From 4fd9d1186efed0de8e3ae1d1e2fa5a0e5c46c2fb Mon Sep 17 00:00:00 2001
From: Paul Selkirk <paul@psgd.org>
Date: Mon, 2 Dec 2019 15:38:58 -0500
Subject: After some thought, I'd rather make raw export/import a sub-function
 of key export/import (kekek = none, kek_len = 0), rather than separate RPCs.

---
 cryptech/libhal.py |  20 -----
 hal.h              |  10 ---
 hal_internal.h     |  12 ---
 rpc_api.c          |  26 +------
 rpc_client.c       |  66 +----------------
 rpc_pkey.c         | 213 +++++++++++++++++++++++++++--------------------------
 rpc_server.c       |  60 ---------------
 utils/pkey.c       |  58 +++++----------
 8 files changed, 134 insertions(+), 331 deletions(-)

diff --git a/cryptech/libhal.py b/cryptech/libhal.py
index 1899102..647dbd6 100644
--- a/cryptech/libhal.py
+++ b/cryptech/libhal.py
@@ -191,8 +191,6 @@ RPCFunc.define('''
     RPC_FUNC_PKEY_EXPORT,
     RPC_FUNC_PKEY_IMPORT,
     RPC_FUNC_PKEY_GENERATE_HASHSIG,
-    RPC_FUNC_PKEY_EXPORT_RAW,
-    RPC_FUNC_PKEY_IMPORT_RAW,
 ''')
 
 class HALDigestAlgorithm(Enum): pass
@@ -436,12 +434,6 @@ class PKey(Handle):
     def import_pkey(self, pkcs8, kek, flags = 0):
         return self.hsm.pkey_import(kekek = self, pkcs8 = pkcs8, kek = kek, flags = flags)
 
-    def export_raw_pkey(self, pkey):
-        return self.hsm.pkey_export_raw(pkey = pkey, der_max = 5480)
-
-    def import_raw_pkey(self, der, flags = 0):
-        return self.hsm.pkey_import_raw(der = der, flags = flags)
-
 class ContextManagedUnpacker(xdrlib.Unpacker):
 
     def __enter__(self):
@@ -718,15 +710,3 @@ class HSM(object):
             pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes()))
             logger.debug("Imported pkey %s", pkey.uuid)
             return pkey
-
-    def pkey_export_raw(self, pkey, der_max = 2560):
-        with self.rpc(RPC_FUNC_PKEY_EXPORT_RAW, pkey, der_max) as r:
-            der = r.unpack_bytes(), r.unpack_bytes()
-            logger.debug("Exported raw pkey %s", pkey.uuid)
-            return der
-
-    def pkey_import_raw(self, der, flags = 0, client = 0, session = 0):
-        with self.rpc(RPC_FUNC_PKEY_IMPORT_RAW, session, der, flags, client = client) as r:
-            pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes()))
-            logger.debug("Imported raw pkey %s", pkey.uuid)
-            return pkey
diff --git a/hal.h b/hal.h
index 1a08690..e2cb3ac 100644
--- a/hal.h
+++ b/hal.h
@@ -893,9 +893,6 @@ extern hal_error_t hal_rpc_pkey_export(const hal_pkey_handle_t pkey,
                                        uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
                                        uint8_t *kek,   size_t *kek_len,   const size_t kek_max);
 
-extern hal_error_t hal_rpc_pkey_export_raw(const hal_pkey_handle_t pkey,
-                                           uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max);
-
 extern hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client,
                                        const hal_session_handle_t session,
                                        hal_pkey_handle_t *pkey,
@@ -905,13 +902,6 @@ extern hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client,
                                        const uint8_t * const kek,   const size_t kek_len,
                                        const hal_key_flags_t flags);
 
-extern hal_error_t hal_rpc_pkey_import_raw(const hal_client_handle_t client,
-                                           const hal_session_handle_t session,
-                                           hal_pkey_handle_t *pkey,
-                                           hal_uuid_t *name,
-                                           const uint8_t * const pkcs8, const size_t pkcs8_len,
-                                           const hal_key_flags_t flags);
-
 extern hal_error_t hal_rpc_client_init(void);
 
 extern hal_error_t hal_rpc_client_close(void);
diff --git a/hal_internal.h b/hal_internal.h
index 1885595..1297b98 100644
--- a/hal_internal.h
+++ b/hal_internal.h
@@ -380,16 +380,6 @@ typedef struct {
                         const uint8_t * const kek, const size_t kek_len,
                         const hal_key_flags_t flags);
 
