[FAB-3194] Fixes from whitebox testing with PKCS11

Several fixes from testing E2E with HSM.

Tested with SoftHSM as well as IBM CEX5S.

- Biggest change: make most pkcs11 operations class-based
   (This is so that multiple CSPs can be instantiated at once.
    This in turn is useful for cryptogen, to generate in multiple
    pkcs11 tokens at once)
- viper.UnmarshalKey ignores ENV vars. Luckily Jason already has
  viperutil that does not
- some further pkcs11 option cleanup,
- implement softverify flag
- implement sensitive flag, since real card prohibits key import

Change-Id: Ic40323f1a32499da0f61ab0658371a1af95c564d
Signed-off-by: Volodymyr Paprotski <[email protected]>

Author: Volodymyr Paprotski

bccsp/factory/factory.go

@@ -41,7 +41,7 @@ var (
 	// Factories' Initialization Error
 	factoriesInitError error
 
-	logger = logging.MustGetLogger("BCCSP_FACTORY")
+	logger = logging.MustGetLogger("bccsp")
 )
 
 // BCCSPFactory is used to get instances of the BCCSP interface.

bccsp/factory/factory_test.go

@@ -23,12 +23,13 @@ import (
 	"os"
 	"testing"
 
+	"github.com/hyperledger/fabric/bccsp/pkcs11"
 	"github.com/spf13/viper"
 )
 
 func TestMain(m *testing.M) {
 	flag.Parse()
-	lib, pin, label, enable := findPKCS11Lib()
+	lib, pin, label := pkcs11.FindPKCS11Lib()
 
 	var jsonBCCSP, yamlBCCSP *FactoryOpts
 	jsonCFG := []byte(
@@ -55,7 +56,7 @@ BCCSP:
         Label:   %s
         `, lib, pin, label)
 
-	if !enable {
+	if lib == "" {
 		fmt.Printf("Could not find PKCS11 libraries, running without\n")
 		yamlCFG = `
 BCCSP:
@@ -121,34 +122,3 @@ func TestGetBCCSP(t *testing.T) {
 		t.Fatal("Failed Software BCCSP. Nil instance.")
 	}
 }
-
-func findPKCS11Lib() (lib, pin, label string, enablePKCS11tests bool) {
-	//FIXME: Till we workout the configuration piece, look for the libraries in the familiar places
-	lib = os.Getenv("PKCS11_LIB")
-	if lib == "" {
-		pin = "98765432"
-		label = "ForFabric"
-		possibilities := []string{
-			"/usr/lib/softhsm/libsofthsm2.so",                            //Debian
-			"/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so",           //Ubuntu
-			"/usr/lib/s390x-linux-gnu/softhsm/libsofthsm2.so",            //Ubuntu
-			"/usr/lib/powerpc64le-linux-gnu/softhsm/libsofthsm2.so",      //Power
-			"/usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so", //MacOS
-		}
-		for _, path := range possibilities {
-			if _, err := os.Stat(path); !os.IsNotExist(err) {
-				lib = path
-				enablePKCS11tests = true
-				break
-			}
-		}
-		if lib == "" {
-			enablePKCS11tests = false
-		}
-	} else {
-		enablePKCS11tests = true
-		pin = os.Getenv("PKCS11_PIN")
-		label = os.Getenv("PKCS11_LABEL")
-	}
-	return lib, pin, label, enablePKCS11tests
-}

bccsp/factory/nopkcs11.go

@@ -68,3 +68,18 @@ func InitFactories(config *FactoryOpts) error {
 
 	return factoriesInitError
 }
+
+// GetBCCSPFromOpts returns a BCCSP created according to the options passed in input.
+func GetBCCSPFromOpts(config *FactoryOpts) (bccsp.BCCSP, error) {
+	var f BCCSPFactory
+	switch config.ProviderName {
+	case "SW":
+		f = &SWFactory{}
+	}
+
+	csp, err := f.Get(config)
+	if err != nil {
+		return nil, fmt.Errorf("Could not initialize BCCSP %s [%s]", f.Name(), err)
+	}
+	return csp, nil
+}

bccsp/factory/pkcs11.go

@@ -21,12 +21,13 @@ import (
 	"fmt"
 
 	"github.com/hyperledger/fabric/bccsp"
+	"github.com/hyperledger/fabric/bccsp/pkcs11"
 )
 
 type FactoryOpts struct {
-	ProviderName string      `mapstructure:"default" json:"default" yaml:"Default"`
-	SwOpts       *SwOpts     `mapstructure:"SW,omitempty" json:"SW,omitempty" yaml:"SwOpts"`
-	Pkcs11Opts   *PKCS11Opts `mapstructure:"PKCS11,omitempty" json:"PKCS11,omitempty" yaml:"PKCS11"`
+	ProviderName string             `mapstructure:"default" json:"default" yaml:"Default"`
+	SwOpts       *SwOpts            `mapstructure:"SW,omitempty" json:"SW,omitempty" yaml:"SwOpts"`
+	Pkcs11Opts   *pkcs11.PKCS11Opts `mapstructure:"PKCS11,omitempty" json:"PKCS11,omitempty" yaml:"PKCS11"`
 }
 
