Go to most recent revision | Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 5496 | leency | 1 | /** |
| 2 | * \file pkcs11.h |
||
| 3 | * |
||
| 4 | * \brief Wrapper for PKCS#11 library libpkcs11-helper |
||
| 5 | * |
||
| 6 | * \author Adriaan de Jong |
||
| 7 | * |
||
| 8 | * Copyright (C) 2006-2011, Brainspark B.V. |
||
| 9 | * |
||
| 10 | * This file is part of PolarSSL (http://www.polarssl.org) |
||
| 11 | * Lead Maintainer: Paul Bakker |
||
| 12 | * |
||
| 13 | * All rights reserved. |
||
| 14 | * |
||
| 15 | * This program is free software; you can redistribute it and/or modify |
||
| 16 | * it under the terms of the GNU General Public License as published by |
||
| 17 | * the Free Software Foundation; either version 2 of the License, or |
||
| 18 | * (at your option) any later version. |
||
| 19 | * |
||
| 20 | * This program is distributed in the hope that it will be useful, |
||
| 21 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
| 22 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
| 23 | * GNU General Public License for more details. |
||
| 24 | * |
||
| 25 | * You should have received a copy of the GNU General Public License along |
||
| 26 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
| 27 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
| 28 | */ |
||
| 29 | #ifndef POLARSSL_PKCS11_H |
||
| 30 | #define POLARSSL_PKCS11_H |
||
| 31 | |||
| 32 | #include "config.h" |
||
| 33 | |||
| 34 | #if defined(POLARSSL_PKCS11_C) |
||
| 35 | |||
| 36 | #include "x509.h" |
||
| 37 | |||
| 38 | #include |
||
| 39 | |||
| 40 | #if defined(_MSC_VER) && !defined(inline) |
||
| 41 | #define inline _inline |
||
| 42 | #else |
||
| 43 | #if defined(__ARMCC_VERSION) && !defined(inline) |
||
| 44 | #define inline __inline |
||
| 45 | #endif /* __ARMCC_VERSION */ |
||
| 46 | #endif /*_MSC_VER */ |
||
| 47 | |||
| 48 | /** |
||
| 49 | * Context for PKCS #11 private keys. |
||
| 50 | */ |
||
| 51 | typedef struct { |
||
| 52 | pkcs11h_certificate_t pkcs11h_cert; |
||
| 53 | int len; |
||
| 54 | } pkcs11_context; |
||
| 55 | |||
| 56 | /** |
||
| 57 | * Fill in a PolarSSL certificate, based on the given PKCS11 helper certificate. |
||
| 58 | * |
||
| 59 | * \param cert X.509 certificate to fill |
||
| 60 | * \param pkcs11h_cert PKCS #11 helper certificate |
||
| 61 | * |
||
| 62 | * \return 0 on success. |
||
| 63 | */ |
||
| 64 | int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11h_cert ); |
||
| 65 | |||
| 66 | /** |
||
| 67 | * Initialise a pkcs11_context, storing the given certificate. Note that the |
||
| 68 | * pkcs11_context will take over control of the certificate, freeing it when |
||
| 69 | * done. |
||
| 70 | * |
||
| 71 | * \param priv_key Private key structure to fill. |
||
| 72 | * \param pkcs11_cert PKCS #11 helper certificate |
||
| 73 | * |
||
| 74 | * \return 0 on success |
||
| 75 | */ |
||
| 76 | int pkcs11_priv_key_init( pkcs11_context *priv_key, |
||
| 77 | pkcs11h_certificate_t pkcs11_cert ); |
||
| 78 | |||
| 79 | /** |
||
| 80 | * Free the contents of the given private key context. Note that the structure |
||
| 81 | * itself is not freed. |
||
| 82 | * |
||
| 83 | * \param priv_key Private key structure to cleanup |
||
| 84 | */ |
||
| 85 | void pkcs11_priv_key_free( pkcs11_context *priv_key ); |
||
| 86 | |||
| 87 | /** |
||
| 88 | * \brief Do an RSA private key decrypt, then remove the message padding |
||
| 89 | * |
||
| 90 | * \param ctx PKCS #11 context |
||
| 91 | * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature |
||
| 92 | * \param input buffer holding the encrypted data |
||
| 93 | * \param output buffer that will hold the plaintext |
||
| 94 | * \param olen will contain the plaintext length |
||
| 95 | * \param output_max_len maximum length of the output buffer |
||
| 96 | * |
||
| 97 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
||
| 98 | * |
||
| 99 | * \note The output buffer must be as large as the size |
||
| 100 | * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise |
||
| 101 | * an error is thrown. |
||
| 102 | */ |
||
| 103 | int pkcs11_decrypt( pkcs11_context *ctx, |
||
| 104 | int mode, size_t *olen, |
||
| 105 | const unsigned char *input, |
||
| 106 | unsigned char *output, |
||
| 107 | size_t output_max_len ); |
||
| 108 | |||
| 109 | /** |
||
| 110 | * \brief Do a private RSA to sign a message digest |
||
| 111 | * |
||
| 112 | * \param ctx PKCS #11 context |
||
| 113 | * \param mode must be RSA_PRIVATE, for compatibility with rsa.c's signature |
||
| 114 | * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512} |
||
| 115 | * \param hashlen message digest length (for SIG_RSA_RAW only) |
||
| 116 | * \param hash buffer holding the message digest |
||
| 117 | * \param sig buffer that will hold the ciphertext |
||
| 118 | * |
||
| 119 | * \return 0 if the signing operation was successful, |
||
| 120 | * or an POLARSSL_ERR_RSA_XXX error code |
||
| 121 | * |
||
| 122 | * \note The "sig" buffer must be as large as the size |
||
| 123 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
||
| 124 | */ |
||
| 125 | int pkcs11_sign( pkcs11_context *ctx, |
||
| 126 | int mode, |
||
| 127 | int hash_id, |
||
| 128 | unsigned int hashlen, |
||
| 129 | const unsigned char *hash, |
||
| 130 | unsigned char *sig ); |
||
| 131 | |||
| 132 | /** |
||
| 133 | * SSL/TLS wrappers for PKCS#11 functions |
||
| 134 | */ |
||
| 135 | static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen, |
||
| 136 | const unsigned char *input, unsigned char *output, |
||
| 137 | size_t output_max_len ) |
||
| 138 | { |
||
| 139 | return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output, |
||
| 140 | output_max_len ); |
||
| 141 | } |
||
| 142 | |||
| 143 | static inline int ssl_pkcs11_sign( void *ctx, |
||
| 144 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, |
||
| 145 | int mode, int hash_id, unsigned int hashlen, |
||
| 146 | const unsigned char *hash, unsigned char *sig ) |
||
| 147 | { |
||
| 148 | ((void) f_rng); |
||
| 149 | ((void) p_rng); |
||
| 150 | return pkcs11_sign( (pkcs11_context *) ctx, mode, hash_id, |
||
| 151 | hashlen, hash, sig ); |
||
| 152 | } |
||
| 153 | |||
| 154 | static inline size_t ssl_pkcs11_key_len( void *ctx ) |
||
| 155 | { |
||
| 156 | return ( (pkcs11_context *) ctx )->len; |
||
| 157 | } |
||
| 158 | |||
| 159 | #endif /* POLARSSL_PKCS11_C */ |
||
| 160 | |||
| 161 | #endif /* POLARSSL_PKCS11_H */ |