Add: New options to set a new credential encryption key

This adds new command line options to create a new credential encryption
key, select an existing ones by UID and change parameters for new keys
(currently only the RSA key length).

This makes it simpler to implement new recommendation regarding the
secure key length and adds interfaces for supporting other key types
like elliptic curve based ones.

doc/gvmd.8

@@ -22,6 +22,9 @@ Check SecInfo alerts.
 \fB--client-watch-interval=\fINUMBER\fB\f1
 Check if client connection was closed every NUMBER seconds. 0 to disable. Defaults to 1 second.
 .TP
+\fB--create-encryption-key\f1
+Create a new credential encryption key, set it as the new default and exit. With no other options given, a 4096 bit RSA key is created. 
+.TP
 \fB--create-scanner=\fISCANNER\fB\f1
 Create global scanner SCANNER and exit.
 .TP
@@ -58,6 +61,12 @@ Do not restrict passwords to the policy.
 \fB--disable-scheduling\f1
 Disable task scheduling.
 .TP
+\fB--encryption-key-length=\fILENGTH\fB\f1
+Set key length to LENGTH bits when creating a new RSA credential encryption key. Defaults to 4096. 
+.TP
+\fB--encryption-key-type=\fITYPE\fB\f1
+Use the key type TYPE when creating a new credential encryption key. Currently only RSA is supported. 
+.TP
 \fB--encrypt-all-credentials\f1
 (Re-)Encrypt all credentials.
 .TP

doc/gvmd.8.xml

@@ -74,6 +74,16 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
            0 to disable. Defaults to 1 second.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--create-encryption-key</opt></p>
+      <optdesc>
+        <p>
+          Create a new credential encryption key, set it as the new default
+           and exit.
+          With no other options given, a 4096 bit RSA key is created.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--create-scanner=<arg>SCANNER</arg></opt></p>
       <optdesc>
@@ -146,6 +156,24 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
         <p>Disable task scheduling.</p>
       </optdesc>
     </option>
+    <option>
+      <p><opt>--encryption-key-length=<arg>LENGTH</arg></opt></p>
+      <optdesc>
+        <p>
+          Set key length to LENGTH bits when creating a new RSA
+          credential encryption key. Defaults to 4096.
+        </p>
+      </optdesc>
+    </option>
+    <option>
+      <p><opt>--encryption-key-type=<arg>TYPE</arg></opt></p>
+      <optdesc>
+        <p>
+          Use the key type TYPE when creating a new credential
+          encryption key. Currently only RSA is supported.
+        </p>
+      </optdesc>
+    </option>
     <option>
       <p><opt>--encrypt-all-credentials</opt></p>
       <optdesc>

doc/gvmd.html

@@ -57,6 +57,14 @@ <h2>Options</h2>
 
 
 
+      <p><b>--create-encryption-key</b></p>
+
+        <p>Create a new credential encryption key, set it as the new default
+           and exit. With no other options given, a 4096 bit RSA key is
+           created.</p>
+
+
+
       <p><b>--create-scanner=<em>SCANNER</em></b></p>
 
         <p>Create global scanner SCANNER and exit.</p>
@@ -117,6 +125,20 @@ <h2>Options</h2>
 
 
 
+      <p><b>--encryption-key-length=<em>LENGTH</em></b></p>
+
+        <p>Set key length to LENGTH bits when creating a new RSA credential
+        encryption key. Defaults to 4096.</p>
+
+
+
+      <p><b>--encryption-key-type=<em>TYPE</em></b></p>
+
+        <p>Use the key type TYPE when creating a new credential encryption key.
+           Currently only RSA is supported.</p>
+
+
+
       <p><b>--encrypt-all-credentials</b></p>
 
