From 4fd9d1186efed0de8e3ae1d1e2fa5a0e5c46c2fb Mon Sep 17 00:00:00 2001 From: Paul Selkirk Date: Mon, 2 Dec 2019 15:38:58 -0500 Subject: After some thought, I'd rather make raw export/import a sub-function of key export/import (kekek = none, kek_len = 0), rather than separate RPCs. --- cryptech/libhal.py | 20 ----- hal.h | 10 --- hal_internal.h | 12 --- rpc_api.c | 26 +------ rpc_client.c | 66 +---------------- rpc_pkey.c | 213 +++++++++++++++++++++++++++-------------------------- rpc_server.c | 60 --------------- utils/pkey.c | 58 +++++---------- 8 files changed, 134 insertions(+), 331 deletions(-) diff --git a/cryptech/libhal.py b/cryptech/libhal.py index 1899102..647dbd6 100644 --- a/cryptech/libhal.py +++ b/cryptech/libhal.py @@ -191,8 +191,6 @@ RPCFunc.define(''' RPC_FUNC_PKEY_EXPORT, RPC_FUNC_PKEY_IMPORT, RPC_FUNC_PKEY_GENERATE_HASHSIG, - RPC_FUNC_PKEY_EXPORT_RAW, - RPC_FUNC_PKEY_IMPORT_RAW, ''') class HALDigestAlgorithm(Enum): pass @@ -436,12 +434,6 @@ class PKey(Handle): def import_pkey(self, pkcs8, kek, flags = 0): return self.hsm.pkey_import(kekek = self, pkcs8 = pkcs8, kek = kek, flags = flags) - def export_raw_pkey(self, pkey): - return self.hsm.pkey_export_raw(pkey = pkey, der_max = 5480) - - def import_raw_pkey(self, der, flags = 0): - return self.hsm.pkey_import_raw(der = der, flags = flags) - class ContextManagedUnpacker(xdrlib.Unpacker): def __enter__(self): 
@@ -718,15 +710,3 @@ class HSM(object): pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes())) logger.debug("Imported pkey %s", pkey.uuid) return pkey - - def pkey_export_raw(self, pkey, der_max = 2560): - with self.rpc(RPC_FUNC_PKEY_EXPORT_RAW, pkey, der_max) as r: - der = r.unpack_bytes(), r.unpack_bytes() - logger.debug("Exported raw pkey %s", pkey.uuid) - return der - - def pkey_import_raw(self, der, flags = 0, client = 0, session = 0): - with self.rpc(RPC_FUNC_PKEY_IMPORT_RAW, session, der, flags, client = client) as r: - pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes())) - logger.debug("Imported raw pkey %s", pkey.uuid) - return pkey diff --git a/hal.h b/hal.h index 1a08690..e2cb3ac 100644 --- a/hal.h +++ b/hal.h @@ -893,9 +893,6 @@ extern hal_error_t hal_rpc_pkey_export(const hal_pkey_handle_t pkey, uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max, uint8_t *kek, size_t *kek_len, const size_t kek_max); -extern hal_error_t hal_rpc_pkey_export_raw(const hal_pkey_handle_t pkey, - uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max); - extern hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client, const hal_session_handle_t session, hal_pkey_handle_t *pkey, @@ -905,13 +902,6 @@ extern hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client, const uint8_t * const kek, const size_t kek_len, const hal_key_flags_t flags); -extern hal_error_t hal_rpc_pkey_import_raw(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - hal_uuid_t *name, - const uint8_t * const pkcs8, const size_t pkcs8_len, - const hal_key_flags_t flags); - extern hal_error_t hal_rpc_client_init(void); extern hal_error_t hal_rpc_client_close(void); diff --git a/hal_internal.h b/hal_internal.h index 1885595..1297b98 100644 --- a/hal_internal.h +++ b/hal_internal.h 
@@ -380,16 +380,6 @@ typedef struct { const uint8_t * const kek, const size_t kek_len, const hal_key_flags_t flags); - hal_error_t (*export_raw)(const hal_pkey_handle_t pkey_handle, - uint8_t *der, size_t *der_len, const size_t der_max); - - hal_error_t (*import_raw)(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - hal_uuid_t *name, - const uint8_t * const der, const size_t der_len, - const hal_key_flags_t flags); - } hal_rpc_pkey_dispatch_t; @@ -672,8 +662,6 @@ typedef enum { RPC_FUNC_PKEY_EXPORT, RPC_FUNC_PKEY_IMPORT, RPC_FUNC_PKEY_GENERATE_HASHSIG, - RPC_FUNC_PKEY_EXPORT_RAW, - RPC_FUNC_PKEY_IMPORT_RAW, } rpc_func_num_t; #define RPC_VERSION 0x01010200 /* 1.1.2.0 */ diff --git a/rpc_api.c b/rpc_api.c index 155cb30..5f32a22 100644 --- a/rpc_api.c +++ b/rpc_api.c @@ -413,7 +413,8 @@ hal_error_t hal_rpc_pkey_export(const hal_pkey_handle_t pkey, uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max, uint8_t *kek, size_t *kek_len, const size_t kek_max) { - if (pkcs8 == NULL || pkcs8_len == NULL || kek == NULL || kek_len == NULL || kek_max <= KEK_LENGTH) + if (pkcs8 == NULL || pkcs8_len == NULL || + (kekek.handle != HAL_HANDLE_NONE && (kek == NULL || kek_len == NULL || kek_max <= KEK_LENGTH))) return HAL_ERROR_BAD_ARGUMENTS; return hal_rpc_pkey_dispatch->export(pkey, kekek, pkcs8, pkcs8_len, pkcs8_max, kek, kek_len, kek_max); } 
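Review bot: With `kekek.handle == HAL_HANDLE_NONE` the relaxed check in hal_rpc_pkey_export lets `kek == NULL` and `kek_len == NULL` through to `hal_rpc_pkey_dispatch->export`. pkey_local_export guards `kek_len` before writing it, but pkey_remote_export is not touched by this commit, so if it decodes the KEK field into those pointers unconditionally, the remote and mixed dispatch tables can now dereference NULL. The hal_rpc_pkey_import hunk that follows has the same shape: in raw mode any `kek`/`kek_len` pair is accepted and silently ignored, so a call that supplies a KEK but leaves the kekek handle unset is treated as a raw import. Requiring an empty KEK there would catch it, e.g. `(kekek.handle == HAL_HANDLE_NONE ? kek_len != 0 : (kek == NULL || kek_len <= 2))`, and a comment on both functions should state that HAL_HANDLE_NONE selects wrapping under the HSM's own KEK. The start of each signature lies outside its hunk.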
@@ -427,31 +428,12 @@ hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client, const uint8_t * const kek, const size_t kek_len, const hal_key_flags_t flags) { - if (pkey == NULL || name == NULL || pkcs8 == NULL || kek == NULL || kek_len <= 2) + if (pkey == NULL || name == NULL || pkcs8 == NULL || + (kekek.handle != HAL_HANDLE_NONE && (kek == NULL || kek_len <= 2))) return HAL_ERROR_BAD_ARGUMENTS; return hal_rpc_pkey_dispatch->import(client, session, pkey, name, kekek, pkcs8, pkcs8_len, kek, kek_len, flags); } -hal_error_t hal_rpc_pkey_export_raw(const hal_pkey_handle_t pkey, - uint8_t *der, size_t *der_len, const size_t der_max) -{ - if (der == NULL || der_len == NULL) - return HAL_ERROR_BAD_ARGUMENTS; - return hal_rpc_pkey_dispatch->export_raw(pkey, der, der_len, der_max); -} - -hal_error_t hal_rpc_pkey_import_raw(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - hal_uuid_t *name, - const uint8_t * const der, const size_t der_len, - const hal_key_flags_t flags) -{ - if (pkey == NULL || name == NULL || der == NULL) - return HAL_ERROR_BAD_ARGUMENTS; - return hal_rpc_pkey_dispatch->import_raw(client, session, pkey, name, der, der_len, flags); -} - /* * Local variables: * indent-tabs-mode: nil diff --git a/rpc_client.c b/rpc_client.c index face70f..c9ac9b7 100644 --- a/rpc_client.c +++ b/rpc_client.c 
@@ -1018,64 +1018,6 @@ static hal_error_t pkey_remote_import(const hal_client_handle_t client, return rpc_ret; } -static hal_error_t pkey_remote_export_raw(const hal_pkey_handle_t pkey, - uint8_t *der, size_t *der_len, const size_t der_max) -{ - uint8_t outbuf[nargs(4)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); - uint8_t inbuf[nargs(3) + pad(der_max)]; - const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - hal_client_handle_t dummy_client = {0}; - hal_error_t rpc_ret; - - check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_EXPORT_RAW)); - check(hal_xdr_encode_int(&optr, olimit, dummy_client.handle)); - check(hal_xdr_encode_int(&optr, olimit, pkey.handle)); - check(hal_xdr_encode_int(&optr, olimit, der_max)); - check(hal_rpc_send(outbuf, optr - outbuf)); - - check(read_matching_packet(RPC_FUNC_PKEY_EXPORT_RAW, inbuf, sizeof(inbuf), &iptr, &ilimit)); - - check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); - if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_variable_opaque(&iptr, ilimit, der, der_len, der_max)); - } - return rpc_ret; -} - -static hal_error_t pkey_remote_import_raw(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - hal_uuid_t *name, - const uint8_t * const der, const size_t der_len, - const hal_key_flags_t flags) -{ - uint8_t outbuf[nargs(5) + pad(der_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); - uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))]; - const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); - size_t name_len; - hal_error_t rpc_ret; - - check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_IMPORT_RAW)); - check(hal_xdr_encode_int(&optr, olimit, client.handle)); - check(hal_xdr_encode_int(&optr, olimit, session.handle)); - check(hal_xdr_encode_variable_opaque(&optr, olimit, der, der_len)); - check(hal_xdr_encode_int(&optr, olimit, flags)); - check(hal_rpc_send(outbuf, optr - outbuf)); - - check(read_matching_packet(RPC_FUNC_PKEY_IMPORT_RAW, inbuf, 
sizeof(inbuf), &iptr, &ilimit)); - - check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret)); - - if (rpc_ret == HAL_OK) { - check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle)); - check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid))); - if (name_len != sizeof(name->uuid)) - return HAL_ERROR_KEY_NAME_TOO_LONG; - } - - return rpc_ret; -} - #if RPC_CLIENT == RPC_CLIENT_MIXED /* @@ -1207,9 +1149,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_remote_pkey_dispatch = { .set_attributes = pkey_remote_set_attributes, .get_attributes = pkey_remote_get_attributes, .export = pkey_remote_export, - .import = pkey_remote_import, - .export_raw = pkey_remote_export_raw, - .import_raw = pkey_remote_import_raw + .import = pkey_remote_import }; #if RPC_CLIENT == RPC_CLIENT_MIXED @@ -1232,9 +1172,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_mixed_pkey_dispatch = { .set_attributes = pkey_remote_set_attributes, .get_attributes = pkey_remote_get_attributes, .export = pkey_remote_export, - .import = pkey_remote_import, - .export_raw = pkey_remote_export_raw, - .import_raw = pkey_remote_import_raw + .import = pkey_remote_import }; #endif /* RPC_CLIENT == RPC_CLIENT_MIXED */ diff --git a/rpc_pkey.c b/rpc_pkey.c index 67732ad..3f2b5f5 100644 --- a/rpc_pkey.c +++ b/rpc_pkey.c 
@@ -1287,11 +1287,70 @@ static hal_error_t pkey_local_get_attributes(const hal_pkey_handle_t pkey, attributes_buffer, attributes_buffer_len); } +static hal_error_t pkey_local_export_raw(const hal_pkey_handle_t pkey_handle, + uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max) +{ + hal_assert(pkcs8 != NULL && pkcs8_len != NULL); + + uint8_t kek[KEK_LENGTH]; + size_t kek_len; + hal_error_t err; + size_t len; + + hal_pkey_slot_t * const pkey = find_handle(pkey_handle); + + if (pkey == NULL) + return HAL_ERROR_KEY_NOT_FOUND; + + if ((pkey->flags & HAL_KEY_FLAG_EXPORTABLE) == 0) + return HAL_ERROR_FORBIDDEN; + + if (pkcs8_max < HAL_KS_WRAPPED_KEYSIZE) + return HAL_ERROR_RESULT_TOO_LONG; + + if ((err = ks_fetch_from_flags(pkey, pkcs8, &len, pkcs8_max)) != HAL_OK) + goto fail; + + /* if hashsig, update internal parameters and disable further use */ + if (pkey->type == HAL_KEY_TYPE_HASHSIG_PRIVATE) { + if ((err = hal_hashsig_export_raw(&pkey->name, pkcs8, &len, pkcs8_max)) != HAL_OK) + goto fail; + pkey->flags &= ~HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE; + } + + if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK) + goto fail; + + *pkcs8_len = pkcs8_max; + if ((err = hal_aes_keywrap(NULL, kek, KEK_LENGTH, pkcs8, len, pkcs8, pkcs8_len)) != HAL_OK) + goto fail; + + if ((err = hal_asn1_encode_pkcs8_encryptedprivatekeyinfo(hal_asn1_oid_aesKeyWrap, + hal_asn1_oid_aesKeyWrap_len, + pkcs8, *pkcs8_len, + pkcs8, pkcs8_len, pkcs8_max)) != HAL_OK) + goto fail; + + return HAL_OK; + + fail: + memset(pkcs8, 0, pkcs8_max); + memset(kek, 0, sizeof(kek)); + *pkcs8_len = 0; + return err; +} + static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle, const hal_pkey_handle_t kekek_handle, uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max, uint8_t *kek, size_t *kek_len, const size_t kek_max) { + if (kekek_handle.handle == HAL_HANDLE_NONE) { + if (kek_len != NULL) + *kek_len = 0; + return pkey_local_export_raw(pkey_handle, pkcs8, pkcs8_len, pkcs8_max); + 
} + hal_assert(pkcs8 != NULL && pkcs8_len != NULL && kek != NULL && kek_len != NULL && kek_max > KEK_LENGTH); uint8_t rsabuf[hal_rsa_key_t_size]; @@ -1385,6 +1444,53 @@ static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle, return err; } +static hal_error_t pkey_local_import_raw(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + hal_uuid_t *name, + const uint8_t * const pkcs8, const size_t pkcs8_len, + const hal_key_flags_t flags) +{ + hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL); + + uint8_t kek[KEK_LENGTH], der[HAL_KS_WRAPPED_KEYSIZE]; + size_t der_len, oid_len, data_len, kek_len; + const uint8_t *oid, *data; + hal_error_t err; + + if ((err = hal_asn1_decode_pkcs8_encryptedprivatekeyinfo(&oid, &oid_len, &data, &data_len, + pkcs8, pkcs8_len)) != HAL_OK) + goto fail; + + if (oid_len != hal_asn1_oid_aesKeyWrap_len || + memcmp(oid, hal_asn1_oid_aesKeyWrap, oid_len) != 0 || + data_len > sizeof(der)) { + err = HAL_ERROR_ASN1_PARSE_FAILED; + goto fail; + } + + if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK) + goto fail; + + der_len = sizeof(der); + if ((err = hal_aes_keyunwrap(NULL, kek, kek_len, data, data_len, der, &der_len)) != HAL_OK) + goto fail; + + hal_key_type_t type; + hal_curve_name_t curve; + if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) == HAL_OK && + type == HAL_KEY_TYPE_HASHSIG_PRIVATE && + (err = hal_hashsig_import(der, der_len, flags)) != HAL_OK) + goto fail; + + err = hal_rpc_pkey_load(client, session, pkey, name, der, der_len, flags); + + fail: + memset(kek, 0, sizeof(kek)); + memset(der, 0, sizeof(der)); + return err; +} + static hal_error_t pkey_local_import(const hal_client_handle_t client, const hal_session_handle_t session, hal_pkey_handle_t *pkey, 
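Review bot: pkey_local_export_raw returns on success without clearing the stack copy of the KEK obtained from hal_mkm_get_kek, because `memset(kek, 0, sizeof(kek))` sits only under the `fail:` label. Adding `memset(kek, 0, sizeof(kek));` directly before `return HAL_OK;` would match pkey_local_import_raw, which clears on both paths by falling through to its label. The wrap call also passes `KEK_LENGTH`, while the import side passes the `kek_len` that hal_mkm_get_kek returned. Using `kek_len` in both places keeps wrap and unwrap in agreement if the returned length ever differs from the constant. The early returns for a missing handle, a non-exportable key or a short buffer leave `*pkcs8_len` unset, unlike the `fail:` path.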
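Review bot: In pkey_local_import_raw a failure from hal_asn1_guess_key_type is discarded: the combined condition jumps to `fail` only when hal_hashsig_import fails, and `err` is then overwritten by hal_rpc_pkey_load. An unwrapped blob whose type cannot be determined therefore skips the hashsig step and is still handed to the loader. If leaving the rejection to hal_rpc_pkey_load is intended, a comment such as `/* type guess failure is non-fatal here; hal_rpc_pkey_load validates the DER */` would make that explicit. Otherwise split the test, starting with `if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) != HAL_OK) goto fail;` and keeping the hashsig check as a separate statement.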
@@ -1394,6 +1500,9 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client, const uint8_t * const kek_, const size_t kek_len, const hal_key_flags_t flags) { + if (kekek_handle.handle == HAL_HANDLE_NONE) + return pkey_local_import_raw(client, session, pkey, name, pkcs8, pkcs8_len, flags); + hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL && kek_ != NULL && kek_len > 2); uint8_t kek[KEK_LENGTH], rsabuf[hal_rsa_key_t_size], der[HAL_KS_WRAPPED_KEYSIZE], *d; 
@@ -1474,106 +1583,6 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client, return err; } -static hal_error_t pkey_local_export_raw(const hal_pkey_handle_t pkey_handle, - uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max) -{ - hal_assert(pkcs8 != NULL && pkcs8_len != NULL); - - uint8_t kek[KEK_LENGTH]; - size_t kek_len; - hal_error_t err; - size_t len; - - hal_pkey_slot_t * const pkey = find_handle(pkey_handle); - - if (pkey == NULL) - return HAL_ERROR_KEY_NOT_FOUND; - - if ((pkey->flags & HAL_KEY_FLAG_EXPORTABLE) == 0) - return HAL_ERROR_FORBIDDEN; - - if (pkcs8_max < HAL_KS_WRAPPED_KEYSIZE) - return HAL_ERROR_RESULT_TOO_LONG; - - if ((err = ks_fetch_from_flags(pkey, pkcs8, &len, pkcs8_max)) != HAL_OK) - goto fail; - - /* if hashsig, update internal parameters and disable further use */ - if (pkey->type == HAL_KEY_TYPE_HASHSIG_PRIVATE) { - if ((err = hal_hashsig_export_raw(&pkey->name, pkcs8, &len, pkcs8_max)) != HAL_OK) - goto fail; - pkey->flags &= ~HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE; - } - - if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK) - goto fail; - - *pkcs8_len = pkcs8_max; - if ((err = hal_aes_keywrap(NULL, kek, KEK_LENGTH, pkcs8, len, pkcs8, pkcs8_len)) != HAL_OK) - goto fail; - - if ((err = hal_asn1_encode_pkcs8_encryptedprivatekeyinfo(hal_asn1_oid_aesKeyWrap, - hal_asn1_oid_aesKeyWrap_len, - pkcs8, *pkcs8_len, - pkcs8, pkcs8_len, pkcs8_max)) != HAL_OK) - goto fail; - - return HAL_OK; - - fail: - memset(pkcs8, 0, pkcs8_max); - memset(kek, 0, sizeof(kek)); - *pkcs8_len = 0; - return err; -} - -static hal_error_t pkey_local_import_raw(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - hal_uuid_t *name, - const uint8_t * const pkcs8, const size_t pkcs8_len, - const hal_key_flags_t flags) -{ - hal_assert(pkey != NULL && name != NULL && pkcs8 != NULL); - - uint8_t kek[KEK_LENGTH], der[HAL_KS_WRAPPED_KEYSIZE]; - size_t der_len, oid_len, data_len, kek_len; - const 
uint8_t *oid, *data; - hal_error_t err; - - if ((err = hal_asn1_decode_pkcs8_encryptedprivatekeyinfo(&oid, &oid_len, &data, &data_len, - pkcs8, pkcs8_len)) != HAL_OK) - goto fail; - - if (oid_len != hal_asn1_oid_aesKeyWrap_len || - memcmp(oid, hal_asn1_oid_aesKeyWrap, oid_len) != 0 || - data_len > sizeof(der)) { - err = HAL_ERROR_ASN1_PARSE_FAILED; - goto fail; - } - - if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) != HAL_OK) - goto fail; - - der_len = sizeof(der); - if ((err = hal_aes_keyunwrap(NULL, kek, kek_len, data, data_len, der, &der_len)) != HAL_OK) - goto fail; - - hal_key_type_t type; - hal_curve_name_t curve; - if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) == HAL_OK && - type == HAL_KEY_TYPE_HASHSIG_PRIVATE && - (err = hal_hashsig_import(der, der_len, flags)) != HAL_OK) - goto fail; - - err = hal_rpc_pkey_load(client, session, pkey, name, der, der_len, flags); - - fail: - memset(kek, 0, sizeof(kek)); - memset(der, 0, sizeof(der)); - return err; -} - const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = { .load = pkey_local_load, .open = pkey_local_open, @@ -1593,9 +1602,7 @@ const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = { .set_attributes = pkey_local_set_attributes, .get_attributes = pkey_local_get_attributes, .export = pkey_local_export, - .import = pkey_local_import, - .export_raw = pkey_local_export_raw, - .import_raw = pkey_local_import_raw + .import = pkey_local_import }; /* diff --git a/rpc_server.c b/rpc_server.c index aa7e936..9598413 100644 --- a/rpc_server.c +++ b/rpc_server.c 
@@ -776,60 +776,6 @@ static hal_error_t pkey_import(const uint8_t **iptr, const uint8_t * const ilimi return err; } -static hal_error_t pkey_export_raw(const uint8_t **iptr, const uint8_t * const ilimit, - uint8_t **optr, const uint8_t * const olimit) -{ - hal_client_handle_t client; - hal_pkey_handle_t pkey; - size_t der_len; - uint32_t der_max; - uint8_t *optr_orig = *optr; - hal_error_t err; - - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &der_max)); - - if (nargs(1) + pad(der_max) > (uint32_t)(olimit - *optr)) - return HAL_ERROR_RPC_PACKET_OVERFLOW; - - uint8_t der[der_max]; - - check(hal_rpc_pkey_export_raw(pkey, der, &der_len, sizeof(der))); - - if ((err = hal_xdr_encode_variable_opaque(optr, olimit, der, der_len)) != HAL_OK) - *optr = optr_orig; - - return err; -} - -static hal_error_t pkey_import_raw(const uint8_t **iptr, const uint8_t * const ilimit, - uint8_t **optr, const uint8_t * const olimit) -{ - hal_client_handle_t client; - hal_session_handle_t session; - hal_pkey_handle_t pkey; - hal_uuid_t name; - const uint8_t *der; - size_t der_len; - uint8_t *optr_orig = *optr; - hal_key_flags_t flags; - hal_error_t err; - - check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); - check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); - check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &der, &der_len)); - check(hal_xdr_decode_int(iptr, ilimit, &flags)); - - check(hal_rpc_pkey_import_raw(client, session, &pkey, &name, der, der_len, flags)); - - if ((err = hal_xdr_encode_int(optr, olimit, pkey.handle)) != HAL_OK || - (err = hal_xdr_encode_variable_opaque(optr, olimit, name.uuid, sizeof(name.uuid))) != HAL_OK) - *optr = optr_orig; - - return err; -} - hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ilen, uint8_t * const obuf, size_t * const olen) 
@@ -944,12 +890,6 @@ hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ile case RPC_FUNC_PKEY_IMPORT: handler = pkey_import; break; - case RPC_FUNC_PKEY_EXPORT_RAW: - handler = pkey_export_raw; - break; - case RPC_FUNC_PKEY_IMPORT_RAW: - handler = pkey_import_raw; - break; } if (handler) diff --git a/utils/pkey.c b/utils/pkey.c index efd360d..d1a8b07 100644 --- a/utils/pkey.c +++ b/utils/pkey.c @@ -62,7 +62,7 @@ * list [-t type] * sign [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile] [-n iterations] * verify [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile] - * export [-k keyname] [-r (raw) | -K kekekfile] [-o outfile] + * export [-k keyname] <-r (raw) | -K kekekfile> [-o outfile] * import [-r (raw) | -K kekekfile] [-i infile] [-x (exportable)] [-v (volatile keystore)] * delete [-k keyname] ... */ @@ -233,10 +233,7 @@ fail: static int pkey_load(const char * const fn, hal_pkey_handle_t *key_handle) { - size_t der_len = file_size(fn); - if (der_len == SIZE_MAX) - return -1; - uint8_t der[der_len]; + uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len; if (file_read(fn, der, &der_len, sizeof(der)) == -1) return -1; @@ -925,7 +922,7 @@ fail: static int pkey_export(int argc, char *argv[]) { - char usage[] = "Usage: export [-k keyname] [-r | -K kekekfile] [-o outfile]"; + char usage[] = "Usage: export [-k keyname] <-r | -K kekekfile> [-o outfile]"; hal_pkey_handle_t kekek_handle = {HAL_HANDLE_NONE}; char *kekek_fn = NULL; 
@@ -987,17 +984,10 @@ done: uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len; uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len; - if (!raw) { - if ((err = hal_rpc_pkey_export(key_handle, kekek_handle, - der, &der_len, sizeof(der), - kek, &kek_len, sizeof(kek))) != HAL_OK) - lose("Error exporting private key: %s\n", hal_error_string(err)); - } - else { - if ((err = hal_rpc_pkey_export_raw(key_handle, - der, &der_len, sizeof(der))) != HAL_OK) - lose("Error exporting private key: %s\n", hal_error_string(err)); - } + if ((err = hal_rpc_pkey_export(key_handle, kekek_handle, + der, &der_len, sizeof(der), + kek, &kek_len, sizeof(kek))) != HAL_OK) + lose("Error exporting private key: %s\n", hal_error_string(err)); char fn[strlen(out_fn) + 5]; strcpy(fn, out_fn); strcat(fn, ".der"); 
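Review bot: `kek_len` is declared without an initialiser in this block of pkey_export, while the matching import block in the next hunk uses `size_t kek_len = 0;`. With the `if (!raw)` split removed, raw mode depends on the callee setting it: pkey_local_export does, but the remote client path is not shown in this diff. Any later code that writes the KEK out (outside the hunk) could then read an indeterminate length, so `uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len = 0;` is the safer declaration. The usage text now marks `-r | -K` as required, yet the call no longer consults `raw`. If the option handling above `done:` does not reject the case where neither is given, a forgotten `-K` produces a raw export instead of an error.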
@@ -1078,40 +1068,28 @@ done: goto fail; { + uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len; + uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len = 0; + hal_error_t err; char fn[strlen(in_fn) + 5]; strcpy(fn, in_fn); strcat(fn, ".der"); - size_t der_len = file_size(fn); - if (der_len == SIZE_MAX) - goto fail; - uint8_t der[der_len]; if (file_read(fn, der, &der_len, sizeof(der)) != 0) goto fail; if (!raw) { strcpy(fn, in_fn); strcat(fn, ".kek"); - size_t kek_len = file_size(fn); - if (kek_len == SIZE_MAX) - goto fail; - uint8_t kek[kek_len]; if (file_read(fn, kek, &kek_len, sizeof(kek)) != 0) goto fail; - - if ((err = hal_rpc_pkey_import(client, session, - &key_handle, &key_uuid, - kekek_handle, - der, der_len, - kek, kek_len, - flags)) != HAL_OK) - lose("Error importing private key: %s\n", hal_error_string(err)); } - else { - if ((err = hal_rpc_pkey_import_raw(client, session, - &key_handle, &key_uuid, - der, der_len, - flags)) != HAL_OK) - lose("Error importing private key: %s\n", hal_error_string(err)); - } + + if ((err = hal_rpc_pkey_import(client, session, + &key_handle, &key_uuid, + kekek_handle, + der, der_len, + kek, kek_len, + flags)) != HAL_OK) + lose("Error importing private key: %s\n", hal_error_string(err)); char name_str[HAL_UUID_TEXT_SIZE]; if ((err = hal_uuid_format(&key_uuid, name_str, sizeof(name_str))) != HAL_OK) -- cgit v1.2.3