From: Lennart Poettering Date: Mon, 15 Jan 2024 12:44:39 +0000 (+0100) Subject: mime: expose a mime type for encrypted credentials X-Git-Tag: v256-rc1~1115^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2dda9c779e7b18acdd274b1133a0f115e73c7c7d;p=thirdparty%2Fsystemd.git mime: expose a mime type for encrypted credentials Let's make things nice for desktops, and provide a mime type for credential files. This uses the 128bit header identifier that our credential files start with. However, the files are always base64 encoded, hence we have to match the base64 string, hence add a small test case that generates them properly for us, and truncates them at the right place (since 128 is not evenly divisible by 6). --- diff --git a/mime/io.systemd.xml b/mime/io.systemd.xml index 8b95cef9a53..cd36f8116c3 100644 --- a/mime/io.systemd.xml +++ b/mime/io.systemd.xml @@ -10,4 +10,16 @@ Configuration Extension DDI + + Encrypted Credential + + + + + + + + + + diff --git a/src/test/test-creds.c b/src/test/test-creds.c index e56a2f38e38..e65aa819dd5 100644 --- a/src/test/test-creds.c +++ b/src/test/test-creds.c @@ -2,6 +2,8 @@ #include "creds-util.h" #include "fileio.h" +#include "format-util.h" +#include "hexdecoct.h" #include "id128-util.h" #include "iovec-util.h" #include "path-util.h" 
@@ -213,7 +215,33 @@ TEST(credential_encrypt_decrypt) { if (ec) assert_se(setenv("SYSTEMD_CREDENTIAL_SECRET", ec, true) >= 0); +} + +TEST(mime_type_matches) { + + static const sd_id128_t tags[] = { + CRED_AES256_GCM_BY_HOST, + CRED_AES256_GCM_BY_TPM2_HMAC, + CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK, + CRED_AES256_GCM_BY_NULL, + }; + + /* Generates the right expressions for these credentials according to the shared mime-info spec */ + FOREACH_ARRAY(t, tags, ELEMENTSOF(tags)) { + _cleanup_free_ char *encoded = NULL; + assert_se(base64mem(t, sizeof(sd_id128_t), &encoded) >= 0); + + /* Validate that the size matches expectations for the 4/3 factor size increase (rounding up) */ + assert_se(strlen(encoded) == DIV_ROUND_UP((128U / 8U), 3U) * 4U); + + /* Cut off rounded string where the ID ends, but now round down to get rid of characters that might contain follow-up data */ + encoded[128 / 6] = 0; + + printf("\n", encoded); + } } DEFINE_TEST_MAIN(LOG_INFO);
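Review bot: TEST(mime_type_matches) only prints the generated match strings and never compares them with mime/io.systemd.xml, so a header tag added later, or an edit to the XML, will not fail this test and the MIME magic can drift from the real credential headers unnoticed. The comment above the loop should say so, for example `/* Only prints the expressions for mime/io.systemd.xml; nothing here verifies that the XML is in sync with tags[] */`. The length assertion and the cut both use a literal 128 while base64mem() is given `sizeof(sd_id128_t)`; deriving the index from the same size, e.g. `encoded[sizeof(sd_id128_t) * 8 / 6] = 0;`, keeps the three tied together. The list also contains CRED_AES256_GCM_BY_NULL, which by its name looks like a null-key variant, so a short comment that the MIME type identifies the container format only, not how strongly the payload is protected, would help readers. As rendered on this page the printf format has no conversion for `encoded`, which looks like markup lost in extraction rather than the committed code.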