[proxmox-backup.git] / src / bin / proxmox_backup_client / key.rs

use std::convert::TryFrom;
use std::path::PathBuf;

use anyhow::{bail, format_err, Error};
use serde_json::Value;

use proxmox::api::api;
use proxmox::api::cli::{
    format_and_print_result_full, get_output_format, CliCommand, CliCommandMap, ColumnConfig,
    OUTPUT_FORMAT,
};
use proxmox::api::router::ReturnType;
use proxmox::sys::linux::tty;
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};

use proxmox_backup::{
    api2::types::{Kdf, KeyInfo, RsaPubKeyInfo, PASSWORD_HINT_SCHEMA},
    backup::{rsa_decrypt_key_config, KeyConfig},
    tools,
    tools::paperkey::{generate_paper_key, PaperkeyFormat},
};

use crate::KeyWithSource;

pub const DEFAULT_ENCRYPTION_KEY_FILE_NAME: &str = "encryption-key.json";
pub const DEFAULT_MASTER_PUBKEY_FILE_NAME: &str = "master-public.pem";

pub fn find_default_master_pubkey() -> Result<Option<PathBuf>, Error> {
    super::find_xdg_file(
        DEFAULT_MASTER_PUBKEY_FILE_NAME,
        "default master public key file",
    )
}

pub fn place_default_master_pubkey() -> Result<PathBuf, Error> {
    super::place_xdg_file(
        DEFAULT_MASTER_PUBKEY_FILE_NAME,
        "default master public key file",
    )
}

pub fn find_default_encryption_key() -> Result<Option<PathBuf>, Error> {
    super::find_xdg_file(
        DEFAULT_ENCRYPTION_KEY_FILE_NAME,
        "default encryption key file",
    )
}

pub fn place_default_encryption_key() -> Result<PathBuf, Error> {
    super::place_xdg_file(
        DEFAULT_ENCRYPTION_KEY_FILE_NAME,
        "default encryption key file",
    )
}

#[cfg(not(test))]
pub(crate) fn read_optional_default_encryption_key() -> Result<Option<KeyWithSource>, Error> {
    find_default_encryption_key()?
        .map(|path| file_get_contents(path).map(KeyWithSource::from_default))
        .transpose()
}

#[cfg(not(test))]
pub(crate) fn read_optional_default_master_pubkey() -> Result<Option<KeyWithSource>, Error> {
    find_default_master_pubkey()?
        .map(|path| file_get_contents(path).map(KeyWithSource::from_default))
        .transpose()
}

#[cfg(test)]
static mut TEST_DEFAULT_ENCRYPTION_KEY: Result<Option<Vec<u8>>, Error> = Ok(None);

#[cfg(test)]
pub(crate) fn read_optional_default_encryption_key() -> Result<Option<KeyWithSource>, Error> {
    // not safe when multiple concurrent test cases end up here!
    unsafe {
        match &TEST_DEFAULT_ENCRYPTION_KEY {
            Ok(Some(key)) => Ok(Some(KeyWithSource::from_default(key.clone()))),
            Ok(None) => Ok(None),
            Err(_) => bail!("test error"),
        }
    }
}

#[cfg(test)]
// not safe when multiple concurrent test cases end up here!
pub(crate) unsafe fn set_test_encryption_key(value: Result<Option<Vec<u8>>, Error>) {
    TEST_DEFAULT_ENCRYPTION_KEY = value;
}

#[cfg(test)]
static mut TEST_DEFAULT_MASTER_PUBKEY: Result<Option<Vec<u8>>, Error> = Ok(None);

#[cfg(test)]
pub(crate) fn read_optional_default_master_pubkey() -> Result<Option<KeyWithSource>, Error> {
    // not safe when multiple concurrent test cases end up here!
    unsafe {
        match &TEST_DEFAULT_MASTER_PUBKEY {
            Ok(Some(key)) => Ok(Some(KeyWithSource::from_default(key.clone()))),
            Ok(None) => Ok(None),
            Err(_) => bail!("test error"),
        }
    }
}

#[cfg(test)]
// not safe when multiple concurrent test cases end up here!
pub(crate) unsafe fn set_test_default_master_pubkey(value: Result<Option<Vec<u8>>, Error>) {
    TEST_DEFAULT_MASTER_PUBKEY = value;
}

pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
    // fixme: implement other input methods

    use std::env::VarError::*;
    match std::env::var("PBS_ENCRYPTION_PASSWORD") {
        Ok(p) => return Ok(p.as_bytes().to_vec()),
        Err(NotUnicode(_)) => bail!("PBS_ENCRYPTION_PASSWORD contains bad characters"),
        Err(NotPresent) => {
            // Try another method
        }
    }

    // If we're on a TTY, query the user for a password
    if tty::stdin_isatty() {
        return Ok(tty::read_password("Encryption Key Password: ")?);
    }

    bail!("no password input mechanism available");
}

#[api(
    input: {
        properties: {
            kdf: {
                type: Kdf,
                optional: true,
            },
            path: {
                description:
                    "Output file. Without this the key will become the new default encryption key.",
                optional: true,
            },
            hint: {
                schema: PASSWORD_HINT_SCHEMA,
                optional: true,
            },
        },
    },
)]
/// Create a new encryption key.
fn create(kdf: Option<Kdf>, path: Option<String>, hint: Option<String>) -> Result<(), Error> {
    let path = match path {
        Some(path) => PathBuf::from(path),
        None => {
            let path = place_default_encryption_key()?;
            println!("creating default key at: {:?}", path);
            path
        }
    };

    let kdf = kdf.unwrap_or_default();

