]> git.proxmox.com Git - proxmox-backup.git/blob - pbs-datastore/src/manifest.rs
projects / proxmox-backup.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
move to/write_canonical_json to proxmox-serde
[proxmox-backup.git] / pbs-datastore / src / manifest.rs
1 use std::convert::TryFrom;
2 use std::path::Path;
3
4 use anyhow::{bail, format_err, Error};
5
6 use serde::{Deserialize, Serialize};
7 use serde_json::{json, Value};
8
9 use pbs_api_types::{BackupType, CryptMode, Fingerprint};
10 use pbs_tools::crypt_config::CryptConfig;
11
12 pub const MANIFEST_BLOB_NAME: &str = "index.json.blob";
13 pub const MANIFEST_LOCK_NAME: &str = ".index.json.lck";
14 pub const CLIENT_LOG_BLOB_NAME: &str = "client.log.blob";
15 pub const ENCRYPTED_KEY_BLOB_NAME: &str = "rsa-encrypted.key.blob";
16
17 fn crypt_mode_none() -> CryptMode {
18 CryptMode::None
19 }
20 fn empty_value() -> Value {
21 json!({})
22 }
23
24 #[derive(Serialize, Deserialize)]
25 #[serde(rename_all = "kebab-case")]
26 pub struct FileInfo {
27 pub filename: String,
28 #[serde(default = "crypt_mode_none")] // to be compatible with < 0.8.0 backups
29 pub crypt_mode: CryptMode,
30 pub size: u64,
31 #[serde(with = "hex::serde")]
32 pub csum: [u8; 32],
33 }
34
35 impl FileInfo {
36 /// Return expected CryptMode of referenced chunks
37 ///
38 /// Encrypted Indices should only reference encrypted chunks, while signed or plain indices
39 /// should only reference plain chunks.
40 pub fn chunk_crypt_mode(&self) -> CryptMode {
41 match self.crypt_mode {
42 CryptMode::Encrypt => CryptMode::Encrypt,
43 CryptMode::SignOnly | CryptMode::None => CryptMode::None,
44 }
45 }
46 }
47
48 #[derive(Serialize, Deserialize)]
49 #[serde(rename_all = "kebab-case")]
50 pub struct BackupManifest {
51 backup_type: BackupType,
52 backup_id: String,
53 backup_time: i64,
54 files: Vec<FileInfo>,
55 #[serde(default = "empty_value")] // to be compatible with < 0.8.0 backups
56 pub unprotected: Value,
57 pub signature: Option<String>,
58 }
59
60 #[derive(PartialEq)]
61 pub enum ArchiveType {
62 FixedIndex,
63 DynamicIndex,
64 Blob,
65 }
66
67 impl ArchiveType {
68 pub fn from_path(archive_name: impl AsRef<Path>) -> Result<Self, Error> {
69 let archive_name = archive_name.as_ref();
70 let archive_type = match archive_name.extension().and_then(|ext| ext.to_str()) {
71 Some("didx") => ArchiveType::DynamicIndex,
72 Some("fidx") => ArchiveType::FixedIndex,
73 Some("blob") => ArchiveType::Blob,
74 _ => bail!("unknown archive type: {:?}", archive_name),
75 };
76 Ok(archive_type)
77 }
78 }
79
80 //#[deprecated(note = "use ArchivType::from_path instead")] later...
81 pub fn archive_type<P: AsRef<Path>>(archive_name: P) -> Result<ArchiveType, Error> {
82 ArchiveType::from_path(archive_name)
83 }
84
85 impl BackupManifest {
86 pub fn new(snapshot: pbs_api_types::BackupDir) -> Self {
87 Self {
88 backup_type: snapshot.group.ty,
89 backup_id: snapshot.group.id,
90 backup_time: snapshot.time,
91 files: Vec::new(),
92 unprotected: json!({}),
93 signature: None,
94 }
95 }
96
97 pub fn add_file(
98 &mut self,
99 filename: String,
100 size: u64,
101 csum: [u8; 32],
102 crypt_mode: CryptMode,
103 ) -> Result<(), Error> {
104 let _archive_type = ArchiveType::from_path(&filename)?; // check type
105 self.files.push(FileInfo {
106 filename,
107 size,
108 csum,
109 crypt_mode,
110 });
111 Ok(())
112 }
113
114 pub fn files(&self) -> &[FileInfo] {
115 &self.files[..]
