Provided by: opencryptoki_3.23.0+dfsg-0ubuntu3_amd64

NAME

       strength.conf - Configuration file for openCryptoki strength configuration.

DESCRIPTION

       openCryptoki uses a strength configuration file at /etc/opencryptoki/strength.conf.

       This  configuration  file allows users to configure openCryptoki cryptographic key strength determination
       based on key attributes.  This file is required by openCryptoki.

SYNTAX

       This file starts with a version specification of the form version strength-0 followed by  the  definition
       of various strengths.

       Each strength definition is composed of the keyword strength, a number, and key-value pairs enclosed in
       braces.

        strength number
        {
            ...
        }

       Supported numbers are 112, 128, 192, and 256 representing the corresponding strength in bits.

       Note:  These  definitions are optional.  If a definition is missing, no key can have that strength.  If
       no strength definition is present, all keys will have strength 0.

       More than one key-value pair may be used within a strength description.

       A key-value pair is composed of keyword = value where value is an unsigned number.

       The following keywords are valid:

       MOD_EXP
              Specifies the minimum number of bits required for RSA moduli, and DH and DSA primes such that  the
              corresponding key is of the currently defined strength.

              Note:  This  key-value  pair  is  optional.   If  not present, no RSA, DH, or DSA key can have the
              currently defined strength.

       ECC    Specifies the minimum number of bits in the prime field  of  the  elliptic  curve  such  that  the
              corresponding key is of the currently defined strength.

              Note:  This  key-value pair is optional.  If not present, no EC key can have the currently defined
              strength.

       SYMMETRIC
              Specifies the minimum number of bits required for symmetric keys such that the  corresponding  key
              is of the currently defined strength.

              Note:  This  key-value  pair is optional.  If not present, no symmetric key can have the currently
              defined strength.

       digest Specifies the minimum size in bits of digest outputs required by the currently defined strength.

              Note: This key-value pair is  optional.   If  not  present,  this  strength  definition  does  not
              constrain the size of digests.

       signature
              Specifies the minimum size in bits of signatures required by the currently defined strength.

              Note:  This  key-value  pair  is  optional.   If  not  present,  this strength definition does not
              constrain the size of signatures.

NOTES

       The strength configuration file has to be  owned  by  root:pkcs11,  have  mode  0640,  and  be  parsable.
       Otherwise,  openCryptoki  will return CKR_FUNCTION_FAILED on C_Initialize and log a corresponding message
       to syslog detailing the reason why the strength configuration could not be used.  In this case,  fix  the
       problem described in syslog to be able to use openCryptoki again.

       The pound sign ('#') is used to indicate a comment.  Both the comment character and any text after it, up
       to the end of the line, are ignored. The comment character can  be  used  at  the  beginning  of  a  line
       (including before the file version specification), after a value, and before and after the braces.
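
       The following Python example is added here and is not part of openCryptoki: it parses the syntax
       described above (version line, strength blocks, '#' comments) and reports the strength a key of a
       given size reaches. Assumptions: a key gets the highest defined strength whose minimum it meets,
       values are decimal, the sample thresholds are constructed, and the names parse_strength_conf and
       key_strength are hypothetical.

```python
import re

# Constructed sample input; the thresholds are illustrative only.
SAMPLE = """\
# a comment may precede the version line
version strength-0
strength 112 {            # comment after a brace
    MOD_EXP = 2048
    ECC = 224
    SYMMETRIC = 112
}
strength 128
{
    MOD_EXP = 3072        # comment after a value
    ECC = 256
}
"""

STRENGTHS = {"112", "128", "192", "256"}
KEYWORDS = {"MOD_EXP", "ECC", "SYMMETRIC", "digest", "signature"}

def parse_strength_conf(text):
    """Return {strength: {keyword: min_bits}}; raise ValueError if unparsable."""
    # Drop everything from '#' to end of line, then split into words and { } = tokens.
    toks = [t for line in text.splitlines()
            for t in re.findall(r"[{}=]|[^\s{}=]+", line.split("#", 1)[0])]
    if toks[:2] != ["version", "strength-0"]:
        raise ValueError("file must start with 'version strength-0'")
    defs, i = {}, 2
    try:
        while i < len(toks):
            if toks[i] != "strength" or toks[i + 1] not in STRENGTHS or toks[i + 2] != "{":
                raise ValueError(f"bad strength header near {toks[i]!r}")
            level, i = defs.setdefault(int(toks[i + 1]), {}), i + 3
            while toks[i] != "}":
                key, eq, val = toks[i:i + 3]
                if key not in KEYWORDS or eq != "=" or not (val.isascii() and val.isdigit()):
                    raise ValueError(f"bad key-value pair near {key!r}")
                level[key], i = int(val), i + 3
            i += 1  # skip the closing brace
    except IndexError:
        raise ValueError("unexpected end of file") from None
    return defs

def key_strength(defs, keyword, bits):
    """Highest defined strength whose minimum for keyword is met, else 0 (assumed rule)."""
    # A definition without the keyword can never be reached by that key type.
    return max((s for s, kv in defs.items() if bits >= kv.get(keyword, float("inf"))), default=0)
```

       With the sample above, a 256-bit symmetric key reaches only strength 112, because the 128 definition
       has no SYMMETRIC entry.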

SEE ALSO

       strength.conf(5),
       opencryptoki(7),
       /usr/share/doc/opencryptoki/strength-example.conf