/*
 * hal.h
 * ----------
 * Memory map, access functions, and HAL for Cryptech cores.
 *
 * Authors: Joachim Strombergson, Paul Selkirk, Rob Austein
 * Copyright (c) 2015-2016, NORDUnet A/S All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the NORDUnet nor the names of its contributors may
 *   be used to endorse or promote products derived from this software
 *   without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _HAL_H_
#define _HAL_H_

#include <stdint.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

/*
 * A handy macro from cryptlib.
 */
#ifndef bitsToBytes
#define bitsToBytes(x)          ((x) / 8)
#endif

/*
 * Current name and version values for crypto cores.
 *
 * Should these even be here?  Dunno.
 * Should the versions be here even if the names should be?
 */

#define NOVENA_BOARD_NAME	"PVT1    "
#define NOVENA_BOARD_VERSION    "0.10"

#define EIM_INTERFACE_NAME      "eim     "
#define EIM_INTERFACE_VERSION   "0.10"

#define I2C_INTERFACE_NAME      "i2c     "
#define I2C_INTERFACE_VERSION   "0.10"

#define TRNG_NAME               "trng    "
#define TRNG_VERSION            "0.51"

#define AVALANCHE_ENTROPY_NAME	"extnoise"
#define AVALANCHE_ENTROPY_VERSION "0.10"

#define ROSC_ENTROPY_NAME       "rosc ent"
#define ROSC_ENTROPY_VERSION    "0.10"

#define CSPRNG_NAME             "csprng  "
#define CSPRNG_VERSION          "0.50"

#define SHA1_NAME               "sha1    "
#define SHA1_VERSION            "0.50"

#define SHA256_NAME             "sha2-256"
#define SHA256_VERSION          "1.80"

#define SHA512_NAME             "sha2-512"
#define SHA512_VERSION          "0.80"

#define AES_CORE_NAME           "aes     "
#define AES_CORE_VERSION        "0.80"

#define CHACHA_NAME             "chacha  "
#define CHACHA_VERSION          "0.80"

#define MODEXP_NAME             "modexp"
#define MODEXP_VERSION          "0.10"

#define MODEXPS6_NAME           "modexps6"
#define MODEXPS6_VERSION        "0.10"

#define MODEXPA7_NAME           "modexpa7"
#define MODEXPA7_VERSION        "0.10"

#define MKMIF_NAME              "mkmif   "
#define MKMIF_VERSION           "0.10"

#define ECDSA256_NAME           "ecdsa256"
#define ECDSA256_VERSION        "0.11"

#define ECDSA256_NAME           "ecdsa384"
#define ECDSA256_VERSION        "0.11"

/*
 * C API error codes.  Defined in this form so we can keep the tokens
 * and error strings together.  See errorstrings.c.
 */

#define HAL_ERROR_LIST \
  DEFINE_HAL_ERROR(HAL_OK,                              "No error")                                     \
  DEFINE_HAL_ERROR(HAL_ERROR_BAD_ARGUMENTS,             "Bad arguments given")                          \
  DEFINE_HAL_ERROR(HAL_ERROR_UNSUPPORTED_KEY,           "Unsupported key type or key length")           \
  DEFINE_HAL_ERROR(HAL_ERROR_IO_SETUP_FAILED,           "Could not set up I/O with FPGA")               \
  DEFINE_HAL_ERROR(HAL_ERROR_IO_TIMEOUT,                "I/O with FPGA timed out")                      \
  DEFINE_HAL_ERROR(HAL_ERROR_IO_UNEXPECTED,             "Unexpected response from FPGA")                \
  DEFINE_HAL_ERROR(HAL_ERROR_IO_OS_ERROR,               "Operating system error talking to FPGA")       \
  DEFINE_HAL_ERROR(HAL_ERROR_IO_BAD_COUNT,              "Bad byte count")                               \
  DEFINE_HAL_ERROR(HAL_ERROR_CSPRNG_BROKEN,             "CSPRNG is returning nonsense")                 \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYWRAP_BAD_MAGIC,         "Bad magic number while unwrapping key")        \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYWRAP_BAD_LENGTH,        "Length out of range while unwrapping key")     \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYWRAP_BAD_PADDING,       "Non-zero padding detected unwrapping key")     \
  DEFINE_HAL_ERROR(HAL_ERROR_IMPOSSIBLE,                "\"Impossible\" error")                         \
  DEFINE_HAL_ERROR(HAL_ERROR_ALLOCATION_FAILURE,        "Memory allocation failed")                     \
  DEFINE_HAL_ERROR(HAL_ERROR_RESULT_TOO_LONG,           "Result too long for buffer")                   \
  DEFINE_HAL_ERROR(HAL_ERROR_ASN1_PARSE_FAILED,         "ASN.1 parse failed")                           \
  DEFINE_HAL_ERROR(HAL_ERROR_KEY_NOT_ON_CURVE,          "EC key is not on its purported curve")         \
  DEFINE_HAL_ERROR(HAL_ERROR_INVALID_SIGNATURE,         "Invalid signature")                            \
  DEFINE_HAL_ERROR(HAL_ERROR_CORE_NOT_FOUND,            "Requested core not found")                     \
  DEFINE_HAL_ERROR(HAL_ERROR_CORE_BUSY,                 "Requested core busy")                          \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_ACCESS,           "Could not access keystore")                    \
  DEFINE_HAL_ERROR(HAL_ERROR_KEY_NOT_FOUND,             "Key not found")                                \
  DEFINE_HAL_ERROR(HAL_ERROR_KEY_NAME_IN_USE,           "Key name in use")                              \
  DEFINE_HAL_ERROR(HAL_ERROR_NO_KEY_SLOTS_AVAILABLE,    "No key slots available")                       \
  DEFINE_HAL_ERROR(HAL_ERROR_PIN_INCORRECT,             "PIN incorrect")                                \
  DEFINE_HAL_ERROR(HAL_ERROR_NO_CLIENT_SLOTS_AVAILABLE, "No client slots available")                    \
  DEFINE_HAL_ERROR(HAL_ERROR_FORBIDDEN,                 "Forbidden")                                    \
  DEFINE_HAL_ERROR(HAL_ERROR_XDR_BUFFER_OVERFLOW,       "XDR buffer overflow")                          \
  DEFINE_HAL_ERROR(HAL_ERROR_RPC_TRANSPORT,             "RPC transport error")                          \
  DEFINE_HAL_ERROR(HAL_ERROR_RPC_PACKET_OVERFLOW,       "RPC packet overflow")                          \
  DEFINE_HAL_ERROR(HAL_ERROR_RPC_BAD_FUNCTION,          "Bad RPC function number")                      \
  DEFINE_HAL_ERROR(HAL_ERROR_KEY_NAME_TOO_LONG,         "Key name too long")                            \
  DEFINE_HAL_ERROR(HAL_ERROR_MASTERKEY_NOT_SET,         "Master key (Key Encryption Key) not set")      \
  DEFINE_HAL_ERROR(HAL_ERROR_MASTERKEY_FAIL,            "Master key generic failure")                   \
  DEFINE_HAL_ERROR(HAL_ERROR_MASTERKEY_BAD_LENGTH,      "Master key of unacceptable length")            \
  DEFINE_HAL_ERROR(HAL_ERROR_KS_DRIVER_NOT_FOUND,       "Keystore driver not found")                    \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_BAD_CRC,          "Bad CRC in keystore")                          \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_BAD_BLOCK_TYPE,   "Unsupported keystore block type")              \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_LOST_DATA,        "Keystore appears to have lost data")           \
  DEFINE_HAL_ERROR(HAL_ERROR_BAD_ATTRIBUTE_LENGTH,      "Bad attribute length")                         \
  DEFINE_HAL_ERROR(HAL_ERROR_ATTRIBUTE_NOT_FOUND,       "Attribute not found")                          \
  DEFINE_HAL_ERROR(HAL_ERROR_NO_KEY_INDEX_SLOTS,        "No key index slots available")                 \
  DEFINE_HAL_ERROR(HAL_ERROR_KSI_INDEX_UUID_MISORDERED, "Key index UUID misordered")                    \
  DEFINE_HAL_ERROR(HAL_ERROR_KSI_INDEX_CHUNK_ORPHANED,  "Key index chunk orphaned")                     \
  DEFINE_HAL_ERROR(HAL_ERROR_KSI_INDEX_CHUNK_MISSING,   "Key index chunk missing")                      \
  DEFINE_HAL_ERROR(HAL_ERROR_KSI_INDEX_CHUNK_OVERLAPS,  "Key index chunk overlaps")                     \
  DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_WRONG_BLOCK_TYPE, "Wrong block type in keystore")                 \
  DEFINE_HAL_ERROR(HAL_ERROR_RPC_PROTOCOL_ERROR,        "RPC protocol error")                           \
  DEFINE_HAL_ERROR(HAL_ERROR_NOT_IMPLEMENTED,           "Not implemented")                              \
  END_OF_HAL_ERROR_LIST

