[Open Crypto Project] #58: Fix libhal pkey "mixed mode"

[Open Crypto Project]

#58: Fix libhal pkey "mixed mode"
----------------------+----------------------------------------
 Reporter:  sra       |       Owner:  randy
     Type:  defect    |      Status:  new
 Priority:  critical  |   Milestone:  Alpha board DNSSEC signer
Component:  HAL       |     Version:
 Keywords:            |  Blocked By:
 Blocking:            |
----------------------+----------------------------------------
 Paul sort-of-broke "mixed mode" in the libhal RPC code, except that the
 reason he did it was that it was already kind of broken and was in his way
 for other needed work.

 Underlying problem (from memory) was that even local (client-side) pkeys
 had a dependency on AES-keywrap, which in turn has a dependency on the
 (HSM-only) AES core.

 Possible fixes for the underlying problem:

 1. Add a software AES core for the client-side case;

 2. Don't try to wrap private keys stored in memory on client side; or

 3. Don't allow client-side private keys at all.

 I'm currently leaning towards (3), as client-side private keys are a dumb
 idea in any case.  We currently support them because PKCS !#11 does, but
 this may be a case where we should decline to supply the user with as much
 rope as PKCS !#11 does.

--
Ticket URL: <https://trac.cryptech.is/ticket/58>
Open Crypto Project <https://wiki.cryptech.is/>