[Cryptech-Commits] [sw/libhal] 01/03: After some thought, I'd rather make raw export/import a sub-function of key export/import (kekek = none, kek_len = 0), rather than separate RPCs.
git at cryptech.is
git at cryptech.is
Tue Dec 3 16:38:15 UTC 2019
This is an automated email from the git hooks/post-receive script.
paul at psgd.org pushed a commit to branch import_export_raw
in repository sw/libhal.
commit 4fd9d1186efed0de8e3ae1d1e2fa5a0e5c46c2fb
Author: Paul Selkirk <paul at psgd.org>
AuthorDate: Mon Dec 2 15:38:58 2019 -0500
After some thought, I'd rather make raw export/import a sub-function of
key export/import (kekek = none, kek_len = 0), rather than separate RPCs.
---
cryptech/libhal.py | 20 -----
hal.h | 10 ---
hal_internal.h | 12 ---
rpc_api.c | 26 +------
rpc_client.c | 66 +----------------
rpc_pkey.c | 213 +++++++++++++++++++++++++++--------------------------
rpc_server.c | 60 ---------------
utils/pkey.c | 58 +++++----------
8 files changed, 134 insertions(+), 331 deletions(-)
diff --git a/cryptech/libhal.py b/cryptech/libhal.py
index 1899102..647dbd6 100644
--- a/cryptech/libhal.py
+++ b/cryptech/libhal.py
@@ -191,8 +191,6 @@ RPCFunc.define('''
RPC_FUNC_PKEY_EXPORT,
RPC_FUNC_PKEY_IMPORT,
RPC_FUNC_PKEY_GENERATE_HASHSIG,
- RPC_FUNC_PKEY_EXPORT_RAW,
- RPC_FUNC_PKEY_IMPORT_RAW,
''')
class HALDigestAlgorithm(Enum): pass
@@ -436,12 +434,6 @@ class PKey(Handle):
def import_pkey(self, pkcs8, kek, flags = 0):
return self.hsm.pkey_import(kekek = self, pkcs8 = pkcs8, kek = kek, flags = flags)
- def export_raw_pkey(self, pkey):
- return self.hsm.pkey_export_raw(pkey = pkey, der_max = 5480)
-
- def import_raw_pkey(self, der, flags = 0):
- return self.hsm.pkey_import_raw(der = der, flags = flags)
-
class ContextManagedUnpacker(xdrlib.Unpacker):
def __enter__(self):
@@ -718,15 +710,3 @@ class HSM(object):
pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes()))
logger.debug("Imported pkey %s", pkey.uuid)
return pkey
-
- def pkey_export_raw(self, pkey, der_max = 2560):
- with self.rpc(RPC_FUNC_PKEY_EXPORT_RAW, pkey, der_max) as r:
- der = r.unpack_bytes(), r.unpack_bytes()
- logger.debug("Exported raw pkey %s", pkey.uuid)
- return der
-
- def pkey_import_raw(self, der, flags = 0, client = 0, session = 0):
- with self.rpc(RPC_FUNC_PKEY_IMPORT_RAW, session, der, flags, client = client) as r:
- pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes()))
- logger.debug("Imported raw pkey %s", pkey.uuid)
- return pkey
diff --git a/hal.h b/hal.h
index 1a08690..e2cb3ac 100644
--- a/hal.h
+++ b/hal.h
@@ -893,9 +893,6 @@ extern hal_error_t hal_rpc_pkey_export(const hal_pkey_handle_t pkey,
uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
uint8_t *kek, size_t *kek_len, const size_t kek_max);
-extern hal_error_t hal_rpc_pkey_export_raw(const hal_pkey_handle_t pkey,
- uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max);
-
extern hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
@@ -905,13 +902,6 @@ extern hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client,
const uint8_t * const kek, const size_t kek_len,
const hal_key_flags_t flags);
-extern hal_error_t hal_rpc_pkey_import_raw(const hal_client_handle_t client,
- const hal_session_handle_t session,
- hal_pkey_handle_t *pkey,
- hal_uuid_t *name,
- const uint8_t * const pkcs8, const size_t pkcs8_len,
- const hal_key_flags_t flags);
