yubihsm: Support for exporting/importing wrapped (encrypted) keys

Cargo.toml

@@ -42,7 +42,7 @@ signatory-ledger-tm = { version = "0.11", optional = true }
 subtle-encoding = { version = "0.3", features = ["bech32-preview"] }
 tendermint = { version = "0.3.0-beta1", path = "tendermint-rs" }
 tiny-bip39 = "0.6"
-yubihsm = { version = "0.22.0-alpha2", features = ["setup", "usb"], optional = true }
+yubihsm = { version = "0.22", features = ["setup", "usb"], optional = true }
 zeroize = "0.5"
 
 [dev-dependencies]

README.md

@@ -76,7 +76,7 @@ You will need the following prerequisites:
 
 To install `tmkms`, do the following:
 
-1. (x86_64 only) Configure `RUSTFLAGS` environment variable: `export RUSTFLAGS=-Ctarget-feature=+aes`
+1. (x86_64 only) Configure `RUSTFLAGS` environment variable: `export RUSTFLAGS=-Ctarget-feature=+aes,+ssse3`
 2. Run the following to install Tendermint KMS using Rust's `cargo` tool:
 
 ```

src/commands/yubihsm/keys/export.rs

@@ -0,0 +1,74 @@
+use super::*;
+use abscissa::Callable;
+use std::{fs::OpenOptions, io::Write, os::unix::fs::OpenOptionsExt, path::PathBuf, process};
+use subtle_encoding::base64;
+
+/// The `yubihsm keys export` subcommand: create encrypted backups of keys
+#[derive(Debug, Default, Options)]
+pub struct ExportCommand {
+    /// Path to configuration file
+    #[options(short = "c", long = "config")]
+    pub config: Option<String>,
+
+    /// ID of the key to export
+    #[options(short = "i", long = "id")]
+    pub key_id: u16,
+
+    /// ID of the wrap key to encrypt the exported key under
+    #[options(short = "w", long = "wrapkey")]
+    pub wrap_key_id: Option<u16>,
+
+    /// Path to write the resulting file to
+    #[options(free)]
+    pub path: PathBuf,
+}
+
+impl Callable for ExportCommand {
+    fn call(&self) {
+        let wrap_key_id = self.wrap_key_id.unwrap_or(DEFAULT_WRAP_KEY);
+
+        let wrapped_bytes = crate::yubihsm::client()
+            .export_wrapped(
+                wrap_key_id,
+                yubihsm::object::Type::AsymmetricKey,
+                self.key_id,
+            )
+            .unwrap_or_else(|e| {
+                status_err!(
+                    "couldn't export key {} under wrap key {}: {}",
+                    self.key_id,
+                    wrap_key_id,
+                    e
+                );
+                process::exit(1);
+            });
+
+        let mut export_file = OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .mode(0o600)
+            .open(&self.path)
+            .unwrap_or_else(|e| {
+                status_err!("couldn't export to {} ({})", &self.path.display(), e);
+                process::exit(1);
+            });
+
+        export_file
+            .write_all(&base64::encode(&wrapped_bytes.into_vec()))
+            .unwrap_or_else(|e| {
+                status_err!("error exporting {}: {}", &self.path.display(), e);
+                process::exit(1);
+            });
+
+        status_ok!(
+            "Exported",
+            "key 0x{:04x} (encrypted under wrap key 0x{:04x}) to {}",
+            self.key_id,
+            wrap_key_id,
+            self.path.display()
+        );
+    }
+}
+
+impl_command!(ExportCommand);

src/commands/yubihsm/keys/generate.rs

@@ -119,6 +119,7 @@ impl Callable for GenerateCommand {
 impl_command!(GenerateCommand);
 
 /// Create an encrypted backup of this key under the given wrap key ID
+// TODO(tarcieri): unify this with the similar code in export?
 fn create_encrypted_backup(
     hsm: &yubihsm::Client,
     key_id: yubihsm::object::Id,