    let mut key = [0u8; 32];
    proxmox::sys::linux::fill_with_random_data(&mut key)?;

    match kdf {
        Kdf::None => {
            if hint.is_some() {
                bail!("password hint not allowed for Kdf::None");
            }

            let key_config = KeyConfig::without_password(key)?;

            key_config.store(path, false)?;
        }
        Kdf::Scrypt | Kdf::PBKDF2 => {
            // always read passphrase from tty
            if !tty::stdin_isatty() {
                bail!("unable to read passphrase - no tty");
            }

            let password = tty::read_and_verify_password("Encryption Key Password: ")?;

            let mut key_config = KeyConfig::with_key(&key, &password, kdf)?;
            key_config.hint = hint;

            key_config.store(&path, false)?;
        }
    }

    Ok(())
}

#[api(
    input: {
        properties: {
            "master-keyfile": {
                description: "(Private) master key to use.",
            },
            "encrypted-keyfile": {
                description: "RSA-encrypted keyfile to import.",
            },
            kdf: {
                type: Kdf,
                optional: true,
            },
            "path": {
                description:
                    "Output file. Without this the key will become the new default encryption key.",
                optional: true,
            },
            hint: {
                schema: PASSWORD_HINT_SCHEMA,
                optional: true,
            },
        },
    },
)]
/// Import an encrypted backup of an encryption key using a (private) master key.
async fn import_with_master_key(
    master_keyfile: String,
    encrypted_keyfile: String,
    kdf: Option<Kdf>,
    path: Option<String>,
    hint: Option<String>,
) -> Result<(), Error> {
    let path = match path {
        Some(path) => PathBuf::from(path),
        None => {
            let path = place_default_encryption_key()?;
            if path.exists() {
                bail!("Please remove default encryption key at {:?} before importing to default location (or choose a non-default one).", path);
            }
            println!("Importing key to default location at: {:?}", path);
            path
        }
    };

    let encrypted_key = file_get_contents(&encrypted_keyfile)?;
    let master_key = file_get_contents(&master_keyfile)?;
    let password = tty::read_password("Master Key Password: ")?;

    let master_key = openssl::pkey::PKey::private_key_from_pem_passphrase(&master_key, &password)
        .map_err(|err| format_err!("failed to read PEM-formatted private key - {}", err))?
        .rsa()
        .map_err(|err| format_err!("not a valid private RSA key - {}", err))?;

    let (key, created, _fingerprint) =
        rsa_decrypt_key_config(master_key, &encrypted_key, &get_encryption_key_password)?;

    let kdf = kdf.unwrap_or_default();
    match kdf {
        Kdf::None => {
            if hint.is_some() {
                bail!("password hint not allowed for Kdf::None");
            }

            let mut key_config = KeyConfig::without_password(key)?;
            key_config.created = created; // keep original value

            key_config.store(path, true)?;
        }
        Kdf::Scrypt | Kdf::PBKDF2 => {
            let password = tty::read_and_verify_password("New Password: ")?;

            let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
            new_key_config.created = created; // keep original value
            new_key_config.hint = hint;

            new_key_config.store(path, true)?;
        }
    }

    Ok(())
}

#[api(
    input: {
        properties: {
            kdf: {
                type: Kdf,
                optional: true,
            },
            path: {
                description: "Key file. Without this the default key's password will be changed.",
                optional: true,
            },
            hint: {
                schema: PASSWORD_HINT_SCHEMA,
                optional: true,
            },
        },
    },
)]
/// Change the encryption key's password.
fn change_passphrase(
    kdf: Option<Kdf>,
    path: Option<String>,
    hint: Option<String>,
) -> Result<(), Error> {
    let path = match path {
        Some(path) => PathBuf::from(path),
        None => {
            let path = find_default_encryption_key()?.ok_or_else(|| {
                format_err!("no encryption file provided and no default file found")
            })?;
            println!("updating default key at: {:?}", path);
            path
        }
    };

    let kdf = kdf.unwrap_or_default();

    if !tty::stdin_isatty() {
        bail!("unable to change passphrase - no tty");
    }

    let key_config = KeyConfig::load(&path)?;
    let (key, created, _fingerprint) = key_config.decrypt(&get_encryption_key_password)?;

    match kdf {
        Kdf::None => {
            if hint.is_some() {
                bail!("password hint not allowed for Kdf::None");
            }

            let mut key_config = KeyConfig::without_password(key)?;
            key_config.created = created; // keep original value

            key_config.store(&path, true)?;
        }
        Kdf::Scrypt | Kdf::PBKDF2 => {
            let password = tty::read_and_verify_password("New Password: ")?;

            let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
            new_key_config.created = created; // keep original value
            new_key_config.hint = hint;

            new_key_config.store(&path, true)?;
        }
    }

    Ok(())
}

#[api(
    input: {
        properties: {
            path: {
                description: "Key file. Without this the default key's metadata will be shown.",
                optional: true,
            },
            "output-format": {
                schema: OUTPUT_FORMAT,
                optional: true,
            },
        },
    },
)]
/// Print the encryption key's metadata.
fn show_key(path: Option<String>, param: Value) -> Result<(), Error> {
    let path = match path {
        Some(path) => PathBuf::from(path),
        None => find_default_encryption_key()?
            .ok_or_else(|| format_err!("no encryption file provided and no default file found"))?,
    };

    let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?;

    let output_format = get_output_format(&param);

    let mut info: KeyInfo = (&config).into();
    info.path = Some(format!("{:?}", path));

    let options = proxmox::api::cli::default_table_format_options()
        .column(ColumnConfig::new("path"))
        .column(ColumnConfig::new("kdf"))
        .column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
        .column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
        .column(ColumnConfig::new("fingerprint"))
        .column(ColumnConfig::new("hint"));

    let return_type = ReturnType::new(false, &KeyInfo::API_SCHEMA);

    format_and_print_result_full(
        &mut serde_json::to_value(info)?,
        &return_type,
        &output_format,
        &options,
    );

