[FABG-721] pkcs11.ContextHandle - pinning scripts

Change-Id: I8e4ce40faff30164cb2d6652379faeec376c44e9 Signed-off-by: Sudesh Shetty <sudesh.shetty@securekey.com>
hyperledger · Aug 24, 2018 · 4351215 · 4351215
1 parent cb2a4cf
commit 4351215
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 43 deletions.
diff --git a/internal/github.com/hyperledger/fabric/bccsp/pkcs11/impl.go b/internal/github.com/hyperledger/fabric/bccsp/pkcs11/impl.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 Notice: This file has been modified for Hyperledger Fabric SDK Go usage.
 Please review third_party pinning scripts and patches for more details.
 */
+
 package pkcs11
 
 import (
@@ -18,7 +19,7 @@ import (
 	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/bccsp"
 	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/bccsp/sw"
 	flogging "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/sdkpatch/logbridge"
-	handle "github.com/hyperledger/fabric-sdk-go/pkg/core/cryptosuite/common/pkcs11"
+	sdkp11 "github.com/hyperledger/fabric-sdk-go/pkg/core/cryptosuite/common/pkcs11"
 	"github.com/pkg/errors"
 )
 
@@ -48,13 +49,11 @@ func New(opts PKCS11Opts, keyStore bccsp.KeyStore) (bccsp.BCCSP, error) {
 	}
 
 	//Load PKCS11 context handle
-	pkcs11Ctx, err := loadContext(opts.Library, opts.Pin, opts.Label)
+	pkcs11Ctx, err := sdkp11.LoadContextAndLogin(opts.Library, opts.Pin, opts.Label)
 	if err != nil {
 		return nil, errors.Wrapf(err, "Failed initializing PKCS11 context")
 	}
-
-	csp := &impl{swCSP, conf, keyStore, opts.SoftVerify, pkcs11Ctx}
-
+	csp := &impl{BCCSP: swCSP, conf: conf, ks: keyStore, softVerify: opts.SoftVerify, pkcs11Ctx: pkcs11Ctx}
 	return csp, nil
 }
 
@@ -64,9 +63,8 @@ type impl struct {
 	conf *config
 	ks   bccsp.KeyStore
 
+	pkcs11Ctx  *sdkp11.ContextHandle
 	softVerify bool
-
-	pkcs11Ctx *handle.ContextHandle
 }
 
 // KeyGen generates a key using opts.
@@ -152,9 +150,8 @@ func (csp *impl) GetKey(ski []byte) (bccsp.Key, error) {
 	if err == nil {
 		if isPriv {
 			return &ecdsaPrivateKey{ski, ecdsaPublicKey{ski, pubKey}}, nil
-		} else {
-			return &ecdsaPublicKey{ski, pubKey}, nil
 		}
+		return &ecdsaPublicKey{ski, pubKey}, nil
 	}
 	return csp.BCCSP.GetKey(ski)
 }

diff --git a/internal/github.com/hyperledger/fabric/bccsp/pkcs11/pkcs11.go b/internal/github.com/hyperledger/fabric/bccsp/pkcs11/pkcs11.go
@@ -22,40 +22,18 @@ import (
 	"time"
 
 	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/sdkpatch/cachebridge"
+	sdkp11 "github.com/hyperledger/fabric-sdk-go/pkg/core/cryptosuite/common/pkcs11"
 
 	logging "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/sdkpatch/logbridge"
-	handle "github.com/hyperledger/fabric-sdk-go/pkg/core/cryptosuite/common/pkcs11"
 	"github.com/miekg/pkcs11"
 )
 
-func loadContext(lib, pin, label string) (*handle.ContextHandle, error) {
-	pkcs11Context, err := handle.LoadPKCS11ContextHandle(lib, label, pin)
-	if err != nil {
-		return nil, err
-	}
-
-	session, err := pkcs11Context.OpenSession()
-	if err != nil {
-		return nil, err
-	}
-
-	err = pkcs11Context.Login(session)
-	if err != nil {
-		return nil, err
-	}
-
-	pkcs11Context.ReturnSession(session)
-	cachebridge.ClearAllSession()
-
-	return pkcs11Context, err
-}
-
 // Look for an EC key by SKI, stored in CKA_ID
 // This function can probably be adapted for both EC and RSA keys.
 func (csp *impl) getECKey(ski []byte) (pubKey *ecdsa.PublicKey, isPriv bool, err error) {
+
 	session := csp.pkcs11Ctx.GetSession()
 	defer csp.pkcs11Ctx.ReturnSession(session)
-
 	isPriv = true
 	_, err = csp.pkcs11Ctx.FindKeyPairFromSKI(session, ski, privateKeyFlag)
 	if err != nil {
@@ -232,6 +210,7 @@ func (csp *impl) generateECKey(curve asn1.ObjectIdentifier, ephemeral bool) (ski
 }
 
 func (csp *impl) signP11ECDSA(ski []byte, msg []byte) (R, S *big.Int, err error) {
+
 	session := csp.pkcs11Ctx.GetSession()
 	defer csp.pkcs11Ctx.ReturnSession(session)
 
