hyperledger · denyeart · Jan 20, 2024 · Jan 20, 2024
@@ -262,6 +262,38 @@ func (opts *SHAOpts) Algorithm() string {
 	return SHA
 }
 
+// RSAKeyGenOpts contains options for RSA key generation.
+type RSAKeyGenOpts struct {
+	Temporary bool
+}
+
+// Algorithm returns the key generation algorithm identifier (to be used).
+func (opts *RSAKeyGenOpts) Algorithm() string {
+	return RSA
+}
+
+// Ephemeral returns true if the key to generate has to be ephemeral,
+// false otherwise.
+func (opts *RSAKeyGenOpts) Ephemeral() bool {
+	return opts.Temporary
+}
+
+// RSAGoPublicKeyImportOpts contains options for RSA key importation from rsa.PublicKey
+type RSAGoPublicKeyImportOpts struct {
+	Temporary bool
+}
+
+// Algorithm returns the key importation algorithm identifier (to be used).
+func (opts *RSAGoPublicKeyImportOpts) Algorithm() string {
+	return RSA
+}
+
+// Ephemeral returns true if the key to generate has to be ephemeral,
+// false otherwise.
+func (opts *RSAGoPublicKeyImportOpts) Ephemeral() bool {
+	return opts.Temporary
+}
+
 // X509PublicKeyImportOpts contains options for importing public keys from an x509 certificate
 type X509PublicKeyImportOpts struct {
 	Temporary bool

@@ -20,6 +20,7 @@ type config struct {
 	ellipticCurve elliptic.Curve
 	hashFunction  func() hash.Hash
 	aesBitLength  int
+	rsaBitLength  int
 }
 
 func (conf *config) setSecurityLevel(securityLevel int, hashFamily string) (err error) {
@@ -39,10 +40,12 @@ func (conf *config) setSecurityLevelSHA2(level int) (err error) {
 	case 256:
 		conf.ellipticCurve = elliptic.P256()
 		conf.hashFunction = sha256.New
+		conf.rsaBitLength = 2048
 		conf.aesBitLength = 32
 	case 384:
 		conf.ellipticCurve = elliptic.P384()
 		conf.hashFunction = sha512.New384
+		conf.rsaBitLength = 3072
 		conf.aesBitLength = 32
 	default:
 		err = fmt.Errorf("Security level not supported [%d]", level)
@@ -55,10 +58,12 @@ func (conf *config) setSecurityLevelSHA3(level int) (err error) {
 	case 256:
 		conf.ellipticCurve = elliptic.P256()
 		conf.hashFunction = sha3.New256
+		conf.rsaBitLength = 2048
 		conf.aesBitLength = 32
 	case 384:
 		conf.ellipticCurve = elliptic.P384()
 		conf.hashFunction = sha3.New384
+		conf.rsaBitLength = 3072
 		conf.aesBitLength = 32
 	default:
 		err = fmt.Errorf("Security level not supported [%d]", level)

@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-		 http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package sw
@@ -20,6 +10,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/rsa"
 	"fmt"
 
 	"github.com/hyperledger/fabric/bccsp"
@@ -50,3 +41,16 @@ func (kg *aesKeyGenerator) KeyGen(opts bccsp.KeyGenOpts) (bccsp.Key, error) {
 
