gitee.com/lh-her-team/common@v1.5.1/crypto/pkcs11/common.go (about) 1 package pkcs11 2 3 import ( 4 "crypto/ecdsa" 5 "crypto/elliptic" 6 "crypto/rsa" 7 "encoding/asn1" 8 "fmt" 9 "math/big" 10 "strings" 11 "sync/atomic" 12 13 "github.com/miekg/pkcs11" 14 15 bccrypto "gitee.com/lh-her-team/common/crypto" 16 bcecdsa "gitee.com/lh-her-team/common/crypto/asym/ecdsa" 17 bcrsa "gitee.com/lh-her-team/common/crypto/asym/rsa" 18 "gitee.com/lh-her-team/common/crypto/hash" 19 "github.com/pkg/errors" 20 "github.com/tjfoc/gmsm/sm2" 21 ) 22 23 type P11KeyType string 24 25 const ( 26 RSA P11KeyType = "RSA" 27 ECDSA P11KeyType = "ECDSA" 28 SM2 P11KeyType = "SM2" 29 AES P11KeyType = "AES" 30 SM4 P11KeyType = "SM4" 31 UNKNOWN P11KeyType = "UNKNOWN" 32 ) 33 34 type GenOpts struct { 35 KeyBits int 36 CurveParams string 37 } 38 39 // rsaPublicKey reflects the ASN.1 structure of a PKCS#1 public key. 40 type rsaPublicKeyASN struct { 41 N *big.Int 42 E int 43 } 44 45 func (p11 *P11Handle) GetPublicKeySKI(pk bccrypto.PublicKey) ([]byte, error) { 46 if pk == nil { 47 return nil, fmt.Errorf("public key is nil") 48 } 49 var pkBytes []byte 50 var err error 51 switch pk.(type) { 52 case *bcecdsa.PublicKey: 53 pubKey := pk.ToStandardKey() 54 switch k := pubKey.(type) { 55 case *ecdsa.PublicKey: 56 pkBytes = elliptic.Marshal(k.Curve, k.X, k.Y) 57 case *sm2.PublicKey: 58 pkBytes = elliptic.Marshal(k.Curve, k.X, k.Y) 59 default: 60 return nil, errors.New("unknown public key type") 61 } 62 case *bcrsa.PublicKey: 63 k, _ := pk.ToStandardKey().(*rsa.PublicKey) 64 pkBytes, err = asn1.Marshal(rsaPublicKeyASN{ 65 N: k.N, 66 E: k.E, 67 }) 68 if err != nil { 69 return nil, err 70 } 71 default: 72 return nil, fmt.Errorf("unknown public key type") 73 } 74 return hash.GetByStrType(p11.hash, pkBytes) 75 } 76 77 //NewPrivateKey returns a crypto PrivateKey which wraps a pkcs11 private key 78 func NewPrivateKey(p11 *P11Handle, keyId string, keyType bccrypto.KeyType) (bccrypto.PrivateKey, error) { 79 kType := convertToP11KeyType(keyType) 80 var privKey bccrypto.PrivateKey 81 var err error 82 switch kType { 83 case RSA: 84 privKey, err = NewP11RSAPrivateKey(p11, []byte(keyId), kType) 85 case ECDSA, SM2: 86 privKey, err = NewP11ECDSAPrivateKey(p11, []byte(keyId), kType) 87 default: 88 return nil, errors.New("KeyType is UNKNOWN") 89 } 90 return privKey, err 91 } 92 93 // nolint 94 var nextId uint32 95 96 // nolint 97 func incNextId() uint32 { 98 return atomic.AddUint32(&nextId, 1) 99 } 100 101 //convertToP11KeyType convert KeyType to internal P11KeyType 102 func convertToP11KeyType(keyType bccrypto.KeyType) P11KeyType { 103 keyTypeStr := bccrypto.KeyType2NameMap[keyType] 104 if strings.Contains(keyTypeStr, "RSA") { 105 return RSA 106 } else if strings.Contains(keyTypeStr, "SM2") { 107 return SM2 108 } else if strings.Contains(keyTypeStr, "ECC") || strings.Contains(keyTypeStr, "ECDSA") { 109 return ECDSA 110 } else if strings.Contains(keyTypeStr, "AES") { 111 return AES 112 } else if strings.Contains(keyTypeStr, "SM4") { 113 return SM4 114 } 115 return UNKNOWN 116 } 117 118 //NewSecretKey returns a crypto SymmetricKey which wraps a pkcs11 secret key 119 func NewSecretKey(p11 *P11Handle, keyId string, keyType bccrypto.KeyType) (bccrypto.SymmetricKey, error) { 120 if p11 == nil || len(keyId) == 0 { 121 return nil, errors.New("Invalid parameter, p11 or keyId is nil") 122 } 123 kType := convertToP11KeyType(keyType) 124 switch kType { 125 case AES: 126 return NewAESKey(p11, []byte(keyId)) 127 case SM4: 128 return NewSM4Key(p11, []byte(keyId)) 129 default: 130 return nil, errors.New("KeyType is UNKNOWN") 131 } 132 } 133 134 //GenSecretKey generate a new pkcs11 secret key 135 func GenSecretKey(p11 *P11Handle, keyId string, keyType bccrypto.KeyType, keySize int) (bccrypto.SymmetricKey, error) { 136 if p11 == nil || len(keyId) == 0 { 137 return nil, errors.New("Invalid parameter, p11 or keyId is nil") 138 } 139 kType := convertToP11KeyType(keyType) 140 switch kType { 141 case AES: 142 if keySize != 16 && keySize != 24 && keySize != 32 { 143 return nil, fmt.Errorf("invalid aes keySize, want 16|24|32, got %d", keySize) 144 } 145 keyTemplate := []*pkcs11.Attribute{ 146 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 147 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 148 pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, true), 149 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 150 pkcs11.NewAttribute(pkcs11.CKA_VALUE_LEN, keySize), 151 } 152 mech := pkcs11.NewMechanism(pkcs11.CKM_AES_KEY_GEN, nil) 153 _, err := p11.GenerateKey(mech, keyTemplate) 154 if err != nil { 155 return nil, errors.WithMessage(err, "failed to generate pkcs11 aes key") 156 } 157 return NewAESKey(p11, []byte(keyId)) 158 case SM4: 159 keyTemplate := []*pkcs11.Attribute{ 160 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 161 pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true), 162 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 163 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 164 } 165 mech := pkcs11.NewMechanism(CKM_SM4_KEY_GEN, nil) 166 _, err := p11.GenerateKey(mech, keyTemplate) 167 if err != nil { 168 return nil, errors.WithMessage(err, "failed to generate pkcs11 sm4 key") 169 } 170 return NewSM4Key(p11, []byte(keyId)) 171 default: 172 return nil, errors.New("KeyType is UNKNOWN") 173 } 174 } 175 176 func GenKeyPair(p11 *P11Handle, keyId string, keyType bccrypto.KeyType, opts *GenOpts) (bccrypto.PrivateKey, error) { 177 if p11 == nil || len(keyId) == 0 { 178 return nil, errors.New("Invalid parameter, p11 or keyId is nil") 179 } 180 kType := convertToP11KeyType(keyType) 181 switch kType { 182 case SM2: 183 publicKeyTemplate := []*pkcs11.Attribute{ 184 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, CKK_SM2), 185 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 186 pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true), 187 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 188 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 189 } 190 privateKeyTemplate := []*pkcs11.Attribute{ 191 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 192 pkcs11.NewAttribute(pkcs11.CKA_SIGN, true), 193 pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, true), 194 pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true), 195 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 196 pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true), 197 } 198 mech := pkcs11.NewMechanism(CKM_SM2_KEY_PAIR_GEN, nil) 199 _, _, err := p11.GenKeyPair(mech, privateKeyTemplate, publicKeyTemplate) 200 if err != nil { 201 return nil, errors.WithMessage(err, "failed to generate pkcs11 sm2 key") 202 } 203 return NewP11ECDSAPrivateKey(p11, []byte(keyId), kType) 204 case ECDSA: 205 publicKeyTemplate := []*pkcs11.Attribute{ 206 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC), 207 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 208 pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true), 209 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 210 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 211 pkcs11.NewAttribute(pkcs11.CKA_ECDSA_PARAMS, opts.CurveParams), 212 } 213 privateKeyTemplate := []*pkcs11.Attribute{ 214 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC), 215 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 216 pkcs11.NewAttribute(pkcs11.CKA_SIGN, true), 217 pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, true), 218 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 219 pkcs11.NewAttribute(pkcs11.CKA_ECDSA_PARAMS, opts.CurveParams), 220 } 221 mech := pkcs11.NewMechanism(pkcs11.CKM_EC_KEY_PAIR_GEN, nil) 222 _, _, err := p11.GenKeyPair(mech, privateKeyTemplate, publicKeyTemplate) 223 if err != nil { 224 return nil, errors.WithMessage(err, "failed to generate pkcs11 ecdsa key") 225 } 226 return NewP11ECDSAPrivateKey(p11, []byte(keyId), kType) 227 case RSA: 228 if opts.KeyBits != 1024 && opts.KeyBits != 2048 && opts.KeyBits != 3072 { 229 return nil, errors.New("Invalid rsa keyBits, Must be 1024|2048|3072") 230 } 231 publicKeyTemplate := []*pkcs11.Attribute{ 232 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_RSA), 233 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 234 pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true), 235 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 236 pkcs11.NewAttribute(pkcs11.CKA_MODULUS_BITS, opts.KeyBits), 237 } 238 privateKeyTemplate := []*pkcs11.Attribute{ 239 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 240 pkcs11.NewAttribute(pkcs11.CKA_SIGN, true), 241 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 242 pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true), 243 } 244 mech := pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS_KEY_PAIR_GEN, nil) 245 _, _, err := p11.GenKeyPair(mech, privateKeyTemplate, publicKeyTemplate) 246 if err != nil { 247 return nil, errors.WithMessage(err, "failed to generate pkcs11 rsa key") 248 } 249 return NewP11RSAPrivateKey(p11, []byte(keyId), kType) 250 default: 251 return nil, errors.New("unknown key type") 252 } 253 }