diff --git a/ci/scripts/setup_softhsm.sh b/ci/scripts/setup_softhsm.sh index 8a8505ab0..692e4a948 100755 --- a/ci/scripts/setup_softhsm.sh +++ b/ci/scripts/setup_softhsm.sh @@ -20,7 +20,7 @@ if [[ "$OSTYPE" == "darwin"* ]]; then # softhsm2-util --delete-token --token "ForFSC" || true echo "Initializing tokens..." - softhsm2-util --init-token --slot 13 --label "ForFSC" --so-pin 1234 --pin 98765432 + softhsm2-util --init-token --free --label "ForFSC" --so-pin 1234 --pin 98765432 else diff --git a/docs/core-token.md b/docs/core-token.md index bf4f18875..a57182726 100644 --- a/docs/core-token.md +++ b/docs/core-token.md @@ -102,19 +102,21 @@ token: path: /path/to/issuer-wallet # additional options that can be used to instantiated the wallet. # options are driver dependent. With `fabtoken` and `dlog` drivers, - # the following options apply + # the following options apply. opts: BCCSP: Default: SW + SW: + Hash: SHA2 + Security: 256 + # The following only needs to be defined if the BCCSP Default is set to PKCS11. + # NOTE: in order to use pkcs11, you have to build the application with "go build -tags pkcs11" PKCS11: Hash: SHA2 Label: null Library: null Pin: null Security: 256 - SW: - Hash: SHA2 - Security: 256 # auditor wallets auditors: - id: auditor # the unique identifier of this wallet. Here is an example of use: `ttx.GetAuditorWallet(context, "auditor)` diff --git a/docs/deployment/deployment.md b/docs/deployment/deployment.md index 018028661..daa70b8ee 100644 --- a/docs/deployment/deployment.md +++ b/docs/deployment/deployment.md @@ -56,4 +56,10 @@ func main() { return nil }) } -``` \ No newline at end of file +``` + +## HSM Support + +In order to use a hardware HSM for x.509 identities, you have to build the application with +`CGO_ENABLED=1 go build -tags pkcs11` and configure the PKCS11 settings in the configuration +file (see [core-token.md](../core-token.md)). diff --git a/fungible.mk b/fungible.mk index 04a4f0569..f515dd090 100644 --- a/fungible.mk +++ b/fungible.mk @@ -63,7 +63,7 @@ integration-tests-dloghsm-fabric: install-softhsm @echo "Setup SoftHSM" @./ci/scripts/setup_softhsm.sh @echo "Start Integration Test" - cd ./integration/token/fungible/dloghsm; export FAB_BINS=$(FAB_BINS); ginkgo $(GINKGO_TEST_OPTS) --label-filter="$(TEST_FILTER)" . + cd ./integration/token/fungible/dloghsm; export FAB_BINS=$(FAB_BINS); ginkgo $(GINKGO_TEST_OPTS) --tags pkcs11 --label-filter="$(TEST_FILTER)" . .PHONY: integration-tests-fabtoken-fabric-t1 integration-tests-fabtoken-fabric-t1: @@ -87,7 +87,7 @@ integration-tests-fabtoken-fabric-t5: .PHONY: integration-tests-fabtoken-fabric integration-tests-fabtoken-fabric: - cd ./integration/token/fungible/fabtoken; export FAB_BINS=$(FAB_BINS); ginkgo $(GINKGO_TEST_OPTS) --label-filter="$(TEST_FILTER)" . + cd ./integration/token/fungible/fabtoken; export FAB_BINS=$(FAB_BINS); ginkgo $(GINKGO_TEST_OPTS) --tags pkcs11 --label-filter="$(TEST_FILTER)" . .PHONY: integration-tests-dlog-orion integration-tests-dlog-orion: diff --git a/go.mod b/go.mod index 