[pbs-devel] [PATCH proxmox-backup 5/7] add key fingerprint to manifest
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 17 18:57:23 CET 2020
if the manifest is signed/the contained archives/blobs are encrypted.
stored in 'unprotected' area, since there is already a strong binding
between key and manifest via the signature, and this avoids breaking
backwards compatibility for a simple usability improvement.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
src/backup/manifest.rs | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/src/backup/manifest.rs b/src/backup/manifest.rs
index 51980a07..5922144d 100644
--- a/src/backup/manifest.rs
+++ b/src/backup/manifest.rs
@@ -223,12 +223,40 @@ impl BackupManifest {
if let Some(crypt_config) = crypt_config {
let sig = self.signature(crypt_config)?;
manifest["signature"] = proxmox::tools::digest_to_hex(&sig).into();
+ let fingerprint = crate::tools::format::as_fingerprint(&crypt_config.fingerprint());
+ manifest["unprotected"]["key-fingerprint"] = fingerprint.into();
}
let manifest = serde_json::to_string_pretty(&manifest).unwrap().into();
Ok(manifest)
}
+ fn check_fingerprint_value(value: &Value, crypt_config: &CryptConfig) -> Result<(), Error> {
+ let config_fp = crate::tools::format::as_fingerprint(&crypt_config.fingerprint());
+ if *value == config_fp {
+ Ok(())
+ } else {
+ bail!("wrong key - manifest fingerprint {} does not match key fingerprint '{}'",
+ value,
+ config_fp)
+ }
+ }
+
+ /// Checks if a BackupManifest and a CryptConfig share a valid fingerprint combination.
+ ///
+ /// An unsigned manifest is valid with any or no CryptConfig.
+ /// A signed manifest is only valid with a matching CryptConfig.
+ pub fn check_fingerprint(&self, crypt_config: Option<&CryptConfig>) -> Result<(), Error> {
+ match (&self.unprotected["key-fingerprint"], crypt_config) {
+ (Value::Null, _) => Ok(()),
+ (manifest_fp, None) => bail!("missing key - manifest was created with key {}",
+ manifest_fp),
+ (manifest_fp, Some(crypt_config)) => {
+ BackupManifest::check_fingerprint_value(manifest_fp, crypt_config)
+ },
+ }
+ }
+
/// Try to read the manifest. This verifies the signature if there is a crypt_config.
pub fn from_data(data: &[u8], crypt_config: Option<&CryptConfig>) -> Result<BackupManifest, Error> {
let json: Value = serde_json::from_slice(data)?;
--
2.20.1
More information about the pbs-devel
mailing list