         <p>(Re-)Encrypt all credentials.</p>

src/gvmd.c

@@ -1824,12 +1824,16 @@ gvmd (int argc, char** argv, char *env[])
 
   static int auth_timeout = 15;
   static gboolean check_alerts = FALSE;
+  static gboolean create_encryption_key = FALSE;
   static gboolean migrate_database = FALSE;
   static gboolean encrypt_all_credentials = FALSE;
   static gboolean decrypt_all_credentials = FALSE;
   static gboolean disable_password_policy = FALSE;
   static gboolean disable_scheduling = FALSE;
   static gboolean dump_vt_verification = FALSE;
+  static gchar *encryption_key_type = NULL;
+  static int encryption_key_length = 0;
+  static gchar *set_encryption_key = NULL;
   static gboolean get_roles = FALSE;
   static gboolean get_users = FALSE;
   static gboolean get_scanners = FALSE;
@@ -1918,6 +1922,12 @@ gvmd (int argc, char** argv, char *env[])
           " 0 to disable. Defaults to "
           G_STRINGIFY (DEFAULT_CLIENT_WATCH_INTERVAL) " seconds.",
           "<number>" },
+        { "create-encryption-key", '\0', 0, G_OPTION_ARG_NONE,
+          &create_encryption_key,
+          "Create a new credential encryption key, set it as the new default"
+          " and exit."
+          " With no other options given, a 4096 bit RSA key is created.",
+          NULL },
         { "create-scanner", '\0', 0, G_OPTION_ARG_STRING,
           &create_scanner,
           "Create global scanner <scanner> and exit.",
@@ -1979,6 +1989,17 @@ gvmd (int argc, char** argv, char *env[])
           &dump_vt_verification,
           "Dump the string the VTs verification hash is calculated from.",
           NULL },
+        { "encryption-key-length", '\0', 0, G_OPTION_ARG_INT,
+          &encryption_key_length,
+          "Set key length to <length> bits when creating a new RSA"
+          " credential encryption key. Defaults to "
+          G_STRINGIFY (DEFAULT_ENCRYPTION_KEY_LENGTH) ".",
+          "<length>" },
+        { "encryption-key-type", '\0', 0, G_OPTION_ARG_STRING,
+          &encryption_key_type,
+          "Use the key type <type> when creating a new credential"
+          " encryption key. Currently only RSA is supported.",
+          "<type>" },
         { "encrypt-all-credentials", '\0', 0, G_OPTION_ARG_NONE,
           &encrypt_all_credentials,
           "(Re-)Encrypt all credentials.",
@@ -2180,6 +2201,11 @@ gvmd (int argc, char** argv, char *env[])
           "During CERT and SCAP sync, commit updates to the database every"
           " <number> items, 0 for unlimited, default: "
           G_STRINGIFY (SECINFO_COMMIT_SIZE_DEFAULT), "<number>" },
+        { "set-encryption-key", '\0', 0, G_OPTION_ARG_STRING,
+          &set_encryption_key,
+          "Set the encryption key with the given UID as the new default"
+          " and exit.",
+          "<uid>" },
         { "unix-socket", 'c', 0, G_OPTION_ARG_STRING,
           &manager_address_string_unix,
           "Listen on UNIX socket at <filename>.",
@@ -2438,6 +2464,17 @@ gvmd (int argc, char** argv, char *env[])
         g_debug ("No default relay mapper found.");
     }
 
+  /*
+   * Parameters for new credential encryption keys
+   */
+  if (lsc_crypt_enckey_parms_init (encryption_key_type,
+                                   encryption_key_length))
+    {
+      g_critical ("%s: failed to set encryption key parameters", __func__);
+      gvm_close_sentry ();
+      exit (EXIT_FAILURE);
+    }
+
   /**
    * LDAP debugging
    */
@@ -2834,6 +2871,37 @@ gvmd (int argc, char** argv, char *env[])
       return EXIT_SUCCESS;
     }
 
+  if (create_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Creating encryption key");
+
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_create_encryption_key (log_config, &database);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
+  if (set_encryption_key)
+    {
+      int ret;
+      setproctitle ("gvmd: Setting encryption key");
+
+      if (option_lock (&lockfile_checking))
+        return EXIT_FAILURE;
+
+      ret = manage_set_encryption_key (log_config, &database,
+                                       set_encryption_key);
+      log_config_free ();
+      if (ret)
+        return EXIT_FAILURE;
+      return EXIT_SUCCESS;
+    }
+
   if (create_user)
     {
       int ret;