mbed TLS library
Dependents: HTTPClient-SSL WS_SERVER
include/polarssl/pkcs11.h@0:137634ff4186, 2015-06-11 (annotated)
- Committer:
- ansond
- Date:
- Thu Jun 11 03:27:03 2015 +0000
- Revision:
- 0:137634ff4186
initial commit
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
ansond | 0:137634ff4186 | 1 | /** |
ansond | 0:137634ff4186 | 2 | * \file pkcs11.h |
ansond | 0:137634ff4186 | 3 | * |
ansond | 0:137634ff4186 | 4 | * \brief Wrapper for PKCS#11 library libpkcs11-helper |
ansond | 0:137634ff4186 | 5 | * |
ansond | 0:137634ff4186 | 6 | * \author Adriaan de Jong <dejong@fox-it.com> |
ansond | 0:137634ff4186 | 7 | * |
ansond | 0:137634ff4186 | 8 | * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved |
ansond | 0:137634ff4186 | 9 | * |
ansond | 0:137634ff4186 | 10 | * This file is part of mbed TLS (https://tls.mbed.org) |
ansond | 0:137634ff4186 | 11 | * |
ansond | 0:137634ff4186 | 12 | * This program is free software; you can redistribute it and/or modify |
ansond | 0:137634ff4186 | 13 | * it under the terms of the GNU General Public License as published by |
ansond | 0:137634ff4186 | 14 | * the Free Software Foundation; either version 2 of the License, or |
ansond | 0:137634ff4186 | 15 | * (at your option) any later version. |
ansond | 0:137634ff4186 | 16 | * |
ansond | 0:137634ff4186 | 17 | * This program is distributed in the hope that it will be useful, |
ansond | 0:137634ff4186 | 18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
ansond | 0:137634ff4186 | 19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
ansond | 0:137634ff4186 | 20 | * GNU General Public License for more details. |
ansond | 0:137634ff4186 | 21 | * |
ansond | 0:137634ff4186 | 22 | * You should have received a copy of the GNU General Public License along |
ansond | 0:137634ff4186 | 23 | * with this program; if not, write to the Free Software Foundation, Inc., |
ansond | 0:137634ff4186 | 24 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
ansond | 0:137634ff4186 | 25 | */ |
ansond | 0:137634ff4186 | 26 | #ifndef POLARSSL_PKCS11_H |
ansond | 0:137634ff4186 | 27 | #define POLARSSL_PKCS11_H |
ansond | 0:137634ff4186 | 28 | |
ansond | 0:137634ff4186 | 29 | #if !defined(POLARSSL_CONFIG_FILE) |
ansond | 0:137634ff4186 | 30 | #include "config.h" |
ansond | 0:137634ff4186 | 31 | #else |
ansond | 0:137634ff4186 | 32 | #include POLARSSL_CONFIG_FILE |
ansond | 0:137634ff4186 | 33 | #endif |
ansond | 0:137634ff4186 | 34 | |
ansond | 0:137634ff4186 | 35 | #if defined(POLARSSL_PKCS11_C) |
ansond | 0:137634ff4186 | 36 | |
ansond | 0:137634ff4186 | 37 | #include "x509_crt.h" |
ansond | 0:137634ff4186 | 38 | |
ansond | 0:137634ff4186 | 39 | #include <pkcs11-helper-1.0/pkcs11h-certificate.h> |
ansond | 0:137634ff4186 | 40 | |
ansond | 0:137634ff4186 | 41 | #if defined(_MSC_VER) && !defined(inline) |
ansond | 0:137634ff4186 | 42 | #define inline _inline |
ansond | 0:137634ff4186 | 43 | #else |
ansond | 0:137634ff4186 | 44 | #if defined(__ARMCC_VERSION) && !defined(inline) |
ansond | 0:137634ff4186 | 45 | #define inline __inline |
ansond | 0:137634ff4186 | 46 | #endif /* __ARMCC_VERSION */ |
ansond | 0:137634ff4186 | 47 | #endif /*_MSC_VER */ |
ansond | 0:137634ff4186 | 48 | |
ansond | 0:137634ff4186 | 49 | #ifdef __cplusplus |
ansond | 0:137634ff4186 | 50 | extern "C" { |
ansond | 0:137634ff4186 | 51 | #endif |
ansond | 0:137634ff4186 | 52 | |
ansond | 0:137634ff4186 | 53 | /** |
ansond | 0:137634ff4186 | 54 | * Context for PKCS #11 private keys. |
ansond | 0:137634ff4186 | 55 | */ |
