1 /**
2 * \file pkcs11.h
3 *
4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 */
8 /*
9 * Copyright The Mbed TLS Contributors
10 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
11 */
12 #ifndef MBEDTLS_PKCS11_H
13 #define MBEDTLS_PKCS11_H
14
15 #if !defined(MBEDTLS_CONFIG_FILE)
16 #include "mbedtls/config.h"
17 #else
18 #include MBEDTLS_CONFIG_FILE
19 #endif
20
21 #if defined(MBEDTLS_PKCS11_C)
22
23 #include "mbedtls/x509_crt.h"
24
25 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
26
27 #if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
28 !defined(inline) && !defined(__cplusplus)
29 #define inline __inline
30 #endif
31
32 #ifdef __cplusplus
33 extern "C" {
34 #endif
35
36 #if defined(MBEDTLS_DEPRECATED_REMOVED)
37
38 /**
39 * Context for PKCS #11 private keys.
40 */
41 typedef struct mbedtls_pkcs11_context {
42 pkcs11h_certificate_t pkcs11h_cert;
43 int len;
44 } mbedtls_pkcs11_context;
45
46 #if defined(MBEDTLS_DEPRECATED_WARNING)
47 #define MBEDTLS_DEPRECATED __attribute__((deprecated))
48 #else
49 #define MBEDTLS_DEPRECATED
50 #endif
51
52 /**
53 * Initialize a mbedtls_pkcs11_context.
54 * (Just making memory references valid.)
55 *
56 * \deprecated This function is deprecated and will be removed in a
57 * future version of the library.
58 */
59 MBEDTLS_DEPRECATED void mbedtls_pkcs11_init(mbedtls_pkcs11_context *ctx);
60
61 /**
62 * Fill in a Mbed TLS certificate, based on the given PKCS11 helper certificate.
63 *
64 * \deprecated This function is deprecated and will be removed in a
65 * future version of the library.
66 *
67 * \param cert X.509 certificate to fill
68 * \param pkcs11h_cert PKCS #11 helper certificate
69 *
70 * \return 0 on success.
71 */
72 MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind(mbedtls_x509_crt *cert,
73 pkcs11h_certificate_t pkcs11h_cert);
74
75 /**
76 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
77 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
78 * done.
79 *
80 * \deprecated This function is deprecated and will be removed in a
81 * future version of the library.
82 *
83 * \param priv_key Private key structure to fill.
84 * \param pkcs11_cert PKCS #11 helper certificate
85 *
86 * \return 0 on success
87 */
88 MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
89 mbedtls_pkcs11_context *priv_key,
90 pkcs11h_certificate_t pkcs11_cert);
91
92 /**
93 * Free the contents of the given private key context. Note that the structure
94 * itself is not freed.
95 *
96 * \deprecated This function is deprecated and will be removed in a
97 * future version of the library.
98 *
99 * \param priv_key Private key structure to cleanup
100 */
101 MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
102 mbedtls_pkcs11_context *priv_key);
103
104 /**
105 * \brief Do an RSA private key decrypt, then remove the message
106 * padding
107 *
108 * \deprecated This function is deprecated and will be removed in a future
109 * version of the library.
110 *
111 * \param ctx PKCS #11 context
112 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
113 * \param input buffer holding the encrypted data
114 * \param output buffer that will hold the plaintext
115 * \param olen will contain the plaintext length
116 * \param output_max_len maximum length of the output buffer
117 *
118 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
119 *
120 * \note The output buffer must be as large as the size
121 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
122 * an error is thrown.
123 */
124 MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt(mbedtls_pkcs11_context *ctx,
125 int mode, size_t *olen,
126 const unsigned char *input,
127 unsigned char *output,
128 size_t output_max_len);
129
130 /**
131 * \brief Do a private RSA to sign a message digest
132 *
133 * \deprecated This function is deprecated and will be removed in a future
134 * version of the library.
135 *
136 * \param ctx PKCS #11 context
137 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
138 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
139 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
140 * \param hash buffer holding the message digest
141 * \param sig buffer that will hold the ciphertext
142 *
143 * \return 0 if the signing operation was successful,
144 * or an MBEDTLS_ERR_RSA_XXX error code
145 *
146 * \note The "sig" buffer must be as large as the size
147 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
148 */
149 MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign(mbedtls_pkcs11_context *ctx,
150 int mode,
151 mbedtls_md_type_t md_alg,
152 unsigned int hashlen,
153 const unsigned char *hash,
154 unsigned char *sig);
155
156 /**
157 * SSL/TLS wrappers for PKCS#11 functions
158 *
159 * \deprecated This function is deprecated and will be removed in a future
160 * version of the library.
161 */
mbedtls_ssl_pkcs11_decrypt(void * ctx,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)162 MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt(void *ctx,
163 int mode,
164 size_t *olen,
165 const unsigned char *input,
166 unsigned char *output,
167 size_t output_max_len)
168 {
169 return mbedtls_pkcs11_decrypt((mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
170 output_max_len);
171 }
172
173 /**
174 * \brief This function signs a message digest using RSA.
175 *
176 * \deprecated This function is deprecated and will be removed in a future
177 * version of the library.
178 *
179 * \param ctx The PKCS #11 context.
180 * \param f_rng The RNG function. This parameter is unused.
181 * \param p_rng The RNG context. This parameter is unused.
182 * \param mode The operation to run. This must be set to
183 * MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
184 * signature.
185 * \param md_alg The message digest algorithm. One of the MBEDTLS_MD_XXX
186 * must be passed to this function and MBEDTLS_MD_NONE can be
187 * used for signing raw data.
188 * \param hashlen The message digest length (for MBEDTLS_MD_NONE only).
189 * \param hash The buffer holding the message digest.
190 * \param sig The buffer that will hold the ciphertext.
191 *
192 * \return \c 0 if the signing operation was successful.
193 * \return A non-zero error code on failure.
194 *
195 * \note The \p sig buffer must be as large as the size of
196 * <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
197 * used.
198 */
mbedtls_ssl_pkcs11_sign(void * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)199 MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign(void *ctx,
200 int (*f_rng)(void *,
201 unsigned char *,
202 size_t),
203 void *p_rng,
204 int mode,
205 mbedtls_md_type_t md_alg,
206 unsigned int hashlen,
207 const unsigned char *hash,
208 unsigned char *sig)
209 {
210 ((void) f_rng);
211 ((void) p_rng);
212 return mbedtls_pkcs11_sign((mbedtls_pkcs11_context *) ctx, mode, md_alg,
213 hashlen, hash, sig);
214 }
215
216 /**
217 * This function gets the length of the private key.
218 *
219 * \deprecated This function is deprecated and will be removed in a future
220 * version of the library.
221 *
222 * \param ctx The PKCS #11 context.
223 *
224 * \return The length of the private key.
225 */
mbedtls_ssl_pkcs11_key_len(void * ctx)226 MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len(void *ctx)
227 {
228 return ((mbedtls_pkcs11_context *) ctx)->len;
229 }
230
231 #undef MBEDTLS_DEPRECATED
232
233 #endif /* MBEDTLS_DEPRECATED_REMOVED */
234
235 #ifdef __cplusplus
236 }
237 #endif
238
239 #endif /* MBEDTLS_PKCS11_C */
240
241 #endif /* MBEDTLS_PKCS11_H */
242