116 }
117
118 pub fn lookup_file_info(&self, name: &str) -> Result<&FileInfo, Error> {
119 let info = self.files.iter().find(|item| item.filename == name);
120
121 match info {
122 None => bail!("manifest does not contain file '{}'", name),
123 Some(info) => Ok(info),
124 }
125 }
126
127 pub fn verify_file(&self, name: &str, csum: &[u8; 32], size: u64) -> Result<(), Error> {
128 let info = self.lookup_file_info(name)?;
129
130 if size != info.size {
131 bail!("wrong size for file '{}' ({} != {})", name, info.size, size);
132 }
133
134 if csum != &info.csum {
135 bail!("wrong checksum for file '{}'", name);
136 }
137
138 Ok(())
139 }
140
141 // Generate canonical json
142 fn to_canonical_json(value: &Value) -> Result<Vec<u8>, Error> {
143 proxmox_serde::json::to_canonical_json(value)
144 }
145
146 /// Compute manifest signature
147 ///
148 /// By generating a HMAC SHA256 over the canonical json
149 /// representation, The 'unpreotected' property is excluded.
150 pub fn signature(&self, crypt_config: &CryptConfig) -> Result<[u8; 32], Error> {
151 Self::json_signature(&serde_json::to_value(&self)?, crypt_config)
152 }
153
154 fn json_signature(data: &Value, crypt_config: &CryptConfig) -> Result<[u8; 32], Error> {
155 let mut signed_data = data.clone();
156
157 signed_data.as_object_mut().unwrap().remove("unprotected"); // exclude
158 signed_data.as_object_mut().unwrap().remove("signature"); // exclude
159
160 let canonical = Self::to_canonical_json(&signed_data)?;
161
162 let sig = crypt_config.compute_auth_tag(&canonical);
163
164 Ok(sig)
165 }
166
167 /// Converts the Manifest into json string, and add a signature if there is a crypt_config.
168 pub fn to_string(&self, crypt_config: Option<&CryptConfig>) -> Result<String, Error> {
169 let mut manifest = serde_json::to_value(&self)?;
170
171 if let Some(crypt_config) = crypt_config {
172 let sig = self.signature(crypt_config)?;
173 manifest["signature"] = hex::encode(&sig).into();
174 let fingerprint = &Fingerprint::new(crypt_config.fingerprint());
175 manifest["unprotected"]["key-fingerprint"] = serde_json::to_value(fingerprint)?;
176 }
177
178 let manifest = serde_json::to_string_pretty(&manifest).unwrap();
179 Ok(manifest)
180 }
181
182 pub fn fingerprint(&self) -> Result<Option<Fingerprint>, Error> {
183 match &self.unprotected["key-fingerprint"] {
184 Value::Null => Ok(None),
185 value => Ok(Some(Deserialize::deserialize(value)?)),
186 }
187 }
188
189 /// Checks if a BackupManifest and a CryptConfig share a valid fingerprint combination.
190 ///
191 /// An unsigned manifest is valid with any or no CryptConfig.
192 /// A signed manifest is only valid with a matching CryptConfig.
