Removing primitives package dependency from BCCSP

This change-set removes the dependency on the initialization
of the primitives package from the software-based BCCSP.
This is the first step in removing dependency to the primitives package
from the fabric.
This change-set comes in the context of:
https://jira.hyperledger.org/browse/FAB-354

Change-Id: I062162400970bb8fa54aa953161ddcac538c2159
Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>

core/crypto/bccsp/factory/sw_factory.go

@@ -54,13 +54,13 @@ func (f *SWFactory) Get(opts Opts) (bccsp.BCCSP, error) {
 
  if !opts.Ephemeral() {
  f.initOnce.Do(func() {
- f.bccsp, f.err = sw.New()
+ f.bccsp, f.err = sw.NewDefaultSecurityLevel()
  return
  })
  return f.bccsp, f.err
  }
 
- return sw.New()
+ return sw.NewDefaultSecurityLevel()
 }
 
 // SwOpts contains options for the SWFactory

core/crypto/bccsp/signer/signer_test.go

@@ -22,7 +22,6 @@ import (
 
  "github.com/hyperledger/fabric/core/crypto/bccsp"
  "github.com/hyperledger/fabric/core/crypto/bccsp/sw"
- "github.com/hyperledger/fabric/core/crypto/primitives"
  "github.com/spf13/viper"
 )
 
@@ -32,11 +31,10 @@ var (
 
 func getBCCSP(t *testing.T) bccsp.BCCSP {
  if swBCCSPInstance == nil {
- primitives.InitSecurityLevel("SHA2", 256)
  viper.Set("security.bccsp.default.keyStorePath", os.TempDir())
 
  var err error
- swBCCSPInstance, err = sw.New()
+ swBCCSPInstance, err = sw.NewDefaultSecurityLevel()
  if err != nil {
  t.Fatalf("Failed initializing key store [%s]", err)
  }
@@ -95,12 +93,18 @@ func TestSign(t *testing.T) {
  }
 
  msg := []byte("Hello World")
- signature, err := signer.Sign(rand.Reader, primitives.Hash(msg), nil)
+
+ digest, err := csp.Hash(msg, nil)
+ if err != nil {
+ t.Fatalf("Failed generating digest [%s]", err)
+ }
+
+ signature, err := signer.Sign(rand.Reader, digest, nil)
  if err != nil {
  t.Fatalf("Failed generating ECDSA signature [%s]", err)
  }
 
- valid, err := csp.Verify(k, signature, primitives.Hash(msg), nil)
+ valid, err := csp.Verify(k, signature, digest, nil)
  if err != nil {
  t.Fatalf("Failed verifying ECDSA signature [%s]", err)
  }

core/crypto/bccsp/sw/aeskey.go

@@ -18,8 +18,9 @@ package sw
 import (
  "errors"
 
+ "crypto/sha256"
+
  "github.com/hyperledger/fabric/core/crypto/bccsp"
- "github.com/hyperledger/fabric/core/crypto/primitives"
 )
 
 type aesPrivateKey struct {
@@ -39,7 +40,9 @@ func (k *aesPrivateKey) Bytes() (raw []byte, err error) {
 
 // SKI returns the subject key identifier of this key.
 func (k *aesPrivateKey) SKI() (ski []byte) {
- return primitives.Hash(k.k)
+ hash := sha256.New()
+ hash.Write(k.k)
+ return hash.Sum(nil)
 }
 
 // Symmetric returns true if this key is a symmetric key,

core/crypto/bccsp/sw/conf.go

@@ -21,16 +21,35 @@ import (
 
  "os"
 
+ "crypto/elliptic"
+ "crypto/sha256"
+ "crypto/sha512"
+ "fmt"
+ "hash"
+
  "github.com/spf13/viper"
+ "golang.org/x/crypto/sha3"
 )
 
 type config struct {
- keystorePath string
+ keystorePath string
+ securityLevel int
+ hashFamily string
 
  configurationPathProperty string
+ ellipticCurve elliptic.Curve
+ hashFunction func() hash.Hash
+ aesBitLength int
+ rsaBitLength int
 }
 