@@ -352,13 +331,13 @@ func (csp *impl) findKeyPairFromSKI(mod *pkcs11.Ctx, session pkcs11.SessionHandl
 // 00000020  19 de ef 32 46 50 68 02  24 62 36 db ed b1 84 7b  |...2FPh.$b6....{|
 // 00000030  93 d8 40 c3 d5 a6 b7 38  16 d2 35 0a 53 11 f9 51  |..@....8..5.S..Q|
 // 00000040  fc a7 16                                          |...|
-func ecPoint(handle *handle.ContextHandle, session pkcs11.SessionHandle, key pkcs11.ObjectHandle) (ecpt, oid []byte, err error) {
+func ecPoint(p11lib *sdkp11.ContextHandle, session pkcs11.SessionHandle, key pkcs11.ObjectHandle) (ecpt, oid []byte, err error) {
 	template := []*pkcs11.Attribute{
 		pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, nil),
 		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, nil),
 	}
 
-	attr, err := handle.GetAttributeValue(session, key, template)
+	attr, err := p11lib.GetAttributeValue(session, key, template)
 	if err != nil {
 		return nil, nil, fmt.Errorf("PKCS11: get(EC point) [%s]", err)
 	}
@@ -392,11 +371,11 @@ func ecPoint(handle *handle.ContextHandle, session pkcs11.SessionHandle, key pkc
 	return ecpt, oid, nil
 }
 
-func listAttrs(handle *handle.ContextHandle, session pkcs11.SessionHandle, obj pkcs11.ObjectHandle) {
+func listAttrs(p11lib *sdkp11.ContextHandle, session pkcs11.SessionHandle, obj pkcs11.ObjectHandle) {
 	var cktype, ckclass uint
 	var ckaid, cklabel []byte
 
-	if handle == nil {
+	if p11lib == nil {
 		return
 	}
 
@@ -408,7 +387,7 @@ func listAttrs(handle *handle.ContextHandle, session pkcs11.SessionHandle, obj p
 	}
 
 	// certain errors are tolerated, if value is missing
-	attr, err := handle.GetAttributeValue(session, obj, template)
+	attr, err := p11lib.GetAttributeValue(session, obj, template)
 	if err != nil {
 		logger.Debugf("P11: get(attrlist) [%s]\n", err)
 	}

diff --git a/pkg/core/cryptosuite/common/pkcs11/contextHandle.go b/pkg/core/cryptosuite/common/pkcs11/contextHandle.go
@@ -33,6 +33,29 @@ func ReloadPKCS11ContextHandle(lib, label, pin string, opts ...Options) (*Contex
 	return getInstance(&pkcs11CtxCacheKey{lib: lib, label: label, pin: pin, opts: getCtxOpts(opts...)}, true)
 }
 
+//LoadContextAndLogin loads Context handle and performs login
+func LoadContextAndLogin(lib, pin, label string) (*ContextHandle, error) {
+	pkcs11Context, err := LoadPKCS11ContextHandle(lib, label, pin)
+	if err != nil {
+		return nil, err
+	}
+
+	session, err := pkcs11Context.OpenSession()
+	if err != nil {
+		return nil, err
+	}
+
+	err = pkcs11Context.Login(session)
+	if err != nil {
+		return nil, err
+	}
+
+	pkcs11Context.ReturnSession(session)
+	cachebridge.ClearAllSession()
+
+	return pkcs11Context, err
+}
+
 //ContextHandle encapsulate basic pkcs11.Ctx operations and manages sessions
 type ContextHandle struct {
 	ctx      *pkcs11.Ctx

diff --git a/scripts/third_party_pins/fabric/apply_fabric_client_utils.sh b/scripts/third_party_pins/fabric/apply_fabric_client_utils.sh
@@ -160,16 +160,35 @@ gofilter() {
 
