mime: expose a mime type for encrypted credentials

Let's make things nice for desktops, and provide a mime type for credential files. This uses the 128bit header identifier that our credential files start with. However, the files are always base64 encoded, hence we have to match the base64 string, hence add a small test case that generates them properly for us, and truncates them at the right place (since 128 is not evently divisable by 6).
2026-04-14 00:14:32 +09:00 · 2024-01-15 13:44:39 +01:00
parent b9e2d83b75
commit 2dda9c779e
2 changed files with 40 additions and 0 deletions
--- a/mime/io.systemd.xml
+++ b/mime/io.systemd.xml
@@ -10,4 +10,16 @@
    <comment>Configuration Extension DDI</comment>
    <glob pattern="*.confext.raw"/>
  </mime-type>
+  <mime-type type="application/x.systemd-credential">
+    <comment>Encrypted Credential</comment>
+    <generic-icon name="security-high"/>
+    <magic>
+      <match type="string" value="Whxqht+dQJax1aZeCGLxm" offset="0"/>
+      <match type="string" value="DHzAexF2RZGcSwvqCLwg/" offset="0"/>
+      <match type="string" value="+vfrk0HjQSyhpDb5Wik2L" offset="0"/>
+      <match type="string" value="k6iUCUh0RJCQyvL8k8q1U" offset="0"/>
+      <match type="string" value="r0lQqEkTTrGnOEYwT/MMB" offset="0"/>
+      <match type="string" value="BYRp2vb1QySABUnaD46i+" offset="0"/>
+    </magic>
+  </mime-type>
 </mime-info>
--- a/src/test/test-creds.c
+++ b/src/test/test-creds.c
@@ -2,6 +2,8 @@

 #include "creds-util.h"
 #include "fileio.h"
+#include "format-util.h"
+#include "hexdecoct.h"
 #include "id128-util.h"
 #include "iovec-util.h"
 #include "path-util.h"
@@ -213,7 +215,33 @@ TEST(credential_encrypt_decrypt) {

        if (ec)
                assert_se(setenv("SYSTEMD_CREDENTIAL_SECRET", ec, true) >= 0);
+}

+TEST(mime_type_matches) {
+
+        static const sd_id128_t tags[] = {
+                CRED_AES256_GCM_BY_HOST,
+                CRED_AES256_GCM_BY_TPM2_HMAC,
+                CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
+                CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
+                CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
+                CRED_AES256_GCM_BY_NULL,
+        };
+
+        /* Generates the right <match/> expressions for these credentials according to the shared mime-info spec */
+        FOREACH_ARRAY(t, tags, ELEMENTSOF(tags)) {
+                _cleanup_free_ char *encoded = NULL;
+
+                assert_se(base64mem(t, sizeof(sd_id128_t), &encoded) >= 0);
+
+                /* Validate that the size matches expectations for the 4/3 factor size increase (rounding up) */
+                assert_se(strlen(encoded) == DIV_ROUND_UP((128U / 8U), 3U) * 4U);
+
+                /* Cut off rounded string where the ID ends, but now round down to get rid of characters that might contain follow-up data */
+                encoded[128 / 6] = 0;
+
+                printf("<match type=\"string\" value=\"%s\" offset=\"0\"/>\n", encoded);
+        }
 }

 DEFINE_TEST_MAIN(LOG_INFO);