253 lines
9.2 KiB
C++
253 lines
9.2 KiB
C++
/**
|
|
* \file pkcs11.h
|
|
*
|
|
* \brief Wrapper for PKCS#11 library libpkcs11-helper
|
|
*
|
|
* \author Adriaan de Jong <dejong@fox-it.com>
|
|
*/
|
|
/*
|
|
* Copyright The Mbed TLS Contributors
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
#ifndef MBEDTLS_PKCS11_H
|
|
#define MBEDTLS_PKCS11_H
|
|
|
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
|
#include "mbedtls/config.h"
|
|
#else
|
|
#include MBEDTLS_CONFIG_FILE
|
|
#endif
|
|
|
|
#if defined(MBEDTLS_PKCS11_C)
|
|
|
|
#include "mbedtls/x509_crt.h"
|
|
|
|
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
|
|
|
|
#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
|
|
!defined(inline) && !defined(__cplusplus)
|
|
#define inline __inline
|
|
#endif
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
#if defined(MBEDTLS_DEPRECATED_REMOVED)
|
|
|
|
/**
|
|
* Context for PKCS #11 private keys.
|
|
*/
|
|
typedef struct mbedtls_pkcs11_context {
|
|
pkcs11h_certificate_t pkcs11h_cert;
|
|
int len;
|
|
} mbedtls_pkcs11_context;
|
|
|
|
#if defined(MBEDTLS_DEPRECATED_WARNING)
|
|
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
|
|
#else
|
|
#define MBEDTLS_DEPRECATED
|
|
#endif
|
|
|
|
/**
|
|
* Initialize a mbedtls_pkcs11_context.
|
|
* (Just making memory references valid.)
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a
|
|
* future version of the library.
|
|
*/
|
|
MBEDTLS_DEPRECATED void mbedtls_pkcs11_init(mbedtls_pkcs11_context *ctx);
|
|
|
|
/**
|
|
* Fill in a Mbed TLS certificate, based on the given PKCS11 helper certificate.
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a
|
|
* future version of the library.
|
|
*
|
|
* \param cert X.509 certificate to fill
|
|
* \param pkcs11h_cert PKCS #11 helper certificate
|
|
*
|
|
* \return 0 on success.
|
|
*/
|
|
MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind(mbedtls_x509_crt *cert,
|
|
pkcs11h_certificate_t pkcs11h_cert);
|
|
|
|
/**
|
|
* Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
|
|
* mbedtls_pkcs11_context will take over control of the certificate, freeing it when
|
|
* done.
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a
|
|
* future version of the library.
|
|
*
|
|
* \param priv_key Private key structure to fill.
|
|
* \param pkcs11_cert PKCS #11 helper certificate
|
|
*
|
|
* \return 0 on success
|
|
*/
|
|
MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
|
|
mbedtls_pkcs11_context *priv_key,
|
|
pkcs11h_certificate_t pkcs11_cert);
|
|
|
|
/**
|
|
* Free the contents of the given private key context. Note that the structure
|
|
* itself is not freed.
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a
|
|
* future version of the library.
|
|
*
|
|
* \param priv_key Private key structure to cleanup
|
|
*/
|
|
MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
|
|
mbedtls_pkcs11_context *priv_key);
|
|
|
|
/**
|
|
* \brief Do an RSA private key decrypt, then remove the message
|
|
* padding
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a future
|
|
* version of the library.
|
|
*
|
|
* \param ctx PKCS #11 context
|
|
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
|
|
* \param input buffer holding the encrypted data
|
|
* \param output buffer that will hold the plaintext
|
|
* \param olen will contain the plaintext length
|
|
* \param output_max_len maximum length of the output buffer
|
|
*
|
|
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
|
|
*
|
|
* \note The output buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
|
|
* an error is thrown.
|
|
*/
|
|
MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt(mbedtls_pkcs11_context *ctx,
|
|
int mode, size_t *olen,
|
|
const unsigned char *input,
|
|
unsigned char *output,
|
|
size_t output_max_len);
|
|
|
|
/**
|
|
* \brief Do a private RSA to sign a message digest
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a future
|
|
* version of the library.
|
|
*
|
|
* \param ctx PKCS #11 context
|
|
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
|
|
* \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
|
|
* \param hashlen message digest length (for MBEDTLS_MD_NONE only)
|
|
* \param hash buffer holding the message digest
|
|
* \param sig buffer that will hold the ciphertext
|
|
*
|
|
* \return 0 if the signing operation was successful,
|
|
* or an MBEDTLS_ERR_RSA_XXX error code
|
|
*
|
|
* \note The "sig" buffer must be as large as the size
|
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
|
*/
|
|
MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign(mbedtls_pkcs11_context *ctx,
|
|
int mode,
|
|
mbedtls_md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig);
|
|
|
|
/**
|
|
* SSL/TLS wrappers for PKCS#11 functions
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a future
|
|
* version of the library.
|
|
*/
|
|
MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt(void *ctx,
|
|
int mode,
|
|
size_t *olen,
|
|
const unsigned char *input,
|
|
unsigned char *output,
|
|
size_t output_max_len)
|
|
{
|
|
return mbedtls_pkcs11_decrypt((mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
|
|
output_max_len);
|
|
}
|
|
|
|
/**
|
|
* \brief This function signs a message digest using RSA.
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a future
|
|
* version of the library.
|
|
*
|
|
* \param ctx The PKCS #11 context.
|
|
* \param f_rng The RNG function. This parameter is unused.
|
|
* \param p_rng The RNG context. This parameter is unused.
|
|
* \param mode The operation to run. This must be set to
|
|
* MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
|
|
* signature.
|
|
* \param md_alg The message digest algorithm. One of the MBEDTLS_MD_XXX
|
|
* must be passed to this function and MBEDTLS_MD_NONE can be
|
|
* used for signing raw data.
|
|
* \param hashlen The message digest length (for MBEDTLS_MD_NONE only).
|
|
* \param hash The buffer holding the message digest.
|
|
* \param sig The buffer that will hold the ciphertext.
|
|
*
|
|
* \return \c 0 if the signing operation was successful.
|
|
* \return A non-zero error code on failure.
|
|
*
|
|
* \note The \p sig buffer must be as large as the size of
|
|
* <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
|
|
* used.
|
|
*/
|
|
MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign(void *ctx,
|
|
int (*f_rng)(void *,
|
|
unsigned char *,
|
|
size_t),
|
|
void *p_rng,
|
|
int mode,
|
|
mbedtls_md_type_t md_alg,
|
|
unsigned int hashlen,
|
|
const unsigned char *hash,
|
|
unsigned char *sig)
|
|
{
|
|
((void) f_rng);
|
|
((void) p_rng);
|
|
return mbedtls_pkcs11_sign((mbedtls_pkcs11_context *) ctx, mode, md_alg,
|
|
hashlen, hash, sig);
|
|
}
|
|
|
|
/**
|
|
* This function gets the length of the private key.
|
|
*
|
|
* \deprecated This function is deprecated and will be removed in a future
|
|
* version of the library.
|
|
*
|
|
* \param ctx The PKCS #11 context.
|
|
*
|
|
* \return The length of the private key.
|
|
*/
|
|
MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len(void *ctx)
|
|
{
|
|
return ((mbedtls_pkcs11_context *) ctx)->len;
|
|
}
|
|
|
|
#undef MBEDTLS_DEPRECATED
|
|
|
|
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* MBEDTLS_PKCS11_C */
|
|
|
|
#endif /* MBEDTLS_PKCS11_H */
|