From 2b28debd52317b25e3bf90aa290838c51d8cf676 Mon Sep 17 00:00:00 2001 From: Magnus Ahltorp Date: Fri, 10 Apr 2015 10:33:10 +0200 Subject: Add HSM support in sign module --- Makefile | 3 ++- src/Dss.asn1 | 8 ++++++++ src/sign.erl | 46 ++++++++++++++++++++++++++++++++++++++-------- 3 files changed, 48 insertions(+), 9 deletions(-) create mode 100644 src/Dss.asn1 diff --git a/Makefile b/Makefile index 3ec6fdb..28d26b0 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,9 @@ build all: (cd c_src && make all) mkdir -p priv - cp c_src/fsynchelper priv/ + cp c_src/fsynchelper c_src/hsmhelper priv/ mkdir -p test/ebin + (cd src && erlc -bber +der src/Dss.asn1 && rm Dss.beam) ./make.erl clean: (cd c_src && make clean) diff --git a/src/Dss.asn1 b/src/Dss.asn1 new file mode 100644 index 0000000..9ce3c18 --- /dev/null +++ b/src/Dss.asn1 @@ -0,0 +1,8 @@ +Dss DEFINITIONS ::= +BEGIN + Dss-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER + } +END + diff --git a/src/sign.erl b/src/sign.erl index 250c601..1fb1c07 100644 --- a/src/sign.erl +++ b/src/sign.erl @@ -26,6 +26,7 @@ -record(state, {pubkey :: public_key:rsa_public_key(), privkey :: public_key:rsa_private_key(), + hsmport :: port(), logid :: binary() }). @@ -42,14 +43,26 @@ init([]) -> %% LogID = crypto:hash(sha256, %% public_key:der_encode('RSAPublicKey', Public_key)), %% Read EC keypair. - PrivKeyfile = application:get_env(plop, log_private_key, none), PubKeyfile = application:get_env(plop, log_public_key, none), - Private_key = read_keyfile_ec(PrivKeyfile), Public_key = read_keyfile_ec(PubKeyfile), LogID = read_keyfile_ec_logid(PubKeyfile), - {ok, #state{pubkey = Public_key, - privkey = Private_key, - logid = LogID}}. + + case application:get_env(plop, hsm) of + {ok, Args} -> + Port = open_port({spawn_executable, + code:priv_dir(plop) ++ "/hsmhelper"}, + [{args, Args}, + {packet, 4}]), + {ok, #state{pubkey = Public_key, + hsmport = Port, + logid = LogID}}; + undefined -> + PrivKeyfile = application:get_env(plop, log_private_key, none), + Private_key = read_keyfile_ec(PrivKeyfile), + {ok, #state{pubkey = Public_key, + privkey = Private_key, + logid = LogID}} + end. %% TODO: Merge the keyfile reading functions. %% @doc Read one password protected PEM file with an RSA keypair. @@ -177,6 +190,11 @@ verify_sth(STH, Signature) -> PublicKey = read_keyfile_ec(PubKeyfile), public_key:verify(STH, sha256, Signature, PublicKey). +encode_ec_signature(RawSignature, SignatureLength) -> + <> = RawSignature, + {ok, Signature} = 'Dss':encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}), + Signature. + %%%%%%%%%%%%%%%%%%%% %% gen_server callbacks. @@ -205,6 +223,18 @@ handle_call({get, pubkey}, _From, State) -> handle_call({sign, Data}, _From, State) -> %% FIXME: Merge RSA and DC. - Signature = signhash_ec(Data, State#state.privkey), - lager:debug("signing ~p: ~p", [Data, Signature]), - {reply, Signature, State}. + case State#state.hsmport of + undefined -> + Signature = signhash_ec(Data, State#state.privkey), + lager:debug("signing ~p: ~p", [Data, Signature]), + {reply, Signature, State}; + Port -> + lager:debug("sending signing request to HSM"), + Port ! {self(), {command, crypto:hash(sha256, Data)}}, + receive + {Port, {data, RawSignature}} when is_port(Port) -> + Signature = encode_ec_signature(list_to_binary(RawSignature), 256), + lager:debug("received signing reply from HSM: ~p", [Signature]), + {reply, Signature, State} + end + end. -- cgit v1.1