src/backup/crypt_config.rs - generate_rsa_encoded_key: store as json
Use the KeyConfig serialization with kdf = None.
This commit is contained in:
parent
3031e44c58
commit
bb8231409e
@ -12,6 +12,7 @@ use openssl::pkcs5::pbkdf2_hmac;
|
|||||||
use openssl::hash::MessageDigest;
|
use openssl::hash::MessageDigest;
|
||||||
use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
|
use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
|
||||||
use std::io::Write;
|
use std::io::Write;
|
||||||
|
use chrono::{Local, TimeZone, DateTime};
|
||||||
|
|
||||||
/// Encryption Configuration with secret key
|
/// Encryption Configuration with secret key
|
||||||
///
|
///
|
||||||
@ -171,10 +172,15 @@ impl CryptConfig {
|
|||||||
pub fn generate_rsa_encoded_key(
|
pub fn generate_rsa_encoded_key(
|
||||||
&self,
|
&self,
|
||||||
rsa: openssl::rsa::Rsa<openssl::pkey::Public>,
|
rsa: openssl::rsa::Rsa<openssl::pkey::Public>,
|
||||||
|
created: DateTime<Local>,
|
||||||
) -> Result<Vec<u8>, Error> {
|
) -> Result<Vec<u8>, Error> {
|
||||||
|
|
||||||
|
let modified = Local.timestamp(Local::now().timestamp(), 0);
|
||||||
|
let key_config = super::KeyConfig { kdf: None, created, modified, data: self.enc_key.to_vec() };
|
||||||
|
let data = serde_json::to_string(&key_config)?.as_bytes().to_vec();
|
||||||
|
|
||||||
let mut buffer = vec![0u8; rsa.size() as usize];
|
let mut buffer = vec![0u8; rsa.size() as usize];
|
||||||
let len = rsa.public_encrypt(&self.enc_key, &mut buffer, openssl::rsa::Padding::PKCS1)?;
|
let len = rsa.public_encrypt(&data, &mut buffer, openssl::rsa::Padding::PKCS1)?;
|
||||||
if len != buffer.len() {
|
if len != buffer.len() {
|
||||||
bail!("got unexpected length from rsa.public_encrypt().");
|
bail!("got unexpected length from rsa.public_encrypt().");
|
||||||
}
|
}
|
||||||
|
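Review bot: `rsa.public_encrypt` on the serialized KeyConfig has no explicit size check, and the JSON document is considerably larger than the raw `enc_key` the old code sealed; with `Padding::PKCS1` the plaintext must be at most `rsa.size() - 11` bytes, so a small master key or a verbose encoding of `data` would fail with only openssl's generic error. A guard with a clear message before the call, `if data.len() + 11 > rsa.size() as usize { bail!("master public key is too small to wrap the key config"); }`, makes the limit visible to the operator. Whether the current layout fits depends on how KeyConfig serializes `data` and on the modulus size, neither of which is visible in this hunk. Minor: `let data = serde_json::to_vec(&key_config)?;` replaces the `to_string(...)?.as_bytes().to_vec()` round trip. Since `kdf` is `None`, the sealed document carries the raw key in `data` and the RSA envelope is its only protection, which is worth stating in a doc comment on the function; generate_rsa_encoded_key continues past the end of the hunk.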
@ -470,11 +470,22 @@ fn create_backup(
|
|||||||
println!("Client name: {}", tools::nodename());
|
println!("Client name: {}", tools::nodename());
|
||||||
println!("Start Time: {}", backup_time.to_rfc3339());
|
println!("Start Time: {}", backup_time.to_rfc3339());
|
||||||
|
|
||||||
let crypt_config = match keyfile {
|
let (crypt_config, rsa_encrypted_key) = match keyfile {
|
||||||
None => None,
|
None => (None, None),
|
||||||
Some(path) => {
|
Some(path) => {
|
||||||
let (key, _) = load_and_decrtypt_key(&path, get_encryption_key_password)?;
|
let (key, created) = load_and_decrtypt_key(&path, get_encryption_key_password)?;
|
||||||
Some(Arc::new(CryptConfig::new(key)?))
|
|
||||||
|
let crypt_config = CryptConfig::new(key)?;
|
||||||
|
|
||||||
|
let path = master_pubkey_path()?;
|
||||||
|
if path.exists() {
|
||||||
|
let pem_data = proxmox_backup::tools::file_get_contents(&path)?;
|
||||||
|
let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
|
||||||
|
let enc_key = crypt_config.generate_rsa_encoded_key(rsa, created)?;
|
||||||
|
(Some(Arc::new(crypt_config)), Some(enc_key))
|
||||||
|
} else {
|
||||||
|
(Some(Arc::new(crypt_config)), None)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
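Review bot: Both branches of the new `if path.exists()` inside the `Some(path)` arm build `Some(Arc::new(crypt_config))`, so the tuple construction is duplicated and the branch nests deeper than it needs to; computing the optional sealed key first and returning a single tuple reads more directly. The rewrite below keeps behaviour, including failing before any data is uploaded when the master key file cannot be read or parsed. The `// openssl rsautl -decrypt …` comment kept in the later hunk now describes recovering a JSON KeyConfig document with `kdf = None` rather than the raw key, and could say so. create_backup starts and ends outside the hunk.
```rust
Some(path) => {
    let (key, created) = load_and_decrtypt_key(&path, get_encryption_key_password)?;
    let crypt_config = CryptConfig::new(key)?;

    // Seal the key config only when a master public key is installed.
    let path = master_pubkey_path()?;
    let rsa_encrypted_key = if path.exists() {
        let pem_data = proxmox_backup::tools::file_get_contents(&path)?;
        let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
        Some(crypt_config.generate_rsa_encoded_key(rsa, created)?)
    } else {
        None
    };
    (Some(Arc::new(crypt_config)), rsa_encrypted_key)
}
```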
@ -513,15 +524,10 @@ fn create_backup(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if let Some(crypt_config) = crypt_config {
|
if let Some(rsa_encrypted_key) = rsa_encrypted_key {
|
||||||
let path = master_pubkey_path()?;
|
|
||||||
if path.exists() {
|
|
||||||
let pem_data = proxmox_backup::tools::file_get_contents(&path)?;
|
|
||||||
let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
|
|
||||||
let enc_key = crypt_config.generate_rsa_encoded_key(rsa)?;
|
|
||||||
let target = "rsa-encrypted.key";
|
let target = "rsa-encrypted.key";
|
||||||
println!("Upload RSA encoded key to '{:?}' as {}", repo, target);
|
println!("Upload RSA encoded key to '{:?}' as {}", repo, target);
|
||||||
client.upload_blob_from_data(enc_key, target, None, false).wait()?;
|
client.upload_blob_from_data(rsa_encrypted_key, target, None, false).wait()?;
|
||||||
|
|
||||||
// openssl rsautl -decrypt -inkey master-private.pem -in rsa-encrypted.key -out t
|
// openssl rsautl -decrypt -inkey master-private.pem -in rsa-encrypted.key -out t
|
||||||
/*
|
/*
|
||||||
@ -532,7 +538,6 @@ fn create_backup(
|
|||||||
println!("TEST {} {:?}", len, buffer2);
|
println!("TEST {} {:?}", len, buffer2);
|
||||||
*/
|
*/
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
client.finish().wait()?;
|
client.finish().wait()?;
|
||||||
|
|
||||||
|