Introduce placeholder for PKCS11 CSP

This is simply a copy of the SW CSP: - sw directory -> pkcs11 directory - swfactory.go -> pkcs11factory.go Not much changed: pkcs11factory.go uses PKCS11 instead of "Software" or "SW". And new package name. The code is currently un-reachable (except by copied tests). Next set of changes will add - configuration: probably integrate what Keith did for https://gerrit.hyperledger.org/r/#/c/3735/2 - replace (operation at a time) SW operations with PKCS11 operations Change-Id: I46f35b92be9303e52d66fdbc0962990efb47104e Signed-off-by: Volodymyr Paprotski <vpaprots@ca.ibm.com>
hyperledger · Jan 16, 2017 · d812dc7 · d812dc7
1 parent c701cb5
commit d812dc7
Show file tree

Hide file tree

Showing 13 changed files with 4,164 additions and 0 deletions.
diff --git a/bccsp/factory/pkcs11factory.go b/bccsp/factory/pkcs11factory.go
@@ -0,0 +1,87 @@
+/*
+Copyright IBM Corp. 2016 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package factory
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+
+	"github.com/hyperledger/fabric/bccsp"
+	"github.com/hyperledger/fabric/bccsp/pkcs11"
+)
+
+const (
+	// PKCS11BasedFactoryName is the name of the factory of the hsm-based BCCSP implementation
+	PKCS11BasedFactoryName = "P11"
+)
+
+// PKCS11Factory is the factory of the HSM-based BCCSP.
+type PKCS11Factory struct {
+	initOnce sync.Once
+	bccsp    bccsp.BCCSP
+	err      error
+}
+
+// Name returns the name of this factory
+func (f *PKCS11Factory) Name() string {
+	return PKCS11BasedFactoryName
+}
+
+// Get returns an instance of BCCSP using Opts.
+func (f *PKCS11Factory) Get(opts Opts) (bccsp.BCCSP, error) {
+	// Validate arguments
+	if opts == nil {
+		return nil, errors.New("Invalid opts. It must not be nil.")
+	}
+
+	if opts.FactoryName() != f.Name() {
+		return nil, fmt.Errorf("Invalid Provider Name [%s]. Opts must refer to [%s].", opts.FactoryName(), f.Name())
+	}
+
+	pkcs11Opts, ok := opts.(*PKCS11Opts)
+	if !ok {
+		return nil, errors.New("Invalid opts. They must be of type PKCS11Opts.")
+	}
+
+	if !opts.Ephemeral() {
+		f.initOnce.Do(func() {
+			f.bccsp, f.err = pkcs11.New(pkcs11Opts.SecLevel, pkcs11Opts.HashFamily, pkcs11Opts.KeyStore)
+			return
+		})
+		return f.bccsp, f.err
+	}
+
+	return pkcs11.New(pkcs11Opts.SecLevel, pkcs11Opts.HashFamily, pkcs11Opts.KeyStore)
+}
+
+// PKCS11Opts contains options for the P11Factory
+type PKCS11Opts struct {
+	Ephemeral_ bool
+	SecLevel   int
+	HashFamily string
+	KeyStore   bccsp.KeyStore
+}
+
+// FactoryName returns the name of the provider
+func (o *PKCS11Opts) FactoryName() string {
+	return PKCS11BasedFactoryName
+}
+
+// Ephemeral returns true if the CSP has to be ephemeral, false otherwise
+func (o *PKCS11Opts) Ephemeral() bool {
+	return o.Ephemeral_
+}
diff --git a/bccsp/pkcs11/aes.go b/bccsp/pkcs11/aes.go
@@ -0,0 +1,137 @@
+/*
+Copyright IBM Corp. 2016 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pkcs11
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"io"
+)
+
+// GetRandomBytes returns len random looking bytes
+func GetRandomBytes(len int) ([]byte, error) {
+	buffer := make([]byte, len)
+
+	n, err := rand.Read(buffer)
+	if err != nil {
+		return nil, err
+	}
+	if n != len {
+		return nil, fmt.Errorf("Buffer not filled. Requested [%d], got [%d]", len, n)
+	}
+
+	return buffer, nil
+}
+
+func pkcs7Padding(src []byte) []byte {
+	padding := aes.BlockSize - len(src)%aes.BlockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(src, padtext...)
+}
+
+func pkcs7UnPadding(src []byte) ([]byte, error) {
+	length := len(src)
+	unpadding := int(src[length-1])
+
+	if unpadding > aes.BlockSize || unpadding == 0 {
+		return nil, errors.New("Invalid pkcs7 padding (unpadding > aes.BlockSize || unpadding == 0)")
+	}
+
+	pad := src[len(src)-unpadding:]
+	for i := 0; i < unpadding; i++ {
+		if pad[i] != byte(unpadding) {
+			return nil, errors.New("Invalid pkcs7 padding (pad[i] != unpadding)")
+		}
+	}
+
+	return src[:(length - unpadding)], nil
+}
+
+func aesCBCEncrypt(key, s []byte) ([]byte, error) {
+	if len(s)%aes.BlockSize != 0 {
+		return nil, errors.New("Invalid plaintext. It must be a multiple of the block size")
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertext := make([]byte, aes.BlockSize+len(s))
+	iv := ciphertext[:aes.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+
+	mode := cipher.NewCBCEncrypter(block, iv)
+	mode.CryptBlocks(ciphertext[aes.BlockSize:], s)
+
+	return ciphertext, nil
+}
+
+func aesCBCDecrypt(key, src []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(src) < aes.BlockSize {
+		return nil, errors.New("Invalid ciphertext. It must be a multiple of the block size")
+	}
+	iv := src[:aes.BlockSize]
+	src = src[aes.BlockSize:]
+
+	if len(src)%aes.BlockSize != 0 {
+		return nil, errors.New("Invalid ciphertext. It must be a multiple of the block size")
+	}
+
+	mode := cipher.NewCBCDecrypter(block, iv)
+
+	mode.CryptBlocks(src, src)
+
+	return src, nil
+}
+
+// AESCBCPKCS7Encrypt combines CBC encryption and PKCS7 padding
+func AESCBCPKCS7Encrypt(key, src []byte) ([]byte, error) {
+	// First pad
+	tmp := pkcs7Padding(src)
+
+	// Then encrypt
+	return aesCBCEncrypt(key, tmp)
+}
+
+// AESCBCPKCS7Decrypt combines CBC decryption and PKCS7 unpadding
+func AESCBCPKCS7Decrypt(key, src []byte) ([]byte, error) {
+	// First decrypt
+	pt, err := aesCBCDecrypt(key, src)
+	if err != nil {
+		return nil, err
+	}
+
+	// Then remove padding
+	original, err := pkcs7UnPadding(pt)
+	if err != nil {
+		return nil, err
+	}
+
+	return original, nil
+}