| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 1 | /** |
| 2 | * \file pkcs11.h |
| 3 | * |
| 4 | * \brief Wrapper for PKCS#11 library libpkcs11-helper |
| 5 | * |
| 6 | * \author Adriaan de Jong <dejong@fox-it.com> |
| 7 | * |
| Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 8 | * Copyright (C) 2006-2011, Brainspark B.V. |
| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 9 | * |
| 10 | * This file is part of PolarSSL (http://www.polarssl.org) |
| 11 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> |
| 12 | * |
| 13 | * All rights reserved. |
| 14 | * |
| 15 | * This program is free software; you can redistribute it and/or modify |
| 16 | * it under the terms of the GNU General Public License as published by |
| 17 | * the Free Software Foundation; either version 2 of the License, or |
| 18 | * (at your option) any later version. |
| 19 | * |
| 20 | * This program is distributed in the hope that it will be useful, |
| 21 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 22 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 23 | * GNU General Public License for more details. |
| 24 | * |
| 25 | * You should have received a copy of the GNU General Public License along |
| 26 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 27 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 28 | */ |
| Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 29 | #ifndef POLARSSL_PKCS11_H |
| 30 | #define POLARSSL_PKCS11_H |
| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 31 | |
| Paul Bakker | 314052f | 2011-08-15 09:07:52 +0000 | [diff] [blame] | 32 | #include "config.h" |
| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 33 | |
| 34 | #if defined(POLARSSL_PKCS11_C) |
| 35 | |
| Paul Bakker | 314052f | 2011-08-15 09:07:52 +0000 | [diff] [blame] | 36 | #include "x509.h" |
| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 37 | |
| 38 | #include <pkcs11-helper-1.0/pkcs11h-certificate.h> |
| 39 | |
| 40 | /** |
| 41 | * Context for PKCS #11 private keys. |
| 42 | */ |
| 43 | typedef struct { |
| 44 | pkcs11h_certificate_t pkcs11h_cert; |
| 45 | int len; |
| 46 | } pkcs11_context; |
| 47 | |
| 48 | /** |
| 49 | * Fill in a PolarSSL certificate, based on the given PKCS11 helper certificate. |
| 50 | * |
| 51 | * \param cert X.509 certificate to fill |
| 52 | * \param pkcs11h_cert PKCS #11 helper certificate |
| 53 | * |
| 54 | * \return 0 on success. |
| 55 | */ |
| 56 | int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11h_cert ); |
| 57 | |
| 58 | /** |
| 59 | * Initialise a pkcs11_context, storing the given certificate. Note that the |
| 60 | * pkcs11_context will take over control of the certificate, freeing it when |
| 61 | * done. |
| 62 | * |
| 63 | * \param priv_key Private key structure to fill. |
| 64 | * \param pkcs11_cert PKCS #11 helper certificate |
| 65 | * |
| 66 | * \return 0 on success |
| 67 | */ |
| 68 | int pkcs11_priv_key_init( pkcs11_context *priv_key, |
| 69 | pkcs11h_certificate_t pkcs11_cert ); |
| 70 | |
| 71 | /** |
| 72 | * Free the contents of the given private key context. Note that the structure |
| 73 | * itself is not freed. |
| 74 | * |
| 75 | * \param priv_key Private key structure to cleanup |
| 76 | */ |
| 77 | void pkcs11_priv_key_free( pkcs11_context *priv_key ); |
| 78 | |
| 79 | /** |
| 80 | * \brief Do an RSA private key decrypt, then remove the message padding |
| 81 | * |
| 82 | * \param ctx PKCS #11 context |
| 83 | * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature |
| 84 | * \param input buffer holding the encrypted data |
| 85 | * \param output buffer that will hold the plaintext |
| 86 | * \param olen will contain the plaintext length |
| 87 | * \param output_max_len maximum length of the output buffer |
| 88 | * |
| 89 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 90 | * |
| 91 | * \note The output buffer must be as large as the size |
| 92 | * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise |
| 93 | * an error is thrown. |
| 94 | */ |
| 95 | int pkcs11_decrypt( pkcs11_context *ctx, |
| Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 96 | int mode, size_t *olen, |
| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 97 | const unsigned char *input, |
| 98 | unsigned char *output, |
| Paul Bakker | d61e7d9 | 2011-01-18 16:17:47 +0000 | [diff] [blame] | 99 | unsigned int output_max_len ); |
| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 100 | |
| 101 | /** |
| 102 | * \brief Do a private RSA to sign a message digest |
| 103 | * |
| 104 | * \param ctx PKCS #11 context |
| 105 | * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature |
| 106 | * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512} |
| 107 | * \param hashlen message digest length (for SIG_RSA_RAW only) |
| 108 | * \param hash buffer holding the message digest |
| 109 | * \param sig buffer that will hold the ciphertext |
| 110 | * |
| 111 | * \return 0 if the signing operation was successful, |
| 112 | * or an POLARSSL_ERR_RSA_XXX error code |
| 113 | * |
| 114 | * \note The "sig" buffer must be as large as the size |
| 115 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
| 116 | */ |
| 117 | int pkcs11_sign( pkcs11_context *ctx, |
| 118 | int mode, |
| 119 | int hash_id, |
| Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 120 | unsigned int hashlen, |
| Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 121 | const unsigned char *hash, |
| 122 | unsigned char *sig ); |
| 123 | |
| 124 | #endif /* POLARSSL_PKCS11_C */ |
| 125 | |
| Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 126 | #endif /* POLARSSL_PKCS11_H */ |