 echo "Modifying go source files"
 FILTER_FILENAME="bccsp/pkcs11/impl.go"
-sed -i'' -e 's/impl{swCSP, conf, keyStore, ctx, sessions, slot, lib, opts.Sensitive, opts.SoftVerify}/impl{BCCSP: swCSP, conf: conf, ks: keyStore, ctx: ctx, sessions: sessions, slot: slot, lib: lib, privImport: opts.Sensitive, softVerify: opts.SoftVerify}/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
-sed -i'' -e '/"math\/big"/a "github.com\/hyperledger\/fabric-sdk-go\/internal\/github.com\/hyperledger\/fabric\/sdkpatch\/cachebridge"' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
-sed -i'' -e '/csp.returnSession(\*session)/a cachebridge.ClearAllSession()' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e '/"math\/big"/a sdkp11 "github.com\/hyperledger\/fabric-sdk-go\/pkg\/core\/cryptosuite\/common\/pkcs11"' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+START_LINE=`grep -n "lib := opts.Library" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'`
+for i in {1..12}
+do
+    sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+done
+sed -i "$START_LINE i \/\/Load PKCS11 context handle" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+let "START_LINE+=1"
+sed -i "$START_LINE i pkcs11Ctx, err := sdkp11.LoadContextAndLogin(opts.Library, opts.Pin, opts.Label)" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+let "START_LINE+=1"
+sed -i "$START_LINE i if err != nil {return nil, errors.Wrapf(err, \"Failed initializing PKCS11 context\")}" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+let "START_LINE+=1"
+sed -i "$START_LINE i csp := &impl{BCCSP: swCSP, conf: conf, ks: keyStore, softVerify: opts.SoftVerify, pkcs11Ctx: pkcs11Ctx}" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+
+START_LINE=`grep -n "type impl struct {" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'`
+let "START_LINE+=6"
+for i in {1..5}
+do
+    sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+done
+
+sed -i "$START_LINE i pkcs11Ctx *sdkp11.ContextHandle" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 
 FILTER_FILENAME="bccsp/pkcs11/pkcs11.go"
 sed -i'' -e '/"github.com\/hyperledger"/a "time"/' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 sed -i'' -e '/"math\/big"/a "github.com\/hyperledger\/fabric-sdk-go\/internal\/github.com\/hyperledger\/fabric\/sdkpatch\/cachebridge"' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e '/"math\/big"/a sdkp11 "github.com\/hyperledger\/fabric-sdk-go\/pkg\/core\/cryptosuite\/common\/pkcs11"' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 sed -i'' -e '/session = s/a cachebridge.ClearSession(fmt.Sprintf("%d", session))' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
-sed -i'' -e 's/= findKeyPairFromSKI/= csp.findKeyPairFromSKI/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
-sed -i'' -e '/privateKey, err := csp.findKeyPairFromSKI(p11lib,/a defer timeTrack(time.Now(), fmt.Sprintf("signing [session: %d]", session))' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= findKeyPairFromSKI(p11lib,/= csp.pkcs11Ctx.FindKeyPairFromSKI(/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 sed -i'' -e 's/func findKeyPairFromSKI(mod/func (csp \*impl) findKeyPairFromSKI(mod/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 START_LINE=`grep -n "func (csp \*impl) findKeyPairFromSKI(mod" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'`
 let "START_LINE+=1"
@@ -186,6 +205,30 @@ func timeTrack(start time.Time, msg string) {\
 
 ' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 
+START_LINE=`grep -n "func loadLib(lib, pin, label string)" "${TMP_PROJECT_PATH}/${FILTER_FILENAME}" | head -n 1 | awk -F':' '{print $1}'`
+for i in {1..97}
+do
+    sed -i'' -e ${START_LINE}'d' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+done
+
+sed -i'' -e 's/p11lib := csp.ctx//g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/session := csp.getSession()/session := csp.pkcs11Ctx.GetSession()/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/defer csp.returnSession(session)/defer csp.pkcs11Ctx.ReturnSession(session)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= ecPoint(p11lib/= ecPoint(csp.pkcs11Ctx/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.GenerateKeyPair(/= csp.pkcs11Ctx.GenerateKeyPair(/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.SetAttributeValue(/= csp.pkcs11Ctx.SetAttributeValue(/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.GetAttributeValue(session/= csp.pkcs11Ctx.GetAttributeValue(session/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.CreateObject(/= csp.pkcs11Ctx.CreateObject(/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.VerifyInit(session/= csp.pkcs11Ctx.VerifyInit(session/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.Verify(session/= csp.pkcs11Ctx.Verify(session/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.SignInit(session/= csp.pkcs11Ctx.SignInit(session/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/= p11lib.Sign(session/= csp.pkcs11Ctx.Sign(session/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/listAttrs(p11lib, session/listAttrs(csp.pkcs11Ctx, session/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/func listAttrs(p11lib \*pkcs11.Ctx,/func listAttrs(p11lib \*sdkp11.ContextHandle,/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/func ecPoint(p11lib \*pkcs11.Ctx,/func ecPoint(p11lib \*sdkp11.ContextHandle,/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/attr, err := csp.pkcs11Ctx.GetAttributeValue(session, key, template)/attr, err := p11lib.GetAttributeValue(session, key, template)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e 's/attr, err := csp.pkcs11Ctx.GetAttributeValue(session, obj, template)/attr, err := p11lib.GetAttributeValue(session, obj, template)/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
+sed -i'' -e '/privateKey, err := csp.pkcs11Ctx.FindKeyPairFromSKI/a defer timeTrack(time.Now(), fmt.Sprintf("signing [session: %d]", session))' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 
 echo "Filtering Go sources for allowed functions ..."
 FILTERS_ENABLED="fn"