Feature #13323: Use ciphertext to store and retrive password

2025-12-10 07:44:39 +01:00 · 2024-03-21 12:27:24 +00:00 · 2024-03-21 12:27:24 +00:00 · ae765a8f8f
commit ae765a8f8f
parent de0c8c93b0
3 changed files with 79 additions and 0 deletions
--- a/gitlab-ci/shared.sh
+++ b/gitlab-ci/shared.sh
@ -68,6 +68,7 @@ function install_libbbf()
 	echo "installing libbbf"
 	exec_cmd_verbose make install
 	ln -sf /usr/share/bbfdm/bbf.diag /usr/libexec/rpcd/bbf.diag
+	echo "371d530c95a17d1ca223a29b7a6cdc97e1135c1e0959b51106cca91a0b148b5e42742d372a359760742803f2a44bd88fca67ccdcfaeed26d02ce3b6049cb1e04" > /etc/bbfdm/.secure_hash
 	cd ..
 }

--- a/libbbfdm-api/CMakeLists.txt
+++ b/libbbfdm-api/CMakeLists.txt
@ -33,3 +33,8 @@ FILE(GLOB libbbfdm-api_include_headers include/*.h)
 INSTALL(FILES ${libbbfdm-api_include_headers}
 	DESTINATION usr/include
 )
+
+INSTALL(FILES scripts/bbf.secure
+	PERMISSIONS OWNER_EXECUTE
+	DESTINATION usr/libexec/rpcd
+)
--- a/libbbfdm-api/scripts/bbf.secure
+++ b/libbbfdm-api/scripts/bbf.secure
@ -0,0 +1,73 @@
+#!/bin/sh
+
+. /usr/share/libubox/jshn.sh
+
+# Path to the private key certificate
+PRIVATE_KEY_CERT="/etc/bbfdm/certificates/private_key.pem"
+
+case "$1" in
+	list)
+
+		echo '{ "encode" : { "data": "str" }, "decode" : { "data": "str" } }'
+	;;
+	call)
+		# Read the arguments from standard input
+		read -r input
+
+		# Parse the input JSON
+		json_load "${input}"
+
+		# Get the 'data' value from the input JSON
+		json_get_var data data
+		
+		# Check if 'data' is provided
+		if [ -z "${data}" ]; then
+			echo '{ "error": "Data should be defined !!!" }'
+			return
+		fi
+
+		# Check if private key exists
+		if [ -f "${PRIVATE_KEY_CERT}" ]; then
+			case "$2" in
+				encode)
+					# Path to the public key certificate
+					PUBLIC_KEY_CERT="/etc/bbfdm/certificates/public_key.pem"
+					
+					# Generate public key if not exists
+					if [ ! -f "${PUBLIC_KEY_CERT}" ]; then
+						openssl rsa -pubout -in "${PRIVATE_KEY_CERT}" -out "${PUBLIC_KEY_CERT}" || {
+							 echo '{ "error": "Cannot generate public key !!!" }'
+							 return
+						}
+					fi
+					
+					res=$(echo -n "${data}" | openssl pkeyutl -encrypt -pubin -inkey "${PUBLIC_KEY_CERT}" | openssl base64)
+					echo "{ \"value\": \"${res}\" }"
+				;;
+				decode)
+					# Decrypt the data with private key
+					res=$(echo -n "${data}" | openssl base64 -d | openssl pkeyutl -decrypt -inkey "${PRIVATE_KEY_CERT}")
+					echo "{ \"value\": \"${res}\" }"
+				;;
+			esac
+		else
+			# Read the BBF_HASH from the secure hash file(/etc/bbfdm/.secure_hash)
+			BBF_HASH=$(cat /etc/bbfdm/.secure_hash)
+			if [ -z "${BBF_HASH}" ]; then
+				echo '{ "error": "bbf hash should not be blank !!!" }'
+				return
+			fi
+	
+			case "$2" in
+				encode)
+					res=$(echo "${data}" | openssl enc -base64 -e -aes-256-cbc -salt -pass pass:${BBF_HASH} -pbkdf2)
+					echo "{ \"value\": \"${res}\" }"
+				;;
+				decode)
+					res=$(echo "${data}" | openssl enc -base64 -d -aes-256-cbc -salt -pass pass:${BBF_HASH} -pbkdf2)
+					echo "{ \"value\": \"${res}\" }"
+				;;
+			esac
+		fi
+	;;
+esac