Merge pull request #2043 from greenbone/add-encryption-key-config

New options to set a new credential encryption key + Fixes for --encrypt-all-credentials
greenbone · Jul 21, 2023 · e12a123 · e12a123
2 parents 94f9c6b + 1cd8021
commit e12a123
Show file tree

Hide file tree

Showing 10 changed files with 803 additions and 103 deletions.
diff --git a/doc/gvmd.8 b/doc/gvmd.8
@@ -22,6 +22,9 @@ Check SecInfo alerts.
 \fB--client-watch-interval=\fINUMBER\fB\f1
 Check if client connection was closed every NUMBER seconds. 0 to disable. Defaults to 1 second.
 .TP
+\fB--create-encryption-key\f1
+Create a new credential encryption key, set it as the new default and exit. With no other options given, a 4096 bit RSA key is created. 
+.TP
 \fB--create-scanner=\fISCANNER\fB\f1
 Create global scanner SCANNER and exit.
 .TP
@@ -58,6 +61,12 @@ Do not restrict passwords to the policy.
 \fB--disable-scheduling\f1
 Disable task scheduling.
 .TP
+\fB--encryption-key-length=\fILENGTH\fB\f1
+Set key length to LENGTH bits when creating a new RSA credential encryption key. Defaults to 4096. 
+.TP
+\fB--encryption-key-type=\fITYPE\fB\f1
+Use the key type TYPE when creating a new credential encryption key. Currently only RSA is supported. 
+.TP
 \fB--encrypt-all-credentials\f1
 (Re-)Encrypt all credentials.
 .TP

diff --git a/doc/gvmd.8.xml b/doc/gvmd.8.xml
@@ -74,6 +74,16 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
            0 to disable. Defaults to 1 second.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--create-encryption-key</opt></p>
+      <optdesc>
+        <p>
+          Create a new credential encryption key, set it as the new default
+           and exit.
+          With no other options given, a 4096 bit RSA key is created.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--create-scanner=<arg>SCANNER</arg></opt></p>
       <optdesc>
@@ -146,6 +156,24 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
         <p>Disable task scheduling.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--encryption-key-length=<arg>LENGTH</arg></opt></p>
+      <optdesc>
+        <p>
+          Set key length to LENGTH bits when creating a new RSA
+          credential encryption key. Defaults to 4096.
+        </p>
+      </optdesc>
+    </option>
+    <option>
+      <p><opt>--encryption-key-type=<arg>TYPE</arg></opt></p>
+      <optdesc>
+        <p>
+          Use the key type TYPE when creating a new credential
+          encryption key. Currently only RSA is supported.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--encrypt-all-credentials</opt></p>
       <optdesc>

diff --git a/doc/gvmd.html b/doc/gvmd.html
@@ -57,6 +57,14 @@ <h2>Options</h2>
 
 
 
+      <p><b>--create-encryption-key</b></p>
+
+        <p>Create a new credential encryption key, set it as the new default
+           and exit. With no other options given, a 4096 bit RSA key is
+           created.</p>
+
+
+
       <p><b>--create-scanner=<em>SCANNER</em></b></p>
 
         <p>Create global scanner SCANNER and exit.</p>
@@ -117,6 +125,20 @@ <h2>Options</h2>
 
 
 
+      <p><b>--encryption-key-length=<em>LENGTH</em></b></p>
+
+        <p>Set key length to LENGTH bits when creating a new RSA credential
+        encryption key. Defaults to 4096.</p>
+
+
+
+      <p><b>--encryption-key-type=<em>TYPE</em></b></p>
+
+        <p>Use the key type TYPE when creating a new credential encryption key.
+           Currently only RSA is supported.</p>
+
+
+
       <p><b>--encrypt-all-credentials</b></p>
 
