strength.conf - Man Page

Configuration file for openCryptoki strength configuration.

Description

openCryptoki uses a strength configuration file at /etc/opencryptoki/strength.conf

This configuration file allows users to configure openCryptoki cryptographic key strength determination based on key attributes. This file is required by openCryptoki.

Syntax

This file starts with a version specification of the form 'version strength-0' followed by the definition of various strengths.

Each strength definition is composed of the keyword strength followed by a number, a pair of braces, and key-value pairs inside the braces.

strength number
{
    ...
}

Supported numbers are 112, 128, 192, and 256 representing the corresponding strength in bits.

Note: These definitions are optional.  If a definition is missing, no key can have that strength.  If no strength definition is present at all, all keys will have strength 0.

More than one key-value pair may be used within a strength description.

A key-value pair is composed of keyword = value where value is an unsigned number.

The following keywords are valid:

MOD_EXP

Specifies the minimum number of bits required for RSA moduli, and DH and DSA primes such that the corresponding key is of the currently defined strength.

Note: This key-value pair is optional.  If not present, no RSA, DH, or DSA key can have the currently defined strength.

ECC

Specifies the minimum number of bits in the prime field of the elliptic curve such that the corresponding key is of the currently defined strength.

Note: This key-value pair is optional.  If not present, no EC key can have the currently defined strength.

SYMMETRIC

Specifies the minimum number of bits required for symmetric keys such that the corresponding key is of the currently defined strength.

Note: This key-value pair is optional.  If not present, no symmetric key can have the currently defined strength.

digest

Specifies the minimum size in bits of digest outputs required by the currently defined strength.

Note: This key-value pair is optional.  If not present, this strength definition does not constrain the size of digests.

signature

Specifies the minimum size in bits of signatures required by the currently defined strength.

Note: This key-value pair is optional.  If not present, this strength definition does not constrain the size of signatures.

Notes

The strength configuration file has to be owned by root:pkcs11, have mode 0640, and be parsable.  Otherwise, openCryptoki will return CKR_FUNCTION_FAILED on C_Initialize and log a corresponding message to syslog detailing the reason why the strength configuration could not be used.  In this case, fix the problem described in syslog to be able to use openCryptoki again.

The pound sign ('#') is used to indicate a comment.  Both the comment character and any text after it, up to the end of the line, are ignored. The comment character can be used at the beginning of a line (including before the file version specification), after a value, and before and after the braces.
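The following is an added example, not openCryptoki's own code: a small reference parser for the syntax above (version line, strength blocks, '#' comments in all the positions described) plus a lookup that assigns a key the highest defined strength whose minimum it meets, which is an assumption about the semantics since this page only states per-strength minimums.  The sample configuration is constructed here and is not the shipped strength-example.conf.

```python
import re
STRENGTHS = (112, 128, 192, 256)
KEYWORDS = {"MOD_EXP", "ECC", "SYMMETRIC", "digest", "signature"}
KEY_KEYWORD = {"RSA": "MOD_EXP", "DH": "MOD_EXP", "DSA": "MOD_EXP", "EC": "ECC", "AES": "SYMMETRIC"}
# Constructed sample configuration (not the shipped strength-example.conf).
SAMPLE_CONF = """\
version strength-0   # a comment may follow the version line
strength 112 {       # ... or a brace
    MOD_EXP = 2048
    ECC = 224
    SYMMETRIC = 112
}
strength 128
{
    MOD_EXP = 3072
    ECC = 256
    SYMMETRIC = 128
}
strength 192 {       # no MOD_EXP here: no RSA/DH/DSA key can reach 192
    ECC = 384
    SYMMETRIC = 192
}
"""

def parse_strength_conf(text):
    """Return {strength: {keyword: value}}; raises on malformed input."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                    # '#' starts a comment
        tokens += re.findall(r"[{}=]|[^\s{}=]+", line)  # braces and '=' are their own tokens
    if tokens[:2] != ["version", "strength-0"]:
        raise ValueError("missing 'version strength-0' header")
    pos, defs = 2, {}
    while pos < len(tokens):
        level = int(tokens[pos + 1])                    # non-numeric -> ValueError
        if tokens[pos] != "strength" or tokens[pos + 2] != "{" or level not in STRENGTHS or level in defs:
            raise ValueError(f"bad strength definition at token {pos}")
        pos, body = pos + 3, {}
        while tokens[pos] != "}":
            key, eq, val = tokens[pos:pos + 3]
            if key not in KEYWORDS or eq != "=" or not val.isdigit():
                raise ValueError(f"bad key-value pair near {key!r}")
            body[key], pos = int(val), pos + 3
        defs[level], pos = body, pos + 1
    return defs

def key_strength(defs, key_type, bits):
    """Highest defined strength whose minimum the key meets, else 0 (assumed semantics)."""
    kw = KEY_KEYWORD[key_type]
    return max((s for s, body in defs.items() if kw in body and bits >= body[kw]), default=0)
```

With the sample above, a 4096-bit RSA key only reaches strength 128 because the 192 block omits MOD_EXP, and an empty configuration yields strength 0 for every key.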

See Also

strength.conf(5),

opencryptoki(7),

/usr/share/doc/opencryptoki/strength-example.conf

Referenced By

pkcsstats(1), policy.conf(5).

September 2021 3.24 openCryptoki