github.com/lzy4123/fabric@v2.1.1+incompatible/bccsp/pkcs11/impl.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package pkcs11 8 9 import ( 10 "crypto/ecdsa" 11 "crypto/x509" 12 "os" 13 14 "github.com/hyperledger/fabric/bccsp" 15 "github.com/hyperledger/fabric/bccsp/sw" 16 "github.com/hyperledger/fabric/common/flogging" 17 "github.com/miekg/pkcs11" 18 "github.com/pkg/errors" 19 ) 20 21 var ( 22 logger = flogging.MustGetLogger("bccsp_p11") 23 sessionCacheSize = 10 24 ) 25 26 // New WithParams returns a new instance of the software-based BCCSP 27 // set at the passed security level, hash family and KeyStore. 28 func New(opts PKCS11Opts, keyStore bccsp.KeyStore) (bccsp.BCCSP, error) { 29 // Init config 30 conf := &config{} 31 err := conf.setSecurityLevel(opts.SecLevel, opts.HashFamily) 32 if err != nil { 33 return nil, errors.Wrapf(err, "Failed initializing configuration") 34 } 35 36 // Check KeyStore 37 if keyStore == nil { 38 return nil, errors.New("Invalid bccsp.KeyStore instance. It must be different from nil") 39 } 40 41 swCSP, err := sw.NewWithParams(opts.SecLevel, opts.HashFamily, keyStore) 42 if err != nil { 43 return nil, errors.Wrapf(err, "Failed initializing fallback SW BCCSP") 44 } 45 46 lib := opts.Library 47 pin := opts.Pin 48 label := opts.Label 49 ctx, slot, session, err := loadLib(lib, pin, label) 50 if err != nil { 51 return nil, errors.Wrapf(err, "Failed initializing PKCS11 library %s %s", 52 lib, label) 53 } 54 55 sessions := make(chan pkcs11.SessionHandle, sessionCacheSize) 56 csp := &impl{swCSP, conf, ctx, sessions, slot, pin, lib, opts.SoftVerify, opts.Immutable} 57 csp.returnSession(*session) 58 return csp, nil 59 } 60 61 type impl struct { 62 bccsp.BCCSP 63 64 conf *config 65 66 ctx *pkcs11.Ctx 67 sessions chan pkcs11.SessionHandle 68 slot uint 69 pin string 70 71 lib string 72 softVerify bool 73 //Immutable flag makes object immutable 74 immutable bool 75 } 76 77 // KeyGen generates a key using opts. 78 func (csp *impl) KeyGen(opts bccsp.KeyGenOpts) (k bccsp.Key, err error) { 79 // Validate arguments 80 if opts == nil { 81 return nil, errors.New("Invalid Opts parameter. It must not be nil") 82 } 83 84 // Parse algorithm 85 switch opts.(type) { 86 case *bccsp.ECDSAKeyGenOpts: 87 ski, pub, err := csp.generateECKey(csp.conf.ellipticCurve, opts.Ephemeral()) 88 if err != nil { 89 return nil, errors.Wrapf(err, "Failed generating ECDSA key") 90 } 91 k = &ecdsaPrivateKey{ski, ecdsaPublicKey{ski, pub}} 92 93 case *bccsp.ECDSAP256KeyGenOpts: 94 ski, pub, err := csp.generateECKey(oidNamedCurveP256, opts.Ephemeral()) 95 if err != nil { 96 return nil, errors.Wrapf(err, "Failed generating ECDSA P256 key") 97 } 98 99 k = &ecdsaPrivateKey{ski, ecdsaPublicKey{ski, pub}} 100 101 case *bccsp.ECDSAP384KeyGenOpts: 102 ski, pub, err := csp.generateECKey(oidNamedCurveP384, opts.Ephemeral()) 103 if err != nil { 104 return nil, errors.Wrapf(err, "Failed generating ECDSA P384 key") 105 } 106 107 k = &ecdsaPrivateKey{ski, ecdsaPublicKey{ski, pub}} 108 109 default: 110 return csp.BCCSP.KeyGen(opts) 111 } 112 113 return k, nil 114 } 115 116 // KeyImport imports a key from its raw representation using opts. 117 // The opts argument should be appropriate for the primitive used. 118 func (csp *impl) KeyImport(raw interface{}, opts bccsp.KeyImportOpts) (k bccsp.Key, err error) { 119 // Validate arguments 120 if raw == nil { 121 return nil, errors.New("Invalid raw. Cannot be nil") 122 } 123 124 if opts == nil { 125 return nil, errors.New("Invalid Opts parameter. It must not be nil") 126 } 127 128 switch opts.(type) { 129 130 case *bccsp.X509PublicKeyImportOpts: 131 x509Cert, ok := raw.(*x509.Certificate) 132 if !ok { 133 return nil, errors.New("[X509PublicKeyImportOpts] Invalid raw material. Expected *x509.Certificate") 134 } 135 136 pk := x509Cert.PublicKey 137 138 switch pk.