, 34 insertions(+), 23 deletions(-) diff --git a/src/backup/crypt_config.rs b/src/backup/crypt_config.rs index e22ffbce..f826d65b 100644 --- a/src/backup/crypt_config.rs +++ b/src/backup/crypt_config.rs @@ -12,6 +12,7 @@ use openssl::pkcs5::pbkdf2_hmac; use openssl::hash::MessageDigest; use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode}; use std::io::Write; +use chrono::{Local, TimeZone, DateTime}; /// Encryption Configuration with secret key /// @@ -171,10 +172,15 @@ impl CryptConfig { pub fn generate_rsa_encoded_key( &self, rsa: openssl::rsa::Rsa, + created: DateTime, ) -> Result, Error> { + let modified = Local.timestamp(Local::now().timestamp(), 0); + let key_config = super::KeyConfig { kdf: None, created, modified, data: self.enc_key.to_vec() }; + let data = serde_json::to_string(&key_config)?.as_bytes().to_vec(); + let mut buffer = vec![0u8; rsa.size() as usize]; - let len = rsa.public_encrypt(&self.enc_key, &mut buffer, openssl::rsa::Padding::PKCS1)?; + let len = rsa.public_encrypt(&data, &mut buffer, openssl::rsa::Padding::PKCS1)?; if len != buffer.len() { bail!("got unexpected length from rsa.public_encrypt()."); } diff --git a/src/bin/proxmox-backup-client.rs b/src/bin/proxmox-backup-client.rs index 93b1dde3..15d56471 100644 --- a/src/bin/proxmox-backup-client.rs +++ b/src/bin/proxmox-backup-client.rs @@ -470,11 +470,22 @@ fn create_backup( println!("Client name: {}", tools::nodename()); println!("Start Time: {}", backup_time.to_rfc3339()); - let crypt_config = match keyfile { - None => None, + let (crypt_config, rsa_encrypted_key) = match keyfile { + None => (None, None), Some(path) => { - let (key, _) = load_and_decrtypt_key(&path, get_encryption_key_password)?; - Some(Arc::new(CryptConfig::new(key)?)) + let (key, created) = load_and_decrtypt_key(&path, get_encryption_key_password)?; + + let crypt_config = CryptConfig::new(key)?; + + let path = master_pubkey_path()?; + if path.exists() { + let pem_data = proxmox_backup::tools::file_get_contents(&path)?; + let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?; + let enc_key = crypt_config.generate_rsa_encoded_key(rsa, created)?; + (Some(Arc::new(crypt_config)), Some(enc_key)) + } else { + (Some(Arc::new(crypt_config)), None) + } } }; @@ -513,25 +524,19 @@ fn create_backup( } } - if let Some(crypt_config) = crypt_config { - let path = master_pubkey_path()?; - if path.exists() { - let pem_data = proxmox_backup::tools::file_get_contents(&path)?; - let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?; - let enc_key = crypt_config.generate_rsa_encoded_key(rsa)?; - let target = "rsa-encrypted.key"; - println!("Upload RSA encoded key to '{:?}' as {}", repo, target); - client.upload_blob_from_data(enc_key, target, None, false).wait()?; + if let Some(rsa_encrypted_key) = rsa_encrypted_key { + let target = "rsa-encrypted.key"; + println!("Upload RSA encoded key to '{:?}' as {}", repo, target); + client.upload_blob_from_data(rsa_encrypted_key, target, None, false).wait()?; - // openssl rsautl -decrypt -inkey master-private.pem -in rsa-encrypted.key -out t - /* - let mut buffer2 = vec![0u8; rsa.size() as usize]; - let pem_data = proxmox_backup::tools::file_get_contents("master-private.pem")?; - let rsa = openssl::rsa::Rsa::private_key_from_pem(&pem_data)?; - let len = rsa.private_decrypt(&buffer, &mut buffer2, openssl::rsa::Padding::PKCS1)?; - println!("TEST {} {:?}", len, buffer2); - */ - } + // openssl rsautl -decrypt -inkey master-private.pem -in rsa-encrypted.key -out t + /* + let mut buffer2 = vec![0u8; rsa.size() as usize]; + let pem_data = proxmox_backup::tools::file_get_contents("master-private.pem")?; + let rsa = openssl::rsa::Rsa::private_key_from_pem(&pem_data)?; + let len = rsa.private_decrypt(&buffer, &mut buffer2, openssl::rsa::Padding::PKCS1)?; + println!("TEST {} {:?}", len, buffer2); + */ } client.finish().wait()?;