-func (conf *config) init() error {
+func (conf *config) init(securityLevel int, hashFamily string) error {
+ // Set security level
+ err := conf.setSecurityLevel(securityLevel, hashFamily)
+ if err != nil {
+ return fmt.Errorf("Failed initliazing security level [%s]", err)
+ }
+ // Set ks path
  conf.configurationPathProperty = "security.bccsp.default.keyStorePath"
 
  // Check mandatory fields
@@ -45,12 +64,59 @@ func (conf *config) init() error {
  // Set configuration path
  rootPath = filepath.Join(rootPath, "crypto")
 
- // Set ks path
  conf.keystorePath = filepath.Join(rootPath, "ks")
 
  return nil
 }
 
+func (conf *config) setSecurityLevel(securityLevel int, hashFamily string) (err error) {
+ switch hashFamily {
+ case "SHA2":
+ err = conf.setSecurityLevelSHA2(securityLevel)
+ case "SHA3":
+ err = conf.setSecurityLevelSHA3(securityLevel)
+ default:
+ err = fmt.Errorf("Hash Family not supported [%s]", hashFamily)
+ }
+ return
+}
+
+func (conf *config) setSecurityLevelSHA2(level int) (err error) {
+ switch level {
+ case 256:
+ conf.ellipticCurve = elliptic.P256()
+ conf.hashFunction = sha256.New
+ conf.rsaBitLength = 2048
+ conf.aesBitLength = 32
+ case 384:
+ conf.ellipticCurve = elliptic.P384()
+ conf.hashFunction = sha512.New384
+ conf.rsaBitLength = 3072
+ conf.aesBitLength = 32
+ default:
+ err = fmt.Errorf("Security level not supported [%d]", level)
+ }
+ return
+}
+
+func (conf *config) setSecurityLevelSHA3(level int) (err error) {
+ switch level {
+ case 256:
+ conf.ellipticCurve = elliptic.P256()
+ conf.hashFunction = sha3.New256
+ conf.rsaBitLength = 2048
+ conf.aesBitLength = 32
+ case 384:
+ conf.ellipticCurve = elliptic.P384()
+ conf.hashFunction = sha3.New384
+ conf.rsaBitLength = 3072
+ conf.aesBitLength = 32
+ default:
+ err = fmt.Errorf("Security level not supported [%d]", level)
+ }
+ return
+}
+
 func (conf *config) checkProperty(property string) error {
  res := viper.GetString(property)
  if res == "" {

core/crypto/bccsp/sw/ecdsakey.go

@@ -20,6 +20,8 @@ import (
  "crypto/x509"
  "fmt"
 
+ "crypto/sha256"
+
  "github.com/hyperledger/fabric/core/crypto/bccsp"
  "github.com/hyperledger/fabric/core/crypto/primitives"
 )
@@ -44,7 +46,9 @@ func (k *ecdsaPrivateKey) SKI() (ski []byte) {
  raw, _ := primitives.PrivateKeyToDER(k.k)
  // TODO: Error should not be thrown. Anyway, move the marshalling at initialization.
 
- return primitives.Hash(raw)
+ hash := sha256.New()
+ hash.Write(raw)
+ return hash.Sum(nil)
 }
 
 // Symmetric returns true if this key is a symmetric key,
@@ -89,7 +93,9 @@ func (k *ecdsaPublicKey) SKI() (ski []byte) {
  raw, _ := primitives.PublicKeyToPEM(k.k, nil)
  // TODO: Error should not be thrown. Anyway, move the marshalling at initialization.
 
- return primitives.Hash(raw)
+ hash := sha256.New()
+ hash.Write(raw)
+ return hash.Sum(nil)
 }
 
 // Symmetric returns true if this key is a symmetric key,

core/crypto/bccsp/sw/impl.go

@@ -30,6 +30,8 @@ import (
 
  "crypto/x509"
 
+ "crypto/hmac"
+
  "github.com/hyperledger/fabric/core/crypto/bccsp"
  "github.com/hyperledger/fabric/core/crypto/primitives"
  "github.com/hyperledger/fabric/core/crypto/utils"
@@ -40,10 +42,17 @@ var (
  logger = logging.MustGetLogger("SW_BCCSP")
 )
 
