-
Notifications
You must be signed in to change notification settings - Fork 8.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This change-set introduces the Blockchain Crypto Service Provider (BCCSP, for short). The BCCSP will provides the implementation of cryptographic standards and algorithms, and it will be pluggable. This change-set represents the first step in the context of: https://jira.hyperledger.org/browse/FAB-354 Subsequents change-sets will provides the following: 1. An implementation of the BCCSP based on the crypto/primitives package. 2. A crypto.Signer BCCSP-based implementation to be used to sign x509 certs. 3. A factory framework to allow multiple BCCSP implementations Change-Id: Id369f68e12da256be1e6bdec7004265b9dcf9c2b Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>
- Loading branch information
Showing
2 changed files
with
326 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
| /* | ||
| Copyright IBM Corp. 2016 All Rights Reserved. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package bccsp | ||
|
|
||
| import "crypto" | ||
|
|
||
| // Key represents a cryptographic key | ||
| type Key interface { | ||
|
|
||
| // Bytes converts this key to its byte representation, | ||
| // if this operation is allowed. | ||
| Bytes() ([]byte, error) | ||
|
|
||
| // SKI returns the subject key identifier of this key. | ||
| SKI() []byte | ||
|
|
||
| // Symmetric returns true if this key is a symmetric key, | ||
| // false is this key is asymmetric | ||
| Symmetric() bool | ||
|
|
||
| // Private returns true if this key is an asymmetric private key, | ||
| // false otherwise. | ||
| Private() bool | ||
|
|
||
| // PublicKey returns the corresponding public key if this key | ||
| // is an asymmetric private key. If this key is already public, | ||
| // PublicKey returns this key itself. | ||
| PublicKey() (Key, error) | ||
| } | ||
|
|
||
| // KeyGenOpts contains options for key-generation with a CSP. | ||
| type KeyGenOpts interface { | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to generate a key. | ||
| Algorithm() string | ||
|
|
||
| // Ephemeral returns true if the key to generate has to be ephemeral, | ||
| // false otherwise. | ||
| Ephemeral() bool | ||
| } | ||
|
|
||
| // KeyDerivOpts contains options for key-derivation with a CSP. | ||
| type KeyDerivOpts interface { | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to derive a key. | ||
| Algorithm() string | ||
|
|
||
| // Ephemeral returns true if the key to derived has to be ephemeral, | ||
| // false otherwise. | ||
| Ephemeral() bool | ||
| } | ||
|
|
||
| // KeyImportOpts contains options for importing the raw material of a key with a CSP. | ||
| type KeyImportOpts interface { | ||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to import the raw material of a key. | ||
| Algorithm() string | ||
|
|
||
| // Ephemeral returns true if the key generated has to be ephemeral, | ||
| // false otherwise. | ||
| Ephemeral() bool | ||
| } | ||
|
|
||
| // HashOpts contains options for hashing with a CSP. | ||
| type HashOpts interface { | ||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to hash. | ||
| Algorithm() string | ||
| } | ||
|
|
||
| // SignerOpts contains options for signing with a CSP. | ||
| type SignerOpts interface { | ||
| crypto.SignerOpts | ||
| } | ||
|
|
||
| // EncrypterOpts contains options for encrypting with a CSP. | ||
| type EncrypterOpts interface{} | ||
|
|
||
| // DecrypterOpts contains options for decrypting with a CSP. | ||
| type DecrypterOpts interface{} | ||
|
|
||
| // BCCSP is the blockchain cryptographic service provider that offers | ||
