Support key import

[zugzwang]

Private Key Import

This PR adds support for importing and representing an arbitrary OpenPGP Transferable Secret Key (henceforth TSK) in Fortanix DSM. This PGP key can come from other implementations such as Sequoia (locally), the GnuPG keyring, OpenPGPjs, etc.

Because nothing is known about the input key, the corresponding structure of Sobjects has been enhanced to represent it in fair generality. More fields have been added as custom metadata (fingerprint of each subkeys, external creation timestamps, ECDH additional algorithms, etc). Consequently, this next release (0.3.0) is not backwards compatible with previous versions.

The input key is accepted for import under the following assumptions:

• The primary key is always C or CS,
• there is at least one Et or Er subkey,
• if the primary key is C, then there is at least one S subkey, and
• the given cipher suites and algorithms are supported by Fortanix DSM.

Testing

... against GnuPG

The test script generate_gpg_import_dsm.sh generates a key in the local GnuPG keyring, exports it, imports the TSK to Fortanix DSM, checks signature and encryption roundtrips, exports it from DSM, and imports it back on the local keyring. Phew.

... against known keys

The test script knownkeys_import_dsm.sh attempts to import known keys, some of which are "exotic" (taken from the OpenPGP interoperability test suite. It checks signature and encryption roundtrips.

Fixes #5

[MihirLuthra]

Partially reviewed. Will complete the remaining soon.

[MihirLuthra]

Nice PR! Still reviewing.

[MihirLuthra]

While trying to use sq-dsm, I see that the ops take really long.
For example:

~/sq-dsm support-key-import*
❯ time sq key generate --dsm-key="alice2" --cipher-suite="nistp521" --userid="Alice2 <[email protected]>"
./target/debug/sq key generate --dsm-key="alice2" --cipher-suite="nistp521"   0.20s user 0.02s system 0% cpu 1:58.96 total

key generate almost took 2 mins.
If this is expected, can we please put some message here? I mean, something that tells it is ongoing and may take time.

[MihirLuthra]

Btw, just wanted to mention this - I was testing this against https://sdkms.test.fortanix.com and I receive SSL errors.

~/sq-dsm support-key-import*
❯ time sq key generate --dsm-key="alice2" --cipher-suite="nistp521" --userid="Alice2 <[email protected]>"                                                                                      
Error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1204: (unable to get local issuer certificate)
./target/debug/sq key generate --dsm-key="alice2" --cipher-suite="nistp521"   0.01s user 0.01s system 2% cpu 0.740 total

I didn't want to get into these, so just put the following for my testing:

let tls_conn = TlsConnector::builder()
    .danger_accept_invalid_certs(true)
    .danger_accept_invalid_hostnames(true)
    .build()?;

This could be an env issue on my side but thought you may want to know.

[zugzwang]

I don't have any TLS issues with that same endpoint, and key generation takes 30 seconds from my end. (It needs to generate 2 keys, produce 2 signatures, and several Sobject updates).

[MihirLuthra]

I don't have any TLS issues with that same endpoint, and key generation takes 30 seconds from my end. (It needs to generate 2 keys, produce 2 signatures, and several Sobject updates).

Right. I see #60 also addresses this.