Doug Anson / mbedTLSLibrary

mbed TLS library

Dependents:   HTTPClient-SSL WS_SERVER

include/polarssl/pkcs11.h@0:137634ff4186, 2015-06-11 (annotated)

Committer:
ansond
Date:
Thu Jun 11 03:27:03 2015 +0000
Revision:
0:137634ff4186
initial commit

Who changed what in which revision?

UserRevisionLine numberNew contents of line
ansond 0:137634ff4186 1 /**
ansond 0:137634ff4186 2 * \file pkcs11.h
ansond 0:137634ff4186 3 *
ansond 0:137634ff4186 4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
ansond 0:137634ff4186 5 *
ansond 0:137634ff4186 6 * \author Adriaan de Jong <dejong@fox-it.com>
ansond 0:137634ff4186 7 *
ansond 0:137634ff4186 8 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
ansond 0:137634ff4186 9 *
ansond 0:137634ff4186 10 * This file is part of mbed TLS (https://tls.mbed.org)
ansond 0:137634ff4186 11 *
ansond 0:137634ff4186 12 * This program is free software; you can redistribute it and/or modify
ansond 0:137634ff4186 13 * it under the terms of the GNU General Public License as published by
ansond 0:137634ff4186 14 * the Free Software Foundation; either version 2 of the License, or
ansond 0:137634ff4186 15 * (at your option) any later version.
ansond 0:137634ff4186 16 *
ansond 0:137634ff4186 17 * This program is distributed in the hope that it will be useful,
ansond 0:137634ff4186 18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
ansond 0:137634ff4186 19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
ansond 0:137634ff4186 20 * GNU General Public License for more details.
ansond 0:137634ff4186 21 *
ansond 0:137634ff4186 22 * You should have received a copy of the GNU General Public License along
ansond 0:137634ff4186 23 * with this program; if not, write to the Free Software Foundation, Inc.,
ansond 0:137634ff4186 24 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
ansond 0:137634ff4186 25 */
ansond 0:137634ff4186 26 #ifndef POLARSSL_PKCS11_H
ansond 0:137634ff4186 27 #define POLARSSL_PKCS11_H
ansond 0:137634ff4186 28
ansond 0:137634ff4186 29 #if !defined(POLARSSL_CONFIG_FILE)
ansond 0:137634ff4186 30 #include "config.h"
ansond 0:137634ff4186 31 #else
ansond 0:137634ff4186 32 #include POLARSSL_CONFIG_FILE
ansond 0:137634ff4186 33 #endif
ansond 0:137634ff4186 34
ansond 0:137634ff4186 35 #if defined(POLARSSL_PKCS11_C)
ansond 0:137634ff4186 36
ansond 0:137634ff4186 37 #include "x509_crt.h"
ansond 0:137634ff4186 38
ansond 0:137634ff4186 39 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
ansond 0:137634ff4186 40
ansond 0:137634ff4186 41 #if defined(_MSC_VER) && !defined(inline)
ansond 0:137634ff4186 42 #define inline _inline
ansond 0:137634ff4186 43 #else
ansond 0:137634ff4186 44 #if defined(__ARMCC_VERSION) && !defined(inline)
ansond 0:137634ff4186 45 #define inline __inline
ansond 0:137634ff4186 46 #endif /* __ARMCC_VERSION */
ansond 0:137634ff4186 47 #endif /*_MSC_VER */
ansond 0:137634ff4186 48
ansond 0:137634ff4186 49 #ifdef __cplusplus
ansond 0:137634ff4186 50 extern "C" {
ansond 0:137634ff4186 51 #endif
ansond 0:137634ff4186 52
ansond 0:137634ff4186 53 /**
ansond 0:137634ff4186 54 * Context for PKCS #11 private keys.
ansond 0:137634ff4186 55 */
ansond 0:137634ff4186 56 typedef struct {
ansond 0:137634ff4186 57 pkcs11h_certificate_t pkcs11h_cert;
ansond 0:137634ff4186 58 int len;
ansond 0:137634ff4186 59 } pkcs11_context;
ansond 0:137634ff4186 60
ansond 0:137634ff4186 61 /**
ansond 0:137634ff4186 62 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
ansond 0:137634ff4186 63 *
ansond 0:137634ff4186 64 * \param cert X.509 certificate to fill
ansond 0:137634ff4186 65 * \param pkcs11h_cert PKCS #11 helper certificate
ansond 0:137634ff4186 66 *
ansond 0:137634ff4186 67 * \return 0 on success.
ansond 0:137634ff4186 68 */
ansond 0:137634ff4186 69 int pkcs11_x509_cert_init( x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
ansond 0:137634ff4186 70
ansond 0:137634ff4186 71 /**
ansond 0:137634ff4186 72 * Initialise a pkcs11_context, storing the given certificate. Note that the
ansond 0:137634ff4186 73 * pkcs11_context will take over control of the certificate, freeing it when
ansond 0:137634ff4186 74 * done.
ansond 0:137634ff4186 75 *
ansond 0:137634ff4186 76 * \param priv_key Private key structure to fill.
ansond 0:137634ff4186 77 * \param pkcs11_cert PKCS #11 helper certificate
ansond 0:137634ff4186 78 *
ansond 0:137634ff4186 79 * \return 0 on success
ansond 0:137634ff4186 80 */
ansond 0:137634ff4186 81 int pkcs11_priv_key_init( pkcs11_context *priv_key,
ansond 0:137634ff4186 82 pkcs11h_certificate_t pkcs11_cert );
ansond 0:137634ff4186 83
ansond 0:137634ff4186 84 /**