/* Marker to forestall silly line continuation errors */
#define END_OF_HAL_ERROR_LIST

/* Define the error code enum here.  See errorstrings.c for the text strings. */
#define DEFINE_HAL_ERROR(_code_,_text_)  _code_,
typedef enum { HAL_ERROR_LIST N_HAL_ERRORS } hal_error_t;
#undef  DEFINE_HAL_ERROR

/*
 * Error translation.
 */

extern const char *hal_error_string(const hal_error_t err);

/*
 * Very low level public API for working directly with crypto cores.
 */

/*
 * Typedef to isolate code from our current choice of representation
 * for a Cryptech bus address.
 */

typedef off_t hal_addr_t;

/*
 * Opaque structure representing a core.
 */

typedef struct hal_core hal_core_t;

/*
 * Public I/O functions.
 */

extern void hal_io_set_debug(int onoff);
extern hal_error_t hal_io_write(const hal_core_t *core, hal_addr_t offset, const uint8_t *buf, size_t len);
extern hal_error_t hal_io_read(const hal_core_t *core, hal_addr_t offset, uint8_t *buf, size_t len);
extern hal_error_t hal_io_init(const hal_core_t *core);
extern hal_error_t hal_io_next(const hal_core_t *core);
extern hal_error_t hal_io_wait(const hal_core_t *core, uint8_t status, int *count);
extern hal_error_t hal_io_wait_ready(const hal_core_t *core);
extern hal_error_t hal_io_wait_valid(const hal_core_t *core);

/*
 * Core management functions.
 *
 * Given our druthers, we'd handle public information about a core
 * using the opaque type and individual access methods, but C's
 * insistence on discarding array bounds information makes
 * non-delimited character arrays problematic unless we wrap them in a
 * structure.
 */

typedef struct {
  char name[8];
  char version[4];
  hal_addr_t base;
} hal_core_info_t;

extern hal_core_t *hal_core_find(const char *name, hal_core_t *core);
extern const hal_core_info_t *hal_core_info(const hal_core_t *core);
extern hal_addr_t hal_core_base(const hal_core_t *core);
extern hal_core_t * hal_core_iterate(hal_core_t *core);
extern void hal_core_reset_table(void);
extern hal_error_t hal_core_alloc(const char *name, hal_core_t **core);
extern void hal_core_free(hal_core_t *core);
extern void hal_critical_section_start(void);
extern void hal_critical_section_end(void);
extern const int hal_core_busy(const hal_core_t *core);

/*
 * Slightly higher level public API, still working directly with cores.
 */

/*
 * Get random bytes from the CSPRNG.
 */

extern hal_error_t hal_get_random(hal_core_t *core, void *buffer, const size_t length);

/*
 * Hash and HMAC API.
 */

/*
 * Opaque driver structure for digest algorithms.
 */

typedef struct hal_hash_driver hal_hash_driver_t;

/*
 * Public information about a digest algorithm.
 *
 * The _state_length values in the descriptor and the typed opaque
 * pointers in the API are all intended to hide internal details of
 * the implementation while making memory allocation the caller's
 * problem.
 */

typedef enum {
  HAL_DIGEST_ALGORITHM_NONE,
  HAL_DIGEST_ALGORITHM_SHA1,
  HAL_DIGEST_ALGORITHM_SHA224,
  HAL_DIGEST_ALGORITHM_SHA256,
  HAL_DIGEST_ALGORITHM_SHA512_224,
  HAL_DIGEST_ALGORITHM_SHA512_256,
  HAL_DIGEST_ALGORITHM_SHA384,
  HAL_DIGEST_ALGORITHM_SHA512
} hal_digest_algorithm_t;

typedef struct {
  hal_digest_algorithm_t digest_algorithm;
  size_t block_length;
  size_t digest_length;
  size_t hash_state_length;
  size_t hmac_state_length;
  const uint8_t * const digest_algorithm_id;
  size_t digest_algorithm_id_length;
  const hal_hash_driver_t *driver;
  char core_name[8];
  unsigned can_restore_state : 1;
} hal_hash_descriptor_t;

/*
 * Opaque structures for internal state.
 */

typedef struct hal_hash_state hal_hash_state_t;
typedef struct hal_hmac_state hal_hmac_state_t;

/*
 * Supported digest algorithms.  These are one-element arrays so that
 * they can be used as constant pointers.
 */

extern const hal_hash_descriptor_t hal_hash_sha1[1];
extern const hal_hash_descriptor_t hal_hash_sha224[1];
extern const hal_hash_descriptor_t hal_hash_sha256[1];
extern const hal_hash_descriptor_t hal_hash_sha512_224[1];
extern const hal_hash_descriptor_t hal_hash_sha512_256[1];
extern const hal_hash_descriptor_t hal_hash_sha384[1];
extern const hal_hash_descriptor_t hal_hash_sha512[1];

/*
 * Hash and HMAC functions.
 */

extern void hal_hash_set_debug(int onoff);

extern hal_error_t hal_hash_initialize(hal_core_t *core,
                                       const hal_hash_descriptor_t * const descriptor,
                                       hal_hash_state_t **state,
                                       void *state_buffer, const size_t state_length);

extern hal_error_t hal_hash_update(hal_hash_state_t *state,
                                   const uint8_t * data, const size_t length);

extern hal_error_t hal_hash_finalize(hal_hash_state_t *state,
                                     uint8_t *digest, const size_t length);

extern hal_error_t hal_hmac_initialize(hal_core_t *core,
                                       const hal_hash_descriptor_t * const descriptor,
                                       hal_hmac_state_t **state,
                                       void *state_buffer, const size_t state_length,
                                       const uint8_t * const key, const size_t key_length);

extern hal_error_t hal_hmac_update(hal_hmac_state_t *state,
                                   const uint8_t * data, const size_t length);

extern hal_error_t hal_hmac_finalize(hal_hmac_state_t *state,
                                     uint8_t *hmac, const size_t length);
extern void hal_hash_cleanup(hal_hash_state_t **state);

extern void hal_hmac_cleanup(hal_hmac_state_t **state);

extern const hal_hash_descriptor_t *hal_hash_get_descriptor(const hal_hash_state_t * const state);

extern const hal_hash_descriptor_t *hal_hmac_get_descriptor(const hal_hmac_state_t * const state);

/*
 * AES key wrap functions.
 */

extern hal_error_t hal_aes_keywrap(hal_core_t *core,
                                   const uint8_t *kek, const size_t kek_length,
                                   const uint8_t *plaintext, const size_t plaintext_length,
                                   uint8_t *cyphertext, size_t *ciphertext_length);

extern hal_error_t hal_aes_keyunwrap(hal_core_t *core,
                                     const uint8_t *kek, const size_t kek_length,
                                     const uint8_t *ciphertext, const size_t ciphertext_length,
                                     unsigned char *plaintext, size_t *plaintext_length);

extern size_t hal_aes_keywrap_ciphertext_length(const size_t plaintext_length);

/*
 * PBKDF2 function.  Uses HMAC with the specified digest algorithm as
 * the pseudo-random function (PRF).
 */

extern hal_error_t hal_pbkdf2(hal_core_t *core,
                              const hal_hash_descriptor_t * const descriptor,
			      const uint8_t * const password, const size_t password_length,
			      const uint8_t * const salt,     const size_t salt_length,
			      uint8_t       * derived_key,    const size_t derived_key_length,
			      unsigned iterations_desired);

/*
 * Modular exponentiation.
 */

extern void hal_modexp_set_debug(const int onoff);

extern hal_error_t hal_modexp(hal_core_t *core,
                              const uint8_t * const msg, const size_t msg_len, /* Message */
                              const uint8_t * const exp, const size_t exp_len, /* Exponent */
                              const uint8_t * const mod, const size_t mod_len, /* Modulus */
                              uint8_t * result, const size_t result_len);

