NAME

       strength.conf - Configuration file for openCryptoki strength configuration.

DESCRIPTION

       openCryptoki uses a strength configuration file at /etc/opencryptoki/strength.conf

       This  configuration file allows users to configure openCryptoki cryptographic key strength
       determination based on key attributes.  This file is required by openCryptoki.

SYNTAX

       This file starts with a version specification of the form version strength-0  followed  by
       the definition of various strengths.

       Each strength definition is composed of a strength, brackets and key-value pairs.

        strength number
        {
            ...
        }

       Supported  numbers  are  112, 128, 192, and 256 representing the corresponding strength in
       bits.

       Note: These definitions are optional.  If a definition is missing, no  key  can  have  the
       strength.  If no strength definition is present, all keys will have strength 0.

       More than one key-value pair may be used within a strength description.

       A key-value pair is composed of keyword = value where value is an unsigned number.

       The following keywords are valid:

       MOD_EXP
              Specifies the minimum number of bits required for RSA moduli, and DH and DSA primes
              such that the corresponding key is of the currently defined strength.

              Note: This key-value pair is optional.  If not present, no RSA, DH, or DSA key  can
              have the currently defined strength.

       ECC    Specifies  the minimum number of bits in the prime field of the elliptic curve such
              that the corresponding key is of the currently defined strength.

              Note: This key-value pair is optional.  If not present, no  EC  key  can  have  the
              currently defined strength.

       SYMMETRIC
              Specifies  the  minimum  number  of  bits required for symmetric keys such that the
              corresponding key is of the currently defined strength.

              Note: This key-value pair is optional.  If not present, no symmetric key  can  have
              the currently defined strength.

       digest Specifies  the  minimum  size  in  bits of digest outputs required by the currently
              defined strength.

              Note: This key-value pair is optional.  If not present,  this  strength  definition
              does not constrain the size of digests.

       signature
              Specifies  the minimum size in bits of signatures required by the currently defined
              strength.

              Note: This key-value pair is optional.  If not present,  this  strength  definition
              does not constrain the size of signatures.

NOTES

       The  strength  configuration  file  has to be owned by root:pkcs11, have mode 0640, and be
       parsable.  Otherwise, openCryptoki will return CKR_FUNCTION_FAILED on C_Initialize and log
       a  corresponding  message  to  syslog  detailing the reason why the strength configuration
       could not be used.  In this case, fix the problem described in syslog to be  able  to  use
       openCryptoki again.

       The  pound  sign  ('#') is used to indicate a comment.  Both the comment character and any
       text after it, up to the end of the line, are ignored. The comment character can  be  used
       at  the  beginning  of  a  line (including before the file version specification), after a
       value, and before and after the braces.

SEE ALSO

       strength.conf(5),
       opencryptoki(7),
       /usr/share/doc/opencryptoki/strength-example.conf