STRENGTH.CONF(5)                  openCryptoki                  STRENGTH.CONF(5)

NAME
strength.conf - Configuration file for openCryptoki strength configuration.

DESCRIPTION
openCryptoki uses a strength configuration file at /etc/opencryptoki/strength.conf.

This configuration file allows users to configure openCryptoki's cryptographic key strength determination based on key attributes. This file is required by openCryptoki.

This file starts with a version specification of the form "version strength-0", followed by the definition of various strengths.

23
24 Each strength definition is composed of a strength, brackets and key-
25 value pairs.
26
27 strength number
28 {
29 ...
30 }
31
32 Supported numbers are 112, 128, 192, and 256 representing the corre‐
33 sponding strength in bits.
34
35 Note: These definitions are optional. If a definition is missing, no
36 key can have the strength. If no strength definition is present, all
37 keys will have strength 0.
38
More than one key-value pair may be used within a strength definition.

A key-value pair is composed of keyword = value, where value is an unsigned number.

The following keywords are valid:

MOD_EXP
Specifies the minimum number of bits required for RSA moduli, and for DH and DSA primes, such that the corresponding key is of the currently defined strength.

Note: This key-value pair is optional. If not present, no RSA, DH, or DSA key can have the currently defined strength.

ECC
Specifies the minimum number of bits in the prime field of the elliptic curve such that the corresponding key is of the currently defined strength.

Note: This key-value pair is optional. If not present, no EC key can have the currently defined strength.

SYMMETRIC
Specifies the minimum number of bits required for symmetric keys such that the corresponding key is of the currently defined strength.

Note: This key-value pair is optional. If not present, no symmetric key can have the currently defined strength.

digest
Specifies the minimum size in bits of digest outputs required by the currently defined strength.

Note: This key-value pair is optional. If not present, this strength definition does not constrain the size of digests.

signature
Specifies the minimum size in bits of signatures required by the currently defined strength.

Note: This key-value pair is optional. If not present, this strength definition does not constrain the size of signatures.

The strength configuration file must be owned by root:pkcs11, have mode 0640, and be parsable. Otherwise, openCryptoki returns CKR_FUNCTION_FAILED from C_Initialize and logs a message to syslog detailing why the strength configuration could not be used. In this case, fix the problem described in syslog to be able to use openCryptoki again.


The pound sign ('#') is used to indicate a comment. Both the comment character and any text after it, up to the end of the line, are ignored. The comment character can be used at the beginning of a line (including before the file version specification), after a value, and before and after the braces.

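The following is an added example written for this page, not openCryptoki's own parser: a small Python reader for the grammar described above (comment rule, version line, the four permitted strength numbers, the five keywords) that then rates sample keys and checks the root:pkcs11/0640 requirement before C_Initialize would. The function names, SAMPLE_CONF and its thresholds are constructed here, and the rating rule (a key gets the highest defined strength whose minimum it meets) is this example's reading of the thresholds, not something the page spells out.

```python
# Added example for this page, not openCryptoki's own code.  Function names,
# SAMPLE_CONF and its thresholds are constructed for illustration.
import grp
import os
import pwd
import re
import stat

KEYWORDS = {"MOD_EXP", "ECC", "SYMMETRIC", "digest", "signature"}
STRENGTHS = (112, 128, 192, 256)

SAMPLE_CONF = """\
# constructed sample input; a comment may precede the version line
version strength-0
strength 112 {
    MOD_EXP = 2048        # RSA moduli, DH and DSA primes
    ECC = 224             # EC prime field size
    SYMMETRIC = 112
}
strength 128 {
    MOD_EXP = 3072
    ECC = 256
    SYMMETRIC = 128
    digest = 256
    signature = 128
}
strength 256 {  # no ECC line, so no EC key can be rated 256 by this file
    MOD_EXP = 15360
    SYMMETRIC = 256
}
"""


def parse_strength_conf(text):
    """Return {strength: {keyword: value}}; anything outside the documented
    grammar raises ValueError, as openCryptoki refuses an unparsable file."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]           # '#' to end of line is ignored
        tokens.extend(re.findall(r"[{}=]|[^\s{}=]+", line))
    if tokens[:2] != ["version", "strength-0"]:
        raise ValueError("file must start with 'version strength-0'")
    defs, pos = {}, 2
    while pos < len(tokens):
        if tokens[pos] != "strength" or pos + 2 >= len(tokens) or tokens[pos + 2] != "{":
            raise ValueError("expected 'strength <number> {' at token %d" % pos)
        number = tokens[pos + 1]
        if not number.isdigit() or int(number) not in STRENGTHS:
            raise ValueError("unsupported strength %r" % number)
        number = int(number)
        if number in defs:
            raise ValueError("strength %d defined twice" % number)
        pairs, pos = {}, pos + 3
        while pos < len(tokens) and tokens[pos] != "}":
            if pos + 2 >= len(tokens) or tokens[pos + 1] != "=":
                raise ValueError("expected 'keyword = value' at token %d" % pos)
            keyword, value = tokens[pos], tokens[pos + 2]
            if keyword not in KEYWORDS or not value.isdigit():
                raise ValueError("bad key-value pair %s = %s" % (keyword, value))
            pairs[keyword] = int(value)
            pos += 3
        if pos >= len(tokens):
            raise ValueError("unterminated block for strength %d" % number)
        defs[number] = pairs
        pos += 1                              # consume '}'
    return defs


def parse_error(text):
    """None if text parses, otherwise the ValueError message."""
    try:
        parse_strength_conf(text)
        return None
    except ValueError as exc:
        return str(exc)


def key_strength(defs, kind, bits):
    """Rate a key of `bits` bits; `kind` is MOD_EXP (RSA/DH/DSA), ECC or
    SYMMETRIC.  Assumed rule: highest defined strength whose minimum is met.
    A strength with no line for `kind` is unreachable; no definitions -> 0."""
    best = 0
    for strength, pairs in defs.items():
        minimum = pairs.get(kind)
        if minimum is not None and bits >= minimum:
            best = max(best, strength)
    return best


def permission_problems(mode, owner, group):
    """Reasons openCryptoki would reject the file: must be root:pkcs11, 0640."""
    problems = []
    if stat.S_IMODE(mode) != 0o640:
        problems.append("mode is %04o, expected 0640" % stat.S_IMODE(mode))
    if owner != "root":
        problems.append("owner is %s, expected root" % owner)
    if group != "pkcs11":
        problems.append("group is %s, expected pkcs11" % group)
    return problems


def check_file(path="/etc/opencryptoki/strength.conf"):
    """Pre-flight for C_Initialize on a real file: (problems, definitions)."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    with open(path) as fh:
        return permission_problems(st.st_mode, owner, group), parse_strength_conf(fh.read())
```

With SAMPLE_CONF, a 4096-bit RSA key rates 128 (there is no 192 block to reach), a P-521 EC key also rates 128 because the 256 block has no ECC line, and an empty definition set rates everything 0. check_file() runs the same ownership and parse checks against the installed file, so a failing C_Initialize can be diagnosed without reading syslog.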

SEE ALSO
strength.conf(5),
opencryptoki(7),
/usr/share/doc/opencryptoki/strength-example.conf



3.20.0                           September 2021                 STRENGTH.CONF(5)