-  hal_error_t (*export_raw)(const hal_pkey_handle_t pkey_handle,
-                            uint8_t *der, size_t *der_len, const size_t der_max);
-
-  hal_error_t (*import_raw)(const hal_client_handle_t client,
-                            const hal_session_handle_t session,
-                            hal_pkey_handle_t *pkey,
-                            hal_uuid_t *name,
-                            const uint8_t * const der, const size_t der_len,
-                            const hal_key_flags_t flags);
-
 } hal_rpc_pkey_dispatch_t;
 
 
@@ -672,8 +662,6 @@ typedef enum {
     RPC_FUNC_PKEY_EXPORT,
     RPC_FUNC_PKEY_IMPORT,
     RPC_FUNC_PKEY_GENERATE_HASHSIG,
-    RPC_FUNC_PKEY_EXPORT_RAW,
-    RPC_FUNC_PKEY_IMPORT_RAW,
 } rpc_func_num_t;
 
 #define RPC_VERSION 0x01010200          /* 1.1.2.0 */
diff --git a/rpc_api.c b/rpc_api.c
index 155cb30..5f32a22 100644
--- a/rpc_api.c
+++ b/rpc_api.c
@@ -413,7 +413,8 @@ hal_error_t hal_rpc_pkey_export(const hal_pkey_handle_t pkey,
                                 uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
                                 uint8_t *kek,   size_t *kek_len,   const size_t kek_max)
 {
-  if (pkcs8 == NULL || pkcs8_len == NULL || kek == NULL || kek_len == NULL || kek_max <= KEK_LENGTH)
+  if (pkcs8 == NULL || pkcs8_len == NULL ||
+      (kekek.handle != HAL_HANDLE_NONE && (kek == NULL || kek_len == NULL || kek_max <= KEK_LENGTH)))
     return HAL_ERROR_BAD_ARGUMENTS;
   return hal_rpc_pkey_dispatch->export(pkey, kekek, pkcs8, pkcs8_len, pkcs8_max, kek, kek_len, kek_max);
 }
@@ -427,31 +428,12 @@ hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client,
                                 const uint8_t * const kek,   const size_t kek_len,
                                 const hal_key_flags_t flags)
 {
-  if (pkey == NULL || name == NULL || pkcs8 == NULL || kek == NULL || kek_len <= 2)
+  if (pkey == NULL || name == NULL || pkcs8 == NULL ||
+      (kekek.handle != HAL_HANDLE_NONE && (kek == NULL || kek_len <= 2)))
     return HAL_ERROR_BAD_ARGUMENTS;
   return hal_rpc_pkey_dispatch->import(client, session, pkey, name, kekek, pkcs8, pkcs8_len, kek, kek_len, flags);
 }
 
-hal_error_t hal_rpc_pkey_export_raw(const hal_pkey_handle_t pkey,
-                                    uint8_t *der, size_t *der_len, const size_t der_max)
-{
-  if (der == NULL || der_len == NULL)
-    return HAL_ERROR_BAD_ARGUMENTS;
-  return hal_rpc_pkey_dispatch->export_raw(pkey, der, der_len, der_max);
-}
-
-hal_error_t hal_rpc_pkey_import_raw(const hal_client_handle_t client,
-                                    const hal_session_handle_t session,
-                                    hal_pkey_handle_t *pkey,
-                                    hal_uuid_t *name,
-                                    const uint8_t * const der, const size_t der_len,
-                                    const hal_key_flags_t flags)
-{
-  if (pkey == NULL || name == NULL || der == NULL)
-    return HAL_ERROR_BAD_ARGUMENTS;
-  return hal_rpc_pkey_dispatch->import_raw(client, session, pkey, name, der, der_len, flags);
-}
-
 /*
  * Local variables:
  * indent-tabs-mode: nil
diff --git a/rpc_client.c b/rpc_client.c
index face70f..c9ac9b7 100644
--- a/rpc_client.c
+++ b/rpc_client.c
@@ -1018,64 +1018,6 @@ static hal_error_t pkey_remote_import(const hal_client_handle_t client,
   return rpc_ret;
 }
 