    Ok(())
}

#[api(
    input: {
        properties: {
            path: {
                description: "Path to the PEM formatted RSA public key.",
            },
        },
    },
)]
/// Import an RSA public key used to put an encrypted version of the symmetric backup encryption
/// key onto the backup server along with each backup.
///
/// The imported key will be used as default master key for future invocations by the same local
/// user.
fn import_master_pubkey(path: String) -> Result<(), Error> {
    let pem_data = file_get_contents(&path)?;

    match openssl::pkey::PKey::public_key_from_pem(&pem_data) {
        Ok(key) => {
            let info = RsaPubKeyInfo::try_from(key.rsa()?)?;
            println!("Found following key at {:?}", path);
            println!("Modulus: {}", info.modulus);
            println!("Exponent: {}", info.exponent);
            println!("Length: {}", info.length);
        }
        Err(err) => bail!("Unable to decode PEM data - {}", err),
    };

    let target_path = place_default_master_pubkey()?;

    replace_file(&target_path, &pem_data, CreateOptions::new())?;

    println!("Imported public master key to {:?}", target_path);

    Ok(())
}

#[api]
/// Create an RSA public/private key pair used to put an encrypted version of the symmetric backup
/// encryption key onto the backup server along with each backup.
fn create_master_key() -> Result<(), Error> {
    // we need a TTY to query the new password
    if !tty::stdin_isatty() {
        bail!("unable to create master key - no tty");
    }

    let bits = 4096;
    println!("Generating {}-bit RSA key..", bits);
    let rsa = openssl::rsa::Rsa::generate(bits)?;
    let public =
        openssl::rsa::Rsa::from_public_components(rsa.n().to_owned()?, rsa.e().to_owned()?)?;
    let info = RsaPubKeyInfo::try_from(public)?;
    println!("Modulus: {}", info.modulus);
    println!("Exponent: {}", info.exponent);
    println!();

    let pkey = openssl::pkey::PKey::from_rsa(rsa)?;

    let password = String::from_utf8(tty::read_and_verify_password("Master Key Password: ")?)?;

    let pub_key: Vec<u8> = pkey.public_key_to_pem()?;
    let filename_pub = "master-public.pem";
    println!("Writing public master key to {}", filename_pub);
    replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?;

    let cipher = openssl::symm::Cipher::aes_256_cbc();
    let priv_key: Vec<u8> =
        pkey.private_key_to_pem_pkcs8_passphrase(cipher, password.as_bytes())?;

    let filename_priv = "master-private.pem";
    println!("Writing private master key to {}", filename_priv);
    replace_file(filename_priv, priv_key.as_slice(), CreateOptions::new())?;

    Ok(())
}

#[api(
    input: {
        properties: {
            path: {
                description: "Path to the PEM formatted RSA public key. Default location will be used if not specified.",
                optional: true,
            },
            "output-format": {
                schema: OUTPUT_FORMAT,
                optional: true,
            },
        },
    },
)]
/// List information about master key
fn show_master_pubkey(path: Option<String>, param: Value) -> Result<(), Error> {
    let path = match path {
        Some(path) => PathBuf::from(path),
        None => find_default_master_pubkey()?
            .ok_or_else(|| format_err!("No path specified and no default master key available."))?,
    };

    let path = path.canonicalize()?;

    let output_format = get_output_format(&param);

    let pem_data = file_get_contents(path.clone())?;
    let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;

    let mut info = RsaPubKeyInfo::try_from(rsa)?;
    info.path = Some(path.display().to_string());

    let options = proxmox::api::cli::default_table_format_options()
        .column(ColumnConfig::new("path"))
        .column(ColumnConfig::new("modulus"))
        .column(ColumnConfig::new("exponent"))
        .column(ColumnConfig::new("length"));

    let return_type = ReturnType::new(false, &RsaPubKeyInfo::API_SCHEMA);

    format_and_print_result_full(
        &mut serde_json::to_value(info)?,
        &return_type,
        &output_format,
        &options,
    );

    Ok(())
}

#[api(
    input: {
        properties: {
            path: {
                description: "Key file. Without this the default key's will be used.",
                optional: true,
            },
            subject: {
                description: "Include the specified subject as title text.",
                optional: true,
            },
            "output-format": {
                type: PaperkeyFormat,
                optional: true,
            },
        },
    },
)]
/// Generate a printable, human readable text file containing the encryption key.
///
/// This also includes a scanable QR code for fast key restore.
fn paper_key(
    path: Option<String>,
    subject: Option<String>,
    output_format: Option<PaperkeyFormat>,
) -> Result<(), Error> {
    let path = match path {
        Some(path) => PathBuf::from(path),
        None => find_default_encryption_key()?
            .ok_or_else(|| format_err!("no encryption file provided and no default file found"))?,
    };

    let data = file_get_contents(&path)?;
    let data = String::from_utf8(data)?;

    generate_paper_key(std::io::stdout(), &data, subject, output_format)
}

pub fn cli() -> CliCommandMap {
    let key_create_cmd_def = CliCommand::new(&API_METHOD_CREATE)
        .arg_param(&["path"])
        .completion_cb("path", tools::complete_file_name);

