forked from ThienLK1/fabric-v2.2
-
Notifications
You must be signed in to change notification settings - Fork 1
/
conf.go
100 lines (87 loc) · 2.77 KB
/
conf.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
/*
Copyright IBM Corp. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
package pkcs11
import (
"crypto/sha256"
"crypto/sha512"
"encoding/asn1"
"fmt"
"hash"
"golang.org/x/crypto/sha3"
)
type config struct {
ellipticCurve asn1.ObjectIdentifier
hashFunction func() hash.Hash
aesBitLength int
rsaBitLength int
}
func (conf *config) setSecurityLevel(securityLevel int, hashFamily string) (err error) {
switch hashFamily {
case "SHA2":
err = conf.setSecurityLevelSHA2(securityLevel)
case "SHA3":
err = conf.setSecurityLevelSHA3(securityLevel)
default:
err = fmt.Errorf("Hash Family not supported [%s]", hashFamily)
}
return
}
func (conf *config) setSecurityLevelSHA2(level int) (err error) {
switch level {
case 256:
conf.ellipticCurve = oidNamedCurveP256
conf.hashFunction = sha256.New
conf.rsaBitLength = 2048
conf.aesBitLength = 32
case 384:
conf.ellipticCurve = oidNamedCurveP384
conf.hashFunction = sha512.New384
conf.rsaBitLength = 3072
conf.aesBitLength = 32
default:
err = fmt.Errorf("Security level not supported [%d]", level)
}
return
}
func (conf *config) setSecurityLevelSHA3(level int) (err error) {
switch level {
case 256:
conf.ellipticCurve = oidNamedCurveP256
conf.hashFunction = sha3.New256
conf.rsaBitLength = 2048
conf.aesBitLength = 32
case 384:
conf.ellipticCurve = oidNamedCurveP384
conf.hashFunction = sha3.New384
conf.rsaBitLength = 3072
conf.aesBitLength = 32
default:
err = fmt.Errorf("Security level not supported [%d]", level)
}
return
}
// PKCS11Opts contains options for the P11Factory
type PKCS11Opts struct {
// Default algorithms when not specified (Deprecated?)
SecLevel int `mapstructure:"security" json:"security"`
HashFamily string `mapstructure:"hash" json:"hash"`
// Keystore options
Ephemeral bool `mapstructure:"tempkeys,omitempty" json:"tempkeys,omitempty"`
FileKeystore *FileKeystoreOpts `mapstructure:"filekeystore,omitempty" json:"filekeystore,omitempty"`
DummyKeystore *DummyKeystoreOpts `mapstructure:"dummykeystore,omitempty" json:"dummykeystore,omitempty"`
// PKCS11 options
Library string `mapstructure:"library" json:"library"`
Label string `mapstructure:"label" json:"label"`
Pin string `mapstructure:"pin" json:"pin"`
SoftVerify bool `mapstructure:"softwareverify,omitempty" json:"softwareverify,omitempty"`
Immutable bool `mapstructure:"immutable,omitempty" json:"immutable,omitempty"`
}
// FileKeystoreOpts currently only ECDSA operations go to PKCS11, need a keystore still
// Pluggable Keystores, could add JKS, P12, etc..
type FileKeystoreOpts struct {
KeyStorePath string `mapstructure:"keystore" json:"keystore" yaml:"KeyStore"`
}
// DummyKeystoreOpts is placeholder for testing purposes
type DummyKeystoreOpts struct{}