-static hal_error_t pkey_remote_export_raw(const hal_pkey_handle_t pkey,
-                                          uint8_t *der, size_t *der_len, const size_t der_max)
-{
-  uint8_t outbuf[nargs(4)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
-  uint8_t inbuf[nargs(3) + pad(der_max)];
-  const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
-  hal_client_handle_t dummy_client = {0};
-  hal_error_t rpc_ret;
-
-  check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_EXPORT_RAW));
-  check(hal_xdr_encode_int(&optr, olimit, dummy_client.handle));
-  check(hal_xdr_encode_int(&optr, olimit, pkey.handle));
-  check(hal_xdr_encode_int(&optr, olimit, der_max));
-  check(hal_rpc_send(outbuf, optr - outbuf));
-
-  check(read_matching_packet(RPC_FUNC_PKEY_EXPORT_RAW, inbuf, sizeof(inbuf), &iptr, &ilimit));
-
-  check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
-  if (rpc_ret == HAL_OK) {
-    check(hal_xdr_decode_variable_opaque(&iptr, ilimit, der, der_len, der_max));
-  }
-  return rpc_ret;
-}
-
-static hal_error_t pkey_remote_import_raw(const hal_client_handle_t client,
-                                          const hal_session_handle_t session,
-                                          hal_pkey_handle_t *pkey,
-                                          hal_uuid_t *name,
-                                          const uint8_t * const der, const size_t der_len,
-                                          const hal_key_flags_t flags)
-{
-  uint8_t outbuf[nargs(5) + pad(der_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
-  uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
-  const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
-  size_t name_len;
-  hal_error_t rpc_ret;
-
-  check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_IMPORT_RAW));
-  check(hal_xdr_encode_int(&optr, olimit, client.handle));
-  check(hal_xdr_encode_int(&optr, olimit, session.handle));
-  check(hal_xdr_encode_variable_opaque(&optr, olimit, der, der_len));
-  check(hal_xdr_encode_int(&optr, olimit, flags));
-  check(hal_rpc_send(outbuf, optr - outbuf));
-
-  check(read_matching_packet(RPC_FUNC_PKEY_IMPORT_RAW, inbuf, sizeof(inbuf), &iptr, &ilimit));
-
-  check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
-
-  if (rpc_ret == HAL_OK) {
-    check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
-    check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid)));
-    if (name_len != sizeof(name->uuid))
-      return HAL_ERROR_KEY_NAME_TOO_LONG;
-  }
-
-  return rpc_ret;
-}
-
 #if RPC_CLIENT == RPC_CLIENT_MIXED
 
 /*
@@ -1207,9 +1149,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_remote_pkey_dispatch = {
   .set_attributes               = pkey_remote_set_attributes,
   .get_attributes               = pkey_remote_get_attributes,
   .export                       = pkey_remote_export,
-  .import                       = pkey_remote_import,
-  .export_raw                   = pkey_remote_export_raw,
-  .import_raw                   = pkey_remote_import_raw
+  .import                       = pkey_remote_import
 };
 
 #if RPC_CLIENT == RPC_CLIENT_MIXED
@@ -1232,9 +1172,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_mixed_pkey_dispatch = {
   .set_attributes               = pkey_remote_set_attributes,
   .get_attributes               = pkey_remote_get_attributes,
   .export                       = pkey_remote_export,
-  .import                       = pkey_remote_import,
-  .export_raw                   = pkey_remote_export_raw,
-  .import_raw                   = pkey_remote_import_raw
+  .import                       = pkey_remote_import
 };
 #endif /* RPC_CLIENT == RPC_CLIENT_MIXED */
 
diff --git a/rpc_pkey.c b/rpc_pkey.c
index 67732ad..3f2b5f5 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -1287,11 +1287,70 @@ static hal_error_t pkey_local_get_attributes(const hal_pkey_handle_t pkey,
                                attributes_buffer, attributes_buffer_len);
 }
 
