github.com/kchristidis/fabric@v1.0.4-0.20171028114726-837acd08cde1/bccsp/pkcs11/conf.go (about) 1 /* 2 Copyright IBM Corp. 2016 All Rights Reserved. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 package pkcs11 17 18 import ( 19 "crypto/sha256" 20 "crypto/sha512" 21 "encoding/asn1" 22 "fmt" 23 "hash" 24 25 "golang.org/x/crypto/sha3" 26 ) 27 28 type config struct { 29 ellipticCurve asn1.ObjectIdentifier 30 hashFunction func() hash.Hash 31 aesBitLength int 32 rsaBitLength int 33 } 34 35 func (conf *config) setSecurityLevel(securityLevel int, hashFamily string) (err error) { 36 switch hashFamily { 37 case "SHA2": 38 err = conf.setSecurityLevelSHA2(securityLevel) 39 case "SHA3": 40 err = conf.setSecurityLevelSHA3(securityLevel) 41 default: 42 err = fmt.Errorf("Hash Family not supported [%s]", hashFamily) 43 } 44 return 45 } 46 47 func (conf *config) setSecurityLevelSHA2(level int) (err error) { 48 switch level { 49 case 256: 50 conf.ellipticCurve = oidNamedCurveP256 51 conf.hashFunction = sha256.New 52 conf.rsaBitLength = 2048 53 conf.aesBitLength = 32 54 case 384: 55 conf.ellipticCurve = oidNamedCurveP384 56 conf.hashFunction = sha512.New384 57 conf.rsaBitLength = 3072 58 conf.aesBitLength = 32 59 default: 60 err = fmt.Errorf("Security level not supported [%d]", level) 61 } 62 return 63 } 64 65 func (conf *config) setSecurityLevelSHA3(level int) (err error) { 66 switch level { 67 case 256: 68 conf.ellipticCurve = oidNamedCurveP256 69 conf.hashFunction = sha3.New256 70 conf.rsaBitLength = 2048 71 conf.aesBitLength = 32 72 case 384: 73 conf.ellipticCurve = oidNamedCurveP384 74 conf.hashFunction = sha3.New384 75 conf.rsaBitLength = 3072 76 conf.aesBitLength = 32 77 default: 78 err = fmt.Errorf("Security level not supported [%d]", level) 79 } 80 return 81 } 82 83 // PKCS11Opts contains options for the P11Factory 84 type PKCS11Opts struct { 85 // Default algorithms when not specified (Deprecated?) 86 SecLevel int `mapstructure:"security" json:"security"` 87 HashFamily string `mapstructure:"hash" json:"hash"` 88 89 // Keystore options 90 Ephemeral bool `mapstructure:"tempkeys,omitempty" json:"tempkeys,omitempty"` 91 FileKeystore *FileKeystoreOpts `mapstructure:"filekeystore,omitempty" json:"filekeystore,omitempty"` 92 DummyKeystore *DummyKeystoreOpts `mapstructure:"dummykeystore,omitempty" json:"dummykeystore,omitempty"` 93 94 // PKCS11 options 95 Library string `mapstructure:"library" json:"library"` 96 Label string `mapstructure:"label" json:"label"` 97 Pin string `mapstructure:"pin" json:"pin"` 98 Sensitive bool `mapstructure:"sensitivekeys,omitempty" json:"sensitivekeys,omitempty"` 99 SoftVerify bool `mapstructure:"softwareverify,omitempty" json:"softwareverify,omitempty"` 100 } 101 102 // Since currently only ECDSA operations go to PKCS11, need a keystore still 103 // Pluggable Keystores, could add JKS, P12, etc.. 104 type FileKeystoreOpts struct { 105 KeyStorePath string `mapstructure:"keystore" json:"keystore" yaml:"KeyStore"` 106 } 107 108 type DummyKeystoreOpts struct{}