From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id C802591A01 for ; Thu, 15 Feb 2024 16:20:44 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A91AD1664F for ; Thu, 15 Feb 2024 16:20:14 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 15 Feb 2024 16:20:13 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 689714841D for ; Thu, 15 Feb 2024 16:20:13 +0100 (CET) From: Stefan Sterz To: pbs-devel@lists.proxmox.com Date: Thu, 15 Feb 2024 16:19:50 +0100 Message-Id: <20240215152001.269490-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240215152001.269490-1-s.sterz@proxmox.com> References: <20240215152001.269490-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.084 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [ticket.rs] Subject: [pbs-devel] [PATCH proxmox 01/12] auth-api: move signing into the private key X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Feb 2024 15:20:44 -0000 this commit moves the current ticket signing code into the private key implementation. the upside is that the caller does not need to deal with openssl's `Signer` directly. it also simplifies and unifies the code by using the same helper for verifying a signature and creating it. also derive `Clone` on `PrivateKey` and `PublicKey`. as they are essentially thin wrappers around `openssl::pkey::PKey` and `openssl::pkey::PKey`, which can be cloned, deriving `Clone` just makes them easier to use. Signed-off-by: Stefan Sterz --- proxmox-auth-api/src/auth_key.rs | 26 ++++++++++++++++---------- proxmox-auth-api/src/ticket.rs | 21 ++------------------- 2 files changed, 18 insertions(+), 29 deletions(-) diff --git a/proxmox-auth-api/src/auth_key.rs b/proxmox-auth-api/src/auth_key.rs index cec7360..32120a3 100644 --- a/proxmox-auth-api/src/auth_key.rs +++ b/proxmox-auth-api/src/auth_key.rs @@ -9,11 +9,13 @@ use openssl::rsa::Rsa; use openssl::sign::{Signer, Verifier}; /// A private auth key used for API ticket signing and verification. +#[derive(Clone)] pub struct PrivateKey { pub(crate) key: PKey, } /// A private auth key used for API ticket verification. +#[derive(Clone)] pub struct PublicKey { pub(crate) key: PKey, } @@ -88,6 +90,13 @@ impl PrivateKey { pub fn public_key(&self) -> Result { PublicKey::from_pem(&self.public_key_to_pem()?) } + + pub(self) fn sign(&self, digest: MessageDigest, data: &[u8]) -> Result, Error> { + Signer::new(digest, &self.key) + .map_err(|e| format_err!("could not create private key signer - {e}"))? + .sign_oneshot_to_vec(data) + .map_err(|e| format_err!("could not sign with private key - {e}")) + } } impl From> for PrivateKey { @@ -204,15 +213,12 @@ impl Keyring { Ok(false) } - pub(crate) fn signer(&self, digest: MessageDigest) -> Result { - Signer::new( - digest, - &self - .signing_key - .as_ref() - .ok_or_else(|| format_err!("no private key available for signing"))? - .key, - ) - .map_err(|err| format_err!("failed to create openssl signer - {err}")) + pub(crate) fn sign(&self, digest: MessageDigest, data: &[u8]) -> Result, Error> { + let key = self + .signing_key + .as_ref() + .ok_or_else(|| format_err!("no private key available for signing"))?; + + key.sign(digest, data) } } diff --git a/proxmox-auth-api/src/ticket.rs b/proxmox-auth-api/src/ticket.rs index 1737912..81054f8 100644 --- a/proxmox-auth-api/src/ticket.rs +++ b/proxmox-auth-api/src/ticket.rs @@ -116,27 +116,10 @@ where /// Sign the ticket. pub fn sign(&mut self, keyring: &Keyring, aad: Option<&str>) -> Result { let mut output = self.ticket_data(); - let mut signer = keyring.signer(MessageDigest::sha256())?; - - signer - .update(output.as_bytes()) - .map_err(Error::from) - .and_then(|()| { - if let Some(aad) = aad { - signer - .update(b":") - .and_then(|()| signer.update(aad.as_bytes())) - .map_err(Error::from) - } else { - Ok::<_, Error>(()) - } - }) + let signature = keyring + .sign(MessageDigest::sha256(), &self.verification_data(aad)) .map_err(|err| format_err!("error signing ticket: {}", err))?; - let signature = signer - .sign_to_vec() - .map_err(|err| format_err!("error finishing ticket signature: {}", err))?; - use std::fmt::Write; write!( &mut output, -- 2.39.2