github.com/bigzoro/my_simplechain@v0.0.0-20240315012955-8ad0a2a29bb9/core/access_contoller/crypto/pkcs11/common.go (about) 1 /* 2 Copyright (C) BABEC. All rights reserved. 3 Copyright (C) THL A29 Limited, a Tencent company. All rights reserved. 4 5 SPDX-License-Identifier: Apache-2.0 6 */ 7 8 package pkcs11 9 10 import ( 11 "crypto/ecdsa" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "encoding/asn1" 15 "fmt" 16 "math/big" 17 "strings" 18 "sync/atomic" 19 20 "github.com/miekg/pkcs11" 21 22 bccrypto "chainmaker.org/chainmaker/common/v2/crypto" 23 bcecdsa "chainmaker.org/chainmaker/common/v2/crypto/asym/ecdsa" 24 bcrsa "chainmaker.org/chainmaker/common/v2/crypto/asym/rsa" 25 "chainmaker.org/chainmaker/common/v2/crypto/hash" 26 "github.com/pkg/errors" 27 "github.com/tjfoc/gmsm/sm2" 28 ) 29 30 type P11KeyType string 31 32 const ( 33 RSA P11KeyType = "RSA" 34 ECDSA P11KeyType = "ECDSA" 35 SM2 P11KeyType = "SM2" 36 37 AES P11KeyType = "AES" 38 SM4 P11KeyType = "SM4" 39 40 UNKNOWN P11KeyType = "UNKNOWN" 41 ) 42 43 type GenOpts struct { 44 KeyBits int 45 CurveParams string 46 } 47 48 // rsaPublicKey reflects the ASN.1 structure of a PKCS#1 public key. 49 type rsaPublicKeyASN struct { 50 N *big.Int 51 E int 52 } 53 54 // ecdsaSignature is a r-s style ecdsa signature 55 //type ecdsaSignature struct { 56 // R, S *big.Int 57 //} 58 59 func (p11 *P11Handle) GetPublicKeySKI(pk bccrypto.PublicKey) ([]byte, error) { 60 if pk == nil { 61 return nil, fmt.Errorf("public key is nil") 62 } 63 64 var pkBytes []byte 65 var err error 66 switch pk.(type) { 67 case *bcecdsa.PublicKey: 68 pubKey := pk.ToStandardKey() 69 switch k := pubKey.(type) { 70 case *ecdsa.PublicKey: 71 pkBytes = elliptic.Marshal(k.Curve, k.X, k.Y) 72 case *sm2.PublicKey: 73 pkBytes = elliptic.Marshal(k.Curve, k.X, k.Y) 74 default: 75 return nil, errors.New("unknown public key type") 76 } 77 case *bcrsa.PublicKey: 78 k, _ := pk.ToStandardKey().(*rsa.PublicKey) 79 pkBytes, err = asn1.Marshal(rsaPublicKeyASN{ 80 N: k.N, 81 E: k.E, 82 }) 83 if err != nil { 84 return nil, err 85 } 86 default: 87 return nil, fmt.Errorf("unknown public key type") 88 } 89 90 return hash.GetByStrType(p11.hash, pkBytes) 91 } 92 93 //NewPrivateKey returns a crypto PrivateKey which wraps a pkcs11 private key 94 func NewPrivateKey(p11 *P11Handle, keyId string, keyType bccrypto.KeyType) (bccrypto.PrivateKey, error) { 95 kType := convertToP11KeyType(keyType) 96 var privKey bccrypto.PrivateKey 97 var err error 98 switch kType { 99 case RSA: 100 privKey, err = NewP11RSAPrivateKey(p11, []byte(keyId), kType) 101 case ECDSA, SM2: 102 privKey, err = NewP11ECDSAPrivateKey(p11, []byte(keyId), kType) 103 default: 104 return nil, errors.New("KeyType is UNKNOWN") 105 } 106 return privKey, err 107 } 108 109 // nolint 110 var nextId uint32 111 112 // nolint 113 func incNextId() uint32 { 114 return atomic.AddUint32(&nextId, 1) 115 } 116 117 //convertToP11KeyType convert KeyType to internal P11KeyType 118 func convertToP11KeyType(keyType bccrypto.KeyType) P11KeyType { 119 keyTypeStr := bccrypto.KeyType2NameMap[keyType] 120 if strings.Contains(keyTypeStr, "RSA") { 121 return RSA 122 } else if strings.Contains(keyTypeStr, "SM2") { 123 return SM2 124 } else if strings.Contains(keyTypeStr, "ECC") || strings.Contains(keyTypeStr, "ECDSA") { 125 return ECDSA 126 } else if strings.Contains(keyTypeStr, "AES") { 127 return AES 128 } else if strings.Contains(keyTypeStr, "SM4") { 129 return SM4 130 } 131 132 return UNKNOWN 133 } 134 135 //NewSecretKey returns a crypto SymmetricKey which wraps a pkcs11 secret key 136 func NewSecretKey(p11 *P11Handle, keyId string, keyType bccrypto.KeyType) (bccrypto.SymmetricKey, error) { 137 if p11 == nil || len(keyId) == 0 { 138 return nil, errors.New("Invalid parameter, p11 or keyId is nil") 139 } 140 141 kType := convertToP11KeyType(keyType) 142 switch kType { 143 case AES: 144 return NewAESKey(p11, []byte(keyId)) 145 case SM4: 146 return NewSM4Key(p11, []byte(keyId)) 147 default: 148 return nil, errors.New("KeyType is UNKNOWN") 149 } 150 } 151 152 //GenSecretKey generate a new pkcs11 secret key 153 func GenSecretKey(p11 *P11Handle, keyId string, keyType bccrypto.KeyType, keySize int) (bccrypto.SymmetricKey, error) { 154 if p11 == nil || len(keyId) == 0 { 155 return nil, errors.New("Invalid parameter, p11 or keyId is nil") 156 } 157 kType := convertToP11KeyType(keyType) 158 switch kType { 159 case AES: 160 if keySize != 16 && keySize != 24 && keySize != 32 { 161 return nil, fmt.Errorf("invalid aes keySize, want 16|24|32, got %d", keySize) 162 } 163 keyTemplate := []*pkcs11.Attribute{ 164 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 165 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 166 pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, true), 