ansond | 0:137634ff4186 | 56 | typedef struct { |
ansond | 0:137634ff4186 | 57 | pkcs11h_certificate_t pkcs11h_cert; |
ansond | 0:137634ff4186 | 58 | int len; |
ansond | 0:137634ff4186 | 59 | } pkcs11_context; |
ansond | 0:137634ff4186 | 60 | |
ansond | 0:137634ff4186 | 61 | /** |
ansond | 0:137634ff4186 | 62 | * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate. |
ansond | 0:137634ff4186 | 63 | * |
ansond | 0:137634ff4186 | 64 | * \param cert X.509 certificate to fill |
ansond | 0:137634ff4186 | 65 | * \param pkcs11h_cert PKCS #11 helper certificate |
ansond | 0:137634ff4186 | 66 | * |
ansond | 0:137634ff4186 | 67 | * \return 0 on success. |
ansond | 0:137634ff4186 | 68 | */ |
ansond | 0:137634ff4186 | 69 | int pkcs11_x509_cert_init( x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert ); |
ansond | 0:137634ff4186 | 70 | |
ansond | 0:137634ff4186 | 71 | /** |
ansond | 0:137634ff4186 | 72 | * Initialise a pkcs11_context, storing the given certificate. Note that the |
ansond | 0:137634ff4186 | 73 | * pkcs11_context will take over control of the certificate, freeing it when |
ansond | 0:137634ff4186 | 74 | * done. |
ansond | 0:137634ff4186 | 75 | * |
ansond | 0:137634ff4186 | 76 | * \param priv_key Private key structure to fill. |
ansond | 0:137634ff4186 | 77 | * \param pkcs11_cert PKCS #11 helper certificate |
ansond | 0:137634ff4186 | 78 | * |
ansond | 0:137634ff4186 | 79 | * \return 0 on success |
ansond | 0:137634ff4186 | 80 | */ |
ansond | 0:137634ff4186 | 81 | int pkcs11_priv_key_init( pkcs11_context *priv_key, |
ansond | 0:137634ff4186 | 82 | pkcs11h_certificate_t pkcs11_cert ); |
ansond | 0:137634ff4186 | 83 | |
ansond | 0:137634ff4186 | 84 | /** |
ansond | 0:137634ff4186 | 85 | * Free the contents of the given private key context. Note that the structure |
ansond | 0:137634ff4186 | 86 | * itself is not freed. |
ansond | 0:137634ff4186 | 87 | * |
ansond | 0:137634ff4186 | 88 | * \param priv_key Private key structure to cleanup |
ansond | 0:137634ff4186 | 89 | */ |
ansond | 0:137634ff4186 | 90 | void pkcs11_priv_key_free( pkcs11_context *priv_key ); |
ansond | 0:137634ff4186 | 91 | |
ansond | 0:137634ff4186 | 92 | /** |
ansond | 0:137634ff4186 | 93 | * \brief Do an RSA private key decrypt, then remove the message |
ansond | 0:137634ff4186 | 94 | * padding |
ansond | 0:137634ff4186 | 95 | * |
ansond | 0:137634ff4186 | 96 | * \param ctx PKCS #11 context |
ansond | 0:137634ff4186 | 97 | * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature |
ansond | 0:137634ff4186 | 98 | * \param input buffer holding the encrypted data |
ansond | 0:137634ff4186 | 99 | * \param output buffer that will hold the plaintext |
ansond | 0:137634ff4186 | 100 | * \param olen will contain the plaintext length |
ansond | 0:137634ff4186 | 101 | * \param output_max_len maximum length of the output buffer |
ansond | 0:137634ff4186 | 102 | * |
ansond | 0:137634ff4186 | 103 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
ansond | 0:137634ff4186 | 104 | * |
ansond | 0:137634ff4186 | 105 | * \note The output buffer must be as large as the size |
ansond | 0:137634ff4186 | 106 | * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise |
ansond | 0:137634ff4186 | 107 | * an error is thrown. |
ansond | 0:137634ff4186 | 108 | */ |
ansond | 0:137634ff4186 | 109 | int pkcs11_decrypt( pkcs11_context *ctx, |
ansond | 0:137634ff4186 | 110 | int mode, size_t *olen, |
ansond | 0:137634ff4186 | 111 | const unsigned char *input, |
ansond | 0:137634ff4186 | 112 | unsigned char *output, |