-// New returns a new instance of the software-based BCCSP.
-func New() (bccsp.BCCSP, error) {
+// NewDefaultSecurityLevel returns a new instance of the software-based BCCSP
+// at security level 256 and hash family SHA2
+func NewDefaultSecurityLevel() (bccsp.BCCSP, error) {
+ return New(256, "SHA2")
+}
+
+// New returns a new instance of the software-based BCCSP
+// set at the passed security level and hash family.
+func New(securityLevel int, hashFamily string) (bccsp.BCCSP, error) {
  conf := &config{}
- err := conf.init()
+ err := conf.init(securityLevel, hashFamily)
  if err != nil {
  return nil, fmt.Errorf("Failed initializing configuration [%s]", err)
  }
@@ -52,14 +61,16 @@ func New() (bccsp.BCCSP, error) {
  if err := ks.init(nil, conf); err != nil {
  return nil, fmt.Errorf("Failed initializing key store [%s]", err)
  }
- return &impl{ks}, nil
+ return &impl{conf, ks}, nil
 }
 
 // SoftwareBasedBCCSP is the software-based implementation of the BCCSP.
-// It is based on code used in the primitives package.
+// It uses util code in the primitives package but does not depend on the
+// initialization of that package.
 // It can be configured via viper.
 type impl struct {
- ks *keyStore
+ conf *config
+ ks *keyStore
 }
 
 // KeyGen generates a key using opts.
@@ -72,7 +83,7 @@ func (csp *impl) KeyGen(opts bccsp.KeyGenOpts) (k bccsp.Key, err error) {
  // Parse algorithm
  switch opts.Algorithm() {
  case bccsp.ECDSA:
- lowLevelKey, err := primitives.NewECDSAKey()
+ lowLevelKey, err := ecdsa.GenerateKey(csp.conf.ellipticCurve, rand.Reader)
  if err != nil {
  return nil, fmt.Errorf("Failed generating ECDSA key [%s]", err)
  }
@@ -90,7 +101,7 @@ func (csp *impl) KeyGen(opts bccsp.KeyGenOpts) (k bccsp.Key, err error) {
 
  return k, nil
  case bccsp.AES:
- lowLevelKey, err := primitives.GenAESKey()
+ lowLevelKey, err := primitives.GetRandomBytes(csp.conf.aesBitLength)
 
  if err != nil {
  return nil, fmt.Errorf("Failed generating AES key [%s]", err)
@@ -109,7 +120,7 @@ func (csp *impl) KeyGen(opts bccsp.KeyGenOpts) (k bccsp.Key, err error) {
 
  return k, nil
  case bccsp.RSA:
- lowLevelKey, err := primitives.NewRSAKey()
+ lowLevelKey, err := rsa.GenerateKey(rand.Reader, csp.conf.rsaBitLength)
 
  if err != nil {
  return nil, fmt.Errorf("Failed generating RSA (2048) key [%s]", err)
@@ -216,7 +227,9 @@ func (csp *impl) KeyDeriv(k bccsp.Key, opts bccsp.KeyDerivOpts) (dk bccsp.Key, e
  case *bccsp.HMACTruncated256AESDeriveKeyOpts:
  hmacOpts := opts.(*bccsp.HMACTruncated256AESDeriveKeyOpts)
 
- hmacedKey := &aesPrivateKey{primitives.HMACAESTruncated(aesK.k, hmacOpts.Argument()), false}
+ mac := hmac.New(csp.conf.hashFunction, aesK.k)
+ mac.Write(hmacOpts.Argument())
+ hmacedKey := &aesPrivateKey{mac.Sum(nil)[:csp.conf.aesBitLength], false}
 
  // If the key is not Ephemeral, store it.
  if !opts.Ephemeral() {
@@ -233,7 +246,9 @@ func (csp *impl) KeyDeriv(k bccsp.Key, opts bccsp.KeyDerivOpts) (dk bccsp.Key, e
 
  hmacOpts := opts.(*bccsp.HMACDeriveKeyOpts)
 
