[pbs-devel] [PATCH proxmox-backup 5/7] add key fingerprint to manifest

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 17 18:57:23 CET 2020 

if the manifest is signed/the contained archives/blobs are encrypted.
stored in 'unprotected' area, since there is already a strong binding
between key and manifest via the signature, and this avoids breaking
backwards compatibility for a simple usability improvement.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 src/backup/manifest.rs | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/backup/manifest.rs b/src/backup/manifest.rs
index 51980a07..5922144d 100644
--- a/src/backup/manifest.rs
+++ b/src/backup/manifest.rs
@@ -223,12 +223,40 @@ impl BackupManifest {
         if let Some(crypt_config) = crypt_config {
             let sig = self.signature(crypt_config)?;
             manifest["signature"] = proxmox::tools::digest_to_hex(&sig).into();
+            let fingerprint = crate::tools::format::as_fingerprint(&crypt_config.fingerprint());
+            manifest["unprotected"]["key-fingerprint"] = fingerprint.into();
         }
 
         let manifest = serde_json::to_string_pretty(&manifest).unwrap().into();
         Ok(manifest)
     }
 
+    fn check_fingerprint_value(value: &Value, crypt_config: &CryptConfig) -> Result<(), Error> {
+        let config_fp = crate::tools::format::as_fingerprint(&crypt_config.fingerprint());
+        if *value == config_fp {
+            Ok(())
+        } else {
+            bail!("wrong key - manifest fingerprint {} does not match key fingerprint '{}'",
+                  value,
+                  config_fp)
+        }
+    }
+
+    /// Checks if a BackupManifest and a CryptConfig share a valid fingerprint combination.
+    ///
+    /// An unsigned manifest is valid with any or no CryptConfig.
+    /// A signed manifest is only valid with a matching CryptConfig.
+    pub fn check_fingerprint(&self, crypt_config: Option<&CryptConfig>) -> Result<(), Error> {
+        match (&self.unprotected["key-fingerprint"], crypt_config) {
+            (Value::Null, _) => Ok(()),
+            (manifest_fp, None) => bail!("missing key - manifest was created with key {}",
+                                         manifest_fp),
+            (manifest_fp, Some(crypt_config)) => {
+                BackupManifest::check_fingerprint_value(manifest_fp, crypt_config)
+            },
+        }
+    }
+
     /// Try to read the manifest. This verifies the signature if there is a crypt_config.
     pub fn from_data(data: &[u8], crypt_config: Option<&CryptConfig>) -> Result<BackupManifest, Error> {
         let json: Value = serde_json::from_slice(data)?;
-- 
2.20.1

More information about the pbs-devel mailing list