 	return &aesPrivateKey{lowLevelKey, false}, nil
 }
+
+type rsaKeyGenerator struct {
+	length int
+}
+
+func (kg *rsaKeyGenerator) KeyGen(opts bccsp.KeyGenOpts) (bccsp.Key, error) {
+	lowLevelKey, err := rsa.GenerateKey(rand.Reader, int(kg.length))
+	if err != nil {
+		return nil, fmt.Errorf("Failed generating RSA %d key [%s]", kg.length, err)
+	}
+
+	return &rsaPrivateKey{lowLevelKey}, nil
+}
@@ -80,6 +80,11 @@ func NewWithParams(securityLevel int, hashFamily string, keyStore bccsp.KeyStore
 	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AES256KeyGenOpts{}), &aesKeyGenerator{length: 32})
 	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AES192KeyGenOpts{}), &aesKeyGenerator{length: 24})
 	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.AES128KeyGenOpts{}), &aesKeyGenerator{length: 16})
+	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSAKeyGenOpts{}), &rsaKeyGenerator{length: conf.rsaBitLength})
+	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA1024KeyGenOpts{}), &rsaKeyGenerator{length: 1024})
+	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA2048KeyGenOpts{}), &rsaKeyGenerator{length: 2048})
+	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA3072KeyGenOpts{}), &rsaKeyGenerator{length: 3072})
+	swbccsp.AddWrapper(reflect.TypeOf(&bccsp.RSA4096KeyGenOpts{}), &rsaKeyGenerator{length: 4096})
 
 	// Set the key deriver
 	swbccsp.AddWrapper(reflect.TypeOf(&ecdsaPrivateKey{}), &ecdsaPrivateKeyKeyDeriver{})

@@ -7,46 +7,56 @@ SPDX-License-Identifier: Apache-2.0
 package sw
 
 import (
+	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
 	"errors"
 	"fmt"
 
 	"github.com/hyperledger/fabric/bccsp"
 )
 
-// An rsaPublicKey wraps the standard library implementation of an RSA public
-// key with functions that satisfy the bccsp.Key interface.
-//
-// NOTE: Fabric does not support RSA signing or verification. This code simply
-// allows MSPs to include RSA CAs in their certificate chains.
-type rsaPublicKey struct{ pubKey *rsa.PublicKey }
-
-func (k *rsaPublicKey) Symmetric() bool               { return false }
-func (k *rsaPublicKey) Private() bool                 { return false }
-func (k *rsaPublicKey) PublicKey() (bccsp.Key, error) { return k, nil }
-
-// Bytes converts this key to its serialized representation.
-func (k *rsaPublicKey) Bytes() (raw []byte, err error) {
-	if k.pubKey == nil {
-		return nil, errors.New("Failed marshalling key. Key is nil.")
-	}
-	raw, err = x509.MarshalPKIXPublicKey(k.pubKey)
-	if err != nil {
-		return nil, fmt.Errorf("Failed marshalling key [%s]", err)
+type rsaSigner struct{}
+
+func (s *rsaSigner) Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) ([]byte, error) {
+	if opts == nil {
+		return nil, errors.New("Invalid options. Must be different from nil.")
 	}
-	return
+
+	return k.(*rsaPrivateKey).privKey.Sign(rand.Reader, digest, opts)
 }
 
-// SKI returns the subject key identifier of this key.
-func (k *rsaPublicKey) SKI() []byte {
-	if k.pubKey == nil {
-		return nil
+type rsaPrivateKeyVerifier struct{}
+
+func (v *rsaPrivateKeyVerifier) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
+	if opts == nil {
+		return false, errors.New("Invalid options. It must not be nil.")
+	}
+	switch opts.(type) {
+	case *rsa.PSSOptions:
+		err := rsa.VerifyPSS(&(k.(*rsaPrivateKey).privKey.PublicKey),
+			(opts.(*rsa.PSSOptions)).Hash,
+			digest, signature, opts.(*rsa.PSSOptions))
+
+		return err == nil, err
+	default:
+		return false, fmt.Errorf("Opts type not recognized [%s]", opts)
 	}
+}
+
+type rsaPublicKeyKeyVerifier struct{}
 
-	// Marshal the public key and hash it
-	raw := x509.MarshalPKCS1PublicKey(k.pubKey)
-	hash := sha256.Sum256(raw)
-	return hash[:]
+func (v *rsaPublicKeyKeyVerifier) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
+	if opts == nil {
+		return false, errors.New("Invalid options. It must not be nil.")
+	}
+	switch opts.(type) {
+	case *rsa.PSSOptions:
+		err := rsa.VerifyPSS(k.(*rsaPublicKey).pubKey,
+			(opts.(*rsa.PSSOptions)).Hash,
+			digest, signature, opts.(*rsa.PSSOptions))
+
+		return err == nil, err
+	default:
+		return false, fmt.Errorf("Opts type not recognized [%s]", opts)
+	}
 }
@@ -12,17 +12,11 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/asn1"
-	"math/big"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 )
 