    let key_import_with_master_key_cmd_def = CliCommand::new(&API_METHOD_IMPORT_WITH_MASTER_KEY)
        .arg_param(&["master-keyfile"])
        .completion_cb("master-keyfile", tools::complete_file_name)
        .arg_param(&["encrypted-keyfile"])
        .completion_cb("encrypted-keyfile", tools::complete_file_name)
        .arg_param(&["path"])
        .completion_cb("path", tools::complete_file_name);

    let key_change_passphrase_cmd_def = CliCommand::new(&API_METHOD_CHANGE_PASSPHRASE)
        .arg_param(&["path"])
        .completion_cb("path", tools::complete_file_name);

    let key_create_master_key_cmd_def = CliCommand::new(&API_METHOD_CREATE_MASTER_KEY);
    let key_import_master_pubkey_cmd_def = CliCommand::new(&API_METHOD_IMPORT_MASTER_PUBKEY)
        .arg_param(&["path"])
        .completion_cb("path", tools::complete_file_name);
    let key_show_master_pubkey_cmd_def = CliCommand::new(&API_METHOD_SHOW_MASTER_PUBKEY)
        .arg_param(&["path"])
        .completion_cb("path", tools::complete_file_name);

    let key_show_cmd_def = CliCommand::new(&API_METHOD_SHOW_KEY)
        .arg_param(&["path"])
        .completion_cb("path", tools::complete_file_name);

    let paper_key_cmd_def = CliCommand::new(&API_METHOD_PAPER_KEY)
        .arg_param(&["path"])
        .completion_cb("path", tools::complete_file_name);

