STRENGTH.CONF(5)		 openCryptoki		      STRENGTH.CONF(5)

NAME
       strength.conf - Configuration file for openCryptoki strength
       configuration.

DESCRIPTION
       openCryptoki uses a strength configuration file at
       /etc/opencryptoki/strength.conf.

       This configuration file allows users to configure openCryptoki
       cryptographic key strength determination based on key attributes.
       This file is required by openCryptoki.

SYNTAX
       This file starts with a version specification of the form version
       strength-0 followed by the definition of various strengths.

       Each strength definition is composed of a strength, braces, and
       key-value pairs.

	strength number
	{
	    ...
	}

       Supported numbers are 112, 128, 192, and 256, representing the
       corresponding strength in bits.

       Note: These definitions are optional. If a definition is missing, no
       key can have that strength. If no strength definition is present, all
       keys will have strength 0.

       More than one key-value pair may be used within a strength definition.

       A key-value pair is composed of keyword = value, where value is an
       unsigned number.

       The following keywords are valid:

       MOD_EXP
              Specifies the minimum number of bits required for RSA moduli,
              and DH and DSA primes such that the corresponding key is of the
              currently defined strength.

              Note: This key-value pair is optional. If not present, no RSA,
              DH, or DSA key can have the currently defined strength.

       ECC    Specifies the minimum number of bits in the prime field of the
              elliptic curve such that the corresponding key is of the
              currently defined strength.

              Note: This key-value pair is optional. If not present, no EC
              key can have the currently defined strength.

       SYMMETRIC
              Specifies the minimum number of bits required for symmetric keys
              such that the corresponding key is of the currently defined
              strength.

              Note: This key-value pair is optional. If not present, no
              symmetric key can have the currently defined strength.

       digest Specifies the minimum size in bits of digest outputs required by
              the currently defined strength.

              Note: This key-value pair is optional. If not present, this
              strength definition does not constrain the size of digests.

       signature
              Specifies the minimum size in bits of signatures required by the
              currently defined strength.

              Note: This key-value pair is optional. If not present, this
              strength definition does not constrain the size of signatures.

NOTES
       The strength configuration file has to be owned by root:pkcs11, have
       mode 0640, and be parsable. Otherwise, openCryptoki will return
       CKR_FUNCTION_FAILED on C_Initialize and log a corresponding message to
       syslog detailing the reason why the strength configuration could not be
       used. In this case, fix the problem described in syslog to be able to
       use openCryptoki again.

       The pound sign ('#') is used to indicate a comment. Both the comment
       character and any text after it, up to the end of the line, are
       ignored. The comment character can be used at the beginning of a line
       (including before the file version specification), after a value, and
       before and after the braces.
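
       The syntax and comment rules above, as an added example that is not
       part of openCryptoki or of this manual page: a small Python parser for
       the format, plus a lookup that returns the highest defined strength
       whose minimum a key of a given size meets. The sample file contents
       and bit values are constructed for illustration, and the function
       names are hypothetical.

```python
import re

SUPPORTED = {112, 128, 192, 256}
KEYWORDS = {"MOD_EXP", "ECC", "SYMMETRIC", "digest", "signature"}
# Constructed sample input; the bit values are illustrative assumptions.
SAMPLE = """\
# a comment may precede the version line
version strength-0
strength 112 {          # comment after a brace
    MOD_EXP = 2048      # RSA moduli, DH and DSA primes
    ECC = 224
    SYMMETRIC = 112
}
strength 128
{
    MOD_EXP = 3072
    ECC = 256
    SYMMETRIC = 128
}
"""

def parse_strength_conf(text):
    """Return {strength: {keyword: minimum_bits}}; raise ValueError if unparsable."""
    # Drop '#' comments, then split into words, braces and '=' signs.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tok = re.findall(r"[{}=]|[^\s{}=]+", body)
    if tok[:2] != ["version", "strength-0"]:
        raise ValueError("file must start with 'version strength-0'")
    defs, i = {}, 2
    while i < len(tok):
        if tok[i] != "strength" or i + 2 >= len(tok) or tok[i + 2] != "{":
            raise ValueError(f"expected 'strength <number> {{' at token {i}")
        if tok[i + 1] not in map(str, SUPPORTED):
            raise ValueError(f"unsupported strength {tok[i + 1]!r}")
        level, i = int(tok[i + 1]), i + 3
        pairs = defs.setdefault(level, {})
        while i < len(tok) and tok[i] != "}":
            kw, eq, val = (tok[i:i + 3] + ["", ""])[:3]
            if kw not in KEYWORDS or eq != "=" or not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"bad key-value pair near {kw!r}")
            pairs[kw], i = int(val), i + 3
        if i >= len(tok):
            raise ValueError(f"strength {level}: missing closing brace")
        i += 1
    return defs

def key_strength(defs, keyword, bits):
    """Highest defined strength whose minimum for keyword is met by bits, else 0."""
    return max((s for s, kv in defs.items() if kv.get(keyword, bits + 1) <= bits), default=0)
```

       Running a candidate file through such a check before installing it
       catches syntax errors that would otherwise surface only as
       CKR_FUNCTION_FAILED from C_Initialize.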

SEE ALSO
       strength.conf(5),
       opencryptoki(7),
       /usr/share/doc/opencryptoki/strength-example.conf

3.19.0				September 2021		      STRENGTH.CONF(5)
