From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 54B2D97D53 for ; Wed, 6 Mar 2024 13:36:22 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 254C217013 for ; Wed, 6 Mar 2024 13:36:21 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 6 Mar 2024 13:36:19 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E69FE48848 for ; Wed, 6 Mar 2024 13:36:18 +0100 (CET) From: Stefan Sterz To: pbs-devel@lists.proxmox.com Date: Wed, 6 Mar 2024 13:36:08 +0100 Message-Id: <20240306123609.164021-12-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240306123609.164021-1-s.sterz@proxmox.com> References: <20240306123609.164021-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.075 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 -
Subject: [pbs-devel] [PATCH proxmox-backup v2 11/12] auth: move to auth-api's private and public keys when loading keys
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 06 Mar 2024 12:36:22 -0000

this commit moves away from using openssl's `PKey` and uses the wrappers from proxmox-auth-api. this allows us to handle keys in a more flexible way and enables as to move to ec based crypto for the authkey in the future.

Signed-off-by: Stefan Sterz
---
 src/auth.rs | 4 ++--
 src/auth_helpers.rs | 42 +++++++++++++-----------------------------
 2 files changed, 15 insertions(+), 31 deletions(-)

diff --git a/src/auth.rs b/src/auth.rs
index 5c45c331..35ed249c 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -265,9 +265,9 @@ pub(crate) fn authenticate_user<'a>(
 }
 static PRIVATE_KEYRING: Lazy =
- Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
+ Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone()));
 static PUBLIC_KEYRING: Lazy =
- Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
+ Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone()));
 static AUTH_CONTEXT: OnceCell = OnceCell::new();
 pub fn setup_auth_context(use_private_key: bool) {
diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
index 1a483d84..bbe3001d 100644
--- a/src/auth_helpers.rs
+++ b/src/auth_helpers.rs
@@ -2,12 +2,10 @@ use std::path::PathBuf;
 use std::sync::OnceLock;
 use anyhow::Error;
-use lazy_static::lazy_static;
-use openssl::pkey::{PKey, Private, Public};
 use openssl::rsa::Rsa;
 use pbs_config::BackupLockGuard;
-use proxmox_auth_api::HMACKey;
+use proxmox_auth_api::{HMACKey, PrivateKey, PublicKey};
 use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};
 use pbs_buildcfg::configdir;
@@ -98,36 +96,22 @@ pub fn csrf_secret() -> &'static HMACKey {
 })
 }
-fn load_public_auth_key() -> Result, Error> {
- let pem = file_get_contents(configdir!("/authkey.pub"))?;
- let rsa = Rsa::public_key_from_pem(&pem)?;
- let key = PKey::from_rsa(rsa)?;
+pub fn public_auth_key() -> &'static PublicKey {
+ static KEY: OnceLock = OnceLock::new();
- Ok(key)
-}
-
-pub fn public_auth_key() -> &'static PKey {
- lazy_static! {
- static ref KEY: PKey = load_public_auth_key().unwrap();
- }
-
- &KEY
-}
-
-fn load_private_auth_key() -> Result, Error> {
- let pem = file_get_contents(configdir!("/authkey.key"))?;
- let rsa = Rsa::private_key_from_pem(&pem)?;
- let key = PKey::from_rsa(rsa)?;
-
- Ok(key)
+ KEY.get_or_init(|| {
+ let pem = file_get_contents(configdir!("/authkey.pub")).unwrap();
+ PublicKey::from_pem(&pem).unwrap()
+ })
 }
-pub fn private_auth_key() -> &'static PKey {
- lazy_static! {
- static ref KEY: PKey = load_private_auth_key().unwrap();
- }
+pub fn private_auth_key() -> &'static PrivateKey {
+ static KEY: OnceLock = OnceLock::new();
- &KEY
+ KEY.get_or_init(|| {
+ let pem = file_get_contents(configdir!("/authkey.key")).unwrap();
+ PrivateKey::from_pem(&pem).unwrap()
+ })
 }
 const LDAP_PASSWORDS_FILENAME: &str = configdir!("/ldap_passwords.json");
--
2.39.2
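Review bot: In the new `public_auth_key()` and `private_auth_key()` bodies every failure collapses into a bare `.unwrap()` inside `get_or_init`, so a missing, unreadable or malformed `authkey.pub`/`authkey.key` panics at first use with a message that does not say which file or which step (read vs. PEM parse) failed, and the removed `load_*_auth_key() -> Result` helpers were the only fallible way to load these keys. I would keep a `Result`-returning loader per key and make the panic attributable, e.g. `let pem = file_get_contents(configdir!("/authkey.pub")).expect("unable to read authkey.pub");` followed by `PublicKey::from_pem(&pem).expect("authkey.pub is not a valid PEM public key")`, mirrored for the private key. Each accessor should also carry a doc comment such as `/// Public auth key, loaded once from configdir!("/authkey.pub"); panics on first use if the file is missing or not valid PEM.` Because the statics are lazy, that panic surfaces wherever the first caller happens to be — possibly a request handler rather than startup — which was already the case with `lazy_static!`, so not a regression, but worth stating. Separately, the old code went through `Rsa::{public,private}_key_from_pem` and so rejected non-RSA keys, whereas `PublicKey::from_pem`/`PrivateKey::from_pem` presumably accept whatever proxmox-auth-api supports; if the verifying `Keyring` does not pin the algorithm it expects, a key file of an unexpected type would now be accepted silently, so that should be confirmed on the auth-api side.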