    CliCommandMap::new()
        .insert("create", key_create_cmd_def)
        .insert("import-with-master-key", key_import_with_master_key_cmd_def)
        .insert("create-master-key", key_create_master_key_cmd_def)
        .insert("import-master-pubkey", key_import_master_pubkey_cmd_def)
        .insert("change-passphrase", key_change_passphrase_cmd_def)
        .insert("show", key_show_cmd_def)
        .insert("show-master-pubkey", key_show_master_pubkey_cmd_def)
        .insert("paperkey", paper_key_cmd_def)
}
Commit	Line	Data
42c0f784	1	use std::convert::TryFrom;
2924b37d	2	use std::path::PathBuf;
9696f519	3
05389a01	4	use anyhow::{bail, format_err, Error};
dfb04575	5	use serde_json::Value;
9696f519 WB	6
9696f519 WB	7	use proxmox::api::api;
dfb04575	8	use proxmox::api::cli::{
2924b37d	9	format_and_print_result_full, get_output_format, CliCommand, CliCommandMap, ColumnConfig,
dfb04575 FG	10	OUTPUT_FORMAT,
dfb04575 FG	11	};
b2362a12	12	use proxmox::api::router::ReturnType;
9696f519 WB	13	use proxmox::sys::linux::tty;
	14	use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
	15
82a103c8	16	use proxmox_backup::{
2924b37d FG	17	api2::types::{Kdf, KeyInfo, RsaPubKeyInfo, PASSWORD_HINT_SCHEMA},
2924b37d FG	18	backup::{rsa_decrypt_key_config, KeyConfig},
82a103c8	19	tools,
2924b37d	20	tools::paperkey::{generate_paper_key, PaperkeyFormat},
9696f519	21	};
7137630d	22
2f26b866 FG	23	use crate::KeyWithSource;
2f26b866 FG	24
b65390eb	25	pub const DEFAULT_ENCRYPTION_KEY_FILE_NAME: &str = "encryption-key.json";
05f17d1e	26	pub const DEFAULT_MASTER_PUBKEY_FILE_NAME: &str = "master-public.pem";
b65390eb	27
05f17d1e	28	pub fn find_default_master_pubkey() -> Result<Option<PathBuf>, Error> {
2924b37d FG	29	super::find_xdg_file(
	30	DEFAULT_MASTER_PUBKEY_FILE_NAME,
	31	"default master public key file",
	32	)
05389a01	33	}
9696f519	34
05f17d1e	35	pub fn place_default_master_pubkey() -> Result<PathBuf, Error> {
2924b37d FG	36	super::place_xdg_file(
	37	DEFAULT_MASTER_PUBKEY_FILE_NAME,
	38	"default master public key file",
	39	)
9696f519 WB	40	}
9696f519 WB	41
b65390eb	42	pub fn find_default_encryption_key() -> Result<Option<PathBuf>, Error> {
2924b37d FG	43	super::find_xdg_file(
	44	DEFAULT_ENCRYPTION_KEY_FILE_NAME,
	45	"default encryption key file",
	46	)
b65390eb	47	}
9696f519	48
b65390eb	49	pub fn place_default_encryption_key() -> Result<PathBuf, Error> {
2924b37d FG	50	super::place_xdg_file(
	51	DEFAULT_ENCRYPTION_KEY_FILE_NAME,
	52	"default encryption key file",
	53	)
9696f519 WB	54	}
9696f519 WB	55
5bb057e5	56	#[cfg(not(test))]
2f26b866	57	pub(crate) fn read_optional_default_encryption_key() -> Result<Option<KeyWithSource>, Error> {
0351f23b	58	find_default_encryption_key()?
2f26b866	59	.map(\|path\| file_get_contents(path).map(KeyWithSource::from_default))
0351f23b WB	60	.transpose()
	61	}
	62
c0a87c12	63	#[cfg(not(test))]
2f26b866	64	pub(crate) fn read_optional_default_master_pubkey() -> Result<Option<KeyWithSource>, Error> {
c0a87c12	65	find_default_master_pubkey()?
2f26b866	66	.map(\|path\| file_get_contents(path).map(KeyWithSource::from_default))
c0a87c12 FG	67	.transpose()
	68	}
	69
5bb057e5 FG	70	#[cfg(test)]
	71	static mut TEST_DEFAULT_ENCRYPTION_KEY: Result<Option<Vec<u8>>, Error> = Ok(None);
	72
	73	#[cfg(test)]
2f26b866	74	pub(crate) fn read_optional_default_encryption_key() -> Result<Option<KeyWithSource>, Error> {
5bb057e5 FG	75	// not safe when multiple concurrent test cases end up here!
	76	unsafe {
	77	match &TEST_DEFAULT_ENCRYPTION_KEY {
2f26b866 FG	78	Ok(Some(key)) => Ok(Some(KeyWithSource::from_default(key.clone()))),
2f26b866 FG	79	Ok(None) => Ok(None),
5bb057e5 FG	80	Err(_) => bail!("test error"),
	81	}
	82	}
	83	}
	84
	85	#[cfg(test)]
	86	// not safe when multiple concurrent test cases end up here!
2f26b866	87	pub(crate) unsafe fn set_test_encryption_key(value: Result<Option<Vec<u8>>, Error>) {
5bb057e5 FG	88	TEST_DEFAULT_ENCRYPTION_KEY = value;
	89	}
	90
c0a87c12 FG	91	#[cfg(test)]
	92	static mut TEST_DEFAULT_MASTER_PUBKEY: Result<Option<Vec<u8>>, Error> = Ok(None);
	93
	94	#[cfg(test)]
2f26b866	95	pub(crate) fn read_optional_default_master_pubkey() -> Result<Option<KeyWithSource>, Error> {
c0a87c12 FG	96	// not safe when multiple concurrent test cases end up here!
	97	unsafe {
	98	match &TEST_DEFAULT_MASTER_PUBKEY {
2f26b866 FG	99	Ok(Some(key)) => Ok(Some(KeyWithSource::from_default(key.clone()))),
2f26b866 FG	100	Ok(None) => Ok(None),
c0a87c12 FG	101	Err(_) => bail!("test error"),
	102	}
	103	}
	104	}
	105
	106	#[cfg(test)]
	107	// not safe when multiple concurrent test cases end up here!
2f26b866	108	pub(crate) unsafe fn set_test_default_master_pubkey(value: Result<Option<Vec<u8>>, Error>) {
c0a87c12 FG	109	TEST_DEFAULT_MASTER_PUBKEY = value;
	110	}
	111
9696f519 WB	112	pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
	113	// fixme: implement other input methods
	114
	115	use std::env::VarError::*;
	116	match std::env::var("PBS_ENCRYPTION_PASSWORD") {
	117	Ok(p) => return Ok(p.as_bytes().to_vec()),
	118	Err(NotUnicode(_)) => bail!("PBS_ENCRYPTION_PASSWORD contains bad characters"),
	119	Err(NotPresent) => {
	120	// Try another method
	121	}
	122	}
	123
	124	// If we're on a TTY, query the user for a password
	125	if tty::stdin_isatty() {
	126	return Ok(tty::read_password("Encryption Key Password: ")?);
	127	}
	128