/*
 * Master Key Memory Interface
 */

extern hal_error_t hal_mkmif_init(hal_core_t *core);
extern hal_error_t hal_mkmif_set_clockspeed(hal_core_t *core, const uint32_t divisor);
extern hal_error_t hal_mkmif_get_clockspeed(hal_core_t *core, uint32_t *divisor);
extern hal_error_t hal_mkmif_write(hal_core_t *core, uint32_t addr, const uint8_t *buf, size_t len);
extern hal_error_t hal_mkmif_write_word(hal_core_t *core, uint32_t addr, const uint32_t data);
extern hal_error_t hal_mkmif_read(hal_core_t *core, uint32_t addr, uint8_t *buf, size_t len);
extern hal_error_t hal_mkmif_read_word(hal_core_t *core, uint32_t addr, uint32_t *data);


/*
 * Key types and curves, used in various places.
 */

typedef enum {
  HAL_KEY_TYPE_NONE = 0,
  HAL_KEY_TYPE_RSA_PRIVATE,
  HAL_KEY_TYPE_RSA_PUBLIC,
  HAL_KEY_TYPE_EC_PRIVATE,
  HAL_KEY_TYPE_EC_PUBLIC
} hal_key_type_t;

typedef enum {
  HAL_CURVE_NONE,
  HAL_CURVE_P256,
  HAL_CURVE_P384,
  HAL_CURVE_P521
} hal_curve_name_t;

/*
 * RSA.
 */

typedef struct hal_rsa_key hal_rsa_key_t;

extern const size_t hal_rsa_key_t_size;

extern void hal_rsa_set_debug(const int onoff);

extern void hal_rsa_set_blinding(const int onoff);

extern hal_error_t hal_rsa_key_load_private(hal_rsa_key_t **key,
                                            void *keybuf, const size_t keybuf_len,
                                            const uint8_t * const n,  const size_t n_len,
                                            const uint8_t * const e,  const size_t e_len,
                                            const uint8_t * const d,  const size_t d_len,
                                            const uint8_t * const p,  const size_t p_len,
                                 <style>pre { line-height: 125%; }
td.linenos .normal { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
span.linenos { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
.highlight .hll { background-color: #ffffcc }
.highlight .c { color: #888888 } /* Comment */
.highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */
.highlight .k { color: #008800; font-weight: bold } /* Keyword */
.highlight .ch { color: #888888 } /* Comment.Hashbang */
.highlight .cm { color: #888888 } /* Comment.Multiline */
.highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */
.highlight .cpf { color: #888888 } /* Comment.PreprocFile */
.highlight .c1 { color: #888888 } /* Comment.Single */
.highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */
.highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .ges { font-weight: bold; font-style: italic } /* Generic.EmphStrong */
.highlight .gr { color: #aa0000 } /* Generic.Error */
.highlight .gh { color: #333333 } /* Generic.Heading */
.highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
.highlight .go { color: #888888 } /* Generic.Output */
.highlight .gp { color: #555555 } /* Generic.Prompt */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #666666 } /* Generic.Subheading */
.highlight .gt { color: #aa0000 } /* Generic.Traceback */
.highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */
.highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */
.highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */
.highlight .kp { color: #008800 } /* Keyword.Pseudo */
.highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */
.highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */
.highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */
.highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */
.highlight .na { color: #336699 } /* Name.Attribute */
.highlight .nb { color: #003388 } /* Name.Builtin */
.highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */
.highlight .no { color: #003366; font-weight: bold } /* Name.Constant */
.highlight .nd { color: #555555 } /* Name.Decorator */
.highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */
.highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */
.highlight .nl { color: #336699; font-style: italic } /* Name.Label */
.highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */
.highlight .py { color: #336699; font-weight: bold } /* Name.Property */
.highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */
.highlight .nv { color: #336699 } /* Name.Variable */
.highlight .ow { color: #008800 } /* Operator.Word */
.highlight .w { color: #bbbbbb } /* Text.Whitespace */
.highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */
.highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */
.highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */
.highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */
.highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */
.highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */
.highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */
.highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */
.highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */
.highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */
.highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */
.highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */
.highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */
.highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */
.highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */
.highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */
.highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */
.highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */
.highlight .vc { color: #336699 } /* Name.Variable.Class */
.highlight .vg { color: #dd7700 } /* Name.Variable.Global */
.highlight .vi { color: #3333bb } /* Name.Variable.Instance */
.highlight .vm { color: #336699 } /* Name.Variable.Magic */
.highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */</style><div class="highlight"><pre><span></span><span class="ch">#!/usr/bin/env python</span>

<span class="sd">&quot;&quot;&quot;</span>
<span class="sd">Securely back up private keys from one Cryptech HSM to another.</span>

<span class="sd">This works by having the destination HSM (the one importing keys)</span>
<span class="sd">create an RSA keypair (the &quot;KEKEK&quot;), the public key of which can then</span>
<span class="sd">be imported into the source HSM (the one exporting keys) and used to</span>
<span class="sd">encrypt AES key encryption keys (KEKs) which in turn can be used to</span>
<span class="sd">wrap the private keys being transfered.  Transfers are encoded in</span>
<span class="sd">JSON; the underlying ASN.1 formats are SubjectPublicKeyInfo (KEKEK</span>
<span class="sd">public key) and PKCS #8 EncryptedPrivateKeyInfo (everything else).</span>

<span class="sd">NOTE WELL: while this process makes it POSSIBLE to back up keys</span>
<span class="sd">securely, it is not sufficient by itself: the operator MUST make</span>
<span class="sd">sure only to export keys using a KEKEK known to have been generated by</span>
<span class="sd">the target HSM.  See the unit tests in the source repository for</span>
<span class="sd">an example of how to fake this in a few lines of Python.</span>

<span class="sd">We also implement a software-based variant on this backup mechanism,</span>
<span class="sd">for cases where there is no second HSM.  The protocol is much the</span>
<span class="sd">same, but the KEKEK is generated in software and encrypted using a</span>
<span class="sd">symmetric key derived from a passphrase using PBKDF2.  This requires</span>
<span class="sd">the PyCrypto library, and is only as secure as memory on the machine</span>
<span class="sd">where you&#39;re running it (so it&#39;s theoretically vulnerable to root or</span>
<span class="sd">anybody with access to /dev/mem).  Don&#39;t use this mode unless you</span>
<span class="sd">understand the risks, and see the &quot;NOTE WELL&quot; above.</span>

<span class="sd">YOU HAVE BEEN WARNED.  Be careful out there.</span>
<span class="sd">&quot;&quot;&quot;</span>

<span class="c1"># Diagram of the trivial protocol we&#39;re using:</span>
<span class="c1">#</span>
<span class="c1">#    SOURCE HSM                            DESTINATION HSM</span>
<span class="c1">#</span>
<span class="c1">#                                          Generate and export KEKEK:</span>
<span class="c1">#                                               hal_rpc_pkey_generate_rsa()</span>
<span class="c1">#                                               hal_rpc_pkey_get_public_key()</span>
<span class="c1">#</span>
<span class="c1">#   Load KEKEK public        &lt;---------    Export KEKEK public</span>
<span class="c1">#        hal_rpc_pkey_load()</span>
<span class="c1">#        hal_rpc_pkey_export()</span>
<span class="c1">#</span>
<span class="c1">#   Export PKCS #8 and KEK   ----------&gt;   Load PKCS #8 and KEK, import key</span>
<span class="c1">#                                               hal_rpc_pkey_import()</span>

<span class="kn">import</span> <span class="nn">sys</span>
<span class="kn">import</span> <span class="nn">json</span>
<span class="kn">import</span> <span class="nn">uuid</span>
<span class="kn">import</span> <span class="nn">atexit</span>
<span class="kn">import</span> <span class="nn">getpass</span>
<span class="kn">import</span> <span class="nn">argparse</span>

<span class="kn">from</span> <span class="nn">cryptech.libhal</span> <span class="kn">import</span> <span class="o">*</span>

<span class="k">def</span> <span class="nf">main</span><span class="p">():</span>

