diff options
| author | Paul Selkirk <paul@psgd.org> | 2019-11-06 14:34:00 -0500 |
|---|---|---|
| committer | Paul Selkirk <paul@psgd.org> | 2019-11-06 14:34:00 -0500 |
| commit | 323bc8ade3eae73174961bbf604257a1b099fe55 (patch) | |
| tree | 1559cea03677438ca9a7cb0313b65aa0cfb8f7b5 /hashsig.c | |
| parent | 9e6edd6082cc8d501e2b062983ed58b01ef677d7 (diff) | |
Export/import "raw" keys for external storage.
Exported keys are wrapped with the MKM KEK, not a transit KEK, and can
only be imported back to the same HSM.
The idea is to support operators who have more keys than will fit on the
HSM, so they will cycle keys into and out of the HSM as needed.
NOTE that hashsig is, as always, special. The hashsig key has an internal
index that is updated on every signature. To prevent a hashsig key from
being re-imported with an old index (which would compromise the security
of the key), the hashsig key is disabled on export, and must be deleted
from the HSM before being re-imported.
Diffstat (limited to 'hashsig.c')
| -rw-r--r-- | hashsig.c | 35 |
1 files changed, 35 insertions, 0 deletions
@@ -2100,6 +2100,41 @@ err_out: return err; } +hal_error_t hal_hashsig_export_raw(const hal_uuid_t * const name, uint8_t *der, size_t *der_len, const size_t der_max) +{ + hal_error_t err; + hal_hashsig_key_t keybuf, *tmp_key = &keybuf, *hss_key; + + if ((err = hal_hashsig_private_key_from_der(&hss_key, &keybuf, sizeof(keybuf), der, *der_len)) != HAL_OK) + goto err_out; + if (hss_key == tmp_key) { + err = HAL_ERROR_KEY_NOT_FOUND; /* or IMPOSSIBLE? */ + goto err_out; + } + + /* adjust exported q */ + hss_key->q_start = hss_key->lms_keys[0].q; + + /* store updated hss_key + * toggle HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE to disable further use + */ + hal_pkey_slot_t slot = { + .type = HAL_KEY_TYPE_HASHSIG_PRIVATE, + .name = *name, + .flags = HAL_KEY_FLAG_TOKEN | HAL_KEY_FLAG_EXPORTABLE + }; + if ((err = hal_hashsig_private_key_to_der(hss_key, der, der_len, der_max)) != HAL_OK || + (err = hal_ks_rewrite_der(hal_ks_token, &slot, der, *der_len)) != HAL_OK) + goto err_out; + + /* return with updated der */ + +err_out: + memset(&keybuf, 0, sizeof(keybuf)); + hss_key = NULL; + return err; +} + hal_error_t hal_hashsig_import(const uint8_t *der, const size_t der_len, const hal_key_flags_t flags) { |