Willie Solano / mbedtls-slave-prot-prod

mbed TLS Build

Dependents:   Slave-prot-prod

include/mbedtls/pkcs11.h@0:cdf462088d13, 2017-01-05 (annotated)

Committer:
markrad
Date:
Thu Jan 05 00:18:44 2017 +0000
Revision:
0:cdf462088d13
Initial commit

Who changed what in which revision?

UserRevisionLine numberNew contents of line
markrad 0:cdf462088d13 1 /**
markrad 0:cdf462088d13 2 * \file pkcs11.h
markrad 0:cdf462088d13 3 *
markrad 0:cdf462088d13 4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
markrad 0:cdf462088d13 5 *
markrad 0:cdf462088d13 6 * \author Adriaan de Jong <dejong@fox-it.com>
markrad 0:cdf462088d13 7 *
markrad 0:cdf462088d13 8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
markrad 0:cdf462088d13 9 * SPDX-License-Identifier: Apache-2.0
markrad 0:cdf462088d13 10 *
markrad 0:cdf462088d13 11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
markrad 0:cdf462088d13 12 * not use this file except in compliance with the License.
markrad 0:cdf462088d13 13 * You may obtain a copy of the License at
markrad 0:cdf462088d13 14 *
markrad 0:cdf462088d13 15 * http://www.apache.org/licenses/LICENSE-2.0
markrad 0:cdf462088d13 16 *
markrad 0:cdf462088d13 17 * Unless required by applicable law or agreed to in writing, software
markrad 0:cdf462088d13 18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
markrad 0:cdf462088d13 19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
markrad 0:cdf462088d13 20 * See the License for the specific language governing permissions and
markrad 0:cdf462088d13 21 * limitations under the License.
markrad 0:cdf462088d13 22 *
markrad 0:cdf462088d13 23 * This file is part of mbed TLS (https://tls.mbed.org)
markrad 0:cdf462088d13 24 */
markrad 0:cdf462088d13 25 #ifndef MBEDTLS_PKCS11_H
markrad 0:cdf462088d13 26 #define MBEDTLS_PKCS11_H
markrad 0:cdf462088d13 27
markrad 0:cdf462088d13 28 #if !defined(MBEDTLS_CONFIG_FILE)
markrad 0:cdf462088d13 29 #include "config.h"
markrad 0:cdf462088d13 30 #else
markrad 0:cdf462088d13 31 #include MBEDTLS_CONFIG_FILE
markrad 0:cdf462088d13 32 #endif
markrad 0:cdf462088d13 33
markrad 0:cdf462088d13 34 #if defined(MBEDTLS_PKCS11_C)
markrad 0:cdf462088d13 35
markrad 0:cdf462088d13 36 #include "x509_crt.h"
markrad 0:cdf462088d13 37
markrad 0:cdf462088d13 38 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
markrad 0:cdf462088d13 39
markrad 0:cdf462088d13 40 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
markrad 0:cdf462088d13 41 !defined(inline) && !defined(__cplusplus)
markrad 0:cdf462088d13 42 #define inline __inline
markrad 0:cdf462088d13 43 #endif
markrad 0:cdf462088d13 44
markrad 0:cdf462088d13 45 #ifdef __cplusplus
markrad 0:cdf462088d13 46 extern "C" {
markrad 0:cdf462088d13 47 #endif
markrad 0:cdf462088d13 48
markrad 0:cdf462088d13 49 /**
markrad 0:cdf462088d13 50 * Context for PKCS #11 private keys.
markrad 0:cdf462088d13 51 */
markrad 0:cdf462088d13 52 typedef struct {
markrad 0:cdf462088d13 53 pkcs11h_certificate_t pkcs11h_cert;
markrad 0:cdf462088d13 54 int len;
markrad 0:cdf462088d13 55 } mbedtls_pkcs11_context;
markrad 0:cdf462088d13 56
markrad 0:cdf462088d13 57 /**
markrad 0:cdf462088d13 58 * Initialize a mbedtls_pkcs11_context.
markrad 0:cdf462088d13 59 * (Just making memory references valid.)
markrad 0:cdf462088d13 60 */
markrad 0:cdf462088d13 61 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
markrad 0:cdf462088d13 62
markrad 0:cdf462088d13 63 /**
markrad 0:cdf462088d13 64 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
markrad 0:cdf462088d13 65 *
markrad 0:cdf462088d13 66 * \param cert X.509 certificate to fill
markrad 0:cdf462088d13 67 * \param pkcs11h_cert PKCS #11 helper certificate
markrad 0:cdf462088d13 68 *
markrad 0:cdf462088d13 69 * \return 0 on success.
markrad 0:cdf462088d13 70 */
markrad 0:cdf462088d13 71 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
markrad 0:cdf462088d13 72
markrad 0:cdf462088d13 73 /**
markrad 0:cdf462088d13 74 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
markrad 0:cdf462088d13 75 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
markrad 0:cdf462088d13 76 * done.
markrad 0:cdf462088d13 77 *
markrad 0:cdf462088d13 78 * \param priv_key Private key structure to fill.
markrad 0:cdf462088d13 79 * \param pkcs11_cert PKCS #11 helper certificate
markrad 0:cdf462088d13 80 *
markrad 0:cdf462088d13 81 * \return 0 on success
markrad 0:cdf462088d13 82 */
markrad 0:cdf462088d13 83 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
markrad 0:cdf462088d13 84 pkcs11h_certificate_t pkcs11_cert );
markrad 0:cdf462088d13 85
markrad 0:cdf462088d13 86 /**
markrad 0:cdf462088d13 87 * Free the contents of the given private key context. Note that the structure