	129	bail!("no password input mechanism available");
	130	}
	131
9696f519 WB	132	#[api(
	133	input: {
	134	properties: {
	135	kdf: {
	136	type: Kdf,
	137	optional: true,
	138	},
	139	path: {
	140	description:
	141	"Output file. Without this the key will become the new default encryption key.",
	142	optional: true,
82a103c8 DM	143	},
	144	hint: {
	145	schema: PASSWORD_HINT_SCHEMA,
	146	optional: true,
	147	},
9696f519 WB	148	},
	149	},
	150	)]
	151	/// Create a new encryption key.
2924b37d	152	fn create(kdf: Option<Kdf>, path: Option<String>, hint: Option<String>) -> Result<(), Error> {
9696f519 WB	153	let path = match path {
9696f519 WB	154	Some(path) => PathBuf::from(path),
0eaef8eb WB	155	None => {
	156	let path = place_default_encryption_key()?;
	157	println!("creating default key at: {:?}", path);
	158	path
	159	}
9696f519 WB	160	};
	161
	162	let kdf = kdf.unwrap_or_default();
	163
9a045790 DM	164	let mut key = [0u8; 32];
9a045790 DM	165	proxmox::sys::linux::fill_with_random_data(&mut key)?;
9696f519 WB	166
	167	match kdf {
	168	Kdf::None => {
82a103c8 DM	169	if hint.is_some() {
	170	bail!("password hint not allowed for Kdf::None");
	171	}
	172
1c86893d	173	let key_config = KeyConfig::without_password(key)?;
9a045790 DM	174
9a045790 DM	175	key_config.store(path, false)?;
9696f519	176	}
5e17dbf2	177	Kdf::Scrypt \| Kdf::PBKDF2 => {
9696f519 WB	178	// always read passphrase from tty
	179	if !tty::stdin_isatty() {
	180	bail!("unable to read passphrase - no tty");
	181	}
	182
	183	let password = tty::read_and_verify_password("Encryption Key Password: ")?;
	184
9a045790	185	let mut key_config = KeyConfig::with_key(&key, &password, kdf)?;
82a103c8	186	key_config.hint = hint;
9696f519	187
9a045790	188	key_config.store(&path, false)?;
9696f519 WB	189	}
	190	}
	191
	192	Ok(())
	193	}
	194
7137630d FG	195	#[api(
	196	input: {
	197	properties: {
	198	"master-keyfile": {
	199	description: "(Private) master key to use.",
	200	},
	201	"encrypted-keyfile": {
	202	description: "RSA-encrypted keyfile to import.",
	203	},
	204	kdf: {
	205	type: Kdf,
	206	optional: true,
	207	},
	208	"path": {
	209	description:
	210	"Output file. Without this the key will become the new default encryption key.",
	211	optional: true,
82a103c8 DM	212	},
	213	hint: {
	214	schema: PASSWORD_HINT_SCHEMA,
	215	optional: true,
	216	},
7137630d FG	217	},
	218	},
	219	)]
	220	/// Import an encrypted backup of an encryption key using a (private) master key.
	221	async fn import_with_master_key(
	222	master_keyfile: String,
	223	encrypted_keyfile: String,
	224	kdf: Option<Kdf>,
	225	path: Option<String>,
82a103c8	226	hint: Option<String>,
7137630d FG	227	) -> Result<(), Error> {
	228	let path = match path {
	229	Some(path) => PathBuf::from(path),
	230	None => {
	231	let path = place_default_encryption_key()?;
	232	if path.exists() {
	233	bail!("Please remove default encryption key at {:?} before importing to default location (or choose a non-default one).", path);
	234	}
	235	println!("Importing key to default location at: {:?}", path);
	236	path
	237	}
	238	};
	239
	240	let encrypted_key = file_get_contents(&encrypted_keyfile)?;
	241	let master_key = file_get_contents(&master_keyfile)?;
	242	let password = tty::read_password("Master Key Password: ")?;
	243
2924b37d	244	let master_key = openssl::pkey::PKey::private_key_from_pem_passphrase(&master_key, &password)
7137630d FG	245	.map_err(\|err\| format_err!("failed to read PEM-formatted private key - {}", err))?
	246	.rsa()
	247	.map_err(\|err\| format_err!("not a valid private RSA key - {}", err))?;
	248
1c86893d	249	let (key, created, _fingerprint) =
7137630d FG	250	rsa_decrypt_key_config(master_key, &encrypted_key, &get_encryption_key_password)?;
	251
	252	let kdf = kdf.unwrap_or_default();
	253	match kdf {
	254	Kdf::None => {
82a103c8 DM	255	if hint.is_some() {
	256	bail!("password hint not allowed for Kdf::None");
	257	}
	258
1c86893d	259	let mut key_config = KeyConfig::without_password(key)?;
9a045790	260	key_config.created = created; // keep original value
9a045790 DM	261
9a045790 DM	262	key_config.store(path, true)?;
7137630d FG	263	}
	264	Kdf::Scrypt \| Kdf::PBKDF2 => {
	265	let password = tty::read_and_verify_password("New Password: ")?;
	266
9a045790	267	let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
7137630d	268	new_key_config.created = created; // keep original value
82a103c8	269	new_key_config.hint = hint;
7137630d	270
9a045790	271	new_key_config.store(path, true)?;
7137630d FG	272	}
	273	}
	274
	275	Ok(())
	276	}
	277
9696f519 WB	278	#[api(
	279	input: {
	280	properties: {
	281	kdf: {
	282	type: Kdf,
	283	optional: true,
	284	},
	285	path: {
	286	description: "Key file. Without this the default key's password will be changed.",
	287	optional: true,
82a103c8 DM	288	},
	289	hint: {
	290	schema: PASSWORD_HINT_SCHEMA,
	291	optional: true,
	292	},
9696f519 WB	293	},
	294	},
	295	)]
	296	/// Change the encryption key's password.
82a103c8 DM	297	fn change_passphrase(
	298	kdf: Option<Kdf>,
	299	path: Option<String>,
	300	hint: Option<String>,
	301	) -> Result<(), Error> {
9696f519 WB	302	let path = match path {
9696f519 WB	303	Some(path) => PathBuf::from(path),
0eaef8eb	304	None => {
2924b37d FG	305	let path = find_default_encryption_key()?.ok_or_else(\|\| {
	306	format_err!("no encryption file provided and no default file found")
	307	})?;
