config::{
tape_encryption_keys::{
TAPE_KEYS_LOCKFILE,
- generate_tape_encryption_key,
load_keys,
load_key_configs,
save_keys,
let (key, created, fingerprint) = key_config.decrypt(&|| Ok(password.as_bytes().to_vec()))?;
let mut new_key_config = KeyConfig::with_key(&key, new_password.as_bytes(), kdf)?;
new_key_config.created = created; // keep original value
- new_key_config.fingerprint = Some(fingerprint.clone());
new_key_config.hint = Some(hint);
config_map.insert(fingerprint, new_key_config);
bail!("Please specify a key derivation funktion (none is not allowed here).");
}
- let (key, mut key_config) = generate_tape_encryption_key(password.as_bytes(), kdf)?;
+ let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?;
key_config.hint = Some(hint);
let fingerprint = key_config.fingerprint.clone().unwrap();
}
/// Creates a new, unencrypted key.
- pub fn without_password(raw_key: [u8; 32]) -> Self {
+ pub fn without_password(raw_key: [u8; 32]) -> Result<Self, Error> {
+ // always compute fingerprint
+ let crypt_config = CryptConfig::new(raw_key.clone())?;
+ let fingerprint = Some(crypt_config.fingerprint());
+
let created = proxmox::tools::time::epoch_i64();
- Self {
+ Ok(Self {
kdf: None,
created,
modified: created,
data: raw_key.to_vec(),
- fingerprint: None,
+ fingerprint,
hint: None,
- }
+ })
}
/// Creates a new instance, protect raw_key with passphrase.
pub fn with_key(
- raw_key: &[u8],
+ raw_key: &[u8; 32],
passphrase: &[u8],
kdf: Kdf,
) -> Result<Self, Error> {
&derived_key,
Some(&iv),
b"",
- &raw_key,
+ raw_key,
&mut tag,
)?;
let created = proxmox::tools::time::epoch_i64();
+ // always compute fingerprint
+ let crypt_config = CryptConfig::new(raw_key.clone())?;
+ let fingerprint = Some(crypt_config.fingerprint());
+
Ok(Self {
kdf: Some(kdf),
created,
modified: created,
data: enc_data,
- fingerprint: None,
+ fingerprint,
hint: None,
})
}
let pem_data = file_get_contents(path)?;
let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
- let mut key_config = KeyConfig::without_password(key);
+ let mut key_config = KeyConfig::without_password(key)?;
key_config.created = created; // keep original value
- key_config.fingerprint = Some(fingerprint);
let enc_key = rsa_encrypt_key_config(rsa, &key_config)?;
println!("Master key '{:?}'", path);
},
backup::{
rsa_decrypt_key_config,
- CryptConfig,
KeyConfig,
},
tools,
let mut key = [0u8; 32];
proxmox::sys::linux::fill_with_random_data(&mut key)?;
- let crypt_config = CryptConfig::new(key.clone())?;
match kdf {
Kdf::None => {
bail!("password hint not allowed for Kdf::None");
}
- let mut key_config = KeyConfig::without_password(key);
- key_config.fingerprint = Some(crypt_config.fingerprint());
+ let key_config = KeyConfig::without_password(key)?;
key_config.store(path, false)?;
}
let password = tty::read_and_verify_password("Encryption Key Password: ")?;
let mut key_config = KeyConfig::with_key(&key, &password, kdf)?;
- key_config.fingerprint = Some(crypt_config.fingerprint());
key_config.hint = hint;
key_config.store(&path, false)?;
.rsa()
.map_err(|err| format_err!("not a valid private RSA key - {}", err))?;
- let (key, created, fingerprint) =
+ let (key, created, _fingerprint) =
rsa_decrypt_key_config(master_key, &encrypted_key, &get_encryption_key_password)?;
let kdf = kdf.unwrap_or_default();
bail!("password hint not allowed for Kdf::None");
}
- let mut key_config = KeyConfig::without_password(key);
+ let mut key_config = KeyConfig::without_password(key)?;
key_config.created = created; // keep original value
- key_config.fingerprint = Some(fingerprint);
key_config.store(path, true)?;
let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
new_key_config.created = created; // keep original value
- new_key_config.fingerprint = Some(fingerprint);
new_key_config.hint = hint;
new_key_config.store(path, true)?;
}
let key_config = KeyConfig::load(&path)?;
- let (key, created, fingerprint) = key_config.decrypt(&get_encryption_key_password)?;
+ let (key, created, _fingerprint) = key_config.decrypt(&get_encryption_key_password)?;
match kdf {
Kdf::None => {
bail!("password hint not allowed for Kdf::None");
}
- let mut key_config = KeyConfig::without_password(key);
+ let mut key_config = KeyConfig::without_password(key)?;
key_config.created = created; // keep original value
- key_config.fingerprint = Some(fingerprint);
key_config.store(&path, true)?;
}
let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
new_key_config.created = created; // keep original value
- new_key_config.fingerprint = Some(fingerprint);
new_key_config.hint = hint;
new_key_config.store(&path, true)?;
};
use crate::{
- api2::types::Kdf,
backup::{
Fingerprint,
KeyConfig,
- CryptConfig,
},
};
pub key: [u8; 32],
}
-pub fn compute_tape_key_fingerprint(key: &[u8; 32]) -> Result<Fingerprint, Error> {
- let crypt_config = CryptConfig::new(*key)?;
- Ok(crypt_config.fingerprint())
-}
-
-pub fn generate_tape_encryption_key(password: &[u8], kdf: Kdf) -> Result<([u8; 32], KeyConfig), Error> {
- let (key, mut key_config) = KeyConfig::new(password, kdf)?;
- key_config.fingerprint = Some(compute_tape_key_fingerprint(&key)?);
- Ok((key, key_config))
-}
-
impl EncryptionKeyInfo {
pub fn new(key: [u8; 32], fingerprint: Fingerprint) -> Self {
Self { fingerprint, key }
let mut map = HashMap::new();
for item in key_list {
- let expected_fingerprint = compute_tape_key_fingerprint(&item.key)?;
+ let key_config = KeyConfig::without_password(item.key)?; // to compute fingerprint
+ let expected_fingerprint = key_config.fingerprint.unwrap();
if item.fingerprint != expected_fingerprint {
bail!(
"inconsistent fingerprint ({} != {})",