4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
6 * \author Adriaan de Jong <dejong@fox-it.com>
8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9 * SPDX-License-Identifier: Apache-2.0
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
15 * http://www.apache.org/licenses/LICENSE-2.0
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
23 * This file is part of mbed TLS (https://tls.mbed.org)
25 #ifndef MBEDTLS_PKCS11_H
26 #define MBEDTLS_PKCS11_H
28 #if !defined(MBEDTLS_CONFIG_FILE)
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_PKCS11_C)
38 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
40 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && !defined(inline)
41 #define inline __inline
49 * Context for PKCS #11 private keys.
52 pkcs11h_certificate_t pkcs11h_cert
;
54 } mbedtls_pkcs11_context
;
57 * Initialize a mbetls_pkcs11_context.
58 * (Just making memory references valid.)
60 void mbedtls_pkcs11_init( mbedtls_pkcs11_context
*ctx
);
63 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
65 * \param cert X.509 certificate to fill
66 * \param pkcs11h_cert PKCS #11 helper certificate
68 * \return 0 on success.
70 int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt
*cert
, pkcs11h_certificate_t pkcs11h_cert
);
73 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
74 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
77 * \param priv_key Private key structure to fill.
78 * \param pkcs11_cert PKCS #11 helper certificate
80 * \return 0 on success
82 int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context
*priv_key
,
83 pkcs11h_certificate_t pkcs11_cert
);
86 * Free the contents of the given private key context. Note that the structure
87 * itself is not freed.
89 * \param priv_key Private key structure to cleanup
91 void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context
*priv_key
);
94 * \brief Do an RSA private key decrypt, then remove the message
97 * \param ctx PKCS #11 context
98 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
99 * \param input buffer holding the encrypted data
100 * \param output buffer that will hold the plaintext
101 * \param olen will contain the plaintext length
102 * \param output_max_len maximum length of the output buffer
104 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
106 * \note The output buffer must be as large as the size
107 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
108 * an error is thrown.
110 int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context
*ctx
,
111 int mode
, size_t *olen
,
112 const unsigned char *input
,
113 unsigned char *output
,
114 size_t output_max_len
);
117 * \brief Do a private RSA to sign a message digest
119 * \param ctx PKCS #11 context
120 * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
121 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
122 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
123 * \param hash buffer holding the message digest
124 * \param sig buffer that will hold the ciphertext
126 * \return 0 if the signing operation was successful,
127 * or an MBEDTLS_ERR_RSA_XXX error code
129 * \note The "sig" buffer must be as large as the size
130 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
132 int mbedtls_pkcs11_sign( mbedtls_pkcs11_context
*ctx
,
134 mbedtls_md_type_t md_alg
,
135 unsigned int hashlen
,
136 const unsigned char *hash
,
137 unsigned char *sig
);
140 * SSL/TLS wrappers for PKCS#11 functions
142 static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx
, int mode
, size_t *olen
,
143 const unsigned char *input
, unsigned char *output
,
144 size_t output_max_len
)
146 return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context
*) ctx
, mode
, olen
, input
, output
,
150 static inline int mbedtls_ssl_pkcs11_sign( void *ctx
,
151 int (*f_rng
)(void *, unsigned char *, size_t), void *p_rng
,
152 int mode
, mbedtls_md_type_t md_alg
, unsigned int hashlen
,
153 const unsigned char *hash
, unsigned char *sig
)
157 return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context
*) ctx
, mode
, md_alg
,
158 hashlen
, hash
, sig
);
161 static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx
)
163 return ( (mbedtls_pkcs11_context
*) ctx
)->len
;
170 #endif /* MBEDTLS_PKCS11_C */
172 #endif /* MBEDTLS_PKCS11_H */