This repository has been archived by the owner on Jun 3, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 43
Add tmkms yubihsm keys import
command
#107
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,125 @@ | ||
extern crate serde_json; | ||
|
||
use super::*; | ||
|
||
use std::fs::File; | ||
use std::io::prelude::*; | ||
use std::process; | ||
use std::str; | ||
|
||
use abscissa::Callable; | ||
use signatory::ed25519; | ||
use signatory::ed25519::Seed; | ||
use subtle_encoding::base64; | ||
use tendermint::public_keys::ConsensusKey; | ||
use yubihsm; | ||
|
||
use serde_json::Value; | ||
|
||
/// The `yubihsm keys import` subcommand | ||
#[derive(Debug, Default, Options)] | ||
pub struct ImportCommand { | ||
/// Path to the validator configuration file | ||
#[options(short = "p", long = "path")] | ||
pub path: Option<String>, | ||
|
||
/// Type of key to import (default 'ed25519') | ||
#[options(short = "t")] | ||
pub key_type: Option<String>, | ||
|
||
/// Label for imported key | ||
#[options(short = "l", long = "label")] | ||
pub label: Option<String>, | ||
|
||
/// Key ID for imported key | ||
#[options(free)] | ||
key_id: Option<u16>, | ||
} | ||
|
||
impl Callable for ImportCommand { | ||
fn call(&self) { | ||
if self.path.is_none() { | ||
status_err!("must provide a valid path to priv_validator.json"); | ||
process::exit(1); | ||
} | ||
|
||
if self.key_id.is_none() { | ||
status_err!("must provide a unique key_id"); | ||
process::exit(1); | ||
} | ||
|
||
match &self.key_type { | ||
Some(ref key_type) => if key_type != DEFAULT_KEY_TYPE { | ||
status_err!( | ||
"only supported key type is: ed25519 (given: \"{}\")", | ||
key_type | ||
); | ||
process::exit(1); | ||
}, | ||
None => (), | ||
} | ||
|
||
if let Some(path) = &self.path { | ||
let mut f = File::open(path).unwrap_or_else(|e| { | ||
status_err!("couldn't open validator config file {}: {}", path, e); | ||
process::exit(1); | ||
}); | ||
|
||
let mut contents = Vec::new(); | ||
f.read_to_end(&mut contents).unwrap_or_else(|e| { | ||
status_err!("couldn't read validator config file {}: {}", path, e); | ||
process::exit(1); | ||
}); | ||
let v: Value = serde_json::from_slice(&contents).unwrap(); | ||
let s = v["priv_key"]["value"].as_str().unwrap_or_else(|| { | ||
status_err!("couldn't read validator private key from config: {}", path); | ||
process::exit(1); | ||
}); | ||
|
||
let key = base64::decode(s).unwrap_or_else(|e| { | ||
status_err!("couldn't decode validator private key from config: {}", e); | ||
process::exit(1); | ||
}); | ||
Seed::from_keypair(&key).unwrap_or_else(|e| { | ||
status_err!("invalid key in validator config: {}", e); | ||
process::exit(1); | ||
}); | ||
let label = | ||
yubihsm::ObjectLabel::from(self.label.as_ref().map(|l| l.as_ref()).unwrap_or("")); | ||
|
||
let mut hsm = yubihsm::get_hsm_client(); | ||
|
||
if let Err(e) = hsm.put_asymmetric_key( | ||
self.key_id.unwrap(), | ||
label, | ||
DEFAULT_DOMAINS, | ||
DEFAULT_CAPABILITIES, | ||
yubihsm::AsymmetricAlg::Ed25519, | ||
key, | ||
) { | ||
status_err!("couldn't import key #{}: {}", self.key_id.unwrap(), e); | ||
process::exit(1); | ||
} | ||
|
||
let public_key = ed25519::PublicKey::from_bytes( | ||
hsm.get_pubkey(self.key_id.unwrap()).unwrap_or_else(|e| { | ||
status_err!( | ||
"couldn't get public key for key #{}: {}", | ||
self.key_id.unwrap(), | ||
e | ||
); | ||
process::exit(1); | ||
}), | ||
).unwrap(); | ||
|
||
status_ok!( | ||
"Imported", | ||
"key #{}: {}", | ||
self.key_id.unwrap(), | ||
ConsensusKey::from(public_key) | ||
); | ||
} | ||
} | ||
} | ||
|
||
impl_command!(ImportCommand); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
//! Integration tests for the `yubihsm keys import` subcommand | ||
// TODO: `yubihsm keys import` tests |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One alternative to consider for this sort of thing is using
serde_derive
to deriveDeserialize
for the structure ofpriv_validator.json
.I'm not sure it matters as this code is probably effectively "done" in that the
priv_validator.json
format is unlikely to change and this is literally the only use case which matters fortmkms
, but I thought I'd at least throw it out there.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I also thought about this. But I think we can keep this for now. If we ever need other fields, we can change to using serde_derive.