sandbox
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Christopher Haster
Embed:
(wiki syntax)
Show/hide line numbers
pkcs11.c
Go to the documentation of this file.
00001 /** 00002 * \file pkcs11.c 00003 * 00004 * \brief Wrapper for PKCS#11 library libpkcs11-helper 00005 * 00006 * \author Adriaan de Jong <dejong@fox-it.com> 00007 * 00008 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00009 * SPDX-License-Identifier: Apache-2.0 00010 * 00011 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00012 * not use this file except in compliance with the License. 00013 * You may obtain a copy of the License at 00014 * 00015 * http://www.apache.org/licenses/LICENSE-2.0 00016 * 00017 * Unless required by applicable law or agreed to in writing, software 00018 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00019 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00020 * See the License for the specific language governing permissions and 00021 * limitations under the License. 00022 * 00023 * This file is part of mbed TLS (https://tls.mbed.org) 00024 */ 00025 00026 #include "mbedtls/pkcs11.h" 00027 00028 #if defined(MBEDTLS_PKCS11_C) 00029 00030 #include "mbedtls/md.h" 00031 #include "mbedtls/oid.h" 00032 #include "mbedtls/x509_crt.h" 00033 00034 #if defined(MBEDTLS_PLATFORM_C) 00035 #include "mbedtls/platform.h" 00036 #else 00037 #include <stdlib.h> 00038 #define mbedtls_calloc calloc 00039 #define mbedtls_free free 00040 #endif 00041 00042 #include <string.h> 00043 00044 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx ) 00045 { 00046 memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) ); 00047 } 00048 00049 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert ) 00050 { 00051 int ret = 1; 00052 unsigned char *cert_blob = NULL; 00053 size_t cert_blob_size = 0; 00054 00055 if( cert == NULL ) 00056 { 00057 ret = 2; 00058 goto cleanup; 00059 } 00060 00061 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL, 00062 &cert_blob_size ) != CKR_OK ) 00063 { 00064 ret = 3; 00065 goto cleanup; 00066 } 00067 00068 cert_blob = mbedtls_calloc( 1, cert_blob_size ); 00069 if( NULL == cert_blob ) 00070 { 00071 ret = 4; 00072 goto cleanup; 00073 } 00074 00075 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob, 00076 &cert_blob_size ) != CKR_OK ) 00077 { 00078 ret = 5; 00079 goto cleanup; 00080 } 00081 00082 if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) ) 00083 { 00084 ret = 6; 00085 goto cleanup; 00086 } 00087 00088 ret = 0; 00089 00090 cleanup: 00091 if( NULL != cert_blob ) 00092 mbedtls_free( cert_blob ); 00093 00094 return( ret ); 00095 } 00096 00097 00098 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key, 00099 pkcs11h_certificate_t pkcs11_cert ) 00100 { 00101 int ret = 1; 00102 mbedtls_x509_crt cert; 00103 00104 mbedtls_x509_crt_init( &cert ); 00105 00106 if( priv_key == NULL ) 00107 goto cleanup; 00108 00109 if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) ) 00110 goto cleanup; 00111 00112 priv_key->len = mbedtls_pk_get_len( &cert.pk ); 00113 priv_key->pkcs11h_cert = pkcs11_cert; 00114 00115 ret = 0; 00116 00117 cleanup: 00118 mbedtls_x509_crt_free( &cert ); 00119 00120 return( ret ); 00121 } 00122 00123 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key ) 00124 { 00125 if( NULL != priv_key ) 00126 pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert ); 00127 } 00128 00129 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx, 00130 int mode, size_t *olen, 00131 const unsigned char *input, 00132 unsigned char *output, 00133 size_t output_max_len ) 00134 { 00135 size_t input_len, output_len; 00136 00137 if( NULL == ctx ) 00138 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00139 00140 if( MBEDTLS_RSA_PRIVATE != mode ) 00141 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00142 00143 output_len = input_len = ctx->len; 00144 00145 if( input_len < 16 || input_len > output_max_len ) 00146 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00147 00148 /* Determine size of output buffer */ 00149 if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input, 00150 input_len, NULL, &output_len ) != CKR_OK ) 00151 { 00152 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00153 } 00154 00155 if( output_len > output_max_len ) 00156 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00157 00158 if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input, 00159 input_len, output, &output_len ) != CKR_OK ) 00160 { 00161 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00162 } 00163 *olen = output_len; 00164 return( 0 ); 00165 } 00166 00167 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx, 00168 int mode, 00169 mbedtls_md_type_t md_alg, 00170 unsigned int hashlen, 00171 const unsigned char *hash, 00172 unsigned char *sig ) 00173 { 00174 size_t sig_len = 0, asn_len = 0, oid_size = 0; 00175 unsigned char *p = sig; 00176 const char *oid; 00177 00178 if( NULL == ctx ) 00179 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00180 00181 if( MBEDTLS_RSA_PRIVATE != mode ) 00182 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00183 00184 if( md_alg != MBEDTLS_MD_NONE ) 00185 { 00186 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 00187 if( md_info == NULL ) 00188 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00189 00190 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 00191 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00192 00193 hashlen = mbedtls_md_get_size( md_info ); 00194 asn_len = 10 + oid_size; 00195 } 00196 00197 sig_len = ctx->len; 00198 if( hashlen > sig_len || asn_len > sig_len || 00199 hashlen + asn_len > sig_len ) 00200 { 00201 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00202 } 00203 00204 if( md_alg != MBEDTLS_MD_NONE ) 00205 { 00206 /* 00207 * DigestInfo ::= SEQUENCE { 00208 * digestAlgorithm DigestAlgorithmIdentifier, 00209 * digest Digest } 00210 * 00211 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 00212 * 00213 * Digest ::= OCTET STRING 00214 */ 00215 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 00216 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); 00217 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 00218 *p++ = (unsigned char) ( 0x04 + oid_size ); 00219 *p++ = MBEDTLS_ASN1_OID; 00220 *p++ = oid_size & 0xFF; 00221 memcpy( p, oid, oid_size ); 00222 p += oid_size; 00223 *p++ = MBEDTLS_ASN1_NULL; 00224 *p++ = 0x00; 00225 *p++ = MBEDTLS_ASN1_OCTET_STRING; 00226 *p++ = hashlen; 00227 } 00228 00229 memcpy( p, hash, hashlen ); 00230 00231 if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig, 00232 asn_len + hashlen, sig, &sig_len ) != CKR_OK ) 00233 { 00234 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00235 } 00236 00237 return( 0 ); 00238 } 00239 00240 #endif /* defined(MBEDTLS_PKCS11_C) */
Generated on Tue Jul 12 2022 12:52:45 by
1.7.2