-
extern hal_error_t hal_rpc_client_init(void);
extern hal_error_t hal_rpc_client_close(void);
diff --git a/hal_internal.h b/hal_internal.h
index 1885595..1297b98 100644
--- a/hal_internal.h
+++ b/hal_internal.h
@@ -380,16 +380,6 @@ typedef struct {
const uint8_t * const kek, const size_t kek_len,
const hal_key_flags_t flags);
- hal_error_t (*export_raw)(const hal_pkey_handle_t pkey_handle,
- uint8_t *der, size_t *der_len, const size_t der_max);
-
- hal_error_t (*import_raw)(const hal_client_handle_t client,
- const hal_session_handle_t session,
- hal_pkey_handle_t *pkey,
- hal_uuid_t *name,
- const uint8_t * const der, const size_t der_len,
- const hal_key_flags_t flags);
-
} hal_rpc_pkey_dispatch_t;
@@ -672,8 +662,6 @@ typedef enum {
RPC_FUNC_PKEY_EXPORT,
RPC_FUNC_PKEY_IMPORT,
RPC_FUNC_PKEY_GENERATE_HASHSIG,
- RPC_FUNC_PKEY_EXPORT_RAW,
- RPC_FUNC_PKEY_IMPORT_RAW,
} rpc_func_num_t;
#define RPC_VERSION 0x01010200 /* 1.1.2.0 */
diff --git a/rpc_api.c b/rpc_api.c
index 155cb30..5f32a22 100644
--- a/rpc_api.c
+++ b/rpc_api.c
@@ -413,7 +413,8 @@ hal_error_t hal_rpc_pkey_export(const hal_pkey_handle_t pkey,
uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
uint8_t *kek, size_t *kek_len, const size_t kek_max)
{
- if (pkcs8 == NULL || pkcs8_len == NULL || kek == NULL || kek_len == NULL || kek_max <= KEK_LENGTH)
+ if (pkcs8 == NULL || pkcs8_len == NULL ||
+ (kekek.handle != HAL_HANDLE_NONE && (kek == NULL || kek_len == NULL || kek_max <= KEK_LENGTH)))
return HAL_ERROR_BAD_ARGUMENTS;
return hal_rpc_pkey_dispatch->export(pkey, kekek, pkcs8, pkcs8_len, pkcs8_max, kek, kek_len, kek_max);
}
@@ -427,31 +428,12 @@ hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client,
const uint8_t * const kek, const size_t kek_len,
const hal_key_flags_t flags)
{
- if (pkey == NULL || name == NULL || pkcs8 == NULL || kek == NULL || kek_len <= 2)
+ if (pkey == NULL || name == NULL || pkcs8 == NULL ||
+ (kekek.handle != HAL_HANDLE_NONE && (kek == NULL || kek_len <= 2)))
return HAL_ERROR_BAD_ARGUMENTS;
return hal_rpc_pkey_dispatch->import(client, session, pkey, name, kekek, pkcs8, pkcs8_len, kek, kek_len, flags);
}
-hal_error_t hal_rpc_pkey_export_raw(const hal_pkey_handle_t pkey,
- uint8_t *der, size_t *der_len, const size_t der_max)
-{
- if (der == NULL || der_len == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
- return hal_rpc_pkey_dispatch->export_raw(pkey, der, der_len, der_max);
-}
-
-hal_error_t hal_rpc_pkey_import_raw(const hal_client_handle_t client,
- const hal_session_handle_t session,
- hal_pkey_handle_t *pkey,
- hal_uuid_t *name,
- const uint8_t * const der, const size_t der_len,
- const hal_key_flags_t flags)
-{
- if (pkey == NULL || name == NULL || der == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
- return hal_rpc_pkey_dispatch->import_raw(client, session, pkey, name, der, der_len, flags);
-}
-
/*
* Local variables:
* indent-tabs-mode: nil
diff --git a/rpc_client.c b/rpc_client.c
index face70f..c9ac9b7 100644
--- a/rpc_client.c
+++ b/rpc_client.c
@@ -1018,64 +1018,6 @@ static hal_error_t pkey_remote_import(const hal_client_handle_t client,
return rpc_ret;
}
-static hal_error_t pkey_remote_export_raw(const hal_pkey_handle_t pkey,
- uint8_t *der, size_t *der_len, const size_t der_max)
-{
- uint8_t outbuf[nargs(4)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
