123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 |
- /**
- * \file pkcs11.h
- *
- * \brief Wrapper for PKCS#11 library libpkcs11-helper
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * SPDX-License-Identifier: GPL-2.0
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
- */
- #ifndef MBEDTLS_PKCS11_H
- #define MBEDTLS_PKCS11_H
- #if !defined(MBEDTLS_CONFIG_FILE)
- #include "config.h"
- #else
- #include MBEDTLS_CONFIG_FILE
- #endif
- #if defined(MBEDTLS_PKCS11_C)
- #include "x509_crt.h"
- #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
- #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
- #define inline __inline
- #endif
- #ifdef __cplusplus
- extern "C" {
- #endif
- /**
- * Context for PKCS #11 private keys.
- */
- typedef struct {
- pkcs11h_certificate_t pkcs11h_cert;
- int len;
- } mbedtls_pkcs11_context;
- /**
- * Initialize a mbedtls_pkcs11_context.
- * (Just making memory references valid.)
- */
- void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
- /**
- * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
- *
- * \param cert X.509 certificate to fill
- * \param pkcs11h_cert PKCS #11 helper certificate
- *
- * \return 0 on success.
- */
- int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
- /**
- * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
- * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
- * done.
- *
- * \param priv_key Private key structure to fill.
- * \param pkcs11_cert PKCS #11 helper certificate
- *
- * \return 0 on success
- */
- int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
- pkcs11h_certificate_t pkcs11_cert );
- /**
- * Free the contents of the given private key context. Note that the structure
- * itself is not freed.
- *
- * \param priv_key Private key structure to cleanup
- */
- void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
- /**
- * \brief Do an RSA private key decrypt, then remove the message
- * padding
- *
- * \param ctx PKCS #11 context
- * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
- * \param input buffer holding the encrypted data
- * \param output buffer that will hold the plaintext
- * \param olen will contain the plaintext length
- * \param output_max_len maximum length of the output buffer
- *
- * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
- *
- * \note The output buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- * an error is thrown.
- */
- int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
- int mode, size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len );
- /**
- * \brief Do a private RSA to sign a message digest
- *
- * \param ctx PKCS #11 context
- * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
- * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
- * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
- * \param hash buffer holding the message digest
- * \param sig buffer that will hold the ciphertext
- *
- * \return 0 if the signing operation was successful,
- * or an MBEDTLS_ERR_RSA_XXX error code
- *
- * \note The "sig" buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
- int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
- int mode,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig );
- /**
- * SSL/TLS wrappers for PKCS#11 functions
- */
- static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
- const unsigned char *input, unsigned char *output,
- size_t output_max_len )
- {
- return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
- output_max_len );
- }
- static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
- const unsigned char *hash, unsigned char *sig )
- {
- ((void) f_rng);
- ((void) p_rng);
- return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
- hashlen, hash, sig );
- }
- static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
- {
- return ( (mbedtls_pkcs11_context *) ctx )->len;
- }
- #ifdef __cplusplus
- }
- #endif
- #endif /* MBEDTLS_PKCS11_C */
- #endif /* MBEDTLS_PKCS11_H */
|