[Cryptech Tech] export/import of "raw" keys

Paul Selkirk paul at psgd.org
Thu Nov 7 18:55:20 UTC 2019


One additional note, to avoid surprise when you read the code. (Mostly
aimed at Rob, but others might have opinions.)

The initial implementation does not pull the wrapped key out of the
keystore and ship it directly to the caller. Instead, it calls
hal_ks_fetch (which unwraps the key), then it fetches the MKM KEK and
re-wraps the key. On import, it doesn't write the wrapped key directly
into the keystore, but it unwraps the key with the MKM KEK, and calls
hal_rpc_pkey_load, which re-wraps the key before storing it.

While this is inefficient, it means not having to modify the keystore
code (fewer little-used, little-tested code paths), and it isolates the
changes to rpc_pkey.c. Also, on import, we have to determine the key
type (by unwrapping and checking the ASN.1 wrapper), 1) because we need
it for the slot structure and the key block header structure, and 2)
because importing a hashsig key requires rebuilding the hash tree.

It would be possible to export the whole keystore block (or the key
block header + der), but if we ever change the keystore implementation,
it could invalidate not only the keys currently in flash, but any keys
in external storage. Maybe not a big deal? Also, it would expose the key
metadata (key block header) in plaintext. Bigger deal or no big deal?

As it is now, a "raw" exported key has the exact same structure (ASN.1
wrapper) as a "normal" exported key, except that it doesn't come with an
encrypted wrapping key. We could also get that by pulling just the der
from the key block, but we'd still need to unwrap the key on import, for
reasons above.

				paul



More information about the Tech mailing list