    <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">ArgumentParser</span><span class="p">(</span>
        <span class="n">formatter_class</span> <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">RawDescriptionHelpFormatter</span><span class="p">,</span>
        <span class="n">description</span> <span class="o">=</span> <span class="vm">__doc__</span><span class="p">)</span>
    <span class="n">subparsers</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">add_subparsers</span><span class="p">(</span>
        <span class="n">title</span> <span class="o">=</span> <span class="s2">&quot;Commands (use </span><span class="se">\&quot;</span><span class="s2">--help</span><span class="se">\&quot;</span><span class="s2"> after command name for help with individual commands)&quot;</span><span class="p">,</span>
        <span class="n">metavar</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span><span class="p">)</span>
    <span class="n">setup_parser</span>  <span class="o">=</span> <span class="n">defcmd</span><span class="p">(</span><span class="n">subparsers</span><span class="p">,</span> <span class="n">cmd_setup</span><span class="p">)</span>
    <span class="n">export_parser</span> <span class="o">=</span> <span class="n">defcmd</span><span class="p">(</span><span class="n">subparsers</span><span class="p">,</span> <span class="n">cmd_export</span><span class="p">)</span>
    <span class="n">import_parser</span> <span class="o">=</span> <span class="n">defcmd</span><span class="p">(</span><span class="n">subparsers</span><span class="p">,</span> <span class="n">cmd_import</span><span class="p">)</span>
    <span class="n">setup_mutex_group</span> <span class="o">=</span> <span class="n">setup_parser</span><span class="o">.</span><span class="n">add_mutually_exclusive_group</span><span class="p">()</span>


    <span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-p&quot;</span><span class="p">,</span> <span class="s2">&quot;--pin&quot;</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;wheel PIN&quot;</span><span class="p">)</span>


    <span class="n">setup_mutex_group</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-n&quot;</span><span class="p">,</span> <span class="s2">&quot;--new&quot;</span><span class="p">,</span>
        <span class="n">action</span>  <span class="o">=</span> <span class="s2">&quot;store_true&quot;</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;force creation of new KEKEK&quot;</span><span class="p">)</span>

    <span class="n">setup_mutex_group</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-u&quot;</span><span class="p">,</span> <span class="s2">&quot;--uuid&quot;</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;UUID of existing KEKEK to use&quot;</span><span class="p">)</span>

    <span class="n">setup_mutex_group</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-s&quot;</span><span class="p">,</span> <span class="s2">&quot;--soft-backup&quot;</span><span class="p">,</span>
        <span class="n">action</span> <span class="o">=</span> <span class="s2">&quot;store_true&quot;</span><span class="p">,</span>
        <span class="n">help</span>   <span class="o">=</span> <span class="s2">&quot;software-based backup, see warnings&quot;</span><span class="p">)</span>

    <span class="n">setup_parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-k&quot;</span><span class="p">,</span> <span class="s2">&quot;--keylen&quot;</span><span class="p">,</span>
        <span class="nb">type</span>    <span class="o">=</span> <span class="nb">int</span><span class="p">,</span>
        <span class="n">default</span> <span class="o">=</span> <span class="mi">2048</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;length of new KEKEK if we need to create one&quot;</span><span class="p">)</span>

    <span class="n">setup_parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-o&quot;</span><span class="p">,</span> <span class="s2">&quot;--output&quot;</span><span class="p">,</span>
        <span class="nb">type</span>    <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">FileType</span><span class="p">(</span><span class="s2">&quot;w&quot;</span><span class="p">),</span>
        <span class="n">default</span> <span class="o">=</span> <span class="s2">&quot;-&quot;</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;output file&quot;</span><span class="p">)</span>


    <span class="n">export_parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-i&quot;</span><span class="p">,</span> <span class="s2">&quot;--input&quot;</span><span class="p">,</span>
        <span class="nb">type</span>    <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">FileType</span><span class="p">(</span><span class="s2">&quot;r&quot;</span><span class="p">),</span>
        <span class="n">default</span> <span class="o">=</span> <span class="s2">&quot;-&quot;</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;input file&quot;</span><span class="p">)</span>

    <span class="n">export_parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-o&quot;</span><span class="p">,</span> <span class="s2">&quot;--output&quot;</span><span class="p">,</span>
        <span class="nb">type</span>    <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">FileType</span><span class="p">(</span><span class="s2">&quot;w&quot;</span><span class="p">),</span>
        <span class="n">default</span> <span class="o">=</span> <span class="s2">&quot;-&quot;</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;output file&quot;</span><span class="p">)</span>


    <span class="n">import_parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span>
        <span class="s2">&quot;-i&quot;</span><span class="p">,</span> <span class="s2">&quot;--input&quot;</span><span class="p">,</span>
        <span class="nb">type</span>    <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">FileType</span><span class="p">(</span><span class="s2">&quot;r&quot;</span><span class="p">),</span>
        <span class="n">default</span> <span class="o">=</span> <span class="s2">&quot;-&quot;</span><span class="p">,</span>
        <span class="n">help</span>    <span class="o">=</span> <span class="s2">&quot;input file&quot;</span><span class="p">)</span>


    <span class="n">args</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span>

    <span class="n">hsm</span> <span class="o">=</span> <span class="n">HSM</span><span class="p">()</span>

    <span class="k">try</span><span class="p">:</span>
        <span class="n">hsm</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="n">HAL_USER_WHEEL</span><span class="p">,</span> <span class="n">args</span><span class="o">.</span><span class="n">pin</span> <span class="ow">or</span> <span class="n">getpass</span><span class="o">.</span><span class="n">getpass</span><span class="p">(</span><span class="s2">&quot;Wheel PIN: &quot;</span><span class="p">))</span>

    <span class="k">except</span> <span class="n">HALError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
        <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="s2">&quot;Couldn&#39;t log into HSM: </span><span class="si">{}</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">e</span><span class="p">))</span>

    <span class="k">try</span><span class="p">:</span>
        <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">func</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">hsm</span><span class="p">))</span>

    <span class="k">finally</span><span class="p">:</span>
        <span class="n">hsm</span><span class="o">.</span><span class="n">logout</span><span class="p">()</span>


<span class="k">def</span> <span class="nf">defcmd</span><span class="p">(</span><span class="n">subparsers</span><span class="p">,</span> <span class="n">func</span><span class="p">):</span>
    <span class="k">assert</span> <span class="n">func</span><span class="o">.</span><span class="vm">__name__</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s2">&quot;cmd_&quot;</span><span class="p">)</span>
    <span class="n">subparser</span> <span class="o">=</span> <span class="n">subparsers</span><span class="o">.</span><span class="n">add_parser</span><span class="p">(</span><span class="n">func</span><span class="o">.</span><span class="vm">__name__</span><span class="p">[</span><span class="mi">4</span><span class="p">:],</span>
                                      <span class="n">description</span> <span class="o">=</span> <span class="n">func</span><span class="o">.</span><span class="vm">__doc__</span><span class="p">,</span>
                                      <span class="n">help</span> <span class="o">=</span> <span class="n">func</span><span class="o">.</span><span class="vm">__doc__</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span><span class="o">.</span><span class="n">splitlines</span><span class="p">()[</span><span class="mi">0</span><span class="p">])</span>
    <span class="n">subparser</span><span class="o">.</span><span class="n">set_defaults</span><span class="p">(</span><span class="n">func</span> <span class="o">=</span> <span class="n">func</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">subparser</span>


<span class="k">def</span> <span class="nf">b64</span><span class="p">(</span><span class="nb">bytes</span><span class="p">):</span>
    <span class="k">return</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s2">&quot;base64&quot;</span><span class="p">)</span><span class="o">.</span><span class="n">splitlines</span><span class="p">()</span>

<span class="k">def</span> <span class="nf">b64join</span><span class="p">(</span><span class="n">lines</span><span class="p">):</span>
    <span class="k">return</span> <span class="s2">&quot;&quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">lines</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&quot;base64&quot;</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">cmd_setup</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">hsm</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Set up backup HSM for subsequent import.</span>
<span class="sd">    Generates an RSA keypair with appropriate usage settings</span>
<span class="sd">    to use as a key-encryption-key-encryption-key (KEKEK), and</span>
<span class="sd">    writes the KEKEK to a JSON file for transfer to primary HSM.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">result</span> <span class="o">=</span> <span class="p">{}</span>
    <span class="n">uuids</span>  <span class="o">=</span> <span class="p">[]</span>

