Diffstat (limited to 'cryptech_backup')
-rwxr-xr-x | cryptech_backup | 64 |
1 files changed, 24 insertions, 40 deletions
diff --git a/cryptech_backup b/cryptech_backup index 7360a0d..7e465b8 100755 --- a/cryptech_backup +++ b/cryptech_backup @@ -8,22 +8,10 @@ # # Load KEKEK public <---------------- Export KEKEK public # -# { -# "kekek-uuid": "[UUID]", -# "kekek": "[Base64]" -# } -# # hal_rpc_pkey_load() # hal_rpc_pkey_export() # -# Export PKCS #8 and KEK ----------> Load PKCS #8 and KEK, import key: -# -# { -# "kekek-uuid": "[UUID]", -# "pkey": "[Base64]", -# "kek": "[Base64]" -# } -# +# Export PKCS #8 and KEK ----------> Load PKCS #8 and KEK, import key # # hal_rpc_pkey_import() @@ -125,10 +113,11 @@ def cmd_setup(args, hsm): elif not args.new: uuids.extend(hsm.pkey_match( type = HAL_KEY_TYPE_RSA_PRIVATE, + mask = HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT | HAL_KEY_FLAG_TOKEN, flags = HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT | HAL_KEY_FLAG_TOKEN)) for uuid in uuids: - with hsm.pkey_open(uuid, HAL_KEY_FLAG_TOKEN) as kekek: + with hsm.pkey_open(uuid) as kekek: if kekek.key_type != HAL_KEY_TYPE_RSA_PRIVATE: sys.stderr.write("Key {} is not an RSA private key\n".format(uuid)) elif (kekek.key_flags & HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT) == 0: 
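Review bot: In the cmd_setup hunk, `with hsm.pkey_open(uuid) as kekek:` no longer passes HAL_KEY_FLAG_TOKEN, and the checks visible after it test only the key type and the key-encipherment usage bit. A UUID supplied by the operator, rather than found through the masked `pkey_match`, therefore appears able to name a volatile key and still be accepted as the KEKEK, which would leave backups wrapped under a key that does not survive a restart. Whether the old flag argument actually enforced this is not visible here, so treat it as something to confirm. If token residency is a requirement, make it explicit with a branch such as `elif (kekek.key_flags & HAL_KEY_FLAG_TOKEN) == 0:` that writes `"Key {} is not a token key\n".format(uuid)` to stderr. The if/elif chain continues past the end of the hunk, and the same question applies to the cmd_import hunk, where the UUID comes from `db["kekek_uuid"]` in the input file.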
@@ -179,31 +168,26 @@ def cmd_export(args, hsm): kekek = hsm.pkey_load(der = b64join(db["kekek_pubkey"]), flags = HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT) - # What we *should* do here is a single .pkey_match() loop - # matching exactly the keys we want, but the current semantics - # of .pkey_match() are a bit confused. While that yak is - # waiting for its shave, we do this the dumb way by iterating - # over all keys then skipping the ones we don't want. - - for flags in (0, HAL_KEY_FLAG_TOKEN): - for uuid in hsm.pkey_match(flags = flags): - with hsm.pkey_open(uuid, flags) as pkey: - if (pkey.key_flags & HAL_KEY_FLAG_EXPORTABLE) == 0: - continue - if pkey.key_type in (HAL_KEY_TYPE_RSA_PRIVATE, HAL_KEY_TYPE_EC_PRIVATE): - pkcs8, kek = kekek.export_pkey(pkey) - result.append(dict( - comment = "Encrypted private key", - pkcs8 = b64(pkcs8), - kek = b64(kek), - uuid = str(pkey.uuid), - flags = pkey.key_flags)) - elif pkey.key_type in (HAL_KEY_TYPE_RSA_PUBLIC, HAL_KEY_TYPE_EC_PUBLIC): - result.append(dict( - comment = "Public key", - spki = b64(pkey.public_key), - uuid = str(pkey.uuid), - flags = pkey.key_flags)) + for uuid in hsm.pkey_match(mask = HAL_KEY_FLAG_EXPORTABLE, + flags = HAL_KEY_FLAG_EXPORTABLE): + with hsm.pkey_open(uuid) as pkey: + + if pkey.key_type in (HAL_KEY_TYPE_RSA_PRIVATE, HAL_KEY_TYPE_EC_PRIVATE): + pkcs8, kek = kekek.export_pkey(pkey) + result.append(dict( + comment = "Encrypted private key", + pkcs8 = b64(pkcs8), + kek = b64(kek), + uuid = str(pkey.uuid), + flags = pkey.key_flags)) + + elif pkey.key_type in (HAL_KEY_TYPE_RSA_PUBLIC, HAL_KEY_TYPE_EC_PUBLIC): + result.append(dict( + comment = "Public key", + spki = b64(pkey.public_key), + uuid = str(pkey.uuid), + flags = pkey.key_flags)) + finally: if kekek is not None: kekek.delete() 
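Review bot: An exportable key whose type is none of the four handled in the `if`/`elif` inside the new `pkey_match` loop falls through without leaving any trace, so the operator cannot tell from the output that the backup is incomplete. Adding `else:` followed by `sys.stderr.write("Skipping key {}: unsupported key type\n".format(pkey.uuid))` would surface the gap in the same style cmd_setup already uses for its diagnostics. The removed comment was the only explanation of the matching strategy, so a one-line replacement above the loop would help, for example `# mask selects the flag bits to compare, flags gives their required values`, assuming that is how `pkey_match` treats the pair. The enclosing `try` starts outside the hunk.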
@@ -222,7 +206,7 @@ def cmd_import(args, hsm): """ db = json.load(args.input) - with hsm.pkey_open(uuid.UUID(db["kekek_uuid"]).bytes, HAL_KEY_FLAG_TOKEN) as kekek: + with hsm.pkey_open(uuid.UUID(db["kekek_uuid"]).bytes) as kekek: for k in db["keys"]: pkcs8 = b64join(k.get("pkcs8", "")) spki = b64join(k.get("spki", "")) |