- uint8_t inbuf[nargs(3) + pad(der_max)];
- const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- hal_client_handle_t dummy_client = {0};
- hal_error_t rpc_ret;
-
- check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_EXPORT_RAW));
- check(hal_xdr_encode_int(&optr, olimit, dummy_client.handle));
- check(hal_xdr_encode_int(&optr, olimit, pkey.handle));
- check(hal_xdr_encode_int(&optr, olimit, der_max));
- check(hal_rpc_send(outbuf, optr - outbuf));
-
- check(read_matching_packet(RPC_FUNC_PKEY_EXPORT_RAW, inbuf, sizeof(inbuf), &iptr, &ilimit));
-
- check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
- if (rpc_ret == HAL_OK) {
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, der, der_len, der_max));
- }
- return rpc_ret;
-}
-
-static hal_error_t pkey_remote_import_raw(const hal_client_handle_t client,
- const hal_session_handle_t session,
- hal_pkey_handle_t *pkey,
- hal_uuid_t *name,
- const uint8_t * const der, const size_t der_len,
- const hal_key_flags_t flags)
-{
- uint8_t outbuf[nargs(5) + pad(der_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
- uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
- const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t name_len;
- hal_error_t rpc_ret;
-
- check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_IMPORT_RAW));
- check(hal_xdr_encode_int(&optr, olimit, client.handle));
- check(hal_xdr_encode_int(&optr, olimit, session.handle));
- check(hal_xdr_encode_variable_opaque(&optr, olimit, der, der_len));
- check(hal_xdr_encode_int(&optr, olimit, flags));
- check(hal_rpc_send(outbuf, optr - outbuf));
-
- check(read_matching_packet(RPC_FUNC_PKEY_IMPORT_RAW, inbuf, sizeof(inbuf), &iptr, &ilimit));
-
- check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
-
- if (rpc_ret == HAL_OK) {
- check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid)));
- if (name_len != sizeof(name->uuid))
- return HAL_ERROR_KEY_NAME_TOO_LONG;
- }
-
- return rpc_ret;
-}
-
#if RPC_CLIENT == RPC_CLIENT_MIXED
/*
@@ -1207,9 +1149,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_remote_pkey_dispatch = {
.set_attributes = pkey_remote_set_attributes,
.get_attributes = pkey_remote_get_attributes,
.export = pkey_remote_export,
- .import = pkey_remote_import,
- .export_raw = pkey_remote_export_raw,
- .import_raw = pkey_remote_import_raw
+ .import = pkey_remote_import
};
#if RPC_CLIENT == RPC_CLIENT_MIXED
@@ -1232,9 +1172,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_mixed_pkey_dispatch = {
.set_attributes = pkey_remote_set_attributes,
.get_attributes = pkey_remote_get_attributes,
.export = pkey_remote_export,
- .import = pkey_remote_import,
- .export_raw = pkey_remote_export_raw,
- .import_raw = pkey_remote_import_raw
+ .import = pkey_remote_import
};
#endif /* RPC_CLIENT == RPC_CLIENT_MIXED */
diff --git a/rpc_pkey.c b/rpc_pkey.c
index 67732ad..3f2b5f5 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -1287,11 +1287,70 @@ static hal_error_t pkey_local_get_attributes(const hal_pkey_handle_t pkey,
attributes_buffer, attributes_buffer_len);
}
+static hal_error_t pkey_local_export_raw(const hal_pkey_handle_t pkey_handle,
+ uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max)
+{
+ hal_assert(pkcs8 != NULL && pkcs8_len != NULL);
+
+ uint8_t kek[KEK_LENGTH];
+ size_t kek_len;
+ hal_error_t err;