    <span class="k">if</span> <span class="n">args</span><span class="o">.</span><span class="n">soft_backup</span><span class="p">:</span>
        <span class="n">SoftKEKEK</span><span class="o">.</span><span class="n">generate</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span>
    <span class="k">elif</span> <span class="n">args</span><span class="o">.</span><span class="n">uuid</span><span class="p">:</span>
        <span class="n">uuids</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">uuid</span><span class="p">)</span>
    <span class="k">elif</span> <span class="ow">not</span> <span class="n">args</span><span class="o">.</span><span class="n">new</span><span class="p">:</span>
        <span class="n">uuids</span><span class="o">.</span><span class="n">extend</span><span class="p">(</span><span class="n">hsm</span><span class="o">.</span><span class="n">pkey_match</span><span class="p">(</span>
            <span class="nb">type</span>  <span class="o">=</span> <span class="n">HAL_KEY_TYPE_RSA_PRIVATE</span><span class="p">,</span>
            <span class="n">mask</span>  <span class="o">=</span> <span class="n">HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT</span> <span class="o">|</span> <span class="n">HAL_KEY_FLAG_TOKEN</span><span class="p">,</span>
            <span class="n">flags</span> <span class="o">=</span> <span class="n">HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT</span> <span class="o">|</span> <span class="n">HAL_KEY_FLAG_TOKEN</span><span class="p">))</span>

    <span class="k">for</span> <span class="n">uuid</span> <span class="ow">in</span> <span class="n">uuids</span><span class="p">:</span>
        <span class="k">with</span> <span class="n">hsm</span><span class="o">.</span><span class="n">pkey_open</span><span class="p">(</span><span class="n">uuid</span><span class="p">)</span> <span class="k">as</span> <span class="n">kekek</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">kekek</span><span class="o">.</span><span class="n">key_type</span> <span class="o">!=</span> <span class="n">HAL_KEY_TYPE_RSA_PRIVATE</span><span class="p">:</span>
                <span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">&quot;Key </span><span class="si">{}</span><span class="s2"> is not an RSA private key</span><span class="se">\n</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">uuid</span><span class="p">))</span>
            <span class="k">elif</span> <span class="p">(</span><span class="n">kekek</span><span class="o">.</span><span class="n">key_flags</span> <span class="o">&amp;</span> <span class="n">HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
                <span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">&quot;Key </span><span class="si">{}</span><span class="s2"> does not allow key encipherment</span><span class="se">\n</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">uuid</span><span class="p">))</span>
            <span class="k">else</span><span class="p">:</span>
                <span class="n">result</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">kekek_uuid</span>   <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">kekek</span><span class="o">.</span><span class="n">uuid</span><span class="p">),</span>
                              <span class="n">kekek_pubkey</span> <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">kekek</span><span class="o">.</span><span class="n">public_key</span><span class="p">))</span>
                <span class="k">break</span>

    <span class="k">if</span> <span class="ow">not</span> <span class="n">result</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">args</span><span class="o">.</span><span class="n">uuid</span><span class="p">:</span>
        <span class="k">with</span> <span class="n">hsm</span><span class="o">.</span><span class="n">pkey_generate_rsa</span><span class="p">(</span>
                <span class="n">keylen</span> <span class="o">=</span> <span class="n">args</span><span class="o">.</span><span class="n">keylen</span><span class="p">,</span>
                <span class="n">flags</span> <span class="o">=</span> <span class="n">HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT</span> <span class="o">|</span> <span class="n">HAL_KEY_FLAG_TOKEN</span><span class="p">)</span> <span class="k">as</span> <span class="n">kekek</span><span class="p">:</span>
            <span class="n">result</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">kekek_uuid</span>   <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">kekek</span><span class="o">.</span><span class="n">uuid</span><span class="p">),</span>
                          <span class="n">kekek_pubkey</span> <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">kekek</span><span class="o">.</span><span class="n">public_key</span><span class="p">))</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">result</span><span class="p">:</span>
        <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="s2">&quot;Could not find suitable KEKEK&quot;</span><span class="p">)</span>

    <span class="k">if</span> <span class="n">args</span><span class="o">.</span><span class="n">soft_backup</span><span class="p">:</span>
        <span class="n">result</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">comment</span> <span class="o">=</span> <span class="s2">&quot;KEKEK software keypair&quot;</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
        <span class="n">result</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">comment</span> <span class="o">=</span> <span class="s2">&quot;KEKEK public key&quot;</span><span class="p">)</span>

    <span class="n">json</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">args</span><span class="o">.</span><span class="n">output</span><span class="p">,</span> <span class="n">indent</span> <span class="o">=</span> <span class="mi">4</span><span class="p">,</span> <span class="n">sort_keys</span> <span class="o">=</span> <span class="kc">True</span><span class="p">)</span>
    <span class="n">args</span><span class="o">.</span><span class="n">output</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">&quot;</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">key_flag_names</span><span class="p">(</span><span class="n">flags</span><span class="p">):</span>
    <span class="n">names</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">(</span><span class="n">digitalsignature</span> <span class="o">=</span> <span class="n">HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE</span><span class="p">,</span>
                 <span class="n">keyencipherment</span>  <span class="o">=</span> <span class="n">HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT</span><span class="p">,</span>
                 <span class="n">dataencipherment</span> <span class="o">=</span> <span class="n">HAL_KEY_FLAG_USAGE_DATAENCIPHERMENT</span><span class="p">,</span>
                 <span class="n">token</span>            <span class="o">=</span> <span class="n">HAL_KEY_FLAG_TOKEN</span><span class="p">,</span>
                 <span class="n">public</span>           <span class="o">=</span> <span class="n">HAL_KEY_FLAG_PUBLIC</span><span class="p">,</span>
                 <span class="n">exportable</span>       <span class="o">=</span> <span class="n">HAL_KEY_FLAG_EXPORTABLE</span><span class="p">)</span>
    <span class="k">return</span> <span class="s2">&quot;, &quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="nb">sorted</span><span class="p">(</span><span class="n">k</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">names</span><span class="o">.</span><span class="n">iteritems</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="n">flags</span> <span class="o">&amp;</span> <span class="n">v</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">))</span>


<span class="k">def</span> <span class="nf">cmd_export</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">hsm</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Export encrypted keys from primary HSM.</span>
<span class="sd">    Takes a JSON file containing KEKEK (generated by running this</span>
<span class="sd">    script&#39;s &quot;setup&quot; command against the backup HSM), installs that</span>
<span class="sd">    key on the primary HSM, and backs up keys encrypted to the KEKEK</span>
<span class="sd">    by writing them to another JSON file for transfer to the backup HSM.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">db</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">load</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">input</span><span class="p">)</span>

    <span class="n">result</span> <span class="o">=</span> <span class="p">[]</span>

    <span class="n">kekek</span> <span class="o">=</span> <span class="kc">None</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="n">kekek</span> <span class="o">=</span> <span class="n">hsm</span><span class="o">.</span><span class="n">pkey_load</span><span class="p">(</span><span class="n">der</span>   <span class="o">=</span> <span class="n">b64join</span><span class="p">(</span><span class="n">db</span><span class="p">[</span><span class="s2">&quot;kekek_pubkey&quot;</span><span class="p">]),</span>
                              <span class="n">flags</span> <span class="o">=</span> <span class="n">HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT</span><span class="p">)</span>

        <span class="k">for</span> <span class="n">uuid</span> <span class="ow">in</span> <span class="n">hsm</span><span class="o">.</span><span class="n">pkey_match</span><span class="p">(</span><span class="n">mask</span>  <span class="o">=</span> <span class="n">HAL_KEY_FLAG_EXPORTABLE</span><span class="p">,</span>
                                   <span class="n">flags</span> <span class="o">=</span> <span class="n">HAL_KEY_FLAG_EXPORTABLE</span><span class="p">):</span>
            <span class="k">with</span> <span class="n">hsm</span><span class="o">.</span><span class="n">pkey_open</span><span class="p">(</span><span class="n">uuid</span><span class="p">)</span> <span class="k">as</span> <span class="n">pkey</span><span class="p">:</span>

                <span class="k">if</span> <span class="n">pkey</span><span class="o">.</span><span class="n">key_type</span> <span class="ow">in</span> <span class="p">(</span><span class="n">HAL_KEY_TYPE_RSA_PRIVATE</span><span class="p">,</span> <span class="n">HAL_KEY_TYPE_EC_PRIVATE</span><span class="p">):</span>
                    <span class="n">pkcs8</span><span class="p">,</span> <span class="n">kek</span> <span class="o">=</span> <span class="n">kekek</span><span class="o">.</span><span class="n">export_pkey</span><span class="p">(</span><span class="n">pkey</span><span class="p">)</span>
                    <span class="n">result</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">dict</span><span class="p">(</span>
                        <span class="n">comment</span> <span class="o">=</span> <span class="s2">&quot;Encrypted private key&quot;</span><span class="p">,</span>
                        <span class="n">pkcs8</span>   <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">pkcs8</span><span class="p">),</span>
                        <span class="n">kek</span>     <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">kek</span><span class="p">),</span>
                        <span class="n">uuid</span>    <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">pkey</span><span class="o">.</span><span class="n">uuid</span><span class="p">),</span>
                        <span class="n">flags</span>   <span class="o">=</span> <span class="n">pkey</span><span class="o">.</span><span class="n">key_flags</span><span class="p">))</span>

