hide pkcs11 behind a build tag so that token sdk is pure go by default

arner · arner · commit 32c7dfa5dda0 · 2024-07-17T11:26:30.000+02:00
Signed-off-by: Arne Rutjes &lt;arne123@gmail.com&gt;
diff --git a/docs/core-token.md b/docs/core-token.md
@@ -102,19 +102,21 @@ token:
             path: /path/to/issuer-wallet
             # additional options that can be used to instantiated the wallet.
             # options are driver dependent. With `fabtoken` and `dlog` drivers,
-            # the following options apply
+            # the following options apply.
             opts:
               BCCSP:
                 Default: SW
+                SW:
+                  Hash: SHA2
+                  Security: 256
+                # The following only needs to be defined if the BCCSP Default is set to PKCS11.
+                # NOTE: in order to use pkcs11, you have to build the application with "go build -tags pkcs11"
                 PKCS11:
                   Hash: SHA2
                   Label: null
                   Library: null
                   Pin: null
                   Security: 256
-                SW:
-                  Hash: SHA2
-                  Security: 256
         # auditor wallets
         auditors:
           - id: auditor # the unique identifier of this wallet. Here is an example of use: `ttx.GetAuditorWallet(context, "auditor)`
diff --git a/docs/deployment/deployment.md b/docs/deployment/deployment.md
@@ -56,4 +56,10 @@ func main() {
 		return nil
 	})
 }
-```
+```
+
+## HSM Support
+
+In order to use a hardware HSM for x.509 identities, you have to build the application with
+`CGO_ENABLED=1 go build -tags pkcs11` and configure the PKCS11 settings in the configuration
+file (see [core-token.md](../core-token.md)).
diff --git a/token/services/identity/msp/x509/msp/bccsp.go b/token/services/identity/msp/x509/msp/bccsp.go
@@ -10,8 +10,8 @@ import (
 	"encoding/hex"
 	"path/filepath"
 
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/x509/msp/pkcs11"
 	"github.com/hyperledger/fabric/bccsp"
-	"github.com/hyperledger/fabric/bccsp/pkcs11"
 	"github.com/hyperledger/fabric/bccsp/sw"
 	"github.com/pkg/errors"
 )
@@ -42,14 +42,12 @@ func GetPKCS11BCCSP(conf *BCCSP) (bccsp.BCCSP, bccsp.KeyStore, error) {
 		return nil, nil, errors.New("invalid BCCSP.PKCS11. missing configuration")
 	}
 
-	p11Opts := *conf.PKCS11
+	p11Opts := conf.PKCS11
 	ks := sw.NewDummyKeyStore()
-	mapper := skiMapper(p11Opts)
-	csp, err := pkcs11.New(*ToPKCS11OptsOpts(&p11Opts), ks, pkcs11.WithKeyMapper(mapper))
-	if err != nil {
-		return nil, nil, errors.WithMessagef(err, "Failed initializing PKCS11 library with config [%+v]", p11Opts)
-	}
-	return csp, ks, nil
+	opts := ToPKCS11OptsOpts(p11Opts)
+	csp, err := pkcs11.NewProvider(*opts, ks, skiMapper(*p11Opts))
+
+	return csp, ks, err
 }
 
 func skiMapper(p11Opts PKCS11) func([]byte) []byte {
diff --git a/token/services/identity/msp/x509/msp/pkcs11/disabled.go b/token/services/identity/msp/x509/msp/pkcs11/disabled.go
@@ -0,0 +1,45 @@
+//go:build !pkcs11
+
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package pkcs11
+
+import (
+	"github.com/hyperledger/fabric/bccsp"
+)
+
+type KeyIDMapping struct {
+	SKI string `yaml:"SKI,omitempty"`
+	ID  string `yaml:"ID,omitempty"`
+}
+
+type PKCS11Opts struct {
+	// Default algorithms when not specified (Deprecated?)
+	Security int    `yaml:"Security"`
+	Hash     string `yaml:"Hash"`
+
+	// PKCS11 options
+	Library        string         `yaml:"Library"`
+	Label          string         `yaml:"Label"`
+	Pin            string         `yaml:"Pin"`
+	SoftwareVerify bool           `yaml:"SoftwareVerify,omitempty"`
+	Immutable      bool           `yaml:"Immutable,omitempty"`
+	AltID          string         `yaml:"AltId,omitempty"`
+	KeyIDs         []KeyIDMapping `yaml:"KeyIds,omitempty" mapstructure:"KeyIds"`
+}
+
+func NewProvider(opts any, ks bccsp.KeyStore, mapper func(ski []byte) []byte) (bccsp.BCCSP, error) {
+	panic("pkcs11 not included in build. Use: go build -tags pkcs11")
+}
+
+func ToPKCS11OptsOpts(o any) *PKCS11Opts {
+	panic("pkcs11 not included in build. Use: go build -tags pkcs11")
+}
+
+func FindPKCS11Lib() (lib, pin, label string, err error) {
+	panic("pkcs11 not included in build. Use: go build -tags pkcs11")
+}
diff --git a/token/services/identity/msp/x509/msp/pkcs11/pkcs11.go b/token/services/identity/msp/x509/msp/pkcs11/pkcs11.go
@@ -1,3 +1,5 @@
+//go:build pkcs11
+
 /*
 Copyright IBM Corp. All Rights Reserved.
 
@@ -9,6 +11,7 @@ package pkcs11
 import (
 	"os"
 
+	"github.com/hyperledger/fabric/bccsp"
 	"github.com/hyperledger/fabric/bccsp/pkcs11"
 	"github.com/pkg/errors"
 )
@@ -25,6 +28,15 @@ type (
 	KeyIDMapping = pkcs11.KeyIDMapping
 )
 
+// NewProvider returns a pkcs11 provider
+func NewProvider(opts PKCS11Opts, ks bccsp.KeyStore, mapper func(ski []byte) []byte) (*pkcs11.Provider, error) {
+	csp, err := pkcs11.New(opts, ks, pkcs11.WithKeyMapper(mapper))
+	if err != nil {
+		return nil, errors.WithMessagef(err, "Failed initializing PKCS11 library with config [%+v]", opts)
+	}
+	return csp, nil
+}
+
 // FindPKCS11Lib attempts to find the PKCS11 library based on the given configuration
 func FindPKCS11Lib() (lib, pin, label string, err error) {
 	if lib = os.Getenv("PKCS11_LIB"); lib == "" {