167 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 168 pkcs11.NewAttribute(pkcs11.CKA_VALUE_LEN, keySize), 169 } 170 171 mech := pkcs11.NewMechanism(pkcs11.CKM_AES_KEY_GEN, nil) 172 173 _, err := p11.GenerateKey(mech, keyTemplate) 174 if err != nil { 175 return nil, errors.WithMessage(err, "failed to generate pkcs11 aes key") 176 } 177 return NewAESKey(p11, []byte(keyId)) 178 case SM4: 179 keyTemplate := []*pkcs11.Attribute{ 180 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 181 pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true), 182 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 183 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 184 } 185 mech := pkcs11.NewMechanism(CKM_SM4_KEY_GEN, nil) 186 _, err := p11.GenerateKey(mech, keyTemplate) 187 if err != nil { 188 return nil, errors.WithMessage(err, "failed to generate pkcs11 sm4 key") 189 } 190 return NewSM4Key(p11, []byte(keyId)) 191 default: 192 return nil, errors.New("KeyType is UNKNOWN") 193 } 194 } 195 196 func GenKeyPair(p11 *P11Handle, keyId string, keyType bccrypto.KeyType, opts *GenOpts) (bccrypto.PrivateKey, error) { 197 if p11 == nil || len(keyId) == 0 { 198 return nil, errors.New("Invalid parameter, p11 or keyId is nil") 199 } 200 kType := convertToP11KeyType(keyType) 201 switch kType { 202 case SM2: 203 publicKeyTemplate := []*pkcs11.Attribute{ 204 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, CKK_SM2), 205 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 206 pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true), 207 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 208 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 209 } 210 privateKeyTemplate := []*pkcs11.Attribute{ 211 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 212 pkcs11.NewAttribute(pkcs11.CKA_SIGN, true), 213 pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, true), 214 pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true), 215 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 216 pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true), 217 } 218 mech := pkcs11.NewMechanism(CKM_SM2_KEY_PAIR_GEN, nil) 219 _, _, err := p11.GenKeyPair(mech, privateKeyTemplate, publicKeyTemplate) 220 if err != nil { 221 return nil, errors.WithMessage(err, "failed to generate pkcs11 sm2 key") 222 } 223 return NewP11ECDSAPrivateKey(p11, []byte(keyId), kType) 224 case ECDSA: 225 publicKeyTemplate := []*pkcs11.Attribute{ 226 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC), 227 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 228 pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true), 229 pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, true), 230 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 231 pkcs11.NewAttribute(pkcs11.CKA_ECDSA_PARAMS, opts.CurveParams), 232 } 233 privateKeyTemplate := []*pkcs11.Attribute{ 234 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC), 235 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 236 pkcs11.NewAttribute(pkcs11.CKA_SIGN, true), 237 pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, true), 238 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 239 pkcs11.NewAttribute(pkcs11.CKA_ECDSA_PARAMS, opts.CurveParams), 240 } 241 mech := pkcs11.NewMechanism(pkcs11.CKM_EC_KEY_PAIR_GEN, nil) 242 _, _, err := p11.GenKeyPair(mech, privateKeyTemplate, publicKeyTemplate) 243 if err != nil { 244 return nil, errors.WithMessage(err, "failed to generate pkcs11 ecdsa key") 245 } 246 return NewP11ECDSAPrivateKey(p11, []byte(keyId), kType) 247 case RSA: 248 if opts.KeyBits != 1024 && opts.KeyBits != 2048 && opts.KeyBits != 3072 { 249 return nil, errors.New("Invalid rsa keyBits, Must be 1024|2048|3072") 250 } 251 publicKeyTemplate := []*pkcs11.Attribute{ 252 pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_RSA), 253 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 254 pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true), 255 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 256 pkcs11.NewAttribute(pkcs11.CKA_MODULUS_BITS, opts.KeyBits), 257 } 258 privateKeyTemplate := []*pkcs11.Attribute{ 259 pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), 260 pkcs11.NewAttribute(pkcs11.CKA_SIGN, true), 261 pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(keyId)), 262 pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true), 263 } 264 mech := pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS_KEY_PAIR_GEN, nil) 265 _, _, err := p11.GenKeyPair(mech, privateKeyTemplate, publicKeyTemplate) 266 if err != nil { 267 return nil, errors.WithMessage(err, "failed to generate pkcs11 rsa key") 268 } 269 return NewP11RSAPrivateKey(p11, []byte(keyId), kType) 270 default: 271 return nil, errors.New("unknown key type") 272 } 273 }