aboutsummaryrefslogtreecommitdiff
path: root/cryptech
diff options
context:
space:
mode:
authorPaul Selkirk <paul@psgd.org>2019-11-06 14:34:00 -0500
committerPaul Selkirk <paul@psgd.org>2019-11-06 14:34:00 -0500
commit323bc8ade3eae73174961bbf604257a1b099fe55 (patch)
tree1559cea03677438ca9a7cb0313b65aa0cfb8f7b5 /cryptech
parent9e6edd6082cc8d501e2b062983ed58b01ef677d7 (diff)
Export/import "raw" keys for external storage.
Exported keys are wrapped with the MKM KEK, not a transit KEK, and can only be imported back to the same HSM. The idea is to support operators who have more keys than will fit on the HSM, so they will cycle keys into and out of the HSM as needed. NOTE that hashsig is, as always, special. The hashsig key has an internal index that is updated on every signature. To prevent a hashsig key from being re-imported with an old index (which would compromise the security of the key), the hashsig key is disabled on export, and must be deleted from the HSM before being re-imported.
Diffstat (limited to 'cryptech')
-rw-r--r--cryptech/libhal.py20
1 files changed, 20 insertions, 0 deletions
diff --git a/cryptech/libhal.py b/cryptech/libhal.py
index 647dbd6..1899102 100644
--- a/cryptech/libhal.py
+++ b/cryptech/libhal.py
@@ -191,6 +191,8 @@ RPCFunc.define('''
RPC_FUNC_PKEY_EXPORT,
RPC_FUNC_PKEY_IMPORT,
RPC_FUNC_PKEY_GENERATE_HASHSIG,
+ RPC_FUNC_PKEY_EXPORT_RAW,
+ RPC_FUNC_PKEY_IMPORT_RAW,
''')
class HALDigestAlgorithm(Enum): pass
@@ -434,6 +436,12 @@ class PKey(Handle):
def import_pkey(self, pkcs8, kek, flags = 0):
return self.hsm.pkey_import(kekek = self, pkcs8 = pkcs8, kek = kek, flags = flags)
+ def export_raw_pkey(self, pkey):
+ return self.hsm.pkey_export_raw(pkey = pkey, der_max = 5480)
+
+ def import_raw_pkey(self, der, flags = 0):
+ return self.hsm.pkey_import_raw(der = der, flags = flags)
+
class ContextManagedUnpacker(xdrlib.Unpacker):
def __enter__(self):
@@ -710,3 +718,15 @@ class HSM(object):
pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes()))
logger.debug("Imported pkey %s", pkey.uuid)
return pkey
+
+ def pkey_export_raw(self, pkey, der_max = 2560):
+ with self.rpc(RPC_FUNC_PKEY_EXPORT_RAW, pkey, der_max) as r:
+ der = r.unpack_bytes(), r.unpack_bytes()
+ logger.debug("Exported raw pkey %s", pkey.uuid)
+ return der
+
+ def pkey_import_raw(self, der, flags = 0, client = 0, session = 0):
+ with self.rpc(RPC_FUNC_PKEY_IMPORT_RAW, session, der, flags, client = client) as r:
+ pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes()))
+ logger.debug("Imported raw pkey %s", pkey.uuid)
+ return pkey