+ size_t len;
+
+ hal_pkey_slot_t * const pkey = find_handle(pkey_handle);
+
+ if (pkey == NULL)
+ return HAL_ERROR_KEY_NOT_FOUND;
+
+ if ((pkey->flags & HAL_KEY_FLAG_EXPORTABLE) == 0)
+ return HAL_ERROR_FORBIDDEN;
+
+ if (pkcs8_max < HAL_KS_WRAPPED_KEYSIZE)
+ return HAL_ERROR_RESULT_TOO_LONG;
+
+ if ((err = ks_fetch_from_flags(pkey, pkcs8, &len, pkcs8_max)) != HAL_OK)
+ goto fail;
+
+ /* if hashsig, update internal parameters and disable further use */
+ if (pkey->type == HAL_KEY_TYPE_HASHSIG_PRIVATE) {
+ if ((err = hal_hashsig_export_raw(&pkey->name, pkcs8, &len, pkcs8_max)) != HAL_OK)
+ goto fail;
+ pkey->flags &= ~HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE;
+ }
+
+ if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
+ goto fail;
+
+ *pkcs8_len = pkcs8_max;
+ if ((err = hal_aes_keywrap(NULL, kek, KEK_LENGTH, pkcs8, len, pkcs8, pkcs8_len)) != HAL_OK)
+ goto fail;
+
+ if ((err = hal_asn1_encode_pkcs8_encryptedprivatekeyinfo(hal_asn1_oid_aesKeyWrap,
+ hal_asn1_oid_aesKeyWrap_len,
+ pkcs8, *pkcs8_len,
+ pkcs8, pkcs8_len, pkcs8_max)) != HAL_OK)
+ goto fail;
+
+ return HAL_OK;
+
+ fail:
+ memset(pkcs8, 0, pkcs8_max);
+ memset(kek, 0, sizeof(kek));
+ *pkcs8_len = 0;
+ return err;
+}
+
static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle,
const hal_pkey_handle_t kekek_handle,
uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
uint8_t *kek, size_t *kek_len, const size_t kek_max)
{
+ if (kekek_handle.handle == HAL_HANDLE_NONE) {
+ if (kek_len != NULL)
+ *kek_len = 0;
+ return pkey_local_export_raw(pkey_handle, pkcs8, pkcs8_len, pkcs8_max);
+ }
+
hal_assert(pkcs8 != NULL && pkcs8_len != NULL && kek != NULL && kek_len != NULL && kek_max > KEK_LENGTH);
uint8_t rsabuf[hal_rsa_key_t_size];
@@ -1385,6 +1444,53 @@ static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle,
return err;
}
+static hal_error_t pkey_local_import_raw(const hal_client_handle_t client,
+ const hal_session_handle_t session,
+ hal_pkey_handle_t *pkey,
+ hal_uuid_t *name,
+ const uint8_t * const pkcs8, const size_t pkcs8_len,
+ const hal_key_flags_t flags)
+{
+ hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL);
+
+ uint8_t kek[KEK_LENGTH], der[HAL_KS_WRAPPED_KEYSIZE];
+ size_t der_len, oid_len, data_len, kek_len;
+ const uint8_t *oid, *data;
+ hal_error_t err;
+
+ if ((err = hal_asn1_decode_pkcs8_encryptedprivatekeyinfo(&oid, &oid_len, &data, &data_len,
+ pkcs8, pkcs8_len)) != HAL_OK)
+ goto fail;
+
+ if (oid_len != hal_asn1_oid_aesKeyWrap_len ||
+ memcmp(oid, hal_asn1_oid_aesKeyWrap, oid_len) != 0 ||
+ data_len > sizeof(der)) {
+ err = HAL_ERROR_ASN1_PARSE_FAILED;
+ goto fail;
+ }
+
+ if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
+ goto fail;
+
+ der_len = sizeof(der);
+ if ((err = hal_aes_keyunwrap(NULL, kek, kek_len, data, data_len, der, &der_len)) != HAL_OK)
+ goto fail;
+
+ hal_key_type_t type;
+ hal_curve_name_t curve;
+ if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) == HAL_OK &&
+ type == HAL_KEY_TYPE_HASHSIG_PRIVATE &&
+ (err = hal_hashsig_import(der, der_len, flags)) != HAL_OK)
+ goto fail;
+
+ err = hal_rpc_pkey_load(client, session, pkey, name, der, der_len, flags);
+
+ fail:
+ memset(kek, 0, sizeof(kek));
+ memset(der, 0, sizeof(der));
+ return err;
+}
+
static hal_error_t pkey_local_import(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