-type rsaPublicKeyASN struct {
-	N *big.Int
-	E int
-}
-
 func TestRSAPublicKey(t *testing.T) {
 	lowLevelKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	require.NoError(t, err)

@@ -0,0 +1,124 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package sw
+
+import (
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+	"math/big"
+
+	"github.com/hyperledger/fabric/bccsp"
+)
+
+// rsaPublicKey reflects the ASN.1 structure of a PKCS#1 public key.
+type rsaPublicKeyASN struct {
+	N *big.Int
+	E int
+}
+
+type rsaPrivateKey struct {
+	privKey *rsa.PrivateKey
+}
+
+// Bytes converts this key to its byte representation,
+// if this operation is allowed.
+func (k *rsaPrivateKey) Bytes() ([]byte, error) {
+	return nil, errors.New("Not supported.")
+}
+
+// SKI returns the subject key identifier of this key.
+func (k *rsaPrivateKey) SKI() []byte {
+	if k.privKey == nil {
+		return nil
+	}
+
+	// Marshall the public key
+	raw, _ := asn1.Marshal(rsaPublicKeyASN{
+		N: k.privKey.N,
+		E: k.privKey.E,
+	})
+
+	// Hash it
+	hash := sha256.New()
+	hash.Write(raw)
+	return hash.Sum(nil)
+}
+
+// Symmetric returns true if this key is a symmetric key,
+// false is this key is asymmetric
+func (k *rsaPrivateKey) Symmetric() bool {
+	return false
+}
+
+// Private returns true if this key is an asymmetric private key,
+// false otherwise.
+func (k *rsaPrivateKey) Private() bool {
+	return true
+}
+
+// PublicKey returns the corresponding public key part of an asymmetric public/private key pair.
+// This method returns an error in symmetric key schemes.
+func (k *rsaPrivateKey) PublicKey() (bccsp.Key, error) {
+	return &rsaPublicKey{&k.privKey.PublicKey}, nil
+}
+
+type rsaPublicKey struct {
+	pubKey *rsa.PublicKey
+}
+
+// Bytes converts this key to its byte representation,
+// if this operation is allowed.
+func (k *rsaPublicKey) Bytes() (raw []byte, err error) {
+	if k.pubKey == nil {
+		return nil, errors.New("Failed marshalling key. Key is nil.")
+	}
+	raw, err = x509.MarshalPKIXPublicKey(k.pubKey)
+	if err != nil {
+		return nil, fmt.Errorf("Failed marshalling key [%s]", err)
+	}
+	return
+}
+
+// SKI returns the subject key identifier of this key.
+func (k *rsaPublicKey) SKI() []byte {
+	if k.pubKey == nil {
+		return nil
+	}
+
+	// Marshall the public key
+	raw, _ := asn1.Marshal(rsaPublicKeyASN{
+		N: k.pubKey.N,
+		E: k.pubKey.E,
+	})
+
+	// Hash it
+	hash := sha256.New()
+	hash.Write(raw)
+	return hash.Sum(nil)
+}
+
+// Symmetric returns true if this key is a symmetric key,
+// false is this key is asymmetric
+func (k *rsaPublicKey) Symmetric() bool {
+	return false
+}
+
+// Private returns true if this key is an asymmetric private key,
+// false otherwise.
+func (k *rsaPublicKey) Private() bool {
+	return false
+}
+
+// PublicKey returns the corresponding public key part of an asymmetric public/private key pair.
+// This method returns an error in symmetric key schemes.
+func (k *rsaPublicKey) PublicKey() (bccsp.Key, error) {
+	return k, nil
+}