Diffstat (limited to 'src')
-rw-r--r--src/Dss.asn18
-rw-r--r--src/sign.erl46
2 files changed, 46 insertions, 8 deletions
diff --git a/src/Dss.asn1 b/src/Dss.asn1
new file mode 100644
index 0000000..9ce3c18
--- /dev/null
+++ b/src/Dss.asn1
@@ -0,0 +1,8 @@
+Dss DEFINITIONS ::=
+BEGIN
+ Dss-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER
+ }
+END
+
diff --git a/src/sign.erl b/src/sign.erl
index 250c601..1fb1c07 100644
--- a/src/sign.erl
+++ b/src/sign.erl
@@ -26,6 +26,7 @@
-record(state, {pubkey :: public_key:rsa_public_key(),
privkey :: public_key:rsa_private_key(),
+ hsmport :: port(),
logid :: binary()
}).
@@ -42,14 +43,26 @@ init([]) ->
%% LogID = crypto:hash(sha256,
%% public_key:der_encode('RSAPublicKey', Public_key)),
%% Read EC keypair.
- PrivKeyfile = application:get_env(plop, log_private_key, none),
PubKeyfile = application:get_env(plop, log_public_key, none),
- Private_key = read_keyfile_ec(PrivKeyfile),
Public_key = read_keyfile_ec(PubKeyfile),
LogID = read_keyfile_ec_logid(PubKeyfile),
- {ok, #state{pubkey = Public_key,
- privkey = Private_key,
- logid = LogID}}.
+
+ case application:get_env(plop, hsm) of
+ {ok, Args} ->
+ Port = open_port({spawn_executable,
+ code:priv_dir(plop) ++ "/hsmhelper"},
+ [{args, Args},
+ {packet, 4}]),
+ {ok, #state{pubkey = Public_key,
+ hsmport = Port,
+ logid = LogID}};
+ undefined ->
+ PrivKeyfile = application:get_env(plop, log_private_key, none),
+ Private_key = read_keyfile_ec(PrivKeyfile),
+ {ok, #state{pubkey = Public_key,
+ privkey = Private_key,
+ logid = LogID}}
+ end.
%% TODO: Merge the keyfile reading functions.
%% @doc Read one password protected PEM file with an RSA keypair.
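Review bot: In the `{ok, Args}` branch of init/1, `code:priv_dir(plop)` returns `{error, bad_name}` when the application directory cannot be resolved, and `++` on that tuple fails with a bare `badarg` that does not name the cause. Binding the result first and building the path with `filename:join(PrivDir, "hsmhelper")` would make a misconfigured release fail with a readable error. The `hsm` env value is handed to the helper unchanged as argv; if it carries a PIN or similar secret (not visible here), it will be readable in the host's process list, so a comment stating what `Args` may contain would help. init/1 starts outside this hunk.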
@@ -177,6 +190,11 @@ verify_sth(STH, Signature) ->
PublicKey = read_keyfile_ec(PubKeyfile),
public_key:verify(STH, sha256, Signature, PublicKey).
+encode_ec_signature(RawSignature, SignatureLength) ->
+ <<R:SignatureLength, S:SignatureLength>> = RawSignature,
+ {ok, Signature} = 'Dss':encode('Dss-Sig-Value', #'Dss-Sig-Value'{r = R, s = S}),
+ Signature.
+
%%%%%%%%%%%%%%%%%%%%
%% gen_server callbacks.
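Review bot: `encode_ec_signature/2` has no documentation, and its strict match `<<R:SignatureLength, S:SignatureLength>>` treats `SignatureLength` as a bit count per component, so the caller's `256` accepts exactly 64 bytes of helper output. Any other length raises `badmatch` inside the signing server. I would add `%% @doc DER-encode a raw r||s ECDSA signature; SignatureLength is the size of each component in bits.` and rename the parameter to something like `ComponentBits`. The `#'Dss-Sig-Value'{}` record needs the header generated from `Dss.asn1` to be included, and no such include is visible in these hunks.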
@@ -205,6 +223,18 @@ handle_call({get, pubkey}, _From, State) ->
handle_call({sign, Data}, _From, State) ->
%% FIXME: Merge RSA and DC.
- Signature = signhash_ec(Data, State#state.privkey),
- lager:debug("signing ~p: ~p", [Data, Signature]),
- {reply, Signature, State}.
+ case State#state.hsmport of
+ undefined ->
+ Signature = signhash_ec(Data, State#state.privkey),
+ lager:debug("signing ~p: ~p", [Data, Signature]),
+ {reply, Signature, State};
+ Port ->
+ lager:debug("sending signing request to HSM"),
+ Port ! {self(), {command, crypto:hash(sha256, Data)}},
+ receive
+ {Port, {data, RawSignature}} when is_port(Port) ->
+ Signature = encode_ec_signature(list_to_binary(RawSignature), 256),
+ lager:debug("received signing reply from HSM: ~p", [Signature]),
+ {reply, Signature, State}
+ end
+ end.
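Review bot: The `receive` in the HSM branch of `handle_call({sign, Data}, ...)` has no `after` clause and matches only `{Port, {data, _}}`, so a helper that hangs or exits without answering blocks the signing gen_server, and every caller queued behind it, indefinitely. Add a timeout and a clause for the port going away, and stop the server on either so a supervisor can reopen the port and a late reply cannot be mistaken for the answer to the next request. `{'EXIT', Port, Reason}` is only delivered if the process traps exits, which is not visible here, and the timeout macro below is a placeholder name. The `when is_port(Port)` guard adds nothing because `Port` is already bound to the non-`undefined` state field.

```erlang
            receive
                {Port, {data, RawSignature}} ->
                    %% … unchanged: encode_ec_signature/2, debug log, reply …
                {'EXIT', Port, Reason} ->
                    {stop, {hsm_port_exit, Reason}, State}
            after ?HSM_REPLY_TIMEOUT_MS ->   %% placeholder macro, define alongside the record
                    {stop, hsm_timeout, State}
            end
```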