                <span class="k">elif</span> <span class="n">pkey</span><span class="o">.</span><span class="n">key_type</span> <span class="ow">in</span> <span class="p">(</span><span class="n">HAL_KEY_TYPE_RSA_PUBLIC</span><span class="p">,</span> <span class="n">HAL_KEY_TYPE_EC_PUBLIC</span><span class="p">):</span>
                    <span class="n">result</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">dict</span><span class="p">(</span>
                        <span class="n">comment</span> <span class="o">=</span> <span class="s2">&quot;Public key&quot;</span><span class="p">,</span>
                        <span class="n">spki</span>    <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">pkey</span><span class="o">.</span><span class="n">public_key</span><span class="p">),</span>
                        <span class="n">uuid</span>    <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">pkey</span><span class="o">.</span><span class="n">uuid</span><span class="p">),</span>
                        <span class="n">flags</span>   <span class="o">=</span> <span class="n">pkey</span><span class="o">.</span><span class="n">key_flags</span><span class="p">))</span>

    <span class="k">finally</span><span class="p">:</span>
        <span class="k">if</span> <span class="n">kekek</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
            <span class="n">kekek</span><span class="o">.</span><span class="n">delete</span><span class="p">()</span>

    <span class="n">db</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">comment</span> <span class="o">=</span> <span class="s2">&quot;Cryptech Alpha encrypted key backup&quot;</span><span class="p">,</span>
              <span class="n">keys</span>    <span class="o">=</span> <span class="n">result</span><span class="p">)</span>
    <span class="n">json</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">args</span><span class="o">.</span><span class="n">output</span><span class="p">,</span> <span class="n">indent</span> <span class="o">=</span> <span class="mi">4</span><span class="p">,</span> <span class="n">sort_keys</span> <span class="o">=</span> <span class="kc">True</span><span class="p">)</span>
    <span class="n">args</span><span class="o">.</span><span class="n">output</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">&quot;</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">cmd_import</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">hsm</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Import encrypted keys into backup HSM.</span>
<span class="sd">    Takes a JSON file containing a key backup (generated by running</span>
<span class="sd">    this script&#39;s &quot;export&quot; command against the primary HSM) and imports</span>
<span class="sd">    keys into the backup HSM.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">db</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">load</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">input</span><span class="p">)</span>

    <span class="n">soft_key</span> <span class="o">=</span> <span class="n">SoftKEKEK</span><span class="o">.</span><span class="n">is_soft_key</span><span class="p">(</span><span class="n">db</span><span class="p">)</span>

    <span class="k">with</span> <span class="p">(</span><span class="n">hsm</span><span class="o">.</span><span class="n">pkey_load</span><span class="p">(</span><span class="n">SoftKEKEK</span><span class="o">.</span><span class="n">recover</span><span class="p">(</span><span class="n">db</span><span class="p">),</span> <span class="n">HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT</span><span class="p">)</span>
          <span class="k">if</span> <span class="n">soft_key</span> <span class="k">else</span>
          <span class="n">hsm</span><span class="o">.</span><span class="n">pkey_open</span><span class="p">(</span><span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">(</span><span class="n">db</span><span class="p">[</span><span class="s2">&quot;kekek_uuid&quot;</span><span class="p">])</span><span class="o">.</span><span class="n">bytes</span><span class="p">)</span>
    <span class="p">)</span> <span class="k">as</span> <span class="n">kekek</span><span class="p">:</span>

        <span class="k">for</span> <span class="n">k</span> <span class="ow">in</span> <span class="n">db</span><span class="p">[</span><span class="s2">&quot;keys&quot;</span><span class="p">]:</span>
            <span class="n">pkcs8</span> <span class="o">=</span> <span class="n">b64join</span><span class="p">(</span><span class="n">k</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;pkcs8&quot;</span><span class="p">,</span> <span class="s2">&quot;&quot;</span><span class="p">))</span>
            <span class="n">spki</span>  <span class="o">=</span> <span class="n">b64join</span><span class="p">(</span><span class="n">k</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;spki&quot;</span><span class="p">,</span>  <span class="s2">&quot;&quot;</span><span class="p">))</span>
            <span class="n">kek</span>   <span class="o">=</span> <span class="n">b64join</span><span class="p">(</span><span class="n">k</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;kek&quot;</span><span class="p">,</span>   <span class="s2">&quot;&quot;</span><span class="p">))</span>
            <span class="n">flags</span> <span class="o">=</span>         <span class="n">k</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;flags&quot;</span><span class="p">,</span>  <span class="mi">0</span><span class="p">)</span>
            <span class="k">if</span> <span class="n">pkcs8</span> <span class="ow">and</span> <span class="n">kek</span><span class="p">:</span>
                <span class="k">with</span> <span class="n">kekek</span><span class="o">.</span><span class="n">import_pkey</span><span class="p">(</span><span class="n">pkcs8</span> <span class="o">=</span> <span class="n">pkcs8</span><span class="p">,</span> <span class="n">kek</span> <span class="o">=</span> <span class="n">kek</span><span class="p">,</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">flags</span><span class="p">)</span> <span class="k">as</span> <span class="n">pkey</span><span class="p">:</span>
                    <span class="nb">print</span> <span class="s2">&quot;Imported </span><span class="si">{}</span><span class="s2"> as </span><span class="si">{}</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">k</span><span class="p">[</span><span class="s2">&quot;uuid&quot;</span><span class="p">],</span> <span class="n">pkey</span><span class="o">.</span><span class="n">uuid</span><span class="p">)</span>
            <span class="k">elif</span> <span class="n">spki</span><span class="p">:</span>
                <span class="k">with</span> <span class="n">hsm</span><span class="o">.</span><span class="n">pkey_load</span><span class="p">(</span><span class="n">der</span> <span class="o">=</span> <span class="n">spki</span><span class="p">,</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">flags</span><span class="p">)</span> <span class="k">as</span> <span class="n">pkey</span><span class="p">:</span>
                    <span class="nb">print</span> <span class="s2">&quot;Loaded </span><span class="si">{}</span><span class="s2"> as </span><span class="si">{}</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">k</span><span class="p">[</span><span class="s2">&quot;uuid&quot;</span><span class="p">],</span> <span class="n">pkey</span><span class="o">.</span><span class="n">uuid</span><span class="p">)</span>

        <span class="k">if</span> <span class="n">soft_key</span><span class="p">:</span>
            <span class="n">kekek</span><span class="o">.</span><span class="n">delete</span><span class="p">()</span>


<span class="k">class</span> <span class="nc">AESKeyWrapWithPadding</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Implementation of AES Key Wrap With Padding from RFC 5649.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">class</span> <span class="nc">UnwrapError</span><span class="p">(</span><span class="ne">Exception</span><span class="p">):</span>
        <span class="s2">&quot;Something went wrong during unwrap.&quot;</span>

    <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">key</span><span class="p">):</span>
        <span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">ctx</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_ECB</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">_encrypt</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">b1</span><span class="p">,</span> <span class="n">b2</span><span class="p">):</span>
        <span class="n">aes_block</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ctx</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">b1</span> <span class="o">+</span> <span class="n">b2</span><span class="p">)</span>
        <span class="k">return</span> <span class="n">aes_block</span><span class="p">[:</span><span class="mi">8</span><span class="p">],</span> <span class="n">aes_block</span><span class="p">[</span><span class="mi">8</span><span class="p">:]</span>

    <span class="k">def</span> <span class="nf">_decrypt</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">b1</span><span class="p">,</span> <span class="n">b2</span><span class="p">):</span>
        <span class="n">aes_block</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ctx</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">b1</span> <span class="o">+</span> <span class="n">b2</span><span class="p">)</span>
        <span class="k">return</span> <span class="n">aes_block</span><span class="p">[:</span><span class="mi">8</span><span class="p">],</span> <span class="n">aes_block</span><span class="p">[</span><span class="mi">8</span><span class="p">:]</span>

