From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 862206107F for ; Tue, 8 Feb 2022 12:52:27 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7C0EF2E0CC for ; Tue, 8 Feb 2022 12:52:27 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id BD5782E0C3 for ; Tue, 8 Feb 2022 12:52:26 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 8EFD3424A0 for ; Tue, 8 Feb 2022 12:52:26 +0100 (CET) From: Markus Frank To: pbs-devel@lists.proxmox.com Date: Tue, 8 Feb 2022 12:51:19 +0100 Message-Id: <20220208115119.74931-1-m.frank@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.003 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pbs-devel] [PATCH proxmox-backup] fix #3854 paperkey import to proxmox-tape X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Feb 2022 11:52:27 -0000 added a parameter to the cli for reading a old paperkeyfile to restore the key from it. For that i added a json parameter for the api and made hint optional because hint is already in the proxmox-backupkey-json. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key create --paperkeyfile paperkey.backup for importing the key it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank --- src/api2/config/tape_encryption_keys.rs | 41 +++++++++++++++++++------ src/bin/proxmox_tape/encryption_key.rs | 28 +++++++++++++++++ 2 files changed, 60 insertions(+), 9 deletions(-) diff --git a/src/api2/config/tape_encryption_keys.rs b/src/api2/config/tape_encryption_keys.rs index 1ad99377..23de4acc 100644 --- a/src/api2/config/tape_encryption_keys.rs +++ b/src/api2/config/tape_encryption_keys.rs @@ -145,6 +145,12 @@ pub fn change_passphrase( }, hint: { schema: PASSWORD_HINT_SCHEMA, + optional: true, + }, + backupkey: { + description: "json parameter for importing old backupkey", + type: String, + optional: true, }, }, }, @@ -159,7 +165,8 @@ pub fn change_passphrase( pub fn create_key( kdf: Option, password: String, - hint: String, + hint: Option, + backupkey: Option, _rpcenv: &mut dyn RpcEnvironment ) -> Result { @@ -169,14 +176,30 @@ pub fn create_key( bail!("Please specify a key derivation function (none is not allowed here)."); } - let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?; - key_config.hint = Some(hint); - - let fingerprint = key_config.fingerprint.clone().unwrap(); - - insert_key(key, key_config, false)?; - - Ok(fingerprint) + if let Some(ref backupkey) = backupkey { + match serde_json::from_str::(backupkey) { + Ok(key_config) => { + let password_fn = || { Ok(password.as_bytes().to_vec()) }; + let (key, _created, fingerprint) = key_config.decrypt(&password_fn)?; + insert_key(key, key_config, false)?; + Ok(fingerprint) + } + Err(err) => { + eprintln!("Couldn't parse data as KeyConfig - {}", err); + bail!("Neither a PEM-formatted private key, nor a PBS key file."); + } + } + } else { + if hint.is_none() { + bail!("Please specify either a hint or a backupkey."); + } else { + let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?; + key_config.hint = hint; + let fingerprint = key_config.fingerprint.clone().unwrap(); + insert_key(key, key_config, false)?; + Ok(fingerprint) + } + } } diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs index 156295fd..1863c9bc 100644 --- a/src/bin/proxmox_tape/encryption_key.rs +++ b/src/bin/proxmox_tape/encryption_key.rs @@ -15,6 +15,8 @@ use pbs_config::tape_encryption_keys::{load_key_configs,complete_key_fingerprint use proxmox_backup::api2; +use std::fs; + pub fn encryption_key_commands() -> CommandLineInterface { let cmd_def = CliCommandMap::new() @@ -222,6 +224,12 @@ async fn restore_key( type: String, min_length: 1, max_length: 32, + optional: true, + }, + paperkeyfile: { + description: "Paperkeyfile location for importing old backupkey", + type: String, + optional: true, }, }, }, @@ -230,12 +238,32 @@ async fn restore_key( fn create_key( mut param: Value, rpcenv: &mut dyn RpcEnvironment, + paperkeyfile: Option, ) -> Result<(), Error> { if !tty::stdin_isatty() { bail!("no password input mechanism available"); } + if param["hint"].is_null() && paperkeyfile.is_none(){ + bail!("Please specify either a hint or a paperkeyfile."); + } + + // searching for PROXMOX BACKUP KEY if a paperkeyfile is defined + if let Some(paperkeyfile) = paperkeyfile { + let data = fs::read_to_string(paperkeyfile)?; + let begin = "-----BEGIN PROXMOX BACKUP KEY-----"; + let start = data.find(begin); + let end = data.find("-----END PROXMOX BACKUP KEY-----"); + if let Some(start) = start { + if let Some(end) = end { + let backupkey = &data[start+begin.len()..end]; + param["backupkey"]=backupkey.into(); + println!("backupkey to import: {}", backupkey); + } + } + } + let password = tty::read_and_verify_password("Tape Encryption Key Password: ")?; param["password"] = String::from_utf8(password)?.into(); -- 2.30.2