193 pub fn check_fingerprint(&self, crypt_config: Option<&CryptConfig>) -> Result<(), Error> {
194 if let Some(fingerprint) = self.fingerprint()? {
195 match crypt_config {
196 None => bail!(
197 "missing key - manifest was created with key {}",
198 fingerprint,
199 ),
200 Some(crypt_config) => {
201 let config_fp = Fingerprint::new(crypt_config.fingerprint());
202 if config_fp != fingerprint {
203 bail!(
204 "wrong key - manifest's key {} does not match provided key {}",
205 fingerprint,
206 config_fp
207 );
208 }
209 }
210 }
211 };
212
213 Ok(())
214 }
215
216 /// Try to read the manifest. This verifies the signature if there is a crypt_config.
217 pub fn from_data(
218 data: &[u8],
219 crypt_config: Option<&CryptConfig>,
220 ) -> Result<BackupManifest, Error> {
221 let json: Value = serde_json::from_slice(data)?;
222 let signature = json["signature"].as_str().map(String::from);
223
224 if let Some(crypt_config) = crypt_config {
225 if let Some(signature) = signature {
226 let expected_signature = hex::encode(&Self::json_signature(&json, crypt_config)?);
227
228 let fingerprint = &json["unprotected"]["key-fingerprint"];
229 if fingerprint != &Value::Null {
230 let fingerprint = Fingerprint::deserialize(fingerprint)?;
231 let config_fp = Fingerprint::new(crypt_config.fingerprint());
232 if config_fp != fingerprint {
233 bail!(
234 "wrong key - unable to verify signature since manifest's key {} does not match provided key {}",
235 fingerprint,
236 config_fp
237 );
238 }
239 }
240 if signature != expected_signature {
241 bail!("wrong signature in manifest");
242 }
243 } else {
244 // not signed: warn/fail?
245 }
246 }
247
248 let manifest: BackupManifest = serde_json::from_value(json)?;
249 Ok(manifest)
250 }
251 }
252
253 impl TryFrom<super::DataBlob> for BackupManifest {
254 type Error = Error;
255
256 fn try_from(blob: super::DataBlob) -> Result<Self, Error> {
257 // no expected digest available
258 let data = blob
259 .decode(None, None)
260 .map_err(|err| format_err!("decode backup manifest blob failed - {}", err))?;
261 let json: Value = serde_json::from_slice(&data[..])
262 .map_err(|err| format_err!("unable to parse backup manifest json - {}", err))?;
263 let manifest: BackupManifest = serde_json::from_value(json)?;
264 Ok(manifest)
265 }
266 }
267
268 #[test]
269 fn test_manifest_signature() -> Result<(), Error> {
270 use pbs_config::key_config::KeyDerivationConfig;
271
272 let pw = b"test";
273
274 let kdf = KeyDerivationConfig::Scrypt {
275 n: 65536,
276 r: 8,
277 p: 1,
278 salt: Vec::new(),
279 };
280
281 let testkey = kdf.derive_key(pw)?;
282
283 let crypt_config = CryptConfig::new(testkey)?;
284
285 let mut manifest = BackupManifest::new("host/elsa/2020-06-26T13:56:05Z".parse()?);
286
287 manifest.add_file("test1.img.fidx".into(), 200, [1u8; 32], CryptMode::Encrypt)?;
288 manifest.add_file("abc.blob".into(), 200, [2u8; 32], CryptMode::None)?;
289
290 manifest.unprotected["note"] = "This is not protected by the signature.".into();
291
292 let text = manifest.to_string(Some(&crypt_config))?;
293
294 let manifest: Value = serde_json::from_str(&text)?;
295 let signature = manifest["signature"].as_str().unwrap().to_string();
296
297 assert_eq!(
298 signature,
299 "d7b446fb7db081662081d4b40fedd858a1d6307a5aff4ecff7d5bf4fd35679e9"
300 );
301
302 let manifest: BackupManifest = serde_json::from_value(manifest)?;
303 let expected_signature = hex::encode(&manifest.signature(&crypt_config)?);
304
305 assert_eq!(signature, expected_signature);
306
307 Ok(())
308 }
Proxmox Backup Server and Client