pkcs11.h

00001 /**
00002  * \file pkcs11.h
00003  *
00004  * \brief Wrapper for PKCS#11 library libpkcs11-helper
00005  *
00006  * \author Adriaan de Jong <dejong@fox-it.com>
00007  */
00008 /*
00009  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00010  *  SPDX-License-Identifier: Apache-2.0
00011  *
00012  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00013  *  not use this file except in compliance with the License.
00014  *  You may obtain a copy of the License at
00015  *
00016  *  http://www.apache.org/licenses/LICENSE-2.0
00017  *
00018  *  Unless required by applicable law or agreed to in writing, software
00019  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00020  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00021  *  See the License for the specific language governing permissions and
00022  *  limitations under the License.
00023  *
00024  *  This file is part of mbed TLS (https://tls.mbed.org)
00025  */
00026 #ifndef MBEDTLS_PKCS11_H
00027 #define MBEDTLS_PKCS11_H
00028 
00029 #if !defined(MBEDTLS_CONFIG_FILE)
00030 #include "config.h"
00031 #else
00032 #include MBEDTLS_CONFIG_FILE
00033 #endif
00034 
00035 #if defined(MBEDTLS_PKCS11_C)
00036 
00037 #include "x509_crt.h"
00038 
00039 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
00040 
00041 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
00042     !defined(inline) && !defined(__cplusplus)
00043 #define inline __inline
00044 #endif
00045 
00046 #ifdef __cplusplus
00047 extern "C" {
00048 #endif
00049 
00050 /**
00051  * Context for PKCS #11 private keys.
00052  */
00053 typedef struct mbedtls_pkcs11_context
00054 {
00055         pkcs11h_certificate_t pkcs11h_cert;
00056         int len;
00057 } mbedtls_pkcs11_context;
00058 
00059 /**
00060  * Initialize a mbedtls_pkcs11_context.
00061  * (Just making memory references valid.)
00062  */
00063 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
00064 
00065 /**
00066  * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
00067  *
00068  * \param cert          X.509 certificate to fill
00069  * \param pkcs11h_cert  PKCS #11 helper certificate
00070  *
00071  * \return              0 on success.
00072  */
00073 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
00074 
00075 /**
00076  * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
00077  * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
00078  * done.
00079  *
00080  * \param priv_key      Private key structure to fill.
00081  * \param pkcs11_cert   PKCS #11 helper certificate
00082  *
00083  * \return              0 on success
00084  */
00085 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
00086         pkcs11h_certificate_t pkcs11_cert );
00087 
00088 /**
00089  * Free the contents of the given private key context. Note that the structure
00090  * itself is not freed.
00091  *
00092  * \param priv_key      Private key structure to cleanup
00093  */
00094 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
00095 
00096 /**
00097  * \brief          Do an RSA private key decrypt, then remove the message
00098  *                 padding
00099  *
00100  * \param ctx      PKCS #11 context
00101  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
00102  * \param input    buffer holding the encrypted data
00103  * \param output   buffer that will hold the plaintext
00104  * \param olen     will contain the plaintext length
00105  * \param output_max_len    maximum length of the output buffer
00106  *
00107  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
00108  *
00109  * \note           The output buffer must be as large as the size
00110  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
00111  *                 an error is thrown.
00112  */
00113 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
00114                        int mode, size_t *olen,
00115                        const unsigned char *input,
00116                        unsigned char *output,
00117                        size_t output_max_len );
00118 
00119 /**
00120  * \brief          Do a private RSA to sign a message digest
00121  *
00122  * \param ctx      PKCS #11 context
00123  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
00124  * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
00125  * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
00126  * \param hash     buffer holding the message digest
00127  * \param sig      buffer that will hold the ciphertext
00128  *
00129  * \return         0 if the signing operation was successful,
00130  *                 or an MBEDTLS_ERR_RSA_XXX error code
00131  *
00132  * \note           The "sig" buffer must be as large as the size
00133  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
00134  */
00135 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
00136                     int mode,
00137                     mbedtls_md_type_t md_alg,
00138                     unsigned int hashlen,
00139                     const unsigned char *hash,
00140                     unsigned char *sig );
00141 
00142 /**
00143  * SSL/TLS wrappers for PKCS#11 functions
00144  */
00145 static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
00146                         const unsigned char *input, unsigned char *output,
00147                         size_t output_max_len )
00148 {
00149     return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
00150                            output_max_len );
00151 }
00152 
00153 static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
00154                      int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
00155                      int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
00156                      const unsigned char *hash, unsigned char *sig )
00157 {
00158     ((void) f_rng);
00159     ((void) p_rng);
00160     return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
00161                         hashlen, hash, sig );
00162 }
00163 
00164 static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
00165 {
00166     return ( (mbedtls_pkcs11_context *) ctx )->len;
00167 }
00168 
00169 #ifdef __cplusplus
00170 }
00171 #endif
00172 
00173 #endif /* MBEDTLS_PKCS11_C */
00174 
00175 #endif /* MBEDTLS_PKCS11_H */