ansond | 0:137634ff4186 | 113 | size_t output_max_len ); |
ansond | 0:137634ff4186 | 114 | |
ansond | 0:137634ff4186 | 115 | /** |
ansond | 0:137634ff4186 | 116 | * \brief Do a private RSA to sign a message digest |
ansond | 0:137634ff4186 | 117 | * |
ansond | 0:137634ff4186 | 118 | * \param ctx PKCS #11 context |
ansond | 0:137634ff4186 | 119 | * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature |
ansond | 0:137634ff4186 | 120 | * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data) |
ansond | 0:137634ff4186 | 121 | * \param hashlen message digest length (for POLARSSL_MD_NONE only) |
ansond | 0:137634ff4186 | 122 | * \param hash buffer holding the message digest |
ansond | 0:137634ff4186 | 123 | * \param sig buffer that will hold the ciphertext |
ansond | 0:137634ff4186 | 124 | * |
ansond | 0:137634ff4186 | 125 | * \return 0 if the signing operation was successful, |
ansond | 0:137634ff4186 | 126 | * or an POLARSSL_ERR_RSA_XXX error code |
ansond | 0:137634ff4186 | 127 | * |
ansond | 0:137634ff4186 | 128 | * \note The "sig" buffer must be as large as the size |
ansond | 0:137634ff4186 | 129 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
ansond | 0:137634ff4186 | 130 | */ |
ansond | 0:137634ff4186 | 131 | int pkcs11_sign( pkcs11_context *ctx, |
ansond | 0:137634ff4186 | 132 | int mode, |
ansond | 0:137634ff4186 | 133 | md_type_t md_alg, |
ansond | 0:137634ff4186 | 134 | unsigned int hashlen, |
ansond | 0:137634ff4186 | 135 | const unsigned char *hash, |
ansond | 0:137634ff4186 | 136 | unsigned char *sig ); |
ansond | 0:137634ff4186 | 137 | |
ansond | 0:137634ff4186 | 138 | /** |
ansond | 0:137634ff4186 | 139 | * SSL/TLS wrappers for PKCS#11 functions |
ansond | 0:137634ff4186 | 140 | */ |
ansond | 0:137634ff4186 | 141 | static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen, |
ansond | 0:137634ff4186 | 142 | const unsigned char *input, unsigned char *output, |
ansond | 0:137634ff4186 | 143 | size_t output_max_len ) |
ansond | 0:137634ff4186 | 144 | { |
ansond | 0:137634ff4186 | 145 | return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output, |
ansond | 0:137634ff4186 | 146 | output_max_len ); |
ansond | 0:137634ff4186 | 147 | } |
ansond | 0:137634ff4186 | 148 | |
ansond | 0:137634ff4186 | 149 | static inline int ssl_pkcs11_sign( void *ctx, |
ansond | 0:137634ff4186 | 150 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, |
ansond | 0:137634ff4186 | 151 | int mode, md_type_t md_alg, unsigned int hashlen, |
ansond | 0:137634ff4186 | 152 | const unsigned char *hash, unsigned char *sig ) |
ansond | 0:137634ff4186 | 153 | { |
ansond | 0:137634ff4186 | 154 | ((void) f_rng); |
ansond | 0:137634ff4186 | 155 | ((void) p_rng); |
ansond | 0:137634ff4186 | 156 | return pkcs11_sign( (pkcs11_context *) ctx, mode, md_alg, |
ansond | 0:137634ff4186 | 157 | hashlen, hash, sig ); |
ansond | 0:137634ff4186 | 158 | } |
ansond | 0:137634ff4186 | 159 | |
ansond | 0:137634ff4186 | 160 | static inline size_t ssl_pkcs11_key_len( void *ctx ) |
ansond | 0:137634ff4186 | 161 | { |
ansond | 0:137634ff4186 | 162 | return ( (pkcs11_context *) ctx )->len; |
ansond | 0:137634ff4186 | 163 | } |
ansond | 0:137634ff4186 | 164 | |
ansond | 0:137634ff4186 | 165 | #ifdef __cplusplus |
ansond | 0:137634ff4186 | 166 | } |
ansond | 0:137634ff4186 | 167 | #endif |
ansond | 0:137634ff4186 | 168 | |
ansond | 0:137634ff4186 | 169 | #endif /* POLARSSL_PKCS11_C */ |
ansond | 0:137634ff4186 | 170 | |
ansond | 0:137634ff4186 | 171 | #endif /* POLARSSL_PKCS11_H */ |
ansond | 0:137634ff4186 | 172 |