@@ -1394,6 +1500,9 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
const uint8_t * const kek_, const size_t kek_len,
const hal_key_flags_t flags)
{
+ if (kekek_handle.handle == HAL_HANDLE_NONE)
+ return pkey_local_import_raw(client, session, pkey, name, pkcs8, pkcs8_len, flags);
+
hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL && kek_ != NULL && kek_len > 2);
uint8_t kek[KEK_LENGTH], rsabuf[hal_rsa_key_t_size], der[HAL_KS_WRAPPED_KEYSIZE], *d;
@@ -1474,106 +1583,6 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
return err;
}
-static hal_error_t pkey_local_export_raw(const hal_pkey_handle_t pkey_handle,
- uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max)
-{
- hal_assert(pkcs8 != NULL && pkcs8_len != NULL);
-
- uint8_t kek[KEK_LENGTH];
- size_t kek_len;
- hal_error_t err;
- size_t len;
-
- hal_pkey_slot_t * const pkey = find_handle(pkey_handle);
-
- if (pkey == NULL)
- return HAL_ERROR_KEY_NOT_FOUND;
-
- if ((pkey->flags & HAL_KEY_FLAG_EXPORTABLE) == 0)
- return HAL_ERROR_FORBIDDEN;
-
- if (pkcs8_max < HAL_KS_WRAPPED_KEYSIZE)
- return HAL_ERROR_RESULT_TOO_LONG;
-
- if ((err = ks_fetch_from_flags(pkey, pkcs8, &len, pkcs8_max)) != HAL_OK)
- goto fail;
-
- /* if hashsig, update internal parameters and disable further use */
- if (pkey->type == HAL_KEY_TYPE_HASHSIG_PRIVATE) {
- if ((err = hal_hashsig_export_raw(&pkey->name, pkcs8, &len, pkcs8_max)) != HAL_OK)
- goto fail;
- pkey->flags &= ~HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE;
- }
-
- if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
- goto fail;
-
- *pkcs8_len = pkcs8_max;
- if ((err = hal_aes_keywrap(NULL, kek, KEK_LENGTH, pkcs8, len, pkcs8, pkcs8_len)) != HAL_OK)
- goto fail;
-
- if ((err = hal_asn1_encode_pkcs8_encryptedprivatekeyinfo(hal_asn1_oid_aesKeyWrap,
- hal_asn1_oid_aesKeyWrap_len,
- pkcs8, *pkcs8_len,
- pkcs8, pkcs8_len, pkcs8_max)) != HAL_OK)
- goto fail;
-
- return HAL_OK;
-
- fail:
- memset(pkcs8, 0, pkcs8_max);
- memset(kek, 0, sizeof(kek));
- *pkcs8_len = 0;
- return err;
-}
-
-static hal_error_t pkey_local_import_raw(const hal_client_handle_t client,
- const hal_session_handle_t session,
- hal_pkey_handle_t *pkey,
- hal_uuid_t *name,
- const uint8_t * const pkcs8, const size_t pkcs8_len,
- const hal_key_flags_t flags)
-{
- hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL);
-
- uint8_t kek[KEK_LENGTH], der[HAL_KS_WRAPPED_KEYSIZE];
- size_t der_len, oid_len, data_len, kek_len;
- const uint8_t *oid, *data;
- hal_error_t err;
-
- if ((err = hal_asn1_decode_pkcs8_encryptedprivatekeyinfo(&oid, &oid_len, &data, &data_len,
- pkcs8, pkcs8_len)) != HAL_OK)
- goto fail;
-
- if (oid_len != hal_asn1_oid_aesKeyWrap_len ||
- memcmp(oid, hal_asn1_oid_aesKeyWrap, oid_len) != 0 ||
- data_len > sizeof(der)) {
- err = HAL_ERROR_ASN1_PARSE_FAILED;
- goto fail;
- }
-
- if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
- goto fail;
-
- der_len = sizeof(der);
- if ((err = hal_aes_keyunwrap(NULL, kek, kek_len, data, data_len, der, &der_len)) != HAL_OK)
- goto fail;
-
- hal_key_type_t type;
- hal_curve_name_t curve;
- if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) == HAL_OK &&
- type == HAL_KEY_TYPE_HASHSIG_PRIVATE &&
- (err = hal_hashsig_import(der, der_len, flags)) != HAL_OK)
- goto fail;
-
- err = hal_rpc_pkey_load(client, session, pkey, name, der, der_len, flags);
-
- fail:
