[pbs-devel] [PATCH proxmox-backup 6/7] fix #3139: manifest: check fingerprint when loading with key

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 17 18:57:24 CET 2020


otherwise loading will run into the signature mismatch which is
technically true, but not the complete picture in this case.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 src/backup/manifest.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/backup/manifest.rs b/src/backup/manifest.rs
index 5922144d..eb204c96 100644
--- a/src/backup/manifest.rs
+++ b/src/backup/manifest.rs
@@ -265,6 +265,11 @@ impl BackupManifest {
         if let Some(ref crypt_config) = crypt_config {
             if let Some(signature) = signature {
                 let expected_signature = proxmox::tools::digest_to_hex(&Self::json_signature(&json, crypt_config)?);
+
+                let fingerprint = &json["unprotected"]["key-fingerprint"];
+                if fingerprint != &Value::Null {
+                    BackupManifest::check_fingerprint_value(fingerprint, crypt_config)?;
+                }
                 if signature != expected_signature {
                     bail!("wrong signature in manifest");
                 }
-- 
2.20.1






More information about the pbs-devel mailing list