Clean up and document cryptech_backup.

1 files changed, 78 insertions, 35 deletions

diff --git a/cryptech_backup b/cryptech_backup
index 18441a3..f14f119 100755
--- a/cryptech_backup
+++ b/cryptech_backup
@@ -1,18 +1,38 @@
 #!/usr/bin/env python
 
-#    KEY SOURCE                            KEY BACKUP
+"""
+Securely back up private keys from one Cryptech HSM to another.
+
+This works by having the destination HSM (the one importing keys)
+create an RSA keypair (the "KEKEK"), the public key of which can then
+be imported into the source HSM (the one exporting keys) and used to
+encrypt AES key encryption keys (KEKs) which in turn can be used to
+wrap the private keys being transfered.  Transfers are encoded in
+JSON; the underlying ASN.1 formats are SubjectPublicKeyInfo (KEKEK
+public key) and PKCS #8 EncryptedPrivateKeyInfo (everything else).
+
+NOTE WELL: while this process makes it POSSIBLE to back up keys
+securely, it is not sufficient by itself: the operator MUST make
+sure only to export keys using a KEKEK known to have been generated by
+the target HSM.  See the unit tests in the source repository for
+an example of how to fake this in a few lines of Python.
+
+YOU HAVE BEEN WARNED.  Be careful out there.
+"""
+
+# Diagram of the trivial protocol we're using:
+#
+#    SOURCE HSM                            DESTINATION HSM
 #
 #                                          Generate and export KEKEK:
 #                                               hal_rpc_pkey_generate_rsa()
 #                                               hal_rpc_pkey_get_public_key()
 #
-#   Load KEKEK public   <----------------  Export KEKEK public
-#
-#       hal_rpc_pkey_load()
-#       hal_rpc_pkey_export()
+#   Load KEKEK public        <---------    Export KEKEK public
+#        hal_rpc_pkey_load()
+#        hal_rpc_pkey_export()
 #
 #   Export PKCS #8 and KEK   ---------->   Load PKCS #8 and KEK, import key
-#
 #                                               hal_rpc_pkey_import()
 
 import sys
@@ -27,42 +47,63 @@ from cryptech.libhal import *
 def main():
 
     parser = argparse.ArgumentParser(
-        formatter_class = argparse.ArgumentDefaultsHelpFormatter,
+        formatter_class = argparse.RawDescriptionHelpFormatter,
         description = __doc__)
     subparsers = parser.add_subparsers(
         title = "Commands (use \"--help\" after command name for help with individual commands)",
         metavar = "")
+    setup_parser  = defcmd(subparsers, cmd_setup)
+    export_parser = defcmd(subparsers, cmd_export)
+    import_parser = defcmd(subparsers, cmd_import)
+    setup_mutex_group = setup_parser.add_mutually_exclusive_group()
+
+
     parser.add_argument(
         "-p", "--pin",
-        help = "wheel PIN")
-
-    subparser = defcmd(subparsers, cmd_setup)
-    group = subparser.add_mutually_exclusive_group()
-    group.add_argument(
-        "-n", "--new", action = "store_true",
-        help = "force creation of new KEKEK")
-    group.add_argument(
+        help    = "wheel PIN")
+
+
+    setup_mutex_group.add_argument(
+        "-n", "--new",
+        action  = "store_true",
+        help    = "force creation of new KEKEK")
+
+    setup_mutex_group.add_argument(
         "-u", "--uuid",
-        help = "UUID of existing KEKEK to use")
-    subparser.add_argument(
-        "-k", "--keylen", type = int, default = 2048,
-        help = "length of new KEKEK if we need to create one")
-    subparser.add_argument(
-        "-o", "--output", type = argparse.FileType("w"), default = "-",
-        help = "output file")
-
-    subparser = defcmd(subparsers, cmd_export)
-    subparser.add_argument(
-        "-i", "--input", type = argparse.FileType("r"), default = "-",
-        help = "input file")
-    subparser.add_argument(
-        "-o", "--output", type = argparse.FileType("w"), default = "-",
-        help = "output file")
-
-    subparser = defcmd(subparsers, cmd_import)
-    subparser.add_argument(
-        "-i", "--input", type = argparse.FileType("r"), default = "-",
-        help = "input file")
+        help    = "UUID of existing KEKEK to use")
+
+    setup_parser.add_argument(
+        "-k", "--keylen",
+        type    = int,
+        default = 2048,
+        help    = "length of new KEKEK if we need to create one")
+
+    setup_parser.add_argument(
+        "-o", "--output",
+        type    = argparse.FileType("w"),
+        default = "-",
+        help    = "output file")
+
+
+    export_parser.add_argument(
+        "-i", "--input",
+        type    = argparse.FileType("r"),
+        default = "-",
+        help    = "input file")
+
+    export_parser.add_argument(
+        "-o", "--output",
+        type    = argparse.FileType("w"),
+        default = "-",
+        help    = "output file")
+
+
+    import_parser.add_argument(
+        "-i", "--input",
+        type    = argparse.FileType("r"),
+        default = "-",
+        help    = "input file")
+
 
     args = parser.parse_args()
 
@@ -138,6 +179,7 @@ def cmd_setup(args, hsm):
 
     result.update(comment = "KEKEK public key")
     json.dump(result, args.output, indent = 4, sort_keys = True)
+    args.output.write("\n")
 
 
 def key_flag_names(flags):
@@ -195,6 +237,7 @@ def cmd_export(args, hsm):
     db.update(comment = "Cryptech Alpha encrypted key backup",
               keys    = result)
     json.dump(db, args.output, indent = 4, sort_keys = True)
+    args.output.write("\n")
 
 
 def cmd_import(args, hsm):