    <span class="nd">@staticmethod</span>
    <span class="k">def</span> <span class="nf">_start_stop</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">stop</span><span class="p">):</span>               <span class="c1"># Syntactic sugar</span>
        <span class="n">step</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span> <span class="k">if</span> <span class="n">start</span> <span class="o">&gt;</span> <span class="n">stop</span> <span class="k">else</span> <span class="mi">1</span>
        <span class="k">return</span> <span class="n">xrange</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">stop</span> <span class="o">+</span> <span class="n">step</span><span class="p">,</span> <span class="n">step</span><span class="p">)</span>

    <span class="nd">@staticmethod</span>
    <span class="k">def</span> <span class="nf">_xor</span><span class="p">(</span><span class="n">R0</span><span class="p">,</span> <span class="n">t</span><span class="p">):</span>
        <span class="kn">from</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="n">pack</span><span class="p">,</span> <span class="n">unpack</span>
        <span class="k">return</span> <span class="n">pack</span><span class="p">(</span><span class="s2">&quot;&gt;Q&quot;</span><span class="p">,</span> <span class="n">unpack</span><span class="p">(</span><span class="s2">&quot;&gt;Q&quot;</span><span class="p">,</span> <span class="n">R0</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">^</span> <span class="n">t</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">wrap</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">Q</span><span class="p">):</span>
        <span class="s2">&quot;RFC 5649 section 4.1.&quot;</span>
        <span class="kn">from</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="n">pack</span>
        <span class="n">m</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">Q</span><span class="p">)</span>                              <span class="c1"># Plaintext length</span>
        <span class="k">if</span> <span class="n">m</span> <span class="o">%</span> <span class="mi">8</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>                          <span class="c1"># Pad Q if needed</span>
            <span class="n">Q</span> <span class="o">+=</span> <span class="s2">&quot;</span><span class="se">\x00</span><span class="s2">&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="mi">8</span> <span class="o">-</span> <span class="p">(</span><span class="n">m</span> <span class="o">%</span> <span class="mi">8</span><span class="p">))</span>
        <span class="n">R</span> <span class="o">=</span> <span class="p">[</span><span class="n">pack</span><span class="p">(</span><span class="s2">&quot;&gt;LL&quot;</span><span class="p">,</span> <span class="mh">0xa65959a6</span><span class="p">,</span> <span class="n">m</span><span class="p">)]</span>        <span class="c1"># Magic MSB(32,A), build LSB(32,A)</span>
        <span class="n">R</span><span class="o">.</span><span class="n">extend</span><span class="p">(</span><span class="n">Q</span><span class="p">[</span><span class="n">i</span> <span class="p">:</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">8</span><span class="p">]</span>                   <span class="c1"># Append Q</span>
                 <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">xrange</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">Q</span><span class="p">),</span> <span class="mi">8</span><span class="p">))</span>
        <span class="n">n</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">R</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span>
        <span class="k">if</span> <span class="n">n</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
            <span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_encrypt</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="c1"># RFC 3394 section 2.2.1</span>
            <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">_start_stop</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">5</span><span class="p">):</span>
                <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">_start_stop</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">n</span><span class="p">):</span>
                    <span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_encrypt</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="n">i</span><span class="p">])</span>
                    <span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_xor</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">n</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span>
        <span class="k">assert</span> <span class="nb">len</span><span class="p">(</span><span class="n">R</span><span class="p">)</span> <span class="o">==</span> <span class="p">(</span><span class="n">n</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="ow">and</span> <span class="nb">all</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="o">==</span> <span class="mi">8</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">R</span><span class="p">)</span>
        <span class="k">return</span> <span class="s2">&quot;&quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">R</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">unwrap</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">C</span><span class="p">):</span>
        <span class="s2">&quot;RFC 5649 section 4.2.&quot;</span>
        <span class="kn">from</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="n">unpack</span>
        <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">C</span><span class="p">)</span> <span class="o">%</span> <span class="mi">8</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
            <span class="k">raise</span> <span class="bp">self</span><span class="o">.</span><span class="n">UnwrapError</span><span class="p">(</span><span class="s2">&quot;Ciphertext length </span><span class="si">{}</span><span class="s2"> is not an integral number of blocks&quot;</span>
                                   <span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">C</span><span class="p">)))</span>
        <span class="n">n</span> <span class="o">=</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">C</span><span class="p">)</span> <span class="o">/</span> <span class="mi">8</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span>
        <span class="n">R</span> <span class="o">=</span> <span class="p">[</span><span class="n">C</span><span class="p">[</span><span class="n">i</span> <span class="p">:</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">8</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">xrange</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">C</span><span class="p">),</span> <span class="mi">8</span><span class="p">)]</span>
        <span class="k">if</span> <span class="n">n</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
            <span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_decrypt</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="c1"># RFC 3394 section 2.2.2 steps (1), (2), and part of (3)</span>
            <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">_start_stop</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="mi">0</span><span class="p">):</span>
                <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">_start_stop</span><span class="p">(</span><span class="n">n</span><span class="p">,</span> <span class="mi">1</span><span class="p">):</span>
                    <span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_xor</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">n</span> <span class="o">*</span> <span class="n">j</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span>
                    <span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">_decrypt</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">R</span><span class="p">[</span><span class="n">i</span><span class="p">])</span>
        <span class="n">magic</span><span class="p">,</span> <span class="n">m</span> <span class="o">=</span> <span class="n">unpack</span><span class="p">(</span><span class="s2">&quot;&gt;LL&quot;</span><span class="p">,</span> <span class="n">R</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
        <span class="k">if</span> <span class="n">magic</span> <span class="o">!=</span> <span class="mh">0xa65959a6</span><span class="p">:</span>
            <span class="k">raise</span> <span class="bp">self</span><span class="o">.</span><span class="n">UnwrapError</span><span class="p">(</span><span class="s2">&quot;Magic value in AIV should have been 0xa65959a6, was 0x</span><span class="si">{:02x}</span><span class="s2">&quot;</span>
                              <span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">magic</span><span class="p">))</span>
        <span class="k">if</span> <span class="n">m</span> <span class="o">&lt;=</span> <span class="mi">8</span> <span class="o">*</span> <span class="p">(</span><span class="n">n</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="ow">or</span> <span class="n">m</span> <span class="o">&gt;</span> <span class="mi">8</span> <span class="o">*</span> <span class="n">n</span><span class="p">:</span>
            <span class="k">raise</span> <span class="bp">self</span><span class="o">.</span><span class="n">UnwrapError</span><span class="p">(</span><span class="s2">&quot;Length encoded in AIV out of range: m </span><span class="si">{}</span><span class="s2">, n </span><span class="si">{}</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">n</span><span class="p">))</span>
        <span class="n">R</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="mi">1</span><span class="p">:])</span>
        <span class="k">assert</span> <span class="nb">len</span><span class="p">(</span><span class="n">R</span><span class="p">)</span> <span class="o">==</span>  <span class="mi">8</span> <span class="o">*</span> <span class="n">n</span>
        <span class="k">if</span> <span class="nb">any</span><span class="p">(</span><span class="n">r</span> <span class="o">!=</span> <span class="s2">&quot;</span><span class="se">\x00</span><span class="s2">&quot;</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">R</span><span class="p">[</span><span class="n">m</span><span class="p">:]):</span>
            <span class="k">raise</span> <span class="bp">self</span><span class="o">.</span><span class="n">UnwrapError</span><span class="p">(</span><span class="s2">&quot;Nonzero trailing bytes </span><span class="si">{}</span><span class="s2">&quot;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">R</span><span class="p">[</span><span class="n">m</span><span class="p">:]</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s2">&quot;hex&quot;</span><span class="p">)))</span>
        <span class="k">return</span> <span class="n">R</span><span class="p">[:</span><span class="n">m</span><span class="p">]</span>


<span class="k">class</span> <span class="nc">SoftKEKEK</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Wrapper around all the goo we need to implement soft backups.</span>
<span class="sd">    Requires PyCrypto on about every other line.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">oid_aesKeyWrap</span> <span class="o">=</span> <span class="s2">&quot;</span><span class="se">\x60\x86\x48\x01\x65\x03\x04\x01\x30</span><span class="s2">&quot;</span>

