Add HSM support in sign modulehsmhelper

3 files changed, 48 insertions, 9 deletions

diff --git a/Makefile b/Makefile
index 3ec6fdb..28d26b0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,9 @@
 build all:
 	(cd c_src && make all)
 	mkdir -p priv
-	cp c_src/fsynchelper priv/
+	cp c_src/fsynchelper c_src/hsmhelper priv/
 	mkdir -p test/ebin
+	(cd src && erlc -bber +der src/Dss.asn1 && rm Dss.beam)
 	./make.erl
 clean:
 	(cd c_src && make clean)
diff --git a/src/Dss.asn1 b/src/Dss.asn1
new file mode 100644
index 0000000..9ce3c18
--- /dev/null
+++ b/src/Dss.asn1
@@ -0,0 +1,8 @@
+Dss DEFINITIONS ::=
+BEGIN
+  Dss-Sig-Value ::= SEQUENCE {
+    r INTEGER,
+    s INTEGER
+  }
+END
+
diff --git a/src/sign.erl b/src/sign.erl
index 250c601..1fb1c07 100644
--- a/src/sign.erl
+++ b/src/sign.erl
@@ -26,6 +26,7 @@
 
 -record(state, {pubkey :: public_key:rsa_public_key(),
                 privkey :: public_key:rsa_private_key(),
+                hsmport :: port(),
                 logid :: binary()
                }).
 
@@ -42,14 +43,26 @@ init([]) ->
     %% LogID = crypto:hash(sha256,
     %%                     public_key:der_encode('RSAPublicKey', Public_key)),
     %% Read EC keypair.
-    PrivKeyfile = application:get_env(plop, log_private_key, none),
     PubKeyfile = application:get_env(plop, log_public_key, none),
-    Private_key = read_keyfile_ec(PrivKeyfile),
     Public_key = read_keyfile_ec(PubKeyfile),
     LogID = read_keyfile_ec_logid(PubKeyfile),
-    {ok, #state{pubkey = Public_key,
-                privkey = Private_key,
-                logid = LogID}}.
+
+    case application:get_env(plop, hsm) of
+        {ok, Args} ->
+            Port = open_port({spawn_executable,
+                              code:priv_dir(plop) ++ "/hsmhelper"},
+                             [{args, Args},
+                              {packet, 4}]),
+            {ok, #state{pubkey = Public_key,
+                        hsmport = Port,
+                        logid = LogID}};
+        undefined ->
+            PrivKeyfile = application:get_env(plop, log_private_key, none),
+            Private_key = read_keyfile_ec(PrivKeyfile),
+            {ok, #state{pubkey = Public_key,
+                        privkey = Private_key,
+                        logid = LogID}}
+    end.
 
 %% TODO: Merge the keyfile reading functions.
 %% @doc Read one password protected PEM file with an RSA keypair.
@@ -177,6 +190,11 @@ verify_sth(STH, Signature) ->
     PublicKey = read_keyfile_ec(PubKeyfile),
     public_key:verify(STH, sha256, Signature, PublicKey).
 
+encode_ec_signature(RawSignature, SignatureLength) ->
+    <<R:SignatureLength, S:SignatureLength>> = RawSignature,
+    {ok, Signature} = 'Dss':encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}),
+    Signature.
+
 
 %%%%%%%%%%%%%%%%%%%%
 %% gen_server callbacks.
@@ -205,6 +223,18 @@ handle_call({get, pubkey}, _From, State) ->
 
 handle_call({sign, Data}, _From, State) ->
     %% FIXME: Merge RSA and DC.
-    Signature = signhash_ec(Data, State#state.privkey),
-    lager:debug("signing ~p: ~p", [Data, Signature]),
-    {reply, Signature, State}.
+    case State#state.hsmport of
+        undefined ->
+            Signature = signhash_ec(Data, State#state.privkey),
+            lager:debug("signing ~p: ~p", [Data, Signature]),
+            {reply, Signature, State};
+        Port ->
+            lager:debug("sending signing request to HSM"),
+            Port ! {self(), {command, crypto:hash(sha256, Data)}},
+            receive
+                {Port, {data, RawSignature}} when is_port(Port) ->
+                    Signature = encode_ec_signature(list_to_binary(RawSignature), 256),
+                    lager:debug("received signing reply from HSM: ~p", [Signature]),
+                    {reply, Signature, State}
+            end
+    end.