TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / e83ac1d7d1dc8503d150ba836ebadab542fd740f / . / library / pkcs11.c
blob: a5ad23c7ed6f587397951c4bc86d5c5153e4a599 [file] [log] [blame]
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1/**
2 * \file pkcs11.c
3 *
4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]8 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]9 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +0000[diff] [blame]10 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]11 *
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License along
23 * with this program; if not, write to the Free Software Foundation, Inc.,
24 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 */
26
27#include "polarssl/pkcs11.h"
28
29#if defined(POLARSSL_PKCS11_C)
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]30#include "polarssl/md.h"
31#include "polarssl/oid.h"
32#include "polarssl/x509_crt.h"
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]33
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]34#if defined(POLARSSL_PLATFORM_C)
35#include "polarssl/platform.h"
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]36#else
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]37#include <stdlib.h>
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]38#define polarssl_malloc malloc
39#define polarssl_free free
40#endif
41
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]42int pkcs11_x509_cert_init( x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]43{
44 int ret = 1;
45 unsigned char *cert_blob = NULL;
46 size_t cert_blob_size = 0;
47
48 if( cert == NULL )
49 {
50 ret = 2;
51 goto cleanup;
52 }
53
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]54 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
55 &cert_blob_size ) != CKR_OK )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]56 {
57 ret = 3;
58 goto cleanup;
59 }
60
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]61 cert_blob = polarssl_malloc( cert_blob_size );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]62 if( NULL == cert_blob )
63 {
64 ret = 4;
65 goto cleanup;
66 }
67
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]68 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
69 &cert_blob_size ) != CKR_OK )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]70 {
71 ret = 5;
72 goto cleanup;
73 }
74
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]75 if( 0 != x509_crt_parse( cert, cert_blob, cert_blob_size ) )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]76 {
77 ret = 6;
78 goto cleanup;
79 }
80
81 ret = 0;
82
83cleanup:
84 if( NULL != cert_blob )
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]85 polarssl_free( cert_blob );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]86
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]87 return( ret );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]88}
89
90
91int pkcs11_priv_key_init( pkcs11_context *priv_key,
92 pkcs11h_certificate_t pkcs11_cert )
93{
94 int ret = 1;
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]95 x509_crt cert;
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]96
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]97 x509_crt_init( &cert );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]98
99 if( priv_key == NULL )
100 goto cleanup;
101
102 if( 0 != pkcs11_x509_cert_init( &cert, pkcs11_cert ) )
103 goto cleanup;
104
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]105 priv_key->len = pk_get_len( &cert.pk );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]106 priv_key->pkcs11h_cert = pkcs11_cert;
107
108 ret = 0;
109
110cleanup:
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]111 x509_crt_free( &cert );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]112
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]113 return( ret );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]114}
115
116void pkcs11_priv_key_free( pkcs11_context *priv_key )
117{
118 if( NULL != priv_key )
119 pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
120}
121
122int pkcs11_decrypt( pkcs11_context *ctx,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]123 int mode, size_t *olen,
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]124 const unsigned char *input,
125 unsigned char *output,
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]126 size_t output_max_len )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]127{
128 size_t input_len, output_len;
129
130 if( NULL == ctx )
131 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
132
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]133 if( RSA_PRIVATE != mode )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]134 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
135
136 output_len = input_len = ctx->len;
137
138 if( input_len < 16 || input_len > output_max_len )
139 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
140
141 /* Determine size of output buffer */
142 if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
143 input_len, NULL, &output_len ) != CKR_OK )
144 {
145 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
146 }
147
148 if( output_len > output_max_len )
149 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
150
151 if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
152 input_len, output, &output_len ) != CKR_OK )
153 {
154 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
155 }
156 *olen = output_len;
157 return( 0 );
158}
159
160int pkcs11_sign( pkcs11_context *ctx,
161 int mode,
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]162 md_type_t md_alg,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]163 unsigned int hashlen,
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]164 const unsigned char *hash,
165 unsigned char *sig )
166{
Paul Bakkerdb1f0592014-03-26 14:53:47 +0100[diff] [blame]167 size_t sig_len = 0, asn_len = 0, oid_size = 0;
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]168 unsigned char *p = sig;
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]169 const char *oid;
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]170
171 if( NULL == ctx )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]172 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]173
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]174 if( RSA_PRIVATE != mode )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]175 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]176
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]177 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]178 {
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]179 const md_info_t *md_info = md_info_from_type( md_alg );
180 if( md_info == NULL )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]181 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]182
183 if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
184 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
185
186 hashlen = md_get_size( md_info );
Paul Bakkerdb1f0592014-03-26 14:53:47 +0100[diff] [blame]187 asn_len = 10 + oid_size;
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]188 }
189
Paul Bakkerdb1f0592014-03-26 14:53:47 +0100[diff] [blame]190 sig_len = ctx->len;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]191 if( hashlen > sig_len || asn_len > sig_len ||
192 hashlen + asn_len > sig_len )
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]193 {
Paul Bakkerdb1f0592014-03-26 14:53:47 +0100[diff] [blame]194 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]195 }
Paul Bakkerdb1f0592014-03-26 14:53:47 +0100[diff] [blame]196
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]197 if( md_alg != POLARSSL_MD_NONE )
Steffan Karger28d81a02013-11-13 16:57:58 +0100[diff] [blame]198 {
199 /*
200 * DigestInfo ::= SEQUENCE {
201 * digestAlgorithm DigestAlgorithmIdentifier,
202 * digest Digest }
203 *
204 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
205 *
206 * Digest ::= OCTET STRING
207 */
208 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
209 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
210 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
211 *p++ = (unsigned char) ( 0x04 + oid_size );
212 *p++ = ASN1_OID;
213 *p++ = oid_size & 0xFF;
214 memcpy( p, oid, oid_size );
215 p += oid_size;
216 *p++ = ASN1_NULL;
217 *p++ = 0x00;
218 *p++ = ASN1_OCTET_STRING;
219 *p++ = hashlen;
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]220 }
221
Paul Bakkerdb1f0592014-03-26 14:53:47 +0100[diff] [blame]222 memcpy( p, hash, hashlen );
223
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]224 if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
Paul Bakkerdb1f0592014-03-26 14:53:47 +0100[diff] [blame]225 asn_len + hashlen, sig, &sig_len ) != CKR_OK )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]226 {
227 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
228 }
229
230 return( 0 );
231}
232
233#endif /* defined(POLARSSL_PKCS11_C) */