auth: move to auth-api's private and public keys when loading keys

this commit moves away from using openssl's `PKey` and uses the
wrappers from proxmox-auth-api. this allows us to handle keys in a
more flexible way and enables as to move to ec based crypto for the
authkey in the future.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>

diff --git a/src/auth.rs b/src/auth.rs
index bada973a609d245bc5ab4788496a0617cd117b5f..21468d4bb175cfa7d5c0da880f1a2e09f751a29e 100644 (file)
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -349,9 +349,9 @@ pub(crate) fn authenticate_user<'a>(
 }
 
 static PRIVATE_KEYRING: Lazy<Keyring> =
-    Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
+    Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone()));
 static PUBLIC_KEYRING: Lazy<Keyring> =
-    Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
+    Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone()));
 static AUTH_CONTEXT: OnceCell<PbsAuthContext> = OnceCell::new();
 
 pub fn setup_auth_context(use_private_key: bool) {

diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
index 1a483d841c7d28ac94ba53d474887a36a79eaa69..bbe3001dbacd3d0d1687de1efda93b613a2d0fcd 100644 (file)
--- a/src/auth_helpers.rs
+++ b/src/auth_helpers.rs
@@ -2,12 +2,10 @@ use std::path::PathBuf;
 use std::sync::OnceLock;
 
 use anyhow::Error;
-use lazy_static::lazy_static;
-use openssl::pkey::{PKey, Private, Public};
 use openssl::rsa::Rsa;
 
 use pbs_config::BackupLockGuard;
-use proxmox_auth_api::HMACKey;
+use proxmox_auth_api::{HMACKey, PrivateKey, PublicKey};
 use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};
 
 use pbs_buildcfg::configdir;
@@ -98,36 +96,22 @@ pub fn csrf_secret() -> &'static HMACKey {
     })
 }
 
-fn load_public_auth_key() -> Result<PKey<Public>, Error> {
-    let pem = file_get_contents(configdir!("/authkey.pub"))?;
-    let rsa = Rsa::public_key_from_pem(&pem)?;
-    let key = PKey::from_rsa(rsa)?;
+pub fn public_auth_key() -> &'static PublicKey {
+    static KEY: OnceLock<PublicKey> = OnceLock::new();
 
-    Ok(key)
-}
-
-pub fn public_auth_key() -> &'static PKey<Public> {
-    lazy_static! {
-        static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
-    }
-
-    &KEY
-}
-
-fn load_private_auth_key() -> Result<PKey<Private>, Error> {
-    let pem = file_get_contents(configdir!("/authkey.key"))?;
-    let rsa = Rsa::private_key_from_pem(&pem)?;
-    let key = PKey::from_rsa(rsa)?;
-
-    Ok(key)
+    KEY.get_or_init(|| {
+        let pem = file_get_contents(configdir!("/authkey.pub")).unwrap();
+        PublicKey::from_pem(&pem).unwrap()
+    })
 }
 
-pub fn private_auth_key() -> &'static PKey<Private> {
-    lazy_static! {
-        static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
-    }
+pub fn private_auth_key() -> &'static PrivateKey {
+    static KEY: OnceLock<PrivateKey> = OnceLock::new();
 
-    &KEY
+    KEY.get_or_init(|| {
+        let pem = file_get_contents(configdir!("/authkey.key")).unwrap();
+        PrivateKey::from_pem(&pem).unwrap()
+    })
 }
 
 const LDAP_PASSWORDS_FILENAME: &str = configdir!("/ldap_passwords.json");