0eaef8eb WB	308	println!("updating default key at: {:?}", path);
	309	path
	310	}
9696f519 WB	311	};
	312
	313	let kdf = kdf.unwrap_or_default();
	314
	315	if !tty::stdin_isatty() {
	316	bail!("unable to change passphrase - no tty");
	317	}
	318
9a045790	319	let key_config = KeyConfig::load(&path)?;
1c86893d	320	let (key, created, _fingerprint) = key_config.decrypt(&get_encryption_key_password)?;
9696f519 WB	321
	322	match kdf {
	323	Kdf::None => {
82a103c8 DM	324	if hint.is_some() {
	325	bail!("password hint not allowed for Kdf::None");
	326	}
	327
1c86893d	328	let mut key_config = KeyConfig::without_password(key)?;
2924b37d	329	key_config.created = created; // keep original value
9a045790 DM	330
9a045790 DM	331	key_config.store(&path, true)?;
9696f519	332	}
5e17dbf2	333	Kdf::Scrypt \| Kdf::PBKDF2 => {
9696f519 WB	334	let password = tty::read_and_verify_password("New Password: ")?;
9696f519 WB	335
9a045790	336	let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
9696f519	337	new_key_config.created = created; // keep original value
82a103c8	338	new_key_config.hint = hint;
9a045790 DM	339
9a045790 DM	340	new_key_config.store(&path, true)?;
9696f519 WB	341	}
	342	}
	343
	344	Ok(())
	345	}
	346
dfb04575 FG	347	#[api(
	348	input: {
	349	properties: {
	350	path: {
	351	description: "Key file. Without this the default key's metadata will be shown.",
	352	optional: true,
	353	},
	354	"output-format": {
	355	schema: OUTPUT_FORMAT,
	356	optional: true,
	357	},
	358	},
	359	},
	360	)]
	361	/// Print the encryption key's metadata.
4d104cd4	362	fn show_key(path: Option<String>, param: Value) -> Result<(), Error> {
dfb04575 FG	363	let path = match path {
dfb04575 FG	364	Some(path) => PathBuf::from(path),
4d104cd4 FG	365	None => find_default_encryption_key()?
4d104cd4 FG	366	.ok_or_else(\|\| format_err!("no encryption file provided and no default file found"))?,
dfb04575 FG	367	};
dfb04575 FG	368
dfb04575 FG	369	let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?;
dfb04575 FG	370
5e17dbf2 DM	371	let output_format = get_output_format(&param);
5e17dbf2 DM	372
69b8bc3b DM	373	let mut info: KeyInfo = (&config).into();
69b8bc3b DM	374	info.path = Some(format!("{:?}", path));
5e17dbf2 DM	375
	376	let options = proxmox::api::cli::default_table_format_options()
	377	.column(ColumnConfig::new("path"))
	378	.column(ColumnConfig::new("kdf"))
	379	.column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
	380	.column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
82a103c8 DM	381	.column(ColumnConfig::new("fingerprint"))
82a103c8 DM	382	.column(ColumnConfig::new("hint"));
5e17dbf2	383
b2362a12	384	let return_type = ReturnType::new(false, &KeyInfo::API_SCHEMA);
5e17dbf2	385
b2362a12 WB	386	format_and_print_result_full(
	387	&mut serde_json::to_value(info)?,
	388	&return_type,
	389	&output_format,
	390	&options,
	391	);
dfb04575 FG	392
	393	Ok(())
	394	}
	395
9696f519 WB	396	#[api(
	397	input: {
	398	properties: {
	399	path: {
	400	description: "Path to the PEM formatted RSA public key.",
	401	},
	402	},
	403	},
	404	)]
	405	/// Import an RSA public key used to put an encrypted version of the symmetric backup encryption
	406	/// key onto the backup server along with each backup.
05f17d1e FG	407	///
	408	/// The imported key will be used as default master key for future invocations by the same local
	409	/// user.
9696f519 WB	410	fn import_master_pubkey(path: String) -> Result<(), Error> {
	411	let pem_data = file_get_contents(&path)?;
	412
42c0f784 FG	413	match openssl::pkey::PKey::public_key_from_pem(&pem_data) {
	414	Ok(key) => {
	415	let info = RsaPubKeyInfo::try_from(key.rsa()?)?;
	416	println!("Found following key at {:?}", path);
	417	println!("Modulus: {}", info.modulus);
	418	println!("Exponent: {}", info.exponent);
	419	println!("Length: {}", info.length);
2924b37d	420	}
42c0f784 FG	421	Err(err) => bail!("Unable to decode PEM data - {}", err),
42c0f784 FG	422	};
9696f519	423
05f17d1e	424	let target_path = place_default_master_pubkey()?;
9696f519 WB	425
	426	replace_file(&target_path, &pem_data, CreateOptions::new())?;
	427
	428	println!("Imported public master key to {:?}", target_path);
	429
	430	Ok(())
	431	}
	432
	433	#[api]
	434	/// Create an RSA public/private key pair used to put an encrypted version of the symmetric backup
	435	/// encryption key onto the backup server along with each backup.
	436	fn create_master_key() -> Result<(), Error> {
	437	// we need a TTY to query the new password
	438	if !tty::stdin_isatty() {
	439	bail!("unable to create master key - no tty");
	440	}
	441
42c0f784 FG	442	let bits = 4096;
	443	println!("Generating {}-bit RSA key..", bits);
	444	let rsa = openssl::rsa::Rsa::generate(bits)?;
2924b37d FG	445	let public =
2924b37d FG	446	openssl::rsa::Rsa::from_public_components(rsa.n().to_owned()?, rsa.e().to_owned()?)?;
42c0f784 FG	447	let info = RsaPubKeyInfo::try_from(public)?;
	448	println!("Modulus: {}", info.modulus);
	449	println!("Exponent: {}", info.exponent);
	450	println!();
	451
9696f519 WB	452	let pkey = openssl::pkey::PKey::from_rsa(rsa)?;
	453
	454	let password = String::from_utf8(tty::read_and_verify_password("Master Key Password: ")?)?;
	455
	456	let pub_key: Vec<u8> = pkey.public_key_to_pem()?;
	457	let filename_pub = "master-public.pem";
	458	println!("Writing public master key to {}", filename_pub);
	459	replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?;
