BCCSP KeyStore

This change-set introduce the concept of KeyStore at the BCCSP level. A KeyStore represents a storage system for cryptographic keys. It allows to store and retrieve bccsp.Key objects. The key store can be read only, in that case storing a key will return an error. Now, to initialize a software-based BCCSP, a key store must be specified. A file based keystore is provided. In addition, all the dependencies from viper has been removed. In order to do that, some assumptions has been made on default security level. The organization of this paramenters will be better addressed in a subsequent change-set. This change-set comes in the context of: https://jira.hyperledger.org/browse/FAB-354 Change-Id: I7e96eea7e5e89ecec86863ebc11b919d29c0019a Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>
hyperledger · Nov 23, 2016 · 2013daa · 2013daa
1 parent 68aef4e
commit 2013daa
Show file tree

Hide file tree

Showing 10 changed files with 505 additions and 388 deletions.
diff --git a/core/crypto/bccsp/factory/factory.go b/core/crypto/bccsp/factory/factory.go
@@ -20,8 +20,10 @@ import (
 	"fmt"
 	"sync"
 
+	"os"
+
 	"github.com/hyperledger/fabric/core/crypto/bccsp"
-	"github.com/spf13/viper"
+	"github.com/hyperledger/fabric/core/crypto/bccsp/sw"
 )
 
 var (
@@ -104,12 +106,7 @@ func initFactoriesMap() error {
 }
 
 func createDefaultBCCSP() (bccsp.BCCSP, error) {
-	defaultBCCSPFactoryName := viper.GetString("bccsp.default")
-	if defaultBCCSPFactoryName == "" {
-		defaultBCCSPFactoryName = SoftwareBasedFactoryName
-	}
-
-	return getBCCSPInternal(&DefaultOpts{defaultBCCSPFactoryName, false})
+	return sw.NewDefaultSecurityLevel(os.TempDir())
 }
 
 func getBCCSPInternal(opts Opts) (bccsp.BCCSP, error) {

diff --git a/core/crypto/bccsp/factory/factory_test.go b/core/crypto/bccsp/factory/factory_test.go
@@ -15,7 +15,12 @@ limitations under the License.
 */
 package factory
 
-import "testing"
+import (
+	"os"
+	"testing"
+
+	"github.com/hyperledger/fabric/core/crypto/bccsp/sw"
+)
 
 func TestGetDefault(t *testing.T) {
 	bccsp, err := GetDefault()
@@ -28,12 +33,17 @@ func TestGetDefault(t *testing.T) {
 }
 
 func TestGetBCCPEphemeral(t *testing.T) {
-	bccsp1, err := GetBCCSP(&SwOpts{EphemeralFlag: true})
+	ks := &sw.FileBasedKeyStore{}
+	if err := ks.Init(nil, os.TempDir(), false); err != nil {
+		t.Fatalf("Failed initializing key store [%s]", err)
+	}
+
+	bccsp1, err := GetBCCSP(&SwOpts{Ephemeral_: true, SecLevel: 256, HashFamily: "SHA2", KeyStore: ks})
 	if err != nil {
 		t.Fatalf("Failed getting ephemeral software-based BCCSP [%s]", err)
 	}
 
-	bccsp2, err := GetBCCSP(&SwOpts{EphemeralFlag: true})
+	bccsp2, err := GetBCCSP(&SwOpts{Ephemeral_: true, SecLevel: 256, HashFamily: "SHA2", KeyStore: ks})
 	if err != nil {
 		t.Fatalf("Failed getting ephemeral software-based BCCSP [%s]", err)
 	}
@@ -44,12 +54,17 @@ func TestGetBCCPEphemeral(t *testing.T) {
 }
 
 func TestGetBCCP2Ephemeral(t *testing.T) {
-	bccsp1, err := GetBCCSP(&SwOpts{EphemeralFlag: false})
+	ks := &sw.FileBasedKeyStore{}
+	if err := ks.Init(nil, os.TempDir(), false); err != nil {
+		t.Fatalf("Failed initializing key store [%s]", err)
+	}
+
+	bccsp1, err := GetBCCSP(&SwOpts{Ephemeral_: false, SecLevel: 256, HashFamily: "SHA2", KeyStore: ks})
 	if err != nil {
 		t.Fatalf("Failed getting non-ephemeral software-based BCCSP [%s]", err)
 	}
 
-	bccsp2, err := GetBCCSP(&SwOpts{EphemeralFlag: false})
+	bccsp2, err := GetBCCSP(&SwOpts{Ephemeral_: false, SecLevel: 256, HashFamily: "SHA2", KeyStore: ks})
 	if err != nil {
 		t.Fatalf("Failed getting non-ephemeral software-based BCCSP [%s]", err)
 	}

diff --git a/core/crypto/bccsp/factory/sw_factory.go → core/crypto/bccsp/factory/swfactory.go b/core/crypto/bccsp/factory/sw_factory.go → core/crypto/bccsp/factory/swfactory.go
@@ -52,20 +52,28 @@ func (f *SWFactory) Get(opts Opts) (bccsp.BCCSP, error) {
 		return nil, fmt.Errorf("Invalid Provider Name [%s]. Opts must refer to [%s].", opts.FactoryName(), f.Name())
 	}
 
+	swOpts, ok := opts.(*SwOpts)
+	if !ok {
+		return nil, errors.New("Invalid opts. They must be of type SwOpts.")
+	}
+
 	if !opts.Ephemeral() {
 		f.initOnce.Do(func() {
-			f.bccsp, f.err = sw.NewDefaultSecurityLevel()
+			f.bccsp, f.err = sw.New(swOpts.SecLevel, swOpts.HashFamily, swOpts.KeyStore)
 			return
 		})
 		return f.bccsp, f.err
 	}
 
