From 2dda9c779e7b18acdd274b1133a0f115e73c7c7d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 15 Jan 2024 13:44:39 +0100
Subject: [PATCH] mime: expose a mime type for encrypted credentials
Let's make things nice for desktops, and provide a mime type for credential files. This uses the 128bit header identifier that our credential files start with. However, the files are always base64 encoded, hence we have to match the base64 string, hence add a small test case that generates them properly for us, and truncates them at the right place (since 128 is not evently divisable by 6).
---
mime/io.systemd.xml | 12 ++++++++++++
src/test/test-creds.c | 28 ++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/mime/io.systemd.xml b/mime/io.systemd.xml
index 8b95cef9a5..cd36f8116c 100644
--- a/mime/io.systemd.xml
+++ b/mime/io.systemd.xml
@@ -10,4 +10,16 @@ Configuration Extension DDI + + Encrypted Credential + + + + + + + + + +
diff --git a/src/test/test-creds.c b/src/test/test-creds.c
index e56a2f38e3..e65aa819dd 100644
--- a/src/test/test-creds.c
+++ b/src/test/test-creds.c
@@ -2,6 +2,8 @@
 #include "creds-util.h"
 #include "fileio.h"
+#include "format-util.h"
+#include "hexdecoct.h"
 #include "id128-util.h"
 #include "iovec-util.h"
 #include "path-util.h"
@@ -213,7 +215,33 @@ TEST(credential_encrypt_decrypt) {
 if (ec)
 assert_se(setenv("SYSTEMD_CREDENTIAL_SECRET", ec, true) >= 0);
+}
+
+TEST(mime_type_matches) {
+
+ static const sd_id128_t tags[] = {
+ CRED_AES256_GCM_BY_HOST,
+ CRED_AES256_GCM_BY_TPM2_HMAC,
+ CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
+ CRED_AES256_GCM_BY_NULL,
+ };
+
+ /* Generates the right expressions for these credentials according to the shared mime-info spec */
+ FOREACH_ARRAY(t, tags, ELEMENTSOF(tags)) {
+ _cleanup_free_ char *encoded = NULL;
+ assert_se(base64mem(t, sizeof(sd_id128_t), &encoded) >= 0);
+
+ /* Validate that the size matches expectations for the 4/3 factor size increase (rounding up) */
+ assert_se(strlen(encoded) == DIV_ROUND_UP((128U / 8U), 3U) * 4U);
+
+ /* Cut off rounded string where the ID ends, but now round down to get rid of characters that might contain follow-up data */
+ encoded[128 / 6] = 0;
+
+ printf("\n", encoded);
+ }
 }
 DEFINE_TEST_MAIN(LOG_INFO);
-- 2.25.1
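Review bot: `TEST(mime_type_matches)` asserts nothing about the mime type — the loop base64-encodes each tag, truncates it and prints it, so if any `CRED_AES256_GCM_*` identifier is ever changed the `<match>` values pasted into mime/io.systemd.xml go stale with no test failing. I would keep the 21-character prefixes that went into the XML in a static table beside `tags[]` and replace the `printf` with `assert_se(streq(encoded, expected[t - tags]));`, so the test actually pins what the shipped data file relies on. As rendered here the format string is just `"\n"` with `encoded` as an unused argument; presumably the `<match .../>` element was stripped from the page rather than from the source, but it is worth confirming the real line still has a `%s`. The cut-off should also be derived from the tag size instead of a literal, e.g. `encoded[sizeof(sd_id128_t) * 8 / 6] = 0;`, and the comment above it could state the reason plainly: 21 characters carry 126 bits, and the 22nd character mixes the last two tag bits with four bits of the byte that follows, so it cannot be matched.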