1 /**
2  * \file pkcs11.h
3  *
4  * \brief Wrapper for PKCS#11 library libpkcs11-helper
5  *
6  * \author Adriaan de Jong <dejong@fox-it.com>
7  */
8 /*
9  *  Copyright The Mbed TLS Contributors
10  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
11  *
12  *  This file is provided under the Apache License 2.0, or the
13  *  GNU General Public License v2.0 or later.
14  *
15  *  **********
16  *  Apache License 2.0:
17  *
18  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
19  *  not use this file except in compliance with the License.
20  *  You may obtain a copy of the License at
21  *
22  *  http://www.apache.org/licenses/LICENSE-2.0
23  *
24  *  Unless required by applicable law or agreed to in writing, software
25  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
26  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
27  *  See the License for the specific language governing permissions and
28  *  limitations under the License.
29  *
30  *  **********
31  *
32  *  **********
33  *  GNU General Public License v2.0 or later:
34  *
35  *  This program is free software; you can redistribute it and/or modify
36  *  it under the terms of the GNU General Public License as published by
37  *  the Free Software Foundation; either version 2 of the License, or
38  *  (at your option) any later version.
39  *
40  *  This program is distributed in the hope that it will be useful,
41  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
42  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
43  *  GNU General Public License for more details.
44  *
45  *  You should have received a copy of the GNU General Public License along
46  *  with this program; if not, write to the Free Software Foundation, Inc.,
47  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
48  *
49  *  **********
50  */
51 #ifndef MBEDTLS_PKCS11_H
52 #define MBEDTLS_PKCS11_H
53 
54 #if !defined(MBEDTLS_CONFIG_FILE)
55 #include "config.h"
56 #else
57 #include MBEDTLS_CONFIG_FILE
58 #endif
59 
60 #if defined(MBEDTLS_PKCS11_C)
61 
62 #include "x509_crt.h"
63 
64 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
65 
66 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
67     !defined(inline) && !defined(__cplusplus)
68 #define inline __inline
69 #endif
70 
71 #ifdef __cplusplus
72 extern "C" {
73 #endif
74 
75 /**
76  * Context for PKCS #11 private keys.
77  */
78 typedef struct mbedtls_pkcs11_context
79 {
80         pkcs11h_certificate_t pkcs11h_cert;
81         int len;
82 } mbedtls_pkcs11_context;
83 
84 /**
85  * Initialize a mbedtls_pkcs11_context.
86  * (Just making memory references valid.)
87  */
88 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
89 
90 /**
91  * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
92  *
93  * \param cert          X.509 certificate to fill
94  * \param pkcs11h_cert  PKCS #11 helper certificate
95  *
96  * \return              0 on success.
97  */
98 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
99 
100 /**
101  * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
102  * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
103  * done.
104  *
105  * \param priv_key      Private key structure to fill.
106  * \param pkcs11_cert   PKCS #11 helper certificate
107  *
108  * \return              0 on success
109  */
110 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
111         pkcs11h_certificate_t pkcs11_cert );
112 
113 /**
114  * Free the contents of the given private key context. Note that the structure
115  * itself is not freed.
116  *
117  * \param priv_key      Private key structure to cleanup
118  */
119 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
120 
121 /**
122  * \brief          Do an RSA private key decrypt, then remove the message
123  *                 padding
124  *
125  * \param ctx      PKCS #11 context
126  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
127  * \param input    buffer holding the encrypted data
128  * \param output   buffer that will hold the plaintext
129  * \param olen     will contain the plaintext length
130  * \param output_max_len    maximum length of the output buffer
131  *
132  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
133  *
134  * \note           The output buffer must be as large as the size
135  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
136  *                 an error is thrown.
137  */
138 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
139                        int mode, size_t *olen,
140                        const unsigned char *input,
141                        unsigned char *output,
142                        size_t output_max_len );
143 
144 /**
145  * \brief          Do a private RSA to sign a message digest
146  *
147  * \param ctx      PKCS #11 context
148  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
149  * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
150  * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
151  * \param hash     buffer holding the message digest
152  * \param sig      buffer that will hold the ciphertext
153  *
154  * \return         0 if the signing operation was successful,
155  *                 or an MBEDTLS_ERR_RSA_XXX error code
156  *
157  * \note           The "sig" buffer must be as large as the size
158  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
159  */
160 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
161                     int mode,
162                     mbedtls_md_type_t md_alg,
163                     unsigned int hashlen,
164                     const unsigned char *hash,
165                     unsigned char *sig );
166 
167 /**
168  * SSL/TLS wrappers for PKCS#11 functions
169  */
mbedtls_ssl_pkcs11_decrypt(void * ctx,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)170 static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
171                         const unsigned char *input, unsigned char *output,
172                         size_t output_max_len )
173 {
174     return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
175                            output_max_len );
176 }
177 
mbedtls_ssl_pkcs11_sign(void * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)178 static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
179                      int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
180                      int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
181                      const unsigned char *hash, unsigned char *sig )
182 {
183     ((void) f_rng);
184     ((void) p_rng);
185     return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
186                         hashlen, hash, sig );
187 }
188 
mbedtls_ssl_pkcs11_key_len(void * ctx)189 static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
190 {
191     return ( (mbedtls_pkcs11_context *) ctx )->len;
192 }
193 
194 #ifdef __cplusplus
195 }
196 #endif
197 
198 #endif /* MBEDTLS_PKCS11_C */
199 
200 #endif /* MBEDTLS_PKCS11_H */
201