4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
6 * \author Adriaan de Jong <dejong@fox-it.com>
8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9 * SPDX-License-Identifier: Apache-2.0
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
15 * http://www.apache.org/licenses/LICENSE-2.0
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
23 * This file is part of mbed TLS (https://tls.mbed.org)
26 #include "mbedtls/pkcs11.h"
28 #if defined(MBEDTLS_PKCS11_C)
30 #include "mbedtls/md.h"
31 #include "mbedtls/oid.h"
32 #include "mbedtls/x509_crt.h"
34 #if defined(MBEDTLS_PLATFORM_C)
35 #include "mbedtls/platform.h"
38 #define mbedtls_calloc calloc
39 #define mbedtls_free free
44 void mbedtls_pkcs11_init( mbedtls_pkcs11_context
*ctx
)
46 memset( ctx
, 0, sizeof( mbedtls_pkcs11_context
) );
49 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt
*cert
, pkcs11h_certificate_t pkcs11_cert
)
52 unsigned char *cert_blob
= NULL
;
53 size_t cert_blob_size
= 0;
61 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert
, NULL
,
62 &cert_blob_size
) != CKR_OK
)
68 cert_blob
= mbedtls_calloc( 1, cert_blob_size
);
69 if( NULL
== cert_blob
)
75 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert
, cert_blob
,
76 &cert_blob_size
) != CKR_OK
)
82 if( 0 != mbedtls_x509_crt_parse( cert
, cert_blob
, cert_blob_size
) )
91 if( NULL
!= cert_blob
)
92 mbedtls_free( cert_blob
);
98 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context
*priv_key
,
99 pkcs11h_certificate_t pkcs11_cert
)
102 mbedtls_x509_crt cert
;
104 mbedtls_x509_crt_init( &cert
);
106 if( priv_key
== NULL
)
109 if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert
, pkcs11_cert
) )
112 priv_key
->len
= mbedtls_pk_get_len( &cert
.pk
);
113 priv_key
->pkcs11h_cert
= pkcs11_cert
;
118 mbedtls_x509_crt_free( &cert
);
123 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context
*priv_key
)
125 if( NULL
!= priv_key
)
126 pkcs11h_certificate_freeCertificate( priv_key
->pkcs11h_cert
);
129 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context
*ctx
,
130 int mode
, size_t *olen
,
131 const unsigned char *input
,
132 unsigned char *output
,
133 size_t output_max_len
)
135 size_t input_len
, output_len
;
138 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
140 if( MBEDTLS_RSA_PRIVATE
!= mode
)
141 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
143 output_len
= input_len
= ctx
->len
;
145 if( input_len
< 16 || input_len
> output_max_len
)
146 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
148 /* Determine size of output buffer */
149 if( pkcs11h_certificate_decryptAny( ctx
->pkcs11h_cert
, CKM_RSA_PKCS
, input
,
150 input_len
, NULL
, &output_len
) != CKR_OK
)
152 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
155 if( output_len
> output_max_len
)
156 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
);
158 if( pkcs11h_certificate_decryptAny( ctx
->pkcs11h_cert
, CKM_RSA_PKCS
, input
,
159 input_len
, output
, &output_len
) != CKR_OK
)
161 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
167 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context
*ctx
,
169 mbedtls_md_type_t md_alg
,
170 unsigned int hashlen
,
171 const unsigned char *hash
,
174 size_t sig_len
= 0, asn_len
= 0, oid_size
= 0;
175 unsigned char *p
= sig
;
179 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
181 if( MBEDTLS_RSA_PRIVATE
!= mode
)
182 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
184 if( md_alg
!= MBEDTLS_MD_NONE
)
186 const mbedtls_md_info_t
*md_info
= mbedtls_md_info_from_type( md_alg
);
187 if( md_info
== NULL
)
188 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
190 if( mbedtls_oid_get_oid_by_md( md_alg
, &oid
, &oid_size
) != 0 )
191 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
193 hashlen
= mbedtls_md_get_size( md_info
);
194 asn_len
= 10 + oid_size
;
198 if( hashlen
> sig_len
|| asn_len
> sig_len
||
199 hashlen
+ asn_len
> sig_len
)
201 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
204 if( md_alg
!= MBEDTLS_MD_NONE
)
207 * DigestInfo ::= SEQUENCE {
208 * digestAlgorithm DigestAlgorithmIdentifier,
211 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
213 * Digest ::= OCTET STRING
215 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
216 *p
++ = (unsigned char) ( 0x08 + oid_size
+ hashlen
);
217 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
218 *p
++ = (unsigned char) ( 0x04 + oid_size
);
219 *p
++ = MBEDTLS_ASN1_OID
;
220 *p
++ = oid_size
& 0xFF;
221 memcpy( p
, oid
, oid_size
);
223 *p
++ = MBEDTLS_ASN1_NULL
;
225 *p
++ = MBEDTLS_ASN1_OCTET_STRING
;
229 memcpy( p
, hash
, hashlen
);
231 if( pkcs11h_certificate_signAny( ctx
->pkcs11h_cert
, CKM_RSA_PKCS
, sig
,
232 asn_len
+ hashlen
, sig
, &sig_len
) != CKR_OK
)
234 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
240 #endif /* defined(MBEDTLS_PKCS11_C) */