- memset(kek, 0, sizeof(kek));
- memset(der, 0, sizeof(der));
- return err;
-}
-
const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = {
.load = pkey_local_load,
.open = pkey_local_open,
@@ -1593,9 +1602,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = {
.set_attributes = pkey_local_set_attributes,
.get_attributes = pkey_local_get_attributes,
.export = pkey_local_export,
- .import = pkey_local_import,
- .export_raw = pkey_local_export_raw,
- .import_raw = pkey_local_import_raw
+ .import = pkey_local_import
};
/*
diff --git a/rpc_server.c b/rpc_server.c
index aa7e936..9598413 100644
--- a/rpc_server.c
+++ b/rpc_server.c
@@ -776,60 +776,6 @@ static hal_error_t pkey_import(const uint8_t **iptr, const uint8_t * const ilimi
return err;
}
-static hal_error_t pkey_export_raw(const uint8_t **iptr, const uint8_t * const ilimit,
- uint8_t **optr, const uint8_t * const olimit)
-{
- hal_client_handle_t client;
- hal_pkey_handle_t pkey;
- size_t der_len;
- uint32_t der_max;
- uint8_t *optr_orig = *optr;
- hal_error_t err;
-
- check(hal_xdr_decode_int(iptr, ilimit, &client.handle));
- check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle));
- check(hal_xdr_decode_int(iptr, ilimit, &der_max));
-
- if (nargs(1) + pad(der_max) > (uint32_t)(olimit - *optr))
- return HAL_ERROR_RPC_PACKET_OVERFLOW;
-
- uint8_t der[der_max];
-
- check(hal_rpc_pkey_export_raw(pkey, der, &der_len, sizeof(der)));
-
- if ((err = hal_xdr_encode_variable_opaque(optr, olimit, der, der_len)) != HAL_OK)
- *optr = optr_orig;
-
- return err;
-}
-
-static hal_error_t pkey_import_raw(const uint8_t **iptr, const uint8_t * const ilimit,
- uint8_t **optr, const uint8_t * const olimit)
-{
- hal_client_handle_t client;
- hal_session_handle_t session;
- hal_pkey_handle_t pkey;
- hal_uuid_t name;
- const uint8_t *der;
- size_t der_len;
- uint8_t *optr_orig = *optr;
- hal_key_flags_t flags;
- hal_error_t err;
-
- check(hal_xdr_decode_int(iptr, ilimit, &client.handle));
- check(hal_xdr_decode_int(iptr, ilimit, &session.handle));
- check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &der, &der_len));
- check(hal_xdr_decode_int(iptr, ilimit, &flags));
-
- check(hal_rpc_pkey_import_raw(client, session, &pkey, &name, der, der_len, flags));
-
- if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK ||
- (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK)
- *optr = optr_orig;
-
- return err;
-}
-
hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ilen,
uint8_t * const obuf, size_t * const olen)
@@ -944,12 +890,6 @@ hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ile
case RPC_FUNC_PKEY_IMPORT:
handler = pkey_import;
break;
- case RPC_FUNC_PKEY_EXPORT_RAW:
- handler = pkey_export_raw;
- break;
- case RPC_FUNC_PKEY_IMPORT_RAW:
- handler = pkey_import_raw;
- break;
}
if (handler)
diff --git a/utils/pkey.c b/utils/pkey.c
index efd360d..d1a8b07 100644
--- a/utils/pkey.c
+++ b/utils/pkey.c
@@ -62,7 +62,7 @@
* list [-t type]
* sign [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile] [-n iterations]
* verify [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile]
- * export [-k keyname] [-r (raw) | -K kekekfile] [-o outfile]
+ * export [-k keyname] <-r (raw) | -K kekekfile> [-o outfile]
* import [-r (raw) | -K kekekfile] [-i infile] [-x (exportable)] [-v (volatile keystore)]
* delete [-k keyname] ...
