1 /**
2 * \file pkcs11.h
3 *
4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 */
8 /*
9 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
10 * SPDX-License-Identifier: Apache-2.0
11 *
12 * Licensed under the Apache License, Version 2.0 (the "License"); you may
13 * not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
15 *
16 * http://www.apache.org/licenses/LICENSE-2.0
17 *
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
20 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
23 *
24 * This file is part of mbed TLS (https://tls.mbed.org)
25 */
26 #ifndef MBEDTLS_PKCS11_H
27 #define MBEDTLS_PKCS11_H
28
29 #if !defined(MBEDTLS_CONFIG_FILE)
30 #include "config.h"
31 #else
32 #include MBEDTLS_CONFIG_FILE
33 #endif
34
35 #if defined(MBEDTLS_PKCS11_C)
36
37 #include "x509_crt.h"
38
39 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
40
41 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
42 !defined(inline) && !defined(__cplusplus)
43 #define inline __inline
44 #endif
45
46 #ifdef __cplusplus
47 extern "C" {
48 #endif
49
50 /**
51 * Context for PKCS #11 private keys.
52 */
53 typedef struct mbedtls_pkcs11_context
54 {
55 pkcs11h_certificate_t pkcs11h_cert;
56 int len;
57 } mbedtls_pkcs11_context;
58
59 /**
60 * Initialize a mbedtls_pkcs11_context.
61 * (Just making memory references valid.)
62 */
63 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
64
65 /**
66 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
67 *
68 * \param cert X.509 certificate to fill
69 * \param pkcs11h_cert PKCS #11 helper certificate
70 *
71 * \return 0 on success.
72 */
73 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
74
75 /**
76 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
77 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
78 * done.
79 *
80 * \param priv_key Private key structure to fill.
81 * \param pkcs11_cert PKCS #11 helper certificate
82 *
83 * \return 0 on success
84 */
85 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
86 pkcs11h_certificate_t pkcs11_cert );
87
88 /**
89 * Free the contents of the given private key context. Note that the structure
90 * itself is not freed.
91 *
92 * \param priv_key Private key structure to cleanup
93 */
94 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
95
96 /**
97 * \brief Do an RSA private key decrypt, then remove the message
98 * padding
99 *
100 * \param ctx PKCS #11 context
101 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
102 * \param input buffer holding the encrypted data
103 * \param output buffer that will hold the plaintext
104 * \param olen will contain the plaintext length
105 * \param output_max_len maximum length of the output buffer
106 *
107 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
108 *
109 * \note The output buffer must be as large as the size
110 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
111 * an error is thrown.
112 */
113 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
114 int mode, size_t *olen,
115 const unsigned char *input,
116 unsigned char *output,
117 size_t output_max_len );
118
119 /**
120 * \brief Do a private RSA to sign a message digest
121 *
122 * \param ctx PKCS #11 context
123 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
124 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
125 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
126 * \param hash buffer holding the message digest
127 * \param sig buffer that will hold the ciphertext
128 *
129 * \return 0 if the signing operation was successful,
130 * or an MBEDTLS_ERR_RSA_XXX error code
131 *
132 * \note The "sig" buffer must be as large as the size
133 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
134 */
135 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
136 int mode,
137 mbedtls_md_type_t md_alg,
138 unsigned int hashlen,
139 const unsigned char *hash,
140 unsigned char *sig );
141
142 /**
143 * SSL/TLS wrappers for PKCS#11 functions
144 */
mbedtls_ssl_pkcs11_decrypt(void * ctx,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)145 static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
146 const unsigned char *input, unsigned char *output,
147 size_t output_max_len )
148 {
149 return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
150 output_max_len );
151 }
152
mbedtls_ssl_pkcs11_sign(void * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)153 static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
154 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
155 int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
156 const unsigned char *hash, unsigned char *sig )
157 {
158 ((void) f_rng);
159 ((void) p_rng);
160 return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
161 hashlen, hash, sig );
162 }
163
mbedtls_ssl_pkcs11_key_len(void * ctx)164 static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
165 {
166 return ( (mbedtls_pkcs11_context *) ctx )->len;
167 }
168
169 #ifdef __cplusplus
170 }
171 #endif
172
173 #endif /* MBEDTLS_PKCS11_C */
174
175 #endif /* MBEDTLS_PKCS11_H */
176