TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / include / mbedcrypto / pkcs11.h
blob: 2233ec8782da5fd324ee85879a5fca4ff9dc9545 [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/**
2 * \file pkcs11.h
3 *
4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 */
8/*
9 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
10 * SPDX-License-Identifier: Apache-2.0
11 *
12 * Licensed under the Apache License, Version 2.0 (the "License"); you may
13 * not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
15 *
16 * http://www.apache.org/licenses/LICENSE-2.0
17 *
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
20 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
23 *
24 * This file is part of Mbed Crypto (https://tls.mbed.org)
25 */
26#ifndef MBEDCRYPTO_PKCS11_H
27#define MBEDCRYPTO_PKCS11_H
28
29#if !defined(MBEDCRYPTO_CONFIG_FILE)
30#include "config.h"
31#else
32#include MBEDCRYPTO_CONFIG_FILE
33#endif
34
35#if defined(MBEDCRYPTO_PKCS11_C)
36
37#include "x509_crt.h"
38
39#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
40
41#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
42 !defined(inline) && !defined(__cplusplus)
43#define inline __inline
44#endif
45
46#ifdef __cplusplus
47extern "C" {
48#endif
49
50/**
51 * Context for PKCS #11 private keys.
52 */
53typedef struct {
54 pkcs11h_certificate_t pkcs11h_cert;
55 int len;
56} mbedcrypto_pkcs11_context;
57
58/**
59 * Initialize a mbedcrypto_pkcs11_context.
60 * (Just making memory references valid.)
61 */
62void mbedcrypto_pkcs11_init( mbedcrypto_pkcs11_context *ctx );
63
64/**
65 * Fill in a Mbed Crypto certificate, based on the given PKCS11 helper certificate.
66 *
67 * \param cert X.509 certificate to fill
68 * \param pkcs11h_cert PKCS #11 helper certificate
69 *
70 * \return 0 on success.
71 */
72int mbedcrypto_pkcs11_x509_cert_bind( mbedcrypto_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
73
74/**
75 * Set up a mbedcrypto_pkcs11_context storing the given certificate. Note that the
76 * mbedcrypto_pkcs11_context will take over control of the certificate, freeing it when
77 * done.
78 *
79 * \param priv_key Private key structure to fill.
80 * \param pkcs11_cert PKCS #11 helper certificate
81 *
82 * \return 0 on success
83 */
84int mbedcrypto_pkcs11_priv_key_bind( mbedcrypto_pkcs11_context *priv_key,
85 pkcs11h_certificate_t pkcs11_cert );
86
87/**
88 * Free the contents of the given private key context. Note that the structure
89 * itself is not freed.
90 *
91 * \param priv_key Private key structure to cleanup
92 */
93void mbedcrypto_pkcs11_priv_key_free( mbedcrypto_pkcs11_context *priv_key );
94
95/**
96 * \brief Do an RSA private key decrypt, then remove the message
97 * padding
98 *
99 * \param ctx PKCS #11 context
100 * \param mode must be MBEDCRYPTO_RSA_PRIVATE, for compatibility with rsa.c's signature
101 * \param input buffer holding the encrypted data
102 * \param output buffer that will hold the plaintext
103 * \param olen will contain the plaintext length
104 * \param output_max_len maximum length of the output buffer
105 *
106 * \return 0 if successful, or an MBEDCRYPTO_ERR_RSA_XXX error code
107 *
108 * \note The output buffer must be as large as the size
109 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
110 * an error is thrown.
111 */
112int mbedcrypto_pkcs11_decrypt( mbedcrypto_pkcs11_context *ctx,
113 int mode, size_t *olen,
114 const unsigned char *input,
115 unsigned char *output,
116 size_t output_max_len );
117
118/**
119 * \brief Do a private RSA to sign a message digest
120 *
121 * \param ctx PKCS #11 context
122 * \param mode must be MBEDCRYPTO_RSA_PRIVATE, for compatibility with rsa.c's signature
123 * \param md_alg a MBEDCRYPTO_MD_XXX (use MBEDCRYPTO_MD_NONE for signing raw data)
124 * \param hashlen message digest length (for MBEDCRYPTO_MD_NONE only)
125 * \param hash buffer holding the message digest
126 * \param sig buffer that will hold the ciphertext
127 *
128 * \return 0 if the signing operation was successful,
129 * or an MBEDCRYPTO_ERR_RSA_XXX error code
130 *
131 * \note The "sig" buffer must be as large as the size
132 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
133 */
134int mbedcrypto_pkcs11_sign( mbedcrypto_pkcs11_context *ctx,
135 int mode,
136 mbedcrypto_md_type_t md_alg,
137 unsigned int hashlen,
138 const unsigned char *hash,
139 unsigned char *sig );
140
141/**
142 * SSL/TLS wrappers for PKCS#11 functions
143 */
144static inline int mbedcrypto_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
145 const unsigned char *input, unsigned char *output,
146 size_t output_max_len )
147{
148 return mbedcrypto_pkcs11_decrypt( (mbedcrypto_pkcs11_context *) ctx, mode, olen, input, output,
149 output_max_len );
150}
151
152static inline int mbedcrypto_ssl_pkcs11_sign( void *ctx,
153 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
154 int mode, mbedcrypto_md_type_t md_alg, unsigned int hashlen,
155 const unsigned char *hash, unsigned char *sig )
156{
157 ((void) f_rng);
158 ((void) p_rng);
159 return mbedcrypto_pkcs11_sign( (mbedcrypto_pkcs11_context *) ctx, mode, md_alg,
160 hashlen, hash, sig );
161}
162
163static inline size_t mbedcrypto_ssl_pkcs11_key_len( void *ctx )
164{
165 return ( (mbedcrypto_pkcs11_context *) ctx )->len;
166}
167
168#ifdef __cplusplus
169}
170#endif
171
172#endif /* MBEDCRYPTO_PKCS11_C */
173
174#endif /* MBEDCRYPTO_PKCS11_H */