 // InitFactories must be called before using factory interfaces
@@ -78,3 +79,20 @@ func InitFactories(config *FactoryOpts) error {
 
 	return factoriesInitError
 }
+
+// GetBCCSPFromOpts returns a BCCSP created according to the options passed in input.
+func GetBCCSPFromOpts(config *FactoryOpts) (bccsp.BCCSP, error) {
+	var f BCCSPFactory
+	switch config.ProviderName {
+	case "SW":
+		f = &SWFactory{}
+	case "PKCS11":
+		f = &PKCS11Factory{}
+	}
+
+	csp, err := f.Get(config)
+	if err != nil {
+		return nil, fmt.Errorf("Could not initialize BCCSP %s [%s]", f.Name(), err)
+	}
+	return csp, nil
+}

bccsp/factory/pkcs11factory.go

@@ -42,7 +42,7 @@ func (f *PKCS11Factory) Name() string {
 // Get returns an instance of BCCSP using Opts.
 func (f *PKCS11Factory) Get(config *FactoryOpts) (bccsp.BCCSP, error) {
 	// Validate arguments
-	if config == nil || config.SwOpts == nil {
+	if config == nil || config.Pkcs11Opts == nil {
 		return nil, errors.New("Invalid config. It must not be nil.")
 	}
 
@@ -62,29 +62,5 @@ func (f *PKCS11Factory) Get(config *FactoryOpts) (bccsp.BCCSP, error) {
 		// Default to DummyKeystore
 		ks = sw.NewDummyKeyStore()
 	}
-	err := pkcs11.InitPKCS11(p11Opts.Library, p11Opts.Pin, p11Opts.Label)
-	if err != nil {
-		return nil, fmt.Errorf("Failed initializing PKCS11 library %s %s [%s]",
-			p11Opts.Library, p11Opts.Label, err)
-	}
-	return pkcs11.New(p11Opts.SecLevel, p11Opts.HashFamily, ks)
-}
-
-// PKCS11Opts contains options for the P11Factory
-type PKCS11Opts struct {
-	// Default algorithms when not specified (Deprecated?)
-	SecLevel   int    `mapstructure:"security" json:"security"`
-	HashFamily string `mapstructure:"hash" json:"hash"`
-
-	// Keystore options
-	Ephemeral     bool               `mapstructure:"tempkeys,omitempty" json:"tempkeys,omitempty"`
-	FileKeystore  *FileKeystoreOpts  `mapstructure:"filekeystore,omitempty" json:"filekeystore,omitempty"`
-	DummyKeystore *DummyKeystoreOpts `mapstructure:"dummykeystore,omitempty" json:"dummykeystore,omitempty"`
-
-	// PKCS11 options
-	Library    string `mapstructure:"library" json:"library"`
-	Label      string `mapstructure:"label" json:"label"`
-	Pin        string `mapstructure:"pin" json:"pin"`
-	Sensitive  bool   `mapstructure:"sensitivekeys,omitempty" json:"sensitivekeys,omitempty"`
-	SoftVerify bool   `mapstructure:"softwareverify,omitempty" json:"softwareverify,omitempty"`
+	return pkcs11.New(*p11Opts, ks)
 }

bccsp/pkcs11/conf.go

@@ -83,3 +83,30 @@ func (conf *config) setSecurityLevelSHA3(level int) (err error) {
 	}
 	return
 }
+
+// PKCS11Opts contains options for the P11Factory
+type PKCS11Opts struct {
+	// Default algorithms when not specified (Deprecated?)
+	SecLevel   int    `mapstructure:"security" json:"security"`
+	HashFamily string `mapstructure:"hash" json:"hash"`
+
+	// Keystore options
+	Ephemeral     bool               `mapstructure:"tempkeys,omitempty" json:"tempkeys,omitempty"`
+	FileKeystore  *FileKeystoreOpts  `mapstructure:"filekeystore,omitempty" json:"filekeystore,omitempty"`
+	DummyKeystore *DummyKeystoreOpts `mapstructure:"dummykeystore,omitempty" json:"dummykeystore,omitempty"`
+
+	// PKCS11 options
+	Library    string `mapstructure:"library" json:"library"`
+	Label      string `mapstructure:"label" json:"label"`
+	Pin        string `mapstructure:"pin" json:"pin"`
+	Sensitive  bool   `mapstructure:"sensitivekeys,omitempty" json:"sensitivekeys,omitempty"`
+	SoftVerify bool   `mapstructure:"softwareverify,omitempty" json:"softwareverify,omitempty"`
+}
+
+// Since currently only ECDSA operations go to PKCS11, need a keystore still
+// Pluggable Keystores, could add JKS, P12, etc..
+type FileKeystoreOpts struct {
+	KeyStorePath string `mapstructure:"keystore" json:"keystore" yaml:"KeyStore"`
+}
+
+type DummyKeystoreOpts struct{}

bccsp/pkcs11/ecdsa.go

@@ -16,6 +16,7 @@ limitations under the License.
 package pkcs11
 
 import (
+	"crypto/ecdsa"
 	"crypto/elliptic"
 	"encoding/asn1"
 	"errors"
@@ -73,7 +74,7 @@ func unmarshalECDSASignature(raw []byte) (*big.Int, *big.Int, error) {
 }
 
 func (csp *impl) signECDSA(k ecdsaPrivateKey, digest []byte, opts bccsp.SignerOpts) (signature []byte, err error) {
-	r, s, err := signECDSA(k.ski, digest)
+	r, s, err := csp.signP11ECDSA(k.ski, digest)
 	if err != nil {
 		return nil, err
 	}
@@ -111,5 +112,9 @@ func (csp *impl) verifyECDSA(k ecdsaPublicKey, signature, digest []byte, opts bc
 		return false, fmt.Errorf("Invalid S. Must be smaller than half the order [%s][%s].", s, halfOrder)
 	}
 
-	return verifyECDSA(k.ski, digest, r, s, k.pub.Curve.Params().BitSize/8)
+	if csp.softVerify {
+		return ecdsa.Verify(k.pub, digest, r, s), nil
+	} else {
+		return csp.verifyP11ECDSA(k.ski, digest, r, s, k.pub.Curve.Params().BitSize/8)
+	}
 }