+static hal_error_t pkey_local_export_raw(const hal_pkey_handle_t pkey_handle,
+                                         uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max)
+{
+  hal_assert(pkcs8 != NULL && pkcs8_len != NULL);
+
+  uint8_t kek[KEK_LENGTH];
+  size_t kek_len;
+  hal_error_t err;
+  size_t len;
+
+  hal_pkey_slot_t * const pkey = find_handle(pkey_handle);
+
+  if (pkey == NULL)
+    return HAL_ERROR_KEY_NOT_FOUND;
+
+  if ((pkey->flags & HAL_KEY_FLAG_EXPORTABLE) == 0)
+    return HAL_ERROR_FORBIDDEN;
+
+  if (pkcs8_max < HAL_KS_WRAPPED_KEYSIZE)
+    return HAL_ERROR_RESULT_TOO_LONG;
+
+  if ((err = ks_fetch_from_flags(pkey, pkcs8, &len, pkcs8_max)) != HAL_OK)
+    goto fail;
+
+  /* if hashsig, update internal parameters and disable further use */
+  if (pkey->type == HAL_KEY_TYPE_HASHSIG_PRIVATE) {
+    if ((err = hal_hashsig_export_raw(&pkey->name, pkcs8, &len, pkcs8_max)) != HAL_OK)
+      goto fail;
+    pkey->flags &= ~HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE;
+  }
+
+  if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
+    goto fail;
+
+  *pkcs8_len = pkcs8_max;
+  if ((err = hal_aes_keywrap(NULL, kek, KEK_LENGTH, pkcs8, len, pkcs8, pkcs8_len)) != HAL_OK)
+    goto fail;
+
+  if ((err = hal_asn1_encode_pkcs8_encryptedprivatekeyinfo(hal_asn1_oid_aesKeyWrap,
+                                                           hal_asn1_oid_aesKeyWrap_len,
+                                                           pkcs8, *pkcs8_len,
+                                                           pkcs8, pkcs8_len, pkcs8_max)) != HAL_OK)
+    goto fail;
+
+  return HAL_OK;
+
+ fail:
+  memset(pkcs8, 0, pkcs8_max);
+  memset(kek, 0, sizeof(kek));
+  *pkcs8_len = 0;
+  return err;
+}
+
 static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle,
                                      const hal_pkey_handle_t kekek_handle,
                                      uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
                                      uint8_t *kek,   size_t *kek_len,   const size_t kek_max)
 {
+  if (kekek_handle.handle == HAL_HANDLE_NONE) {
+    if (kek_len != NULL)
+      *kek_len = 0;
+    return pkey_local_export_raw(pkey_handle, pkcs8, pkcs8_len, pkcs8_max);
+  }
+
   hal_assert(pkcs8 != NULL && pkcs8_len != NULL && kek != NULL && kek_len != NULL && kek_max > KEK_LENGTH);
 
   uint8_t rsabuf[hal_rsa_key_t_size];
@@ -1385,6 +1444,53 @@ static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle,
   return err;
 }
 
+static hal_error_t pkey_local_import_raw(const hal_client_handle_t client,
+                                         const hal_session_handle_t session,
+                                         hal_pkey_handle_t *pkey,
+                                         hal_uuid_t *name,
+                                         const uint8_t * const pkcs8, const size_t pkcs8_len,
+                                         const hal_key_flags_t flags)
+{
+  hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL);
+
+  uint8_t kek[KEK_LENGTH], der[HAL_KS_WRAPPED_KEYSIZE];
+  size_t der_len, oid_len, data_len, kek_len;
+  const uint8_t *oid, *data;
+  hal_error_t err;
+
+  if ((err = hal_asn1_decode_pkcs8_encryptedprivatekeyinfo(&oid, &oid_len, &data, &data_len,
+                                                           pkcs8, pkcs8_len)) != HAL_OK)
+    goto fail;
+
+  if (oid_len != hal_asn1_oid_aesKeyWrap_len ||
+      memcmp(oid, hal_asn1_oid_aesKeyWrap, oid_len) != 0 ||
+      data_len > sizeof(der)) {
+    err = HAL_ERROR_ASN1_PARSE_FAILED;
+    goto fail;
+  }
+
+  if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
+    goto fail;
+
+  der_len = sizeof(der);
+  if ((err = hal_aes_keyunwrap(NULL, kek, kek_len, data, data_len, der, &der_len)) != HAL_OK)
+    goto fail;
+
+  hal_key_type_t type;
+  hal_curve_name_t curve;
+  if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) == HAL_OK &&
+      type == HAL_KEY_TYPE_HASHSIG_PRIVATE &&
+      (err = hal_hashsig_import(der, der_len, flags)) != HAL_OK)
+    goto fail;
+
+  err = hal_rpc_pkey_load(client, session, pkey, name, der, der_len, flags);
+
+ fail:
+  memset(kek, 0, sizeof(kek));
+  memset(der, 0, sizeof(der));
+  return err;
+}
+
 static hal_error_t pkey_local_import(const hal_client_handle_t client,
                                      const hal_session_handle_t session,
                                      hal_pkey_handle_t *pkey,
@@ -1394,6 +1500,9 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
                                      const uint8_t * const kek_,  const size_t kek_len,
                                      const hal_key_flags_t flags)
 {
+  if (kekek_handle.handle == HAL_HANDLE_NONE)
+    return pkey_local_import_raw(client, session, pkey, name, pkcs8, pkcs8_len, flags);
+
   hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL && kek_ != NULL && kek_len > 2);
 