- hmacedKey := &aesPrivateKey{primitives.HMAC(aesK.k, hmacOpts.Argument()), true}
+ mac := hmac.New(csp.conf.hashFunction, aesK.k)
+ mac.Write(hmacOpts.Argument())
+ hmacedKey := &aesPrivateKey{mac.Sum(nil), true}
 
  // If the key is not Ephemeral, store it.
  if !opts.Ephemeral() {
@@ -484,12 +499,16 @@ func (csp *impl) GetKey(ski []byte) (k bccsp.Key, err error) {
 // Hash hashes messages msg using options opts.
 func (csp *impl) Hash(msg []byte, opts bccsp.HashOpts) (hash []byte, err error) {
  if opts == nil {
- return primitives.Hash(msg), nil
+ hash := csp.conf.hashFunction()
+ hash.Write(msg)
+ return hash.Sum(nil), nil
  }
 
  switch opts.Algorithm() {
  case bccsp.DefaultHash, bccsp.SHA:
- return primitives.Hash(msg), nil
+ hash := csp.conf.hashFunction()
+ hash.Write(msg)
+ return hash.Sum(nil), nil
  default:
  return nil, fmt.Errorf("Algorithm not recognized [%s]", opts.Algorithm())
  }
@@ -499,12 +518,12 @@ func (csp *impl) Hash(msg []byte, opts bccsp.HashOpts) (hash []byte, err error)
 // If opts is nil then the default hash function is returned.
 func (csp *impl) GetHash(opts bccsp.HashOpts) (h hash.Hash, err error) {
  if opts == nil {
- return primitives.NewHash(), nil
+ return csp.conf.hashFunction(), nil
  }
 
  switch opts.Algorithm() {
  case bccsp.SHA, bccsp.DefaultHash:
- return primitives.NewHash(), nil
+ return csp.conf.hashFunction(), nil
  default:
  return nil, fmt.Errorf("Algorithm not recognized [%s]", opts.Algorithm())
  }

core/crypto/bccsp/sw/impl_test.go

@@ -31,6 +31,10 @@ import (
  "net"
  "time"
 
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/sha256"
+
  "github.com/hyperledger/fabric/core/crypto/bccsp"
  "github.com/hyperledger/fabric/core/crypto/bccsp/signer"
  "github.com/hyperledger/fabric/core/crypto/primitives"
@@ -43,11 +47,10 @@ var (
 
 func getBCCSP(t *testing.T) bccsp.BCCSP {
  if swBCCSPInstance == nil {
- primitives.InitSecurityLevel("SHA2", 256)
  viper.Set("security.bccsp.default.keyStorePath", os.TempDir())
 
  var err error
- swBCCSPInstance, err = New()
+ swBCCSPInstance, err = NewDefaultSecurityLevel()
  if err != nil {
  t.Fatalf("Failed initializing key store [%s]", err)
  }
@@ -418,8 +421,8 @@ func TestECDSAKeyImportFromECDSAPublicKey(t *testing.T) {
 func TestECDSAKeyImportFromECDSAPrivateKey(t *testing.T) {
  csp := getBCCSP(t)
 
- // Generate an ECDSA key
- key, err := primitives.NewECDSAKey()
+ // Generate an ECDSA key, default is P256
+ key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
  if err != nil {
  t.Fatalf("Failed generating ECDSA key [%s]", err)
  }
@@ -752,7 +755,7 @@ func TestHMACKeyDerivOverAES256Key(t *testing.T) {
 func TestAES256KeyImport(t *testing.T) {
  csp := getBCCSP(t)
 
- raw, err := primitives.GenAESKey()
+ raw, err := primitives.GetRandomBytes(32)
  if err != nil {
  t.Fatalf("Failed generating AES key [%s]", err)
  }
@@ -855,7 +858,10 @@ func TestSHA(t *testing.T) {
  t.Fatalf("Failed computing SHA [%s]", err)
  }
 
- h2 := primitives.Hash(b[:])
+ // Default HASH is SHA2 256
+ hash := sha256.New()
+ hash.Write(b)
+ h2 := hash.Sum(nil)
 
  if !bytes.Equal(h1, h2) {
  t.Fatalf("Discrempancy found in HASH result [%x], [%x]!=[%x]", b, h1, h2)