markrad 0:cdf462088d13 88 * itself is not freed.
markrad 0:cdf462088d13 89 *
markrad 0:cdf462088d13 90 * \param priv_key Private key structure to cleanup
markrad 0:cdf462088d13 91 */
markrad 0:cdf462088d13 92 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
markrad 0:cdf462088d13 93
markrad 0:cdf462088d13 94 /**
markrad 0:cdf462088d13 95 * \brief Do an RSA private key decrypt, then remove the message
markrad 0:cdf462088d13 96 * padding
markrad 0:cdf462088d13 97 *
markrad 0:cdf462088d13 98 * \param ctx PKCS #11 context
markrad 0:cdf462088d13 99 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
markrad 0:cdf462088d13 100 * \param input buffer holding the encrypted data
markrad 0:cdf462088d13 101 * \param output buffer that will hold the plaintext
markrad 0:cdf462088d13 102 * \param olen will contain the plaintext length
markrad 0:cdf462088d13 103 * \param output_max_len maximum length of the output buffer
markrad 0:cdf462088d13 104 *
markrad 0:cdf462088d13 105 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
markrad 0:cdf462088d13 106 *
markrad 0:cdf462088d13 107 * \note The output buffer must be as large as the size
markrad 0:cdf462088d13 108 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
markrad 0:cdf462088d13 109 * an error is thrown.
markrad 0:cdf462088d13 110 */
markrad 0:cdf462088d13 111 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
markrad 0:cdf462088d13 112 int mode, size_t *olen,
markrad 0:cdf462088d13 113 const unsigned char *input,
markrad 0:cdf462088d13 114 unsigned char *output,
markrad 0:cdf462088d13 115 size_t output_max_len );
markrad 0:cdf462088d13 116
markrad 0:cdf462088d13 117 /**
markrad 0:cdf462088d13 118 * \brief Do a private RSA to sign a message digest
markrad 0:cdf462088d13 119 *
markrad 0:cdf462088d13 120 * \param ctx PKCS #11 context
markrad 0:cdf462088d13 121 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
markrad 0:cdf462088d13 122 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
markrad 0:cdf462088d13 123 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
markrad 0:cdf462088d13 124 * \param hash buffer holding the message digest
markrad 0:cdf462088d13 125 * \param sig buffer that will hold the ciphertext
markrad 0:cdf462088d13 126 *
markrad 0:cdf462088d13 127 * \return 0 if the signing operation was successful,
markrad 0:cdf462088d13 128 * or an MBEDTLS_ERR_RSA_XXX error code
markrad 0:cdf462088d13 129 *
markrad 0:cdf462088d13 130 * \note The "sig" buffer must be as large as the size
markrad 0:cdf462088d13 131 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
markrad 0:cdf462088d13 132 */
markrad 0:cdf462088d13 133 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
markrad 0:cdf462088d13 134 int mode,
markrad 0:cdf462088d13 135 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 136 unsigned int hashlen,
markrad 0:cdf462088d13 137 const unsigned char *hash,
markrad 0:cdf462088d13 138 unsigned char *sig );
markrad 0:cdf462088d13 139
markrad 0:cdf462088d13 140 /**
markrad 0:cdf462088d13 141 * SSL/TLS wrappers for PKCS#11 functions
markrad 0:cdf462088d13 142 */
markrad 0:cdf462088d13 143 static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
markrad 0:cdf462088d13 144 const unsigned char *input, unsigned char *output,
markrad 0:cdf462088d13 145 size_t output_max_len )
markrad 0:cdf462088d13 146 {
markrad 0:cdf462088d13 147 return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
markrad 0:cdf462088d13 148 output_max_len );
markrad 0:cdf462088d13 149 }
markrad 0:cdf462088d13 150
markrad 0:cdf462088d13 151 static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
markrad 0:cdf462088d13 152 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
markrad 0:cdf462088d13 153 int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
markrad 0:cdf462088d13 154 const unsigned char *hash, unsigned char *sig )
markrad 0:cdf462088d13 155 {
markrad 0:cdf462088d13 156 ((void) f_rng);
markrad 0:cdf462088d13 157 ((void) p_rng);
markrad 0:cdf462088d13 158 return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
markrad 0:cdf462088d13 159 hashlen, hash, sig );
markrad 0:cdf462088d13 160 }
markrad 0:cdf462088d13 161
markrad 0:cdf462088d13 162 static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
markrad 0:cdf462088d13 163 {
markrad 0:cdf462088d13 164 return ( (mbedtls_pkcs11_context *) ctx )->len;
markrad 0:cdf462088d13 165 }
markrad 0:cdf462088d13 166
markrad 0:cdf462088d13 167 #ifdef __cplusplus
markrad 0:cdf462088d13 168 }
markrad 0:cdf462088d13 169 #endif
markrad 0:cdf462088d13 170
markrad 0:cdf462088d13 171 #endif /* MBEDTLS_PKCS11_C */
markrad 0:cdf462088d13 172
markrad 0:cdf462088d13 173 #endif /* MBEDTLS_PKCS11_H */