1 /**
2  * \file pkcs11.h
3  *
4  * \brief Wrapper for PKCS#11 library libpkcs11-helper
5  *
6  * \author Adriaan de Jong <dejong@fox-it.com>
7  */
8 /*
9  *  Copyright The Mbed TLS Contributors
10  *  SPDX-License-Identifier: Apache-2.0
11  *
12  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
13  *  not use this file except in compliance with the License.
14  *  You may obtain a copy of the License at
15  *
16  *  http://www.apache.org/licenses/LICENSE-2.0
17  *
18  *  Unless required by applicable law or agreed to in writing, software
19  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
20  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21  *  See the License for the specific language governing permissions and
22  *  limitations under the License.
23  */
24 #ifndef MBEDTLS_PKCS11_H
25 #define MBEDTLS_PKCS11_H
26 
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32 
33 #if defined(MBEDTLS_PKCS11_C)
34 
35 #include "mbedtls/x509_crt.h"
36 
37 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
38 
39 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
40     !defined(inline) && !defined(__cplusplus)
41 #define inline __inline
42 #endif
43 
44 #ifdef __cplusplus
45 extern "C" {
46 #endif
47 
48 #if defined(MBEDTLS_DEPRECATED_REMOVED)
49 
50 /**
51  * Context for PKCS #11 private keys.
52  */
53 typedef struct mbedtls_pkcs11_context
54 {
55         pkcs11h_certificate_t pkcs11h_cert;
56         int len;
57 } mbedtls_pkcs11_context;
58 
59 #if defined(MBEDTLS_DEPRECATED_WARNING)
60 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
61 #else
62 #define MBEDTLS_DEPRECATED
63 #endif
64 
65 /**
66  * Initialize a mbedtls_pkcs11_context.
67  * (Just making memory references valid.)
68  *
69  * \deprecated          This function is deprecated and will be removed in a
70  *                      future version of the library.
71  */
72 MBEDTLS_DEPRECATED void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
73 
74 /**
75  * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
76  *
77  * \deprecated          This function is deprecated and will be removed in a
78  *                      future version of the library.
79  *
80  * \param cert          X.509 certificate to fill
81  * \param pkcs11h_cert  PKCS #11 helper certificate
82  *
83  * \return              0 on success.
84  */
85 MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert,
86                                         pkcs11h_certificate_t pkcs11h_cert );
87 
88 /**
89  * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
90  * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
91  * done.
92  *
93  * \deprecated          This function is deprecated and will be removed in a
94  *                      future version of the library.
95  *
96  * \param priv_key      Private key structure to fill.
97  * \param pkcs11_cert   PKCS #11 helper certificate
98  *
99  * \return              0 on success
100  */
101 MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
102                                         mbedtls_pkcs11_context *priv_key,
103                                         pkcs11h_certificate_t pkcs11_cert );
104 
105 /**
106  * Free the contents of the given private key context. Note that the structure
107  * itself is not freed.
108  *
109  * \deprecated          This function is deprecated and will be removed in a
110  *                      future version of the library.
111  *
112  * \param priv_key      Private key structure to cleanup
113  */
114 MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
115                                             mbedtls_pkcs11_context *priv_key );
116 
117 /**
118  * \brief          Do an RSA private key decrypt, then remove the message
119  *                 padding
120  *
121  * \deprecated     This function is deprecated and will be removed in a future
122  *                 version of the library.
123  *
124  * \param ctx      PKCS #11 context
125  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
126  * \param input    buffer holding the encrypted data
127  * \param output   buffer that will hold the plaintext
128  * \param olen     will contain the plaintext length
129  * \param output_max_len    maximum length of the output buffer
130  *
131  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
132  *
133  * \note           The output buffer must be as large as the size
134  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
135  *                 an error is thrown.
136  */
137 MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
138                                                int mode, size_t *olen,
139                                                const unsigned char *input,
140                                                unsigned char *output,
141                                                size_t output_max_len );
142 
143 /**
144  * \brief          Do a private RSA to sign a message digest
145  *
146  * \deprecated     This function is deprecated and will be removed in a future
147  *                 version of the library.
148  *
149  * \param ctx      PKCS #11 context
150  * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
151  * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
152  * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
153  * \param hash     buffer holding the message digest
154  * \param sig      buffer that will hold the ciphertext
155  *
156  * \return         0 if the signing operation was successful,
157  *                 or an MBEDTLS_ERR_RSA_XXX error code
158  *
159  * \note           The "sig" buffer must be as large as the size
160  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
161  */
162 MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
163                                             int mode,
164                                             mbedtls_md_type_t md_alg,
165                                             unsigned int hashlen,
166                                             const unsigned char *hash,
167                                             unsigned char *sig );
168 
169 /**
170  * SSL/TLS wrappers for PKCS#11 functions
171  *
172  * \deprecated     This function is deprecated and will be removed in a future
173  *                 version of the library.
174  */
mbedtls_ssl_pkcs11_decrypt(void * ctx,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)175 MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx,
176                             int mode, size_t *olen,
177                             const unsigned char *input, unsigned char *output,
178                             size_t output_max_len )
179 {
180     return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
181                            output_max_len );
182 }
183 
184 /**
185  * \brief          This function signs a message digest using RSA.
186  *
187  * \deprecated     This function is deprecated and will be removed in a future
188  *                 version of the library.
189  *
190  * \param ctx      The PKCS #11 context.
191  * \param f_rng    The RNG function. This parameter is unused.
192  * \param p_rng    The RNG context. This parameter is unused.
193  * \param mode     The operation to run. This must be set to
194  *                 MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
195  *                 signature.
196  * \param md_alg   The message digest algorithm. One of the MBEDTLS_MD_XXX
197  *                 must be passed to this function and MBEDTLS_MD_NONE can be
198  *                 used for signing raw data.
199  * \param hashlen  The message digest length (for MBEDTLS_MD_NONE only).
200  * \param hash     The buffer holding the message digest.
201  * \param sig      The buffer that will hold the ciphertext.
202  *
203  * \return         \c 0 if the signing operation was successful.
204  * \return         A non-zero error code on failure.
205  *
206  * \note           The \p sig buffer must be as large as the size of
207  *                 <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
208  *                 used.
209  */
mbedtls_ssl_pkcs11_sign(void * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)210 MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
211                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
212                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
213                     const unsigned char *hash, unsigned char *sig )
214 {
215     ((void) f_rng);
216     ((void) p_rng);
217     return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
218                         hashlen, hash, sig );
219 }
220 
221 /**
222  * This function gets the length of the private key.
223  *
224  * \deprecated     This function is deprecated and will be removed in a future
225  *                 version of the library.
226  *
227  * \param ctx      The PKCS #11 context.
228  *
229  * \return         The length of the private key.
230  */
mbedtls_ssl_pkcs11_key_len(void * ctx)231 MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
232 {
233     return ( (mbedtls_pkcs11_context *) ctx )->len;
234 }
235 
236 #undef MBEDTLS_DEPRECATED
237 
238 #endif /* MBEDTLS_DEPRECATED_REMOVED */
239 
240 #ifdef __cplusplus
241 }
242 #endif
243 
244 #endif /* MBEDTLS_PKCS11_C */
245 
246 #endif /* MBEDTLS_PKCS11_H */
247