tape: add hardware encryption key managenent api

src/config/tape_encryption_keys.rs

@@ -0,0 +1,126 @@
+use std::collections::HashMap;
+
+use anyhow::{bail, Error};
+use serde::{Deserialize, Serialize};
+use openssl::sha::sha256;
+
+use proxmox::tools::fs::{
+    file_read_optional_string,
+    replace_file,
+    CreateOptions,
+};
+
+use crate::{
+    backup::{
+        Fingerprint,
+    },
+};
+
+mod hex_key {
+    use serde::{self, Deserialize, Serializer, Deserializer};
+
+    pub fn serialize<S>(
+        csum: &[u8; 32],
+        serializer: S,
+    ) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        let s = proxmox::tools::digest_to_hex(csum);
+        serializer.serialize_str(&s)
+    }
+
+    pub fn deserialize<'de, D>(
+        deserializer: D,
+    ) -> Result<[u8; 32], D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let s = String::deserialize(deserializer)?;
+        proxmox::tools::hex_to_digest(&s).map_err(serde::de::Error::custom)
+    }
+}
+
+/// Store Hardware Encryption keys
+#[derive(Deserialize, Serialize)]
+pub struct EncryptionKeyInfo {
+    pub hint: String,
+    #[serde(with = "hex_key")]
+    pub key: [u8; 32],
+    pub fingerprint: Fingerprint,
+}
+
+impl EncryptionKeyInfo {
+
+    pub fn new(key: &[u8; 32], hint: String) -> Self {
+        Self {
+            hint,
+            key: key.clone(),
+            fingerprint: Fingerprint::new(sha256(key)),
+        }
+    }
+}
+
+pub const TAPE_KEYS_FILENAME: &str = "/etc/proxmox-backup/tape-encryption-keys.json";
+pub const TAPE_KEYS_LOCKFILE: &str = "/etc/proxmox-backup/.tape-encryption-keys.lck";
+
+pub fn load_keys() -> Result<(HashMap<Fingerprint, EncryptionKeyInfo>,  [u8;32]), Error> {
+
+    let content = file_read_optional_string(TAPE_KEYS_FILENAME)?;
+    let content = content.unwrap_or_else(|| String::from("[]"));
+
+    let digest = openssl::sha::sha256(content.as_bytes());
+
+    let list: Vec<EncryptionKeyInfo> = serde_json::from_str(&content)?;
+
+    let mut map = HashMap::new();
+    
+    for item in list {
+        let expected_fingerprint = Fingerprint::new(sha256(&item.key));
+        if item.fingerprint != expected_fingerprint {
+            bail!(
+                "inconsistent fingerprint ({} != {})",
+                item.fingerprint,
+                expected_fingerprint,
+            );
+        }
+        
+        map.insert(item.fingerprint.clone(), item);
+    }
+   
+    Ok((map, digest))
+}
+
+pub fn save_keys(map: HashMap<Fingerprint, EncryptionKeyInfo>) -> Result<(), Error> {
+
+    let mut list = Vec::new();
+
+    for (_fp, item) in map {
+        list.push(item);
+    }
+
+    let raw = serde_json::to_string_pretty(&list)?;
+    
+    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
+    // set the correct owner/group/permissions while saving file
+    // owner(rw) = root, group(r)= root
+    let options = CreateOptions::new()
+        .perm(mode)
+        .owner(nix::unistd::ROOT)
+        .group(nix::unistd::Gid::from_raw(0));
+
+    replace_file(TAPE_KEYS_FILENAME, raw.as_bytes(), options)?;
+    
+    Ok(())
+}
+
+// shell completion helper
+pub fn complete_key_fingerprint(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
+    let data = match load_keys() {
+        Ok((data, _digest)) => data,
+        Err(_) => return Vec::new(),
+    };
+
+    data.keys().map(|fp| crate::tools::format::as_fingerprint(fp.bytes())).collect()
+}
+