pkcs11.h
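/**
 * \file pkcs11.h
 *
 * \brief Wrapper for PKCS#11 library libpkcs11-helper
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
/*
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
#ifndef MBEDTLS_PKCS11_H
#define MBEDTLS_PKCS11_H

#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_PKCS11_C)

#include "x509_crt.h"

#include <pkcs11-helper-1.0/pkcs11h-certificate.h>

#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
#define inline __inline
#endif

#ifdef __cplusplus
extern "C" {
#endif

/**
 * Context for PKCS #11 private keys.
 */
typedef struct {
        pkcs11h_certificate_t pkcs11h_cert; /* PKCS #11 helper certificate handle */
        int len;                            /* value reported by mbedtls_ssl_pkcs11_key_len();
                                             * presumably the key size in bytes - confirm
                                             * against pkcs11.c */
} mbedtls_pkcs11_context;

/**
 * Initialize a mbedtls_pkcs11_context.
 * (Just making memory references valid.)
 *
 * \param ctx           Context to initialize
 */
void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );

/**
 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
 *
 * \param cert          X.509 certificate to fill
 * \param pkcs11h_cert  PKCS #11 helper certificate
 *
 * \return              0 on success.
 *
 * \note                Unlike mbedtls_pkcs11_priv_key_bind(), this comment does
 *                      not say who owns pkcs11h_cert afterwards; check the
 *                      implementation before freeing or reusing it.
 */
int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );

/**
 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
 * done.
 *
 * \param priv_key      Private key structure to fill.
 * \param pkcs11_cert   PKCS #11 helper certificate
 *
 * \return              0 on success
 *
 * \note                Because the context frees the certificate, the caller
 *                      must not free pkcs11_cert again after a successful bind.
 *                      Ownership after a failed bind is not stated here.
 */
int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
        pkcs11h_certificate_t pkcs11_cert );

/**
 * Free the contents of the given private key context. Note that the structure
 * itself is not freed.
 *
 * \param priv_key      Private key structure to cleanup
 */
void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );

/**
 * \brief          Do an RSA private key decrypt, then remove the message
 *                 padding
 *
 * \param ctx      PKCS #11 context
 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
 * \param olen     will contain the plaintext length
 * \param input    buffer holding the encrypted data
 * \param output   buffer that will hold the plaintext
 * \param output_max_len    maximum length of the output buffer
 *
 * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the key size
 *                 (ctx->len; eg. 128 bytes if RSA-1024 is used), otherwise
 *                 an error is returned. No length is passed for the input
 *                 buffer; presumably it must hold exactly one key-sized
 *                 block - confirm against pkcs11.c.
 */
int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
                       int mode, size_t *olen,
                       const unsigned char *input,
                       unsigned char *output,
                       size_t output_max_len );

/**
 * \brief          Do a private RSA to sign a message digest
 *
 * \param ctx      PKCS #11 context
 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
 * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
 * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer that will hold the signature
 *
 * \return         0 if the signing operation was successful,
 *                 or an MBEDTLS_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the key size
 *                 (ctx->len; eg. 128 bytes if RSA-1024 is used).
 *                 This function receives no size for "sig" and therefore
 *                 cannot check it; the caller must guarantee the capacity.
 */
int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
                    int mode,
                    mbedtls_md_type_t md_alg,
                    unsigned int hashlen,
                    const unsigned char *hash,
                    unsigned char *sig );

/**
 * SSL/TLS wrappers for PKCS#11 functions
 *
 * Each wrapper takes the key context as a void pointer and casts it to
 * mbedtls_pkcs11_context without any check, so ctx must be non-NULL and must
 * point to a context of exactly that type.
 */
static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
                        const unsigned char *input, unsigned char *output,
                        size_t output_max_len )
{
    return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
                           output_max_len );
}

/*
 * f_rng and p_rng exist only to match the expected callback signature; they
 * are not used, and nothing from them is forwarded to mbedtls_pkcs11_sign().
 */
static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
                     const unsigned char *hash, unsigned char *sig )
{
    ((void) f_rng);
    ((void) p_rng);
    return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
                        hashlen, hash, sig );
}

/*
 * Report the key length stored in the context.
 *
 * The stored length is a signed int while the return type is size_t. A
 * negative value would convert to a very large length that callers might use
 * to size or bound a buffer, so anything that is not positive is reported
 * as 0.
 */
static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
{
    const int len = ( (mbedtls_pkcs11_context *) ctx )->len;

    return ( len > 0 ) ? (size_t) len : 0;
}

#ifdef __cplusplus
}
#endif

#endif /* MBEDTLS_PKCS11_C */

#endif /* MBEDTLS_PKCS11_H */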