   uint8_t kek[KEK_LENGTH], rsabuf[hal_rsa_key_t_size], der[HAL_KS_WRAPPED_KEYSIZE], *d;
@@ -1474,106 +1583,6 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
   return err;
 }
 
-static hal_error_t pkey_local_export_raw(const hal_pkey_handle_t pkey_handle,
-                                         uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max)
-{
-  hal_assert(pkcs8 != NULL && pkcs8_len != NULL);
-
-  uint8_t kek[KEK_LENGTH];
-  size_t kek_len;
-  hal_error_t err;
-  size_t len;
-
-  hal_pkey_slot_t * const pkey = find_handle(pkey_handle);
-
-  if (pkey == NULL)
-    return HAL_ERROR_KEY_NOT_FOUND;
-
-  if ((pkey->flags & HAL_KEY_FLAG_EXPORTABLE) == 0)
-    return HAL_ERROR_FORBIDDEN;
-
-  if (pkcs8_max < HAL_KS_WRAPPED_KEYSIZE)
-    return HAL_ERROR_RESULT_TOO_LONG;
-
-  if ((err = ks_fetch_from_flags(pkey, pkcs8, &len, pkcs8_max)) != HAL_OK)
-    goto fail;
-
-  /* if hashsig, update internal parameters and disable further use */
-  if (pkey->type == HAL_KEY_TYPE_HASHSIG_PRIVATE) {
-    if ((err = hal_hashsig_export_raw(&pkey->name, pkcs8, &len, pkcs8_max)) != HAL_OK)
-      goto fail;
-    pkey->flags &= ~HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE;
-  }
-
-  if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
-    goto fail;
-
-  *pkcs8_len = pkcs8_max;
-  if ((err = hal_aes_keywrap(NULL, kek, KEK_LENGTH, pkcs8, len, pkcs8, pkcs8_len)) != HAL_OK)
-    goto fail;
-
-  if ((err = hal_asn1_encode_pkcs8_encryptedprivatekeyinfo(hal_asn1_oid_aesKeyWrap,
-                                                           hal_asn1_oid_aesKeyWrap_len,
-                                                           pkcs8, *pkcs8_len,
-                                                           pkcs8, pkcs8_len, pkcs8_max)) != HAL_OK)
-    goto fail;
-
-  return HAL_OK;
-
- fail:
-  memset(pkcs8, 0, pkcs8_max);
-  memset(kek, 0, sizeof(kek));
-  *pkcs8_len = 0;
-  return err;
-}
-
-static hal_error_t pkey_local_import_raw(const hal_client_handle_t client,
-                                         const hal_session_handle_t session,
-                                         hal_pkey_handle_t *pkey,
-                                         hal_uuid_t *name,
-                                         const uint8_t * const pkcs8, const size_t pkcs8_len,
-                                         const hal_key_flags_t flags)
-{
-  hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL);
-
-  uint8_t kek[KEK_LENGTH], der[HAL_KS_WRAPPED_KEYSIZE];
-  size_t der_len, oid_len, data_len, kek_len;
-  const uint8_t *oid, *data;
-  hal_error_t err;
-
-  if ((err = hal_asn1_decode_pkcs8_encryptedprivatekeyinfo(&oid, &oid_len, &data, &data_len,
-                                                           pkcs8, pkcs8_len)) != HAL_OK)
-    goto fail;
-
-  if (oid_len != hal_asn1_oid_aesKeyWrap_len ||
-      memcmp(oid, hal_asn1_oid_aesKeyWrap, oid_len) != 0 ||
-      data_len > sizeof(der)) {
-    err = HAL_ERROR_ASN1_PARSE_FAILED;
-    goto fail;
-  }
-
-  if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK)
-    goto fail;
-
-  der_len = sizeof(der);
-  if ((err = hal_aes_keyunwrap(NULL, kek, kek_len, data, data_len, der, &der_len)) != HAL_OK)
-    goto fail;
-
-  hal_key_type_t type;
-  hal_curve_name_t curve;
-  if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) == HAL_OK &&
-      type == HAL_KEY_TYPE_HASHSIG_PRIVATE &&
-      (err = hal_hashsig_import(der, der_len, flags)) != HAL_OK)
-    goto fail;
-
-  err = hal_rpc_pkey_load(client, session, pkey, name, der, der_len, flags);
-
- fail:
-  memset(kek, 0, sizeof(kek));
-  memset(der, 0, sizeof(der));
-  return err;
-}
-
 const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = {
   .load                 = pkey_local_load,
   .open                 = pkey_local_open,
@@ -1593,9 +1602,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = {
   .set_attributes       = pkey_local_set_attributes,
   .get_attributes       = pkey_local_get_attributes,
   .export               = pkey_local_export,
-  .import               = pkey_local_import,
-  .export_raw           = pkey_local_export_raw,
-  .import_raw           = pkey_local_import_raw
+  .import               = pkey_local_import
 };
 