*/
@@ -233,10 +233,7 @@ fail:
static int pkey_load(const char * const fn, hal_pkey_handle_t *key_handle)
{
- size_t der_len = file_size(fn);
- if (der_len == SIZE_MAX)
- return -1;
- uint8_t der[der_len];
+ uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
if (file_read(fn, der, &der_len, sizeof(der)) == -1)
return -1;
@@ -925,7 +922,7 @@ fail:
static int pkey_export(int argc, char *argv[])
{
- char usage[] = "Usage: export [-k keyname] [-r | -K kekekfile] [-o outfile]";
+ char usage[] = "Usage: export [-k keyname] <-r | -K kekekfile> [-o outfile]";
hal_pkey_handle_t kekek_handle = {HAL_HANDLE_NONE};
char *kekek_fn = NULL;
@@ -987,17 +984,10 @@ done:
uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len;
- if (!raw) {
- if ((err = hal_rpc_pkey_export(key_handle, kekek_handle,
- der, &der_len, sizeof(der),
- kek, &kek_len, sizeof(kek))) != HAL_OK)
- lose("Error exporting private key: %s\n", hal_error_string(err));
- }
- else {
- if ((err = hal_rpc_pkey_export_raw(key_handle,
- der, &der_len, sizeof(der))) != HAL_OK)
- lose("Error exporting private key: %s\n", hal_error_string(err));
- }
+ if ((err = hal_rpc_pkey_export(key_handle, kekek_handle,
+ der, &der_len, sizeof(der),
+ kek, &kek_len, sizeof(kek))) != HAL_OK)
+ lose("Error exporting private key: %s\n", hal_error_string(err));
char fn[strlen(out_fn) + 5];
strcpy(fn, out_fn); strcat(fn, ".der");
@@ -1078,40 +1068,28 @@ done:
goto fail;
{
+ uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
+ uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len = 0;
+
hal_error_t err;
char fn[strlen(in_fn) + 5];
strcpy(fn, in_fn); strcat(fn, ".der");
- size_t der_len = file_size(fn);
- if (der_len == SIZE_MAX)
- goto fail;
- uint8_t der[der_len];
if (file_read(fn, der, &der_len, sizeof(der)) != 0)
goto fail;
if (!raw) {
strcpy(fn, in_fn); strcat(fn, ".kek");
- size_t kek_len = file_size(fn);
- if (kek_len == SIZE_MAX)
- goto fail;
- uint8_t kek[kek_len];
if (file_read(fn, kek, &kek_len, sizeof(kek)) != 0)
goto fail;
-
- if ((err = hal_rpc_pkey_import(client, session,
- &key_handle, &key_uuid,
- kekek_handle,
- der, der_len,
- kek, kek_len,
- flags)) != HAL_OK)
- lose("Error importing private key: %s\n", hal_error_string(err));
}
- else {
- if ((err = hal_rpc_pkey_import_raw(client, session,
- &key_handle, &key_uuid,
- der, der_len,
- flags)) != HAL_OK)
- lose("Error importing private key: %s\n", hal_error_string(err));
- }
+
+ if ((err = hal_rpc_pkey_import(client, session,
+ &key_handle, &key_uuid,
+ kekek_handle,
+ der, der_len,
+ kek, kek_len,
+ flags)) != HAL_OK)
+ lose("Error importing private key: %s\n", hal_error_string(err));
char name_str[HAL_UUID_TEXT_SIZE];
if ((err = hal_uuid_format(&key_uuid, name_str, sizeof(name_str))) != HAL_OK)
More information about the Commits
mailing list