| // the implementation of cryptographic standards and algorithms. | ||
| type BCCSP interface { | ||
|
|
||
| // KeyGen generates a key using opts. | ||
| KeyGen(opts KeyGenOpts) (k Key, err error) | ||
|
|
||
| // KeyDeriv derives a key from k using opts. | ||
| // The opts argument should be appropriate for the primitive used. | ||
| KeyDeriv(k Key, opts KeyDerivOpts) (dk Key, err error) | ||
|
|
||
| // KeyImport imports a key from its raw representation using opts. | ||
| // The opts argument should be appropriate for the primitive used. | ||
| KeyImport(raw []byte, opts KeyImportOpts) (k Key, err error) | ||
|
|
||
| // GetKey returns the key this CSP associates to | ||
| // the Subject Key Identifier ski. | ||
| GetKey(ski []byte) (k Key, err error) | ||
|
|
||
| // Hash hashes messages msg using options opts. | ||
| Hash(msg []byte, opts HashOpts) (hash []byte, err error) | ||
|
|
||
| // Sign signs digest using key k. | ||
| // The opts argument should be appropriate for the algorithm used. | ||
| // | ||
| // Note that when a signature of a hash of a larger message is needed, | ||
| // the caller is responsible for hashing the larger message and passing | ||
| // the hash (as digest). | ||
| Sign(k Key, digest []byte, opts SignerOpts) (signature []byte, err error) | ||
|
|
||
| // Verify verifies signature against key k and digest | ||
| // The opts argument should be appropriate for the algorithm used. | ||
| Verify(k Key, signature, digest []byte) (valid bool, err error) | ||
|
|
||
| // Encrypt encrypts plaintext using key k. | ||
| // The opts argument should be appropriate for the algorithm used. | ||
| Encrypt(k Key, plaintext []byte, opts EncrypterOpts) (ciphertext []byte, err error) | ||
|
|
||
| // Decrypt decrypts ciphertext using key k. | ||
| // The opts argument should be appropriate for the algorithm used. | ||
| Decrypt(k Key, ciphertext []byte, opts DecrypterOpts) (plaintext []byte, err error) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,187 @@ | ||
| /* | ||
| Copyright IBM Corp. 2016 All Rights Reserved. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package bccsp | ||
|
|
||
| const ( | ||
| // ECDSA Elliptic Curve Digital Signature Algorithm (key gen, import, sign, veirfy). | ||
| ECDSA = "ECDSA" | ||
| // ECDSAReRand ECDSA key re-randomization | ||
| ECDSAReRand = "ECDSA_RERAND" | ||
|
|
||
| // AES Advanced Encryption Standard | ||
| AES = "AES" | ||
|
|
||
| // HMAC keyed-hash message authentication code | ||
| HMAC = "HMAC" | ||
| // HMACTruncated256 HMAC truncated at 256 bits. | ||
| HMACTruncated256 = "HMAC_TRUNCATED_256" | ||
|
|
||
| // SHA Secure Hash Algorithm | ||
| SHA = "SHA" | ||
| ) | ||
|
|
||
| // ECDSAKeyGenOpts contains options for ECDSA key generation. | ||
| type ECDSAKeyGenOpts struct { | ||
| Temporary bool | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to generate a key. | ||
| func (opts *ECDSAKeyGenOpts) Algorithm() string { | ||
| return ECDSA | ||
| } | ||
|
|
||
| // Ephemeral returns true if the key to generate has to be ephemeral, | ||
| // false otherwise. | ||
| func (opts *ECDSAKeyGenOpts) Ephemeral() bool { | ||
| return opts.Temporary | ||
| } | ||
|
|
||
| // ECDSAReRandKeyOpts contains options for ECDSA key re-randomization. | ||
| type ECDSAReRandKeyOpts struct { | ||
| Temporary bool | ||
| Expansion []byte | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to generate a key. | ||
| func (opts *ECDSAReRandKeyOpts) Algorithm() string { | ||
| return ECDSAReRand | ||
| } | ||
|
|
||
| // Ephemeral returns true if the key to generate has to be ephemeral, | ||
| // false otherwise. | ||
| func (opts *ECDSAReRandKeyOpts) Ephemeral() bool { | ||