 /*
diff --git a/rpc_server.c b/rpc_server.c
index aa7e936..9598413 100644
--- a/rpc_server.c
+++ b/rpc_server.c
@@ -776,60 +776,6 @@ static hal_error_t pkey_import(const uint8_t **iptr, const uint8_t * const ilimi
     return err;
 }
 
-static hal_error_t pkey_export_raw(const uint8_t **iptr, const uint8_t * const ilimit,
-                                   uint8_t **optr, const uint8_t * const olimit)
-{
-    hal_client_handle_t client;
-    hal_pkey_handle_t pkey;
-    size_t   der_len;
-    uint32_t der_max;
-    uint8_t *optr_orig = *optr;
-    hal_error_t err;
-
-    check(hal_xdr_decode_int(iptr, ilimit, &client.handle));
-    check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle));
-    check(hal_xdr_decode_int(iptr, ilimit, &der_max));
-
-    if (nargs(1) + pad(der_max) > (uint32_t)(olimit - *optr))
-        return HAL_ERROR_RPC_PACKET_OVERFLOW;
-
-    uint8_t der[der_max];
-
-    check(hal_rpc_pkey_export_raw(pkey, der, &der_len, sizeof(der)));
-
-    if ((err = hal_xdr_encode_variable_opaque(optr, olimit, der, der_len)) != HAL_OK)
-        *optr = optr_orig;
-
-    return err;
-}
-
-static hal_error_t pkey_import_raw(const uint8_t **iptr, const uint8_t * const ilimit,
-                                   uint8_t **optr, const uint8_t * const olimit)
-{
-    hal_client_handle_t client;
-    hal_session_handle_t session;
-    hal_pkey_handle_t pkey;
-    hal_uuid_t name;
-    const uint8_t *der;
-    size_t der_len;
-    uint8_t *optr_orig = *optr;
-    hal_key_flags_t flags;
-    hal_error_t err;
-
-    check(hal_xdr_decode_int(iptr, ilimit, &client.handle));
-    check(hal_xdr_decode_int(iptr, ilimit, &session.handle));
-    check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &der, &der_len));
-    check(hal_xdr_decode_int(iptr, ilimit, &flags));
-
-    check(hal_rpc_pkey_import_raw(client, session, &pkey, &name, der, der_len, flags));
-
-    if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK ||
-        (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK)
-        *optr = optr_orig;
-
-    return err;
-}
-
 
 hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ilen,
                                     uint8_t * const obuf, size_t * const olen)
@@ -944,12 +890,6 @@ hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ile
     case RPC_FUNC_PKEY_IMPORT:
         handler = pkey_import;
         break;
-    case RPC_FUNC_PKEY_EXPORT_RAW:
-        handler = pkey_export_raw;
-        break;
-    case RPC_FUNC_PKEY_IMPORT_RAW:
-        handler = pkey_import_raw;
-        break;
     }
 
