authorRob Austein <sra@hactrn.net>2017-04-05 23:59:53 -0400
committerRob Austein <sra@hactrn.net>2017-04-05 23:59:53 -0400
commitfb4933fd6e42a661603b3249e3a0f95b003303b6 (patch)
tree8a1129086fabfd7952785e82195a1f4c5bfd36fd /rpc_client.c
parent34d240a491d0a5ccf2b9bf0f6cda8109d05f72ce (diff)
First cut at key backup code. Not tested yet.
Still missing Python script to drive backup process, and need to do something about setting the EXPORTABLE key flag for this to be useful.
Diffstat (limited to 'rpc_client.c')
-rw-r--r--rpc_client.c81
1 files changed, 78 insertions, 3 deletions
diff --git a/rpc_client.c b/rpc_client.c
index 4adf247..5729b6f 100644
--- a/rpc_client.c
+++ b/rpc_client.c
@@ -915,6 +915,78 @@ static hal_error_t pkey_remote_get_attributes(const hal_pkey_handle_t pkey,
return rpc_ret;
}
+static hal_error_t pkey_remote_export(const hal_pkey_handle_t pkey,
+ const hal_pkey_handle_t kekek,
+ uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
+ uint8_t *kek, size_t *kek_len, const size_t kek_max)
+{
+ uint8_t outbuf[nargs(6)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
+ uint8_t inbuf[nargs(5) + pad(pkcs8_max) + pad(kek_max)];
+ const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
+ hal_client_handle_t dummy_client = {0};
+ hal_error_t rpc_ret;
+
+ check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_EXPORT));
+ check(hal_xdr_encode_int(&optr, olimit, dummy_client.handle));
+ check(hal_xdr_encode_int(&optr, olimit, pkey.handle));
+ check(hal_xdr_encode_int(&optr, olimit, kekek.handle));
+ check(hal_xdr_encode_int(&optr, olimit, pkcs8_max));
+ check(hal_xdr_encode_int(&optr, olimit, kek_max));
+ check(hal_rpc_send(outbuf, optr - outbuf));
+
+ check(read_matching_packet(RPC_FUNC_PKEY_EXPORT, inbuf, sizeof(inbuf), &iptr, &ilimit));
+
+ check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
+ if (rpc_ret == HAL_OK) {
+ uint32_t len;
+ len = pkcs8_max;
+ check(hal_xdr_decode_buffer(&iptr, ilimit, pkcs8, &len));
+ *pkcs8_len = (size_t) len;
+ len = kek_max;
+ check(hal_xdr_decode_buffer(&iptr, ilimit, kek, &len));
+ *kek_len = (size_t) len;
+ }
+ return rpc_ret;
+}
+
+static hal_error_t pkey_remote_import(const hal_client_handle_t client,
+ const hal_session_handle_t session,
+ hal_pkey_handle_t *pkey,
+ hal_uuid_t *name,
+ const hal_pkey_handle_t kekek,
+ const uint8_t * const pkcs8, const size_t pkcs8_len,
+ const uint8_t * const kek, const size_t kek_len,
+ const hal_key_flags_t flags)
+{
+ uint8_t outbuf[nargs(7) + pad(pkcs8_len) + pad(kek_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
+ uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
+ const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
+ uint32_t name_len = sizeof(name->uuid);
+ hal_error_t rpc_ret;
+
+ check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_IMPORT));
+ check(hal_xdr_encode_int(&optr, olimit, client.handle));
+ check(hal_xdr_encode_int(&optr, olimit, session.handle));
+ check(hal_xdr_encode_int(&optr, olimit, kekek.handle));
+ check(hal_xdr_encode_buffer(&optr, olimit, pkcs8, pkcs8_len));
+ check(hal_xdr_encode_buffer(&optr, olimit, kek, kek_len));
+ check(hal_xdr_encode_int(&optr, olimit, flags));
+ check(hal_rpc_send(outbuf, optr - outbuf));
+
+ check(read_matching_packet(RPC_FUNC_PKEY_IMPORT, inbuf, sizeof(inbuf), &iptr, &ilimit));
+
+ check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
+
+ if (rpc_ret == HAL_OK) {
+ check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
+ check(hal_xdr_decode_buffer(&iptr, ilimit, name->uuid, &name_len));
+ if (name_len != sizeof(name->uuid))
+ return HAL_ERROR_KEY_NAME_TOO_LONG;
+ }
+
+ return rpc_ret;
+}
+
#if RPC_CLIENT == RPC_CLIENT_MIXED
/*
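Review bot: pkey_remote_export sizes the stack VLA `inbuf` from the caller-supplied `pkcs8_max` and `kek_max`, and pkey_remote_import sizes `outbuf` from `pkcs8_len` and `kek_len`, with no upper bound, so a large wrapped-key blob lands on the stack before any check runs; the same `size_t` values are also narrowed to `uint32_t` at `len = pkcs8_max;` and in the `hal_xdr_encode_int()` calls, where a value above `UINT32_MAX` would wrap silently on a 64-bit host. If the rest of the file already accepts caller-sized VLAs for signature and attribute buffers this is at least consistent, but an explicit guard at the top of each function, `if (pkcs8_max > UINT32_MAX || kek_max > UINT32_MAX) return HAL_ERROR_BAD_ARGUMENTS;` (and the `_len` equivalent in import), would make the narrowing deliberate, and the project's stack budget should decide whether a tighter limit belongs there. A smaller point in import: `pkey->handle` has already been decoded into the caller's struct when the `name_len` check returns `HAL_ERROR_KEY_NAME_TOO_LONG`, so a caller that treats that error as fatal still holds an open remote key; a one-line comment on that `return` noting that the handle is valid and should be closed would help. Neither new function has a header comment; a short one on each stating that the buffer sizes are caller-controlled and that `*pkcs8_len`/`*kek_len` are only written when the RPC returns `HAL_OK` would document the contract the code actually implements.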
@@ -1043,7 +1115,9 @@ const hal_rpc_pkey_dispatch_t hal_rpc_remote_pkey_dispatch = {
.verify = pkey_remote_verify,
.match = pkey_remote_match,
.set_attributes = pkey_remote_set_attributes,
- .get_attributes = pkey_remote_get_attributes
+ .get_attributes = pkey_remote_get_attributes,
+ .export = pkey_remote_export,
+ .import = pkey_remote_import
};
#if RPC_CLIENT == RPC_CLIENT_MIXED
@@ -1063,7 +1137,9 @@ const hal_rpc_pkey_dispatch_t hal_rpc_mixed_pkey_dispatch = {
.verify = pkey_mixed_verify,
.match = pkey_remote_match,
.set_attributes = pkey_remote_set_attributes,
- .get_attributes = pkey_remote_get_attributes
+ .get_attributes = pkey_remote_get_attributes,
+ .export = pkey_remote_export,
+ .import = pkey_remote_import
};
#endif /* RPC_CLIENT == RPC_CLIENT_MIXED */
@@ -1100,7 +1176,6 @@ hal_error_t hal_rpc_client_close(void)
#endif
}
-
/*
* Local variables:
* indent-tabs-mode: nil