	460
	461	let cipher = openssl::symm::Cipher::aes_256_cbc();
2924b37d FG	462	let priv_key: Vec<u8> =
2924b37d FG	463	pkey.private_key_to_pem_pkcs8_passphrase(cipher, password.as_bytes())?;
9696f519 WB	464
	465	let filename_priv = "master-private.pem";
	466	println!("Writing private master key to {}", filename_priv);
	467	replace_file(filename_priv, priv_key.as_slice(), CreateOptions::new())?;
	468
	469	Ok(())
	470	}
	471
42c0f784 FG	472	#[api(
	473	input: {
	474	properties: {
	475	path: {
	476	description: "Path to the PEM formatted RSA public key. Default location will be used if not specified.",
	477	optional: true,
	478	},
	479	"output-format": {
	480	schema: OUTPUT_FORMAT,
	481	optional: true,
	482	},
	483	},
	484	},
	485	)]
	486	/// List information about master key
	487	fn show_master_pubkey(path: Option<String>, param: Value) -> Result<(), Error> {
	488	let path = match path {
	489	Some(path) => PathBuf::from(path),
	490	None => find_default_master_pubkey()?
	491	.ok_or_else(\|\| format_err!("No path specified and no default master key available."))?,
	492	};
	493
	494	let path = path.canonicalize()?;
	495
	496	let output_format = get_output_format(&param);
	497
	498	let pem_data = file_get_contents(path.clone())?;
	499	let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
	500
	501	let mut info = RsaPubKeyInfo::try_from(rsa)?;
	502	info.path = Some(path.display().to_string());
	503
	504	let options = proxmox::api::cli::default_table_format_options()
	505	.column(ColumnConfig::new("path"))
	506	.column(ColumnConfig::new("modulus"))
	507	.column(ColumnConfig::new("exponent"))
	508	.column(ColumnConfig::new("length"));
	509
	510	let return_type = ReturnType::new(false, &RsaPubKeyInfo::API_SCHEMA);
	511
	512	format_and_print_result_full(
	513	&mut serde_json::to_value(info)?,
	514	&return_type,
	515	&output_format,
	516	&options,
	517	);
	518
	519	Ok(())
	520	}
	521
82a0cd2a DM	522	#[api(
	523	input: {
	524	properties: {
	525	path: {
	526	description: "Key file. Without this the default key's will be used.",
	527	optional: true,
	528	},
	529	subject: {
d1d74c43	530	description: "Include the specified subject as title text.",
82a0cd2a DM	531	optional: true,
82a0cd2a DM	532	},
ef1b4363 DM	533	"output-format": {
ef1b4363 DM	534	type: PaperkeyFormat,
ef1b4363 DM	535	optional: true,
ef1b4363 DM	536	},
82a0cd2a DM	537	},
	538	},
	539	)]
	540	/// Generate a printable, human readable text file containing the encryption key.
	541	///
	542	/// This also includes a scanable QR code for fast key restore.
ef1b4363 DM	543	fn paper_key(
	544	path: Option<String>,
	545	subject: Option<String>,
	546	output_format: Option<PaperkeyFormat>,
	547	) -> Result<(), Error> {
82a0cd2a DM	548	let path = match path {
82a0cd2a DM	549	Some(path) => PathBuf::from(path),
4d104cd4 FG	550	None => find_default_encryption_key()?
4d104cd4 FG	551	.ok_or_else(\|\| format_err!("no encryption file provided and no default file found"))?,
82a0cd2a DM	552	};
	553
	554	let data = file_get_contents(&path)?;
f1e29041 FG	555	let data = String::from_utf8(data)?;
f1e29041 FG	556
639a6782	557	generate_paper_key(std::io::stdout(), &data, subject, output_format)
ef1b4363 DM	558	}
	559
	560	pub fn cli() -> CliCommandMap {
	561	let key_create_cmd_def = CliCommand::new(&API_METHOD_CREATE)
	562	.arg_param(&["path"])
	563	.completion_cb("path", tools::complete_file_name);
	564
7137630d FG	565	let key_import_with_master_key_cmd_def = CliCommand::new(&API_METHOD_IMPORT_WITH_MASTER_KEY)
	566	.arg_param(&["master-keyfile"])
	567	.completion_cb("master-keyfile", tools::complete_file_name)
	568	.arg_param(&["encrypted-keyfile"])
	569	.completion_cb("encrypted-keyfile", tools::complete_file_name)
	570	.arg_param(&["path"])
	571	.completion_cb("path", tools::complete_file_name);
	572
ef1b4363 DM	573	let key_change_passphrase_cmd_def = CliCommand::new(&API_METHOD_CHANGE_PASSPHRASE)
	574	.arg_param(&["path"])
	575	.completion_cb("path", tools::complete_file_name);
	576
	577	let key_create_master_key_cmd_def = CliCommand::new(&API_METHOD_CREATE_MASTER_KEY);
	578	let key_import_master_pubkey_cmd_def = CliCommand::new(&API_METHOD_IMPORT_MASTER_PUBKEY)
	579	.arg_param(&["path"])
	580	.completion_cb("path", tools::complete_file_name);
42c0f784 FG	581	let key_show_master_pubkey_cmd_def = CliCommand::new(&API_METHOD_SHOW_MASTER_PUBKEY)
	582	.arg_param(&["path"])
	583	.completion_cb("path", tools::complete_file_name);
ef1b4363	584
dfb04575 FG	585	let key_show_cmd_def = CliCommand::new(&API_METHOD_SHOW_KEY)
	586	.arg_param(&["path"])
	587	.completion_cb("path", tools::complete_file_name);
	588
ef1b4363 DM	589	let paper_key_cmd_def = CliCommand::new(&API_METHOD_PAPER_KEY)
	590	.arg_param(&["path"])
	591	.completion_cb("path", tools::complete_file_name);
	592
	593	CliCommandMap::new()
	594	.insert("create", key_create_cmd_def)
7137630d	595	.insert("import-with-master-key", key_import_with_master_key_cmd_def)
ef1b4363 DM	596	.insert("create-master-key", key_create_master_key_cmd_def)
	597	.insert("import-master-pubkey", key_import_master_pubkey_cmd_def)
	598	.insert("change-passphrase", key_change_passphrase_cmd_def)
dfb04575	599	.insert("show", key_show_cmd_def)
42c0f784	600	.insert("show-master-pubkey", key_show_master_pubkey_cmd_def)
fdc00811	601	.insert("paperkey", paper_key_cmd_def)
ef1b4363	602	}