ansond 0:137634ff4186 85 * Free the contents of the given private key context. Note that the structure
ansond 0:137634ff4186 86 * itself is not freed.
ansond 0:137634ff4186 87 *
ansond 0:137634ff4186 88 * \param priv_key Private key structure to cleanup
ansond 0:137634ff4186 89 */
ansond 0:137634ff4186 90 void pkcs11_priv_key_free( pkcs11_context *priv_key );
ansond 0:137634ff4186 91
ansond 0:137634ff4186 92 /**
ansond 0:137634ff4186 93 * \brief Do an RSA private key decrypt, then remove the message
ansond 0:137634ff4186 94 * padding
ansond 0:137634ff4186 95 *
ansond 0:137634ff4186 96 * \param ctx PKCS #11 context
ansond 0:137634ff4186 97 * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature
ansond 0:137634ff4186 98 * \param input buffer holding the encrypted data
ansond 0:137634ff4186 99 * \param output buffer that will hold the plaintext
ansond 0:137634ff4186 100 * \param olen will contain the plaintext length
ansond 0:137634ff4186 101 * \param output_max_len maximum length of the output buffer
ansond 0:137634ff4186 102 *
ansond 0:137634ff4186 103 * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
ansond 0:137634ff4186 104 *
ansond 0:137634ff4186 105 * \note The output buffer must be as large as the size
ansond 0:137634ff4186 106 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
ansond 0:137634ff4186 107 * an error is thrown.
ansond 0:137634ff4186 108 */
ansond 0:137634ff4186 109 int pkcs11_decrypt( pkcs11_context *ctx,
ansond 0:137634ff4186 110 int mode, size_t *olen,
ansond 0:137634ff4186 111 const unsigned char *input,
ansond 0:137634ff4186 112 unsigned char *output,
ansond 0:137634ff4186 113 size_t output_max_len );
ansond 0:137634ff4186 114
ansond 0:137634ff4186 115 /**
ansond 0:137634ff4186 116 * \brief Do a private RSA to sign a message digest
ansond 0:137634ff4186 117 *
ansond 0:137634ff4186 118 * \param ctx PKCS #11 context
ansond 0:137634ff4186 119 * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature
ansond 0:137634ff4186 120 * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
ansond 0:137634ff4186 121 * \param hashlen message digest length (for POLARSSL_MD_NONE only)
ansond 0:137634ff4186 122 * \param hash buffer holding the message digest
ansond 0:137634ff4186 123 * \param sig buffer that will hold the ciphertext
ansond 0:137634ff4186 124 *
ansond 0:137634ff4186 125 * \return 0 if the signing operation was successful,
ansond 0:137634ff4186 126 * or an POLARSSL_ERR_RSA_XXX error code
ansond 0:137634ff4186 127 *
ansond 0:137634ff4186 128 * \note The "sig" buffer must be as large as the size
ansond 0:137634ff4186 129 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
ansond 0:137634ff4186 130 */
ansond 0:137634ff4186 131 int pkcs11_sign( pkcs11_context *ctx,
ansond 0:137634ff4186 132 int mode,
ansond 0:137634ff4186 133 md_type_t md_alg,
ansond 0:137634ff4186 134 unsigned int hashlen,
ansond 0:137634ff4186 135 const unsigned char *hash,
ansond 0:137634ff4186 136 unsigned char *sig );
ansond 0:137634ff4186 137
ansond 0:137634ff4186 138 /**
ansond 0:137634ff4186 139 * SSL/TLS wrappers for PKCS#11 functions
ansond 0:137634ff4186 140 */
ansond 0:137634ff4186 141 static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
ansond 0:137634ff4186 142 const unsigned char *input, unsigned char *output,
ansond 0:137634ff4186 143 size_t output_max_len )
ansond 0:137634ff4186 144 {
ansond 0:137634ff4186 145 return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output,
ansond 0:137634ff4186 146 output_max_len );
ansond 0:137634ff4186 147 }
ansond 0:137634ff4186 148
ansond 0:137634ff4186 149 static inline int ssl_pkcs11_sign( void *ctx,
ansond 0:137634ff4186 150 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
ansond 0:137634ff4186 151 int mode, md_type_t md_alg, unsigned int hashlen,
ansond 0:137634ff4186 152 const unsigned char *hash, unsigned char *sig )
ansond 0:137634ff4186 153 {
ansond 0:137634ff4186 154 ((void) f_rng);
ansond 0:137634ff4186 155 ((void) p_rng);
ansond 0:137634ff4186 156 return pkcs11_sign( (pkcs11_context *) ctx, mode, md_alg,
ansond 0:137634ff4186 157 hashlen, hash, sig );
ansond 0:137634ff4186 158 }
ansond 0:137634ff4186 159
ansond 0:137634ff4186 160 static inline size_t ssl_pkcs11_key_len( void *ctx )
ansond 0:137634ff4186 161 {
ansond 0:137634ff4186 162 return ( (pkcs11_context *) ctx )->len;
ansond 0:137634ff4186 163 }
ansond 0:137634ff4186 164
ansond 0:137634ff4186 165 #ifdef __cplusplus
ansond 0:137634ff4186 166 }
ansond 0:137634ff4186 167 #endif
ansond 0:137634ff4186 168
ansond 0:137634ff4186 169 #endif /* POLARSSL_PKCS11_C */
ansond 0:137634ff4186 170
ansond 0:137634ff4186 171 #endif /* POLARSSL_PKCS11_H */
ansond 0:137634ff4186 172