1 /**
2 * \file pkcs11.h
3 *
4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9 * SPDX-License-Identifier: Apache-2.0
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 *
23 * This file is part of mbed TLS (https://tls.mbed.org)
24 */
25 #ifndef MBEDTLS_PKCS11_H
26 #define MBEDTLS_PKCS11_H
27
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33
34 #if defined(MBEDTLS_PKCS11_C)
35
36 #include "x509_crt.h"
37
38 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
39
40 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
41 !defined(inline) && !defined(__cplusplus)
42 #define inline __inline
43 #endif
44
45 #ifdef __cplusplus
46 extern "C" {
47 #endif
48
49 /**
50 * Context for PKCS #11 private keys.
51 */
52 typedef struct {
53 pkcs11h_certificate_t pkcs11h_cert;
54 int len;
55 } mbedtls_pkcs11_context;
56
57 /**
58 * Initialize a mbedtls_pkcs11_context.
59 * (Just making memory references valid.)
60 */
61 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
62
63 /**
64 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
65 *
66 * \param cert X.509 certificate to fill
67 * \param pkcs11h_cert PKCS #11 helper certificate
68 *
69 * \return 0 on success.
70 */
71 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
72
73 /**
74 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
75 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
76 * done.
77 *
78 * \param priv_key Private key structure to fill.
79 * \param pkcs11_cert PKCS #11 helper certificate
80 *
81 * \return 0 on success
82 */
83 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
84 pkcs11h_certificate_t pkcs11_cert );
85
86 /**
87 * Free the contents of the given private key context. Note that the structure
88 * itself is not freed.
89 *
90 * \param priv_key Private key structure to cleanup
91 */
92 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
93
94 /**
95 * \brief Do an RSA private key decrypt, then remove the message
96 * padding
97 *
98 * \param ctx PKCS #11 context
99 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
100 * \param input buffer holding the encrypted data
101 * \param output buffer that will hold the plaintext
102 * \param olen will contain the plaintext length
103 * \param output_max_len maximum length of the output buffer
104 *
105 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
106 *
107 * \note The output buffer must be as large as the size
108 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
109 * an error is thrown.
110 */
111 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
112 int mode, size_t *olen,
113 const unsigned char *input,
114 unsigned char *output,
115 size_t output_max_len );
116
117 /**
118 * \brief Do a private RSA to sign a message digest
119 *
120 * \param ctx PKCS #11 context
121 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
122 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
123 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
124 * \param hash buffer holding the message digest
125 * \param sig buffer that will hold the ciphertext
126 *
127 * \return 0 if the signing operation was successful,
128 * or an MBEDTLS_ERR_RSA_XXX error code
129 *
130 * \note The "sig" buffer must be as large as the size
131 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
132 */
133 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
134 int mode,
135 mbedtls_md_type_t md_alg,
136 unsigned int hashlen,
137 const unsigned char *hash,
138 unsigned char *sig );
139
140 /**
141 * SSL/TLS wrappers for PKCS#11 functions
142 */
mbedtls_ssl_pkcs11_decrypt(void * ctx,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)143 static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
144 const unsigned char *input, unsigned char *output,
145 size_t output_max_len )
146 {
147 return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
148 output_max_len );
149 }
150
mbedtls_ssl_pkcs11_sign(void * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)151 static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
152 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
153 int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
154 const unsigned char *hash, unsigned char *sig )
155 {
156 ((void) f_rng);
157 ((void) p_rng);
158 return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
159 hashlen, hash, sig );
160 }
161
mbedtls_ssl_pkcs11_key_len(void * ctx)162 static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
163 {
164 return ( (mbedtls_pkcs11_context *) ctx )->len;
165 }
166
167 #ifdef __cplusplus
168 }
169 #endif
170
171 #endif /* MBEDTLS_PKCS11_C */
172
173 #endif /* MBEDTLS_PKCS11_H */
174