    <span class="k">def</span> <span class="nf">parse_EncryptedPrivateKeyInfo</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">der</span><span class="p">):</span>
        <span class="kn">from</span> <span class="nn">Crypto.Util.asn1</span> <span class="kn">import</span> <span class="n">DerObject</span><span class="p">,</span> <span class="n">DerSequence</span><span class="p">,</span> <span class="n">DerOctetString</span><span class="p">,</span> <span class="n">DerObjectId</span>
        <span class="n">encryptedPrivateKeyInfo</span> <span class="o">=</span> <span class="n">DerSequence</span><span class="p">()</span>
        <span class="n">encryptedPrivateKeyInfo</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="n">der</span><span class="p">)</span>
        <span class="n">encryptionAlgorithm</span> <span class="o">=</span> <span class="n">DerSequence</span><span class="p">()</span>
        <span class="n">algorithm</span> <span class="o">=</span> <span class="n">DerObjectId</span><span class="p">()</span>
        <span class="n">encryptedData</span> <span class="o">=</span> <span class="n">DerOctetString</span><span class="p">()</span>
        <span class="n">encryptionAlgorithm</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="n">encryptedPrivateKeyInfo</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
        <span class="n">DerObject</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="n">algorithm</span><span class="p">,</span> <span class="n">encryptionAlgorithm</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
        <span class="n">DerObject</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="n">encryptedData</span><span class="p">,</span> <span class="n">encryptedPrivateKeyInfo</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
        <span class="k">if</span> <span class="n">algorithm</span><span class="o">.</span><span class="n">payload</span> <span class="o">!=</span> <span class="bp">self</span><span class="o">.</span><span class="n">oid_aesKeyWrap</span><span class="p">:</span>
            <span class="k">raise</span> <span class="ne">ValueError</span>
        <span class="k">return</span> <span class="n">encryptedData</span><span class="o">.</span><span class="n">payload</span>

    <span class="k">def</span> <span class="nf">encode_EncryptedPrivateKeyInfo</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">der</span><span class="p">):</span>
        <span class="kn">from</span> <span class="nn">Crypto.Util.asn1</span> <span class="kn">import</span> <span class="n">DerSequence</span><span class="p">,</span> <span class="n">DerOctetString</span>
        <span class="k">return</span> <span class="n">DerSequence</span><span class="p">([</span>
            <span class="n">DerSequence</span><span class="p">([</span>
                <span class="nb">chr</span><span class="p">(</span><span class="mh">0x06</span><span class="p">)</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">oid_aesKeyWrap</span><span class="p">))</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">oid_aesKeyWrap</span>
            <span class="p">])</span><span class="o">.</span><span class="n">encode</span><span class="p">(),</span>
            <span class="n">DerOctetString</span><span class="p">(</span><span class="n">der</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span>
        <span class="p">])</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">gen_salt</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="nb">bytes</span> <span class="o">=</span> <span class="mi">16</span><span class="p">):</span>
        <span class="kn">from</span> <span class="nn">Crypto</span> <span class="kn">import</span> <span class="n">Random</span>
        <span class="k">return</span> <span class="n">Random</span><span class="o">.</span><span class="n">new</span><span class="p">()</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="nb">bytes</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">wrapper</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">salt</span><span class="p">,</span> <span class="n">keylen</span> <span class="o">=</span> <span class="mi">256</span><span class="p">,</span> <span class="n">iterations</span> <span class="o">=</span> <span class="mi">8000</span><span class="p">):</span>
        <span class="kn">from</span> <span class="nn">Crypto.Protocol.KDF</span> <span class="kn">import</span> <span class="n">PBKDF2</span>
        <span class="kn">from</span> <span class="nn">Crypto.Hash</span>         <span class="kn">import</span> <span class="n">SHA256</span><span class="p">,</span> <span class="n">HMAC</span>
        <span class="k">return</span> <span class="n">AESKeyWrapWithPadding</span><span class="p">(</span><span class="n">PBKDF2</span><span class="p">(</span>
            <span class="n">password</span> <span class="o">=</span> <span class="n">getpass</span><span class="o">.</span><span class="n">getpass</span><span class="p">(</span><span class="s2">&quot;KEKEK Passphrase: &quot;</span><span class="p">),</span>
            <span class="n">salt</span>     <span class="o">=</span> <span class="n">salt</span><span class="p">,</span>
            <span class="n">dkLen</span>    <span class="o">=</span> <span class="n">keylen</span><span class="o">/</span><span class="mi">8</span><span class="p">,</span>
            <span class="n">count</span>    <span class="o">=</span> <span class="n">iterations</span><span class="p">,</span>
            <span class="n">prf</span>      <span class="o">=</span> <span class="k">lambda</span> <span class="n">p</span><span class="p">,</span> <span class="n">s</span><span class="p">:</span> <span class="n">HMAC</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">s</span><span class="p">,</span> <span class="n">SHA256</span><span class="p">)</span><span class="o">.</span><span class="n">digest</span><span class="p">()))</span>

    <span class="nd">@classmethod</span>
    <span class="k">def</span> <span class="nf">is_soft_key</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">db</span><span class="p">):</span>
        <span class="k">return</span> <span class="nb">all</span><span class="p">(</span><span class="n">k</span> <span class="ow">in</span> <span class="n">db</span> <span class="k">for</span> <span class="n">k</span> <span class="ow">in</span> <span class="p">(</span><span class="s2">&quot;kekek_pkcs8&quot;</span><span class="p">,</span> <span class="s2">&quot;kekek_salt&quot;</span><span class="p">))</span>

    <span class="nd">@classmethod</span>
    <span class="k">def</span> <span class="nf">generate</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">args</span><span class="p">,</span> <span class="n">result</span><span class="p">):</span>
        <span class="kn">from</span> <span class="nn">Crypto.PublicKey</span> <span class="kn">import</span> <span class="n">RSA</span>
        <span class="bp">self</span> <span class="o">=</span> <span class="bp">cls</span><span class="p">()</span>
        <span class="n">k</span> <span class="o">=</span> <span class="n">RSA</span><span class="o">.</span><span class="n">generate</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">keylen</span><span class="p">)</span>
        <span class="n">salt</span>  <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">gen_salt</span><span class="p">()</span>
        <span class="n">spki</span>  <span class="o">=</span> <span class="n">k</span><span class="o">.</span><span class="n">publickey</span><span class="p">()</span><span class="o">.</span><span class="n">exportKey</span><span class="p">(</span><span class="nb">format</span> <span class="o">=</span> <span class="s2">&quot;DER&quot;</span><span class="p">)</span>
        <span class="n">pkcs8</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">encode_EncryptedPrivateKeyInfo</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">wrapper</span><span class="p">(</span><span class="n">salt</span><span class="p">)</span><span class="o">.</span><span class="n">wrap</span><span class="p">(</span>
            <span class="n">k</span><span class="o">.</span><span class="n">exportKey</span><span class="p">(</span><span class="nb">format</span> <span class="o">=</span> <span class="s2">&quot;DER&quot;</span><span class="p">,</span> <span class="n">pkcs</span> <span class="o">=</span> <span class="mi">8</span><span class="p">)))</span>
        <span class="n">result</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">kekek_salt</span>   <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">salt</span><span class="p">),</span>
                      <span class="n">kekek_pkcs8</span>  <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">pkcs8</span><span class="p">),</span>
                      <span class="n">kekek_pubkey</span> <span class="o">=</span> <span class="n">b64</span><span class="p">(</span><span class="n">spki</span><span class="p">))</span>

    <span class="nd">@classmethod</span>
    <span class="k">def</span> <span class="nf">recover</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">db</span><span class="p">):</span>
        <span class="bp">self</span> <span class="o">=</span> <span class="bp">cls</span><span class="p">()</span>
        <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">wrapper</span><span class="p">(</span><span class="n">b64join</span><span class="p">(</span><span class="n">db</span><span class="p">[</span><span class="s2">&quot;kekek_salt&quot;</span><span class="p">]))</span><span class="o">.</span><span class="n">unwrap</span><span class="p">(</span>
            <span class="bp">self</span><span class="o">.</span><span class="n">parse_EncryptedPrivateKeyInfo</span><span class="p">(</span><span class="n">b64join</span><span class="p">(</span><span class="n">db</span><span class="p">[</span><span class="s2">&quot;kekek_pkcs8&quot;</span><span class="p">])))</span>


<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&quot;__main__&quot;</span><span class="p">:</span>
    <span class="n">main</span><span class="p">()</span>
</pre></div>
</code></pre></td></tr></table>
</div> <!-- class=content -->
<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit v1.2.3</a> (<a href='https://git-scm.com/'>git 2.25.1</a>) at 2024-11-26 04:04:21 +0000</div>
</div> <!-- id=cgit -->
</body>
</html>