FabricV2. How to select AES, EDCSA and SHA for 2bccsp Suite

1.FabricV2.2 specific cryptographic algorithms used

Although fabricv2 2 supports many cryptographic algorithms, but in actual use, the default is to select several sub algorithms from the three encryption algorithms of symmetric encryption algorithm, asymmetric encryption algorithm and hash algorithm

First, the code in Fabric adopts the factory design pattern to produce a specific BCCSP suite

1.1. Study the Factory folder in BCCSP

Pkcs11.0 is ignored by default during Fabric compilation Go and pkcs11factory Go by the build tool because of the custom flag, so there is no need to consider pkcs11 Go and pkcs11factory Go two bags

The above has one core and two branches:

1 core refers to factory go; 2 branch refers to pkcs11factory Go and swfactory go;

​ no pkcs11. Go does not use PKCs 11 hardware to realize the configuration of BCCSP

​ opts.go indicates which configuration information can decide whether to initialize pkcs11factory or swfactory

Since our core lies in the cipher suite implemented by bccsp software, we should focus on factory go,swfactory.go,nopkcs11.go,opts.go file to investigate the types of Fabric's default encryption algorithms


As shown in the figure, the Get method determines the actual factory type of BCCSPFactory (PKCS11Factory or SWFactory) according to the FactoryOpts parameter

The GetDefault method uses the singleton design model to obtain the defaultBCCSP

fabric/bccsp/factory/opts.go in

Question: how to initialize the defaultBCCSP instance?

As described in the above figure: if config==nil, the SHA2-256 hash algorithm used in the defaultBCCSP instance

When BCCSPFactory is specified as swfactory Go, the resolution of the Get method is as follows:


// SwOpts contains options for the SWFactory
type SwOpts struct {
	// Default algorithms when not specified (Deprecated?)
	SecLevel      int                `mapstructure:"security" json:"security" yaml:"Security"`
	HashFamily    string             `mapstructure:"hash" json:"hash" yaml:"Hash"`
	FileKeystore  *FileKeystoreOpts  `mapstructure:"filekeystore,omitempty" json:"filekeystore,omitempty" yaml:"FileKeyStore"`
	DummyKeystore *DummyKeystoreOpts `mapstructure:"dummykeystore,omitempty" json:"dummykeystore,omitempty"`
	InmemKeystore *InmemKeystoreOpts `mapstructure:"inmemkeystore,omitempty" json:"inmemkeystore,omitempty"`

Default: SecLevel=256,HashFamily = "SHA2", FileKeystore records the key file path, and other fields do not need to be studied temporarily

//The Get function generates a specific BCCSP encryption service suite according to the FactoryOpts parameter
// Get returns an instance of BCCSP using Opts.
func (f *SWFactory) Get(config *FactoryOpts) (bccsp.BCCSP, error) {
	// Validate arguments
	if config == nil || config.SwOpts == nil {
		return nil, errors.New("Invalid config. It must not be nil.")

	swOpts := config.SwOpts

	var ks bccsp.KeyStore
	switch {
	case swOpts.FileKeystore != nil:
		fks, err := sw.NewFileBasedKeyStore(nil, swOpts.FileKeystore.KeyStorePath, false)
		if err != nil {
			return nil, errors.Wrapf(err, "Failed to initialize software key store")
		ks = fks
	case swOpts.InmemKeystore != nil:
		ks = sw.NewInMemoryKeyStore()
		// Default to ephemeral key store
		ks = sw.NewDummyKeyStore()

	return sw.NewWithParams(swOpts.SecLevel, swOpts.HashFamily, ks)//Key core

So in fact, the core method for SWFactory to instantiate BCCSP suite should be NewWithParams(), so what exactly does NewWithParams do?

The specific types of AES, ECDSA and SHA in the Fabric shown in the figure above are set by the setSecurityLevel method in the fabric/bccsp/sw/conf.go file

4.2. Conclusion:

The following are the BCCSP suite based on SW implementation

  1. The BCCSP suite of Fabric can be dynamically selected, but there are default configurations, SecurityLevel=256,HashFamily=SHA2
  2. BCCSP suite selects the specific categories of AES, SHA and ECDSA according to the two parameters of SecurityLevel and HashFamily:
    1. When HashFamily=SHA2
      1. When SecurityLevel=256, Sha = sha2-256 (implemented by crypto/sha256 standard package sha256.New), the elliptic curve of ECDSA is P256 (implemented as elliptic. P256() of crypto/elliptic standard library), and the length of AES is 32 (default configuration)
      2. When SecurityLevel=384, Sha = sha2-512 (implemented by crypto/sha512 standard package sha512.New384), the elliptic curve of ECDSA is p384 (implemented as elliptic. P384() of crypto/elliptic standard library), and the length of AES is 32
    2. When HashFamily=SHA3
      1. When SecurityLevel=256, Sha = sha3-256 (implemented by sha3.new256 in the third-party package golang.org/x/crypto/sha3), the elliptic curve of ECDSA is P256 (implemented by elliptic. P256() of crypto/elliptic standard library), and the length of AES is 32
      2. When SecurityLevel=384, Sha = sha3-384 (implemented by the third-party package sha3.new384 in golang.org/x/crypto/sha3), the elliptic curve of ECDSA is p384 (implemented as elliptic. P384() of crypto/elliptic standard library), and the length of AES is 32

Tags: Blockchain

Posted by marky2coats on Sun, 17 Apr 2022 12:36:05 +0930