| return opts.Temporary | ||
| } | ||
|
|
||
| // ExpansionValue returns the re-randomization factor | ||
| func (opts *ECDSAReRandKeyOpts) ExpansionValue() []byte { | ||
| return opts.Expansion | ||
| } | ||
|
|
||
| // AES256KeyGenOpts contains options for AES256 key generation. | ||
| type AESKeyGenOpts struct { | ||
| Temporary bool | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to generate a key. | ||
| func (opts *AESKeyGenOpts) Algorithm() string { | ||
| return AES | ||
| } | ||
|
|
||
| // Ephemeral returns true if the key to generate has to be ephemeral, | ||
| // false otherwise. | ||
| func (opts *AESKeyGenOpts) Ephemeral() bool { | ||
| return opts.Temporary | ||
| } | ||
|
|
||
| // AESCBCPKCS7ModeOpts contains options for AES encryption in CBC mode | ||
| // with PKCS7 padding. | ||
| type AESCBCPKCS7ModeOpts struct{} | ||
|
|
||
| // HMACTruncated256AESDeriveKeyOpts contains options for HMAC truncated | ||
| // at 256 bits key derivation. | ||
| type HMACTruncated256AESDeriveKeyOpts struct { | ||
| Temporary bool | ||
| Arg []byte | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to generate a key. | ||
| func (opts *HMACTruncated256AESDeriveKeyOpts) Algorithm() string { | ||
| return HMACTruncated256 | ||
| } | ||
|
|
||
| // Ephemeral returns true if the key to generate has to be ephemeral, | ||
| // false otherwise. | ||
| func (opts *HMACTruncated256AESDeriveKeyOpts) Ephemeral() bool { | ||
| return opts.Temporary | ||
| } | ||
|
|
||
| // Argument returns the argument to be passed to the HMAC | ||
| func (opts *HMACTruncated256AESDeriveKeyOpts) Argument() []byte { | ||
| return opts.Arg | ||
| } | ||
|
|
||
| // HMACDeriveKeyOpts contains options for HMAC key derivation. | ||
| type HMACDeriveKeyOpts struct { | ||
| Temporary bool | ||
| Arg []byte | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to generate a key. | ||
| func (opts *HMACDeriveKeyOpts) Algorithm() string { | ||
| return HMAC | ||
| } | ||
|
|
||
| // Ephemeral returns true if the key to generate has to be ephemeral, | ||
| // false otherwise. | ||
| func (opts *HMACDeriveKeyOpts) Ephemeral() bool { | ||
| return opts.Temporary | ||
| } | ||
|
|
||
| // Argument returns the argument to be passed to the HMAC | ||
| func (opts *HMACDeriveKeyOpts) Argument() []byte { | ||
| return opts.Arg | ||
| } | ||
|
|
||
| // AES256ImportKeyOpts contains options for importing AES 256 keys. | ||
| type AES256ImportKeyOpts struct { | ||
| Temporary bool | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to import the raw material of a key. | ||
| func (opts *AES256ImportKeyOpts) Algorithm() string { | ||
| return AES | ||
| } | ||
|
|
||
| // Ephemeral returns true if the key generated has to be ephemeral, | ||
| // false otherwise. | ||
| func (opts *AES256ImportKeyOpts) Ephemeral() bool { | ||
| return opts.Temporary | ||
| } | ||
|
|
||
| // HMACImportKeyOpts contains options for importing HMAC keys. | ||
| type HMACImportKeyOpts struct { | ||
| Temporary bool | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to import the raw material of a key. | ||
| func (opts *HMACImportKeyOpts) Algorithm() string { | ||
| return HMAC | ||
| } | ||
|
|
||
| // Ephemeral returns true if the key generated has to be ephemeral, | ||
| // false otherwise. | ||
| func (opts *HMACImportKeyOpts) Ephemeral() bool { | ||
| return opts.Temporary | ||
| } | ||
|
|
||
| // SHAOpts contains options for computing SHA. | ||
| type SHAOpts struct { | ||
| } | ||
|
|
||
| // Algorithm returns an identifier for the algorithm to be used | ||
| // to hash. | ||
| func (opts *SHAOpts) Algorithm() string { | ||
| return SHA | ||
| } |