(type) { 139 case *ecdsa.PublicKey: 140 return csp.KeyImport(pk, &bccsp.ECDSAGoPublicKeyImportOpts{Temporary: opts.Ephemeral()}) 141 default: 142 return nil, errors.New("Certificate's public key type not recognized. Supported keys: [ECDSA]") 143 } 144 145 default: 146 return csp.BCCSP.KeyImport(raw, opts) 147 148 } 149 } 150 151 // GetKey returns the key this CSP associates to 152 // the Subject Key Identifier ski. 153 func (csp *impl) GetKey(ski []byte) (bccsp.Key, error) { 154 pubKey, isPriv, err := csp.getECKey(ski) 155 if err == nil { 156 if isPriv { 157 return &ecdsaPrivateKey{ski, ecdsaPublicKey{ski, pubKey}}, nil 158 } 159 return &ecdsaPublicKey{ski, pubKey}, nil 160 } 161 return csp.BCCSP.GetKey(ski) 162 } 163 164 // Sign signs digest using key k. 165 // The opts argument should be appropriate for the primitive used. 166 // 167 // Note that when a signature of a hash of a larger message is needed, 168 // the caller is responsible for hashing the larger message and passing 169 // the hash (as digest). 170 func (csp *impl) Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) ([]byte, error) { 171 // Validate arguments 172 if k == nil { 173 return nil, errors.New("Invalid Key. It must not be nil") 174 } 175 if len(digest) == 0 { 176 return nil, errors.New("Invalid digest. Cannot be empty") 177 } 178 179 // Check key type 180 switch key := k.(type) { 181 case *ecdsaPrivateKey: 182 return csp.signECDSA(*key, digest, opts) 183 default: 184 return csp.BCCSP.Sign(key, digest, opts) 185 } 186 } 187 188 // Verify verifies signature against key k and digest 189 func (csp *impl) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) { 190 // Validate arguments 191 if k == nil { 192 return false, errors.New("Invalid Key. It must not be nil") 193 } 194 if len(signature) == 0 { 195 return false, errors.New("Invalid signature. Cannot be empty") 196 } 197 if len(digest) == 0 { 198 return false, errors.New("Invalid digest. Cannot be empty") 199 } 200 201 // Check key type 202 switch key := k.(type) { 203 case *ecdsaPrivateKey: 204 return csp.verifyECDSA(key.pub, signature, digest, opts) 205 case *ecdsaPublicKey: 206 return csp.verifyECDSA(*key, signature, digest, opts) 207 default: 208 return csp.BCCSP.Verify(k, signature, digest, opts) 209 } 210 } 211 212 // Encrypt encrypts plaintext using key k. 213 // The opts argument should be appropriate for the primitive used. 214 func (csp *impl) Encrypt(k bccsp.Key, plaintext []byte, opts bccsp.EncrypterOpts) ([]byte, error) { 215 // TODO: Add PKCS11 support for encryption, when fabric starts requiring it 216 return csp.BCCSP.Encrypt(k, plaintext, opts) 217 } 218 219 // Decrypt decrypts ciphertext using key k. 220 // The opts argument should be appropriate for the primitive used. 221 func (csp *impl) Decrypt(k bccsp.Key, ciphertext []byte, opts bccsp.DecrypterOpts) ([]byte, error) { 222 return csp.BCCSP.Decrypt(k, ciphertext, opts) 223 } 224 225 // FindPKCS11Lib IS ONLY USED FOR TESTING 226 // This is a convenience function. Useful to self-configure, for tests where usual configuration is not 227 // available 228 func FindPKCS11Lib() (lib, pin, label string) { 229 //FIXME: Till we workout the configuration piece, look for the libraries in the familiar places 230 lib = os.Getenv("PKCS11_LIB") 231 if lib == "" { 232 pin = "98765432" 233 label = "ForFabric" 234 possibilities := []string{ 235 "/usr/lib/softhsm/libsofthsm2.so", //Debian 236 "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so", //Ubuntu 237 "/usr/lib/s390x-linux-gnu/softhsm/libsofthsm2.so", //Ubuntu 238 "/usr/lib/powerpc64le-linux-gnu/softhsm/libsofthsm2.so", //Power 239 "/usr/local/Cellar/softhsm/2.5.0/lib/softhsm/libsofthsm2.so", //MacOS 240 } 241 for _, path := range possibilities { 242 if _, err := os.Stat(path); !os.IsNotExist(err) { 243 lib = path 244 break 245 } 246 } 247 } else { 248 pin = os.Getenv("PKCS11_PIN") 249 label = os.Getenv("PKCS11_LABEL") 250 } 251 return lib, pin, label 252 }