         <p>(Re-)Encrypt all credentials.</p>

diff --git a/src/gvmd.c b/src/gvmd.c
@@ -1824,12 +1824,16 @@ gvmd (int argc, char** argv, char *env[])
 
   static int auth_timeout = 15;
   static gboolean check_alerts = FALSE;
+  static gboolean create_encryption_key = FALSE;
   static gboolean migrate_database = FALSE;
   static gboolean encrypt_all_credentials = FALSE;
   static gboolean decrypt_all_credentials = FALSE;
   static gboolean disable_password_policy = FALSE;
   static gboolean disable_scheduling = FALSE;
   static gboolean dump_vt_verification = FALSE;
+  static gchar *encryption_key_type = NULL;
+  static int encryption_key_length = 0;
+  static gchar *set_encryption_key = NULL;
   static gboolean get_roles = FALSE;
   static gboolean get_users = FALSE;
   static gboolean get_scanners = FALSE;
@@ -1918,6 +1922,12 @@ gvmd (int argc, char** argv, char *env[])
           " 0 to disable. Defaults to "
           G_STRINGIFY (DEFAULT_CLIENT_WATCH_INTERVAL) " seconds.",
           "<number>" },
+        { "create-encryption-key", '\0', 0, G_OPTION_ARG_NONE,
+          &create_encryption_key,
+          "Create a new credential encryption key, set it as the new default"
+          " and exit."
+          " With no other options given, a 4096 bit RSA key is created.",
+          NULL },
         { "create-scanner", '\0', 0, G_OPTION_ARG_STRING,
           &create_scanner,
           "Create global scanner <scanner> and exit.",
@@ -1979,6 +1989,17 @@ gvmd (int argc, char** argv, char *env[])
           &dump_vt_verification,
           "Dump the string the VTs verification hash is calculated from.",
           NULL },
+        { "encryption-key-length", '\0', 0, G_OPTION_ARG_INT,
+          &encryption_key_length,
+          "Set key length to <length> bits when creating a new RSA"
+          " credential encryption key. Defaults to "
+          G_STRINGIFY (DEFAULT_ENCRYPTION_KEY_LENGTH) ".",
+          "<length>" },
+        { "encryption-key-type", '\0', 0, G_OPTION_ARG_STRING,
+          &encryption_key_type,
+          "Use the key type <type> when creating a new credential"
+          " encryption key. Currently only RSA is supported.",
+          "<type>" },
         { "encrypt-all-credentials", '\0', 0, G_OPTION_ARG_NONE,
           &encrypt_all_credentials,
           "(Re-)Encrypt all credentials.",
@@ -2180,6 +2201,11 @@ gvmd (int argc, char** argv, char *env[])
           "During CERT and SCAP sync, commit updates to the database every"
           " <number> items, 0 for unlimited, default: "
           G_STRINGIFY (SECINFO_COMMIT_SIZE_DEFAULT), "<number>" },
+        { "set-encryption-key", '\0', 0, G_OPTION_ARG_STRING,
+          &set_encryption_key,
+          "Set the encryption key with the given UID as the new default"
+          " and exit.",
+          "<uid>" },
         { "unix-socket", 'c', 0, G_OPTION_ARG_STRING,
           &manager_address_string_unix,
           "Listen on UNIX socket at <filename>.",
@@ -2438,6 +2464,17 @@ gvmd (int argc, char** argv, char *env[])
         g_debug ("No default relay mapper found.");
     }
 
+  /*
+   * Parameters for new credential encryption keys
+   */
+  if (lsc_crypt_enckey_parms_init (encryption_key_type,
+                                   encryption_key_length))
+    {
+      g_critical ("%s: failed to set encryption key parameters", __func__);
+      gvm_close_sentry ();
+      exit (EXIT_FAILURE);
+    }
+
   /**
    * LDAP debugging
    */
@@ -2834,6 +2871,37 @@ gvmd (int argc, char** argv, char *env[])
       return EXIT_SUCCESS;
     }
 
+  if (create_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Creating encryption key");
+
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_create_encryption_key (log_config, &database);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
+  if (set_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Setting encryption key");
+
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_set_encryption_key (log_config, &database,
+                                       set_encryption_key);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
   if (create_user)
     {
       int ret;