2abf9ced5..edb7a9852 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/IBM/mathlib v0.0.3-0.20231011094432-44ee0eb539da github.com/dgraph-io/badger/v3 v3.2103.2 github.com/hashicorp/go-uuid v1.0.2 - github.com/hyperledger-labs/fabric-smart-client v0.3.1-0.20240724173042-088844238ec3 + github.com/hyperledger-labs/fabric-smart-client v0.3.1-0.20240805090211-ae3778fa9aac github.com/hyperledger-labs/fabric-token-sdk/txgen v0.0.0-00010101000000-000000000000 github.com/hyperledger-labs/orion-sdk-go v0.2.10 github.com/hyperledger-labs/orion-server v0.2.10 diff --git a/go.sum b/go.sum index 9704a8415..eca196690 100644 --- a/go.sum +++ b/go.sum @@ -467,8 +467,8 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= github.com/huin/goupnp v1.2.0 h1:uOKW26NG1hsSSbXIZ1IR7XP9Gjd1U8pnLaCMgntmkmY= github.com/huin/goupnp v1.2.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8= -github.com/hyperledger-labs/fabric-smart-client v0.3.1-0.20240724173042-088844238ec3 h1:XqxKaspPPyty8w4LlIIKUcMEp2zi5QCvnia+2YVW6ME= -github.com/hyperledger-labs/fabric-smart-client v0.3.1-0.20240724173042-088844238ec3/go.mod h1:o/L/+Apv/hCHFVIQNIiYJcHh1Sl0LGSc2kAWJAeFLB0= +github.com/hyperledger-labs/fabric-smart-client v0.3.1-0.20240805090211-ae3778fa9aac h1:tarUHl0o/9a9q5IcZn6CLWL7Qv/en1SZD2dJ2oD/Xb4= +github.com/hyperledger-labs/fabric-smart-client v0.3.1-0.20240805090211-ae3778fa9aac/go.mod h1:o/L/+Apv/hCHFVIQNIiYJcHh1Sl0LGSc2kAWJAeFLB0= github.com/hyperledger-labs/orion-sdk-go v0.2.10 h1:lFgWgxyvngIhWnIqymYGBmtmq9D6uC5d0uLG9cbyh5s= github.com/hyperledger-labs/orion-sdk-go v0.2.10/go.mod h1:iN2xZB964AqwVJwL+EnwPOs8z1EkMEbbIg/qYeC7gDY= github.com/hyperledger-labs/orion-server v0.2.10 h1:G4zbQEL5Egk0Oj+TwHCZWdTOLDBHOjaAEvYOT4G7ozw= diff --git a/integration/nwo/token/generators/dlog/dlog_test.go b/integration/nwo/token/generators/dlog/dlog_test.go index fc0bb6efd..58b0fa031 100644 --- a/integration/nwo/token/generators/dlog/dlog_test.go +++ b/integration/nwo/token/generators/dlog/dlog_test.go @@ -22,7 +22,7 @@ import ( func TestDLogFabricCryptoMaterialGenerator_Setup(t *testing.T) { gomega.RegisterTestingT(t) - buildServer := common.NewBuildServer() + buildServer := common.NewBuildServer("-tags", "pkcs11") buildServer.Serve() defer buildServer.Shutdown(true) diff --git a/token/services/identity/msp/x509/msp/bccsp.go b/token/services/identity/msp/x509/msp/bccsp.go index c4914f2fe..4f8cd3520 100644 --- a/token/services/identity/msp/x509/msp/bccsp.go +++ b/token/services/identity/msp/x509/msp/bccsp.go @@ -10,8 +10,8 @@ import ( "encoding/hex" "path/filepath" + "github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/msp/x509/msp/pkcs11" "github.com/hyperledger/fabric/bccsp" - "github.com/hyperledger/fabric/bccsp/pkcs11" "github.com/hyperledger/fabric/bccsp/sw" "github.com/pkg/errors" ) @@ -42,14 +42,12 @@ func GetPKCS11BCCSP(conf *BCCSP) (bccsp.BCCSP, bccsp.KeyStore, error) { return nil, nil, errors.New("invalid BCCSP.PKCS11. missing configuration") } - p11Opts := *conf.PKCS11 + p11Opts := conf.PKCS11 ks := sw.NewDummyKeyStore() - mapper := skiMapper(p11Opts) - csp, err := pkcs11.New(*ToPKCS11OptsOpts(&p11Opts), ks, pkcs11.WithKeyMapper(mapper)) - if err != nil { - return nil, nil, errors.WithMessagef(err, "Failed initializing PKCS11 library with config [%+v]", p11Opts) - } - return csp, ks, nil + opts := ToPKCS11OptsOpts(p11Opts) + csp, err := pkcs11.NewProvider(*opts, ks, skiMapper(*p11Opts)) + + return csp, ks, err } func skiMapper(p11Opts PKCS11) func([]byte) []byte { diff --git a/token/services/identity/msp/x509/msp/pkcs11/disabled.go b/token/services/identity/msp/x509/msp/pkcs11/disabled.go new file mode 100644 index 000000000..c77007ada --- /dev/null +++ b/token/services/identity/msp/x509/msp/pkcs11/disabled.go @@ -0,0 +1,45 @@ +//go:build !pkcs11 + +/* +Copyright IBM Corp. All Rights Reserved. + +SPDX-License-Identifier: Apache-2.0 +*/ + +package pkcs11 + +import ( + "github.com/hyperledger/fabric/bccsp" +) + +type KeyIDMapping struct { + SKI string `yaml:"SKI,omitempty"` + ID string `yaml:"ID,omitempty"` +} + +type PKCS11Opts struct { + // Default algorithms when not specified (Deprecated?) + Security int `yaml:"Security"` + Hash string `yaml:"Hash"` + + // PKCS11 options + Library string `yaml:"Library"` + Label string `yaml:"Label"` + Pin string `yaml:"Pin"` + SoftwareVerify bool `yaml:"SoftwareVerify,omitempty"` + Immutable bool `yaml:"Immutable,omitempty"` + AltID string `yaml:"AltId,omitempty"` + KeyIDs []KeyIDMapping `yaml:"KeyIds,omitempty" mapstructure:"KeyIds"` +} + +func NewProvider(opts any, ks bccsp.KeyStore, mapper func(ski []byte) []byte) (bccsp.BCCSP, error) { + panic("pkcs11 not included in build. Use: go build -tags pkcs11") +} + +func ToPKCS11OptsOpts(o any) *PKCS11Opts { + panic("pkcs11 not included in build. Use: go build -tags pkcs11") +} + +func FindPKCS11Lib() (lib, pin, label string, err error) { + panic("pkcs11 not included in build. Use: go build -tags pkcs11") +} diff --git a/token/services/identity/msp/x509/msp/pkcs11/pkcs11.go b/token/services/identity/msp/x509/msp/pkcs11/pkcs11.go index ca6d9d831..f39383323 100644 --- a/token/services/identity/msp/x509/msp/pkcs11/pkcs11.go +++ b/token/services/identity/msp/x509/msp/pkcs11/pkcs11.go @@ -1,3 +1,5 @@ +//go:build pkcs11 + /* Copyright IBM Corp. All Rights Reserved. @@ -9,6 +11,7 @@ package pkcs11 import ( "os" + "github.com/hyperledger/fabric/bccsp" "github.com/hyperledger/fabric/bccsp/pkcs11" "github.com/pkg/errors" ) @@ -25,6 +28,15 @@ type ( KeyIDMapping = pkcs11.KeyIDMapping ) +// NewProvider returns a pkcs11 provider +func NewProvider(opts PKCS11Opts, ks bccsp.KeyStore, mapper func(ski []byte) []byte) (*pkcs11.Provider, error) { + csp, err := pkcs11.New(opts, ks, pkcs11.WithKeyMapper(mapper)) + if err != nil { + return nil, errors.WithMessagef(err, "Failed initializing PKCS11 library with config [%+v]", opts) + } + return csp, nil +} + // FindPKCS11Lib attempts to find the PKCS11 library based on the given configuration func FindPKCS11Lib() (lib, pin, label string, err error) { if lib = os.Getenv("PKCS11_LIB"); lib == "" {