From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8C437623EA for ; Fri, 11 Feb 2022 13:28:20 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 83041290E5 for ; Fri, 11 Feb 2022 13:28:20 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 96DA6290DB for ; Fri, 11 Feb 2022 13:28:19 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 67E2C46DE9 for ; Fri, 11 Feb 2022 13:28:13 +0100 (CET) From: Markus Frank To: pbs-devel@lists.proxmox.com Date: Fri, 11 Feb 2022 13:27:55 +0100 Message-Id: <20220211122755.85926-1-m.frank@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.002 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pbs-devel] [PATCH proxmox-backup v2] fix #3854 paperkey import to proxmox-tape X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Feb 2022 12:28:20 -0000 added a parameter to the cli for reading a old paperkeyfile to restore the key from it. For that i added a json parameter for the api and made hint optional because hint is already in the proxmox-backupkey-json. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key create --paperkey_file paperkey.backup for importing the key it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank --- version 2: * added format_err! and ParameterError * changed a few "ifs" to "match" src/api2/config/tape_encryption_keys.rs | 48 +++++++++++++++++++------ src/bin/proxmox_tape/encryption_key.rs | 42 ++++++++++++++++++++-- 2 files changed, 77 insertions(+), 13 deletions(-) diff --git a/src/api2/config/tape_encryption_keys.rs b/src/api2/config/tape_encryption_keys.rs index 1ad99377..c16919d2 100644 --- a/src/api2/config/tape_encryption_keys.rs +++ b/src/api2/config/tape_encryption_keys.rs @@ -1,9 +1,9 @@ -use anyhow::{bail, Error}; +use anyhow::{bail, format_err, Error}; use serde_json::Value; use hex::FromHex; use proxmox_router::{ApiMethod, Router, RpcEnvironment, Permission}; -use proxmox_schema::api; +use proxmox_schema::{api, ParameterError}; use pbs_api_types::{ Fingerprint, KeyInfo, Kdf, @@ -145,6 +145,14 @@ pub fn change_passphrase( }, hint: { schema: PASSWORD_HINT_SCHEMA, + optional: true, + }, + backupkey: { + description: "A previously exported paperkey in JSON format.", + type: String, + min_length: 300, + max_length: 600, + optional: true, }, }, }, @@ -159,7 +167,8 @@ pub fn change_passphrase( pub fn create_key( kdf: Option, password: String, - hint: String, + hint: Option, + backupkey: Option, _rpcenv: &mut dyn RpcEnvironment ) -> Result { @@ -169,14 +178,31 @@ pub fn create_key( bail!("Please specify a key derivation function (none is not allowed here)."); } - let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?; - key_config.hint = Some(hint); - - let fingerprint = key_config.fingerprint.clone().unwrap(); - - insert_key(key, key_config, false)?; - - Ok(fingerprint) + match (hint, backupkey) { + (_, Some(backupkey)) => { + let key_config: KeyConfig = + serde_json::from_str(&backupkey).map_err(|err| format_err!(": {}", err))?; + let password_fn = || Ok(password.as_bytes().to_vec()); + let (key, _created, fingerprint) = key_config.decrypt(&password_fn)?; + insert_key(key, key_config, false)?; + Ok(fingerprint) + } + (Some(hint), _) => { + let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?; + key_config.hint = Some(hint); + let fingerprint = key_config.fingerprint.clone().unwrap(); + insert_key(key, key_config, false)?; + Ok(fingerprint) + } + (None, None) => { + let mut err = ParameterError::new(); + err.push( + "hint".to_string(), + format_err!("Please specify either a hint or a backupkey"), + ); + return Err(err.into()); + } + } } diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs index 156295fd..af47fef9 100644 --- a/src/bin/proxmox_tape/encryption_key.rs +++ b/src/bin/proxmox_tape/encryption_key.rs @@ -1,8 +1,8 @@ -use anyhow::{bail, Error}; +use anyhow::{bail, format_err, Error}; use serde_json::Value; use proxmox_router::{cli::*, ApiHandler, RpcEnvironment}; -use proxmox_schema::api; +use proxmox_schema::{api, ParameterError}; use proxmox_sys::linux::tty; use pbs_api_types::{ @@ -222,6 +222,12 @@ async fn restore_key( type: String, min_length: 1, max_length: 32, + optional: true, + }, + paperkey_file: { + description: "Paperkeyfile location for importing old backupkey", + type: String, + optional: true, }, }, }, @@ -230,12 +236,44 @@ async fn restore_key( fn create_key( mut param: Value, rpcenv: &mut dyn RpcEnvironment, + paperkey_file: Option, ) -> Result<(), Error> { if !tty::stdin_isatty() { bail!("no password input mechanism available"); } + if param["hint"].is_null() && paperkey_file.is_none() { + let mut err = ParameterError::new(); + err.push( + "hint".to_string(), + format_err!("Please specify either a hint or a paperkey_file"), + ); + return Err(err.into()); + } + + // searching for PROXMOX BACKUP KEY if a paperkeyfile is defined + if let Some(paperkey_file) = paperkey_file { + let data = proxmox_sys::fs::file_read_string(paperkey_file)?; + let begin = "-----BEGIN PROXMOX BACKUP KEY-----"; + let start = data.find(begin); + let end = data.find("-----END PROXMOX BACKUP KEY-----"); + match (start, end) { + (Some(start), Some(end)) => { + if start < end { + let backupkey = &data[start + begin.len()..end]; + param["backupkey"] = backupkey.into(); + println!("backupkey to import: {}", backupkey); + } else { + bail!("paperkey-file is incorrect: End-Marker of backupkey is before Begin-Marker"); + } + } + (_, _) => { + bail!("Begin/End-Marker of backupkey in paperkey-file is missing"); + } + } + } + let password = tty::read_and_verify_password("Tape Encryption Key Password: ")?; param["password"] = String::from_utf8(password)?.into(); -- 2.30.2