From cc46a697de71e66e90653e3ac7fffe413acfd8c8 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Tue, 11 Apr 2017 00:14:59 -0400
Subject: API cleanup: pkey_open() and pkey_match().

pkey_open() now looks in both keystores rather than requiring the user to know. The chance of collision with randomly-generated UUID is low enough that we really ought to be able to present a single namespace. So now we do.

pkey_match() now takes a couple of extra arguments which allow a single search to cover both keystores, as well as matching for specific key flags. The former interface was pretty much useless for anything involving flags, and required the user to issue a separate call for each keystore.

User wheel is now exempt from the per-session key lookup constraints, Whether this is a good idea or not is an interesting question, but the whole PKCS #11 derived per-session key thing is weird to begin with, and having keystore listings on the console deliberately ignore session keys was just too confusing.
---
 cryptech_backup | 64 ++++++++++++++++++++++-----------------------------------
 1 file changed, 24 insertions(+), 40 deletions(-)
(limited to 'cryptech_backup')
diff --git a/cryptech_backup b/cryptech_backup
index 7360a0d..7e465b8 100755
--- a/cryptech_backup
+++ b/cryptech_backup
@@ -8,22 +8,10 @@
 #
 # Load KEKEK public <---------------- Export KEKEK public
 #
-# {
-# "kekek-uuid": "[UUID]",
-# "kekek": "[Base64]"
-# }
-#
 # hal_rpc_pkey_load()
 # hal_rpc_pkey_export()
 #
-# Export PKCS #8 and KEK ----------> Load PKCS #8 and KEK, import key:
-#
-# {
-# "kekek-uuid": "[UUID]",
-# "pkey": "[Base64]",
-# "kek": "[Base64]"
-# }
-#
+# Export PKCS #8 and KEK ----------> Load PKCS #8 and KEK, import key
 #
 # hal_rpc_pkey_import()
@@ -125,10 +113,11 @@ def cmd_setup(args, hsm):
 elif not args.new:
 uuids.extend(hsm.pkey_match(
 type = HAL_KEY_TYPE_RSA_PRIVATE,
+ mask = HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT | HAL_KEY_FLAG_TOKEN,
 flags = HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT | HAL_KEY_FLAG_TOKEN))
 for uuid in uuids:
- with hsm.pkey_open(uuid, HAL_KEY_FLAG_TOKEN) as kekek:
+ with hsm.pkey_open(uuid) as kekek:
 if kekek.key_type != HAL_KEY_TYPE_RSA_PRIVATE:
 sys.stderr.write("Key {} is not an RSA private key\n".format(uuid))
 elif (kekek.key_flags & HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT) == 0:
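Review bot: With the keystore argument gone from `hsm.pkey_open(uuid)`, nothing visible in this loop rejects a KEKEK that is not a token key: the checks that follow test only `key_type` and `HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT`. The `pkey_match()` branch does filter on `HAL_KEY_FLAG_TOKEN`, but UUIDs that reach `uuids` by another path (the `elif` implies one, outside this hunk) previously failed to open unless they were in the token keystore. A session-scoped KEKEK would presumably vanish with its session and leave any backup wrapped to it unrecoverable, so I would add `elif (kekek.key_flags & HAL_KEY_FLAG_TOKEN) == 0:` with a matching error message to the chain. The same restriction is dropped from the `pkey_open()` call in cmd_import. The if/elif chain continues past the end of the hunk, so a later branch may already cover this.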
@@ -179,31 +168,26 @@ def cmd_export(args, hsm):
 kekek = hsm.pkey_load(der = b64join(db["kekek_pubkey"]),
 flags = HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT)
- # What we *should* do here is a single .pkey_match() loop
- # matching exactly the keys we want, but the current semantics
- # of .pkey_match() are a bit confused. While that yak is
- # waiting for its shave, we do this the dumb way by iterating
- # over all keys then skipping the ones we don't want.
-
- for flags in (0, HAL_KEY_FLAG_TOKEN):
- for uuid in hsm.pkey_match(flags = flags):
- with hsm.pkey_open(uuid, flags) as pkey:
- if (pkey.key_flags & HAL_KEY_FLAG_EXPORTABLE) == 0:
- continue
- if pkey.key_type in (HAL_KEY_TYPE_RSA_PRIVATE, HAL_KEY_TYPE_EC_PRIVATE):
- pkcs8, kek = kekek.export_pkey(pkey)
- result.append(dict(
- comment = "Encrypted private key",
- pkcs8 = b64(pkcs8),
- kek = b64(kek),
- uuid = str(pkey.uuid),
- flags = pkey.key_flags))
- elif pkey.key_type in (HAL_KEY_TYPE_RSA_PUBLIC, HAL_KEY_TYPE_EC_PUBLIC):
- result.append(dict(
- comment = "Public key",
- spki = b64(pkey.public_key),
- uuid = str(pkey.uuid),
- flags = pkey.key_flags))
+ for uuid in hsm.pkey_match(mask = HAL_KEY_FLAG_EXPORTABLE,
+ flags = HAL_KEY_FLAG_EXPORTABLE):
+ with hsm.pkey_open(uuid) as pkey:
+
+ if pkey.key_type in (HAL_KEY_TYPE_RSA_PRIVATE, HAL_KEY_TYPE_EC_PRIVATE):
+ pkcs8, kek = kekek.export_pkey(pkey)
+ result.append(dict(
+ comment = "Encrypted private key",
+ pkcs8 = b64(pkcs8),
+ kek = b64(kek),
+ uuid = str(pkey.uuid),
+ flags = pkey.key_flags))
+
+ elif pkey.key_type in (HAL_KEY_TYPE_RSA_PUBLIC, HAL_KEY_TYPE_EC_PUBLIC):
+ result.append(dict(
+ comment = "Public key",
+ spki = b64(pkey.public_key),
+ uuid = str(pkey.uuid),
+ flags = pkey.key_flags))
+
 finally:
 if kekek is not None:
 kekek.delete()
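Review bot: A key whose type is none of the four listed falls through the `if`/`elif` in the new loop without being exported or reported, so a backup can be silently incomplete. An `else: sys.stderr.write("Skipping key {} of unsupported type\n".format(pkey.uuid))` branch would make the gap visible to the operator. The in-loop `HAL_KEY_FLAG_EXPORTABLE` test is also gone, so selection now rests entirely on the `mask`/`flags` filter in `pkey_match()`; a short comment above the loop such as `# mask picks the flag bits to compare, flags gives their required values` would record that assumption (semantics inferred from the commit message, please confirm). The enclosing `try` starts outside the hunk.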
@@ -222,7 +206,7 @@ def cmd_import(args, hsm):
 """
 db = json.load(args.input)
- with hsm.pkey_open(uuid.UUID(db["kekek_uuid"]).bytes, HAL_KEY_FLAG_TOKEN) as kekek:
+ with hsm.pkey_open(uuid.UUID(db["kekek_uuid"]).bytes) as kekek:
 for k in db["keys"]:
 pkcs8 = b64join(k.get("pkcs8", ""))
 spki = b64join(k.get("spki", ""))
--
cgit v1.2.3
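Review bot: The KEKEK UUID on the new `with` line comes straight from the JSON input, and after this change `pkey_open()` resolves it in either keystore, yet nothing visible checks that the opened key is an RSA private key carrying `HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT` the way cmd_setup does. I would repeat that check before the loop, e.g. `if kekek.key_type != HAL_KEY_TYPE_RSA_PRIVATE or (kekek.key_flags & HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT) == 0:` followed by an error exit, so a wrong or tampered backup file fails with a clear message instead of somewhere inside the import call. The `with` body continues past the end of the hunk, so such a check may already exist further down.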