-	return sw.NewDefaultSecurityLevel()
+	return sw.New(swOpts.SecLevel, swOpts.HashFamily, swOpts.KeyStore)
 }
 
 // SwOpts contains options for the SWFactory
 type SwOpts struct {
-	EphemeralFlag bool
+	Ephemeral_ bool
+	SecLevel   int
+	HashFamily string
+	KeyStore   bccsp.KeyStore
 }
 
 // FactoryName returns the name of the provider
@@ -75,5 +83,5 @@ func (o *SwOpts) FactoryName() string {
 
 // Ephemeral returns true if the CSP has to be ephemeral, false otherwise
 func (o *SwOpts) Ephemeral() bool {
-	return o.EphemeralFlag
+	return o.Ephemeral_
 }
diff --git a/core/crypto/bccsp/keystore.go b/core/crypto/bccsp/keystore.go
@@ -0,0 +1,34 @@
+/*
+Copyright IBM Corp. 2016 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package bccsp
+
+// KeyStore represents a storage system for cryptographic keys.
+// It allows to store and retrieve bccsp.Key objects.
+// The KeyStore can be read only, in that case StoreKey will return
+// an error.
+type KeyStore interface {
+
+	// ReadOnly returns true if this KeyStore is read only, false otherwise.
+	// If ReadOnly is true then StoreKey will fail.
+	ReadOnly() bool
+
+	// GetKey returns a key object whose SKI is the one passed.
+	GetKey(ski []byte) (k Key, err error)
+
+	// StoreKey stores the key k in this KeyStore.
+	// If this KeyStore is read only then the method will fail.
+	StoreKey(k Key) (err error)
+}
diff --git a/core/crypto/bccsp/signer/signer_test.go b/core/crypto/bccsp/signer/signer_test.go
@@ -22,7 +22,6 @@ import (
 
 	"github.com/hyperledger/fabric/core/crypto/bccsp"
 	"github.com/hyperledger/fabric/core/crypto/bccsp/sw"
-	"github.com/spf13/viper"
 )
 
 var (
@@ -31,10 +30,8 @@ var (
 
 func getBCCSP(t *testing.T) bccsp.BCCSP {
 	if swBCCSPInstance == nil {
-		viper.Set("security.bccsp.default.keyStorePath", os.TempDir())
-
 		var err error
-		swBCCSPInstance, err = sw.NewDefaultSecurityLevel()
+		swBCCSPInstance, err = sw.NewDefaultSecurityLevel(os.TempDir())
 		if err != nil {
 			t.Fatalf("Failed initializing key store [%s]", err)
 		}

diff --git a/core/crypto/bccsp/sw/conf.go b/core/crypto/bccsp/sw/conf.go
@@ -16,57 +16,24 @@ limitations under the License.
 package sw
 
 import (
-	"errors"
-	"path/filepath"
-
-	"os"
-
 	"crypto/elliptic"
 	"crypto/sha256"
 	"crypto/sha512"
 	"fmt"
 	"hash"
 
-	"github.com/spf13/viper"
 	"golang.org/x/crypto/sha3"
 )
 
 type config struct {
-	keystorePath  string
+	keyStorePath  string
 	securityLevel int
 	hashFamily    string
 
-	configurationPathProperty string
-	ellipticCurve             elliptic.Curve
-	hashFunction              func() hash.Hash
-	aesBitLength              int
-	rsaBitLength              int
-}
-
-func (conf *config) init(securityLevel int, hashFamily string) error {
-	// Set security level
-	err := conf.setSecurityLevel(securityLevel, hashFamily)
-	if err != nil {
-		return fmt.Errorf("Failed initliazing security level [%s]", err)
-	}
-	// Set ks path
-	conf.configurationPathProperty = "security.bccsp.default.keyStorePath"
-
-	// Check mandatory fields
-	var rootPath string
-	if err := conf.checkProperty(conf.configurationPathProperty); err != nil {
-		logger.Warning("'security.bccsp.default.keyStorePath' not set. Using the default directory [%s] for temporary files", os.TempDir())
-		rootPath = os.TempDir()
-	} else {
-		rootPath = viper.GetString(conf.configurationPathProperty)
-	}
-	logger.Infof("Root Path [%s]", rootPath)
-	// Set configuration path
-	rootPath = filepath.Join(rootPath, "crypto")
-
-	conf.keystorePath = filepath.Join(rootPath, "ks")
-
-	return nil
+	ellipticCurve elliptic.Curve
+	hashFunction  func() hash.Hash
+	aesBitLength  int
+	rsaBitLength  int
 }
 
 func (conf *config) setSecurityLevel(securityLevel int, hashFamily string) (err error) {
@@ -116,19 +83,3 @@ func (conf *config) setSecurityLevelSHA3(level int) (err error) {
 	}
 	return
 }
-
-func (conf *config) checkProperty(property string) error {
-	res := viper.GetString(property)
-	if res == "" {
-		return errors.New("Property not specified in configuration file. Please check that property is set: " + property)
-	}
-	return nil
-}
-
-func (conf *config) getKeyStorePath() string {
-	return conf.keystorePath
-}
-
-func (conf *config) getPathForAlias(alias, suffix string) string {
-	return filepath.Join(conf.getKeyStorePath(), alias+"_"+suffix)
-}