     if (handler)
diff --git a/utils/pkey.c b/utils/pkey.c
index efd360d..d1a8b07 100644
--- a/utils/pkey.c
+++ b/utils/pkey.c
@@ -62,7 +62,7 @@
  * list [-t type]
  * sign [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile] [-n iterations]
  * verify [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile]
- * export [-k keyname] [-r (raw) | -K kekekfile] [-o outfile]
+ * export [-k keyname] <-r (raw) | -K kekekfile> [-o outfile]
  * import [-r (raw) | -K kekekfile] [-i infile] [-x (exportable)] [-v (volatile keystore)]
  * delete [-k keyname] ...
  */
@@ -233,10 +233,7 @@ fail:
 
 static int pkey_load(const char * const fn, hal_pkey_handle_t *key_handle)
 {
-    size_t der_len = file_size(fn);
-    if (der_len == SIZE_MAX)
-        return -1;
-    uint8_t der[der_len];
+    uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
     if (file_read(fn, der, &der_len, sizeof(der)) == -1)
         return -1;
 
@@ -925,7 +922,7 @@ fail:
 
 static int pkey_export(int argc, char *argv[])
 {
-    char usage[] = "Usage: export [-k keyname] [-r | -K kekekfile] [-o outfile]";
+    char usage[] = "Usage: export [-k keyname] <-r | -K kekekfile> [-o outfile]";
 
     hal_pkey_handle_t kekek_handle = {HAL_HANDLE_NONE};
     char *kekek_fn = NULL;
@@ -987,17 +984,10 @@ done:
         uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
         uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len;
 
-        if (!raw) {
-            if ((err = hal_rpc_pkey_export(key_handle, kekek_handle,
-                                           der, &der_len, sizeof(der),
-                                           kek, &kek_len, sizeof(kek))) != HAL_OK)
-                lose("Error exporting private key: %s\n", hal_error_string(err));
-        }
-        else {
-            if ((err = hal_rpc_pkey_export_raw(key_handle,
-                                           der, &der_len, sizeof(der))) != HAL_OK)
-                lose("Error exporting private key: %s\n", hal_error_string(err));
-        }
+        if ((err = hal_rpc_pkey_export(key_handle, kekek_handle,
+                                       der, &der_len, sizeof(der),
+                                       kek, &kek_len, sizeof(kek))) != HAL_OK)
+            lose("Error exporting private key: %s\n", hal_error_string(err));
 
         char fn[strlen(out_fn) + 5];
         strcpy(fn, out_fn); strcat(fn, ".der");
@@ -1078,40 +1068,28 @@ done:
         goto fail;
 
     {
+        uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
+        uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len = 0;
+
         hal_error_t err;
         char fn[strlen(in_fn) + 5];
         strcpy(fn, in_fn); strcat(fn, ".der");
-        size_t der_len = file_size(fn);
-        if (der_len == SIZE_MAX)
-            goto fail;
-        uint8_t der[der_len];
         if (file_read(fn, der, &der_len, sizeof(der)) != 0)
             goto fail;
 
         if (!raw) {
             strcpy(fn, in_fn); strcat(fn, ".kek");
-            size_t kek_len = file_size(fn);
-            if (kek_len == SIZE_MAX)
-                goto fail;
-            uint8_t kek[kek_len]; 
             if (file_read(fn, kek, &kek_len, sizeof(kek)) != 0)
                 goto fail;
-
-            if ((err = hal_rpc_pkey_import(client, session,
-                                           &key_handle, &key_uuid,
-                                           kekek_handle,
-                                           der, der_len,
-                                           kek, kek_len,
-                                           flags)) != HAL_OK)
-                lose("Error importing private key: %s\n", hal_error_string(err));
         }
-        else {
-            if ((err = hal_rpc_pkey_import_raw(client, session,
-                                               &key_handle, &key_uuid,
-                                               der, der_len,
-                                               flags)) != HAL_OK)
-                lose("Error importing private key: %s\n", hal_error_string(err));
-        }            
+
+        if ((err = hal_rpc_pkey_import(client, session,
+                                       &key_handle, &key_uuid,
+                                       kekek_handle,
+                                       der, der_len,
+                                       kek, kek_len,
+                                       flags)) != HAL_OK)
+            lose("Error importing private key: %s\n", hal_error_string(err));
 
         char name_str[HAL_UUID_TEXT_SIZE];
         if ((err = hal_uuid_format(&key_uuid, name_str, sizeof(name_str))) != HAL_OK)
-- 
cgit v1.2.3