mbed-os/pkcs11_8h_source.html

/**

 * \file pkcs11.h

 *

 * \brief Wrapper for PKCS#11 library libpkcs11-helper

 *

 * \author Adriaan de Jong <dejong@fox-it.com>

 */

/*

 *  Copyright The Mbed TLS Contributors

 *  SPDX-License-Identifier: Apache-2.0

 *

 *  Licensed under the Apache License, Version 2.0 (the "License"); you may

 *  not use this file except in compliance with the License.

 *  You may obtain a copy of the License at

 *

 *  http://www.apache.org/licenses/LICENSE-2.0

 *

 *  Unless required by applicable law or agreed to in writing, software

 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 *  See the License for the specific language governing permissions and

 *  limitations under the License.

 */

#ifndef MBEDTLS_PKCS11_H

#define MBEDTLS_PKCS11_H


#if !defined(MBEDTLS_CONFIG_FILE)

#include "mbedtls/config.h"

#else

#include MBEDTLS_CONFIG_FILE

#endif


#if defined(MBEDTLS_PKCS11_C)


#include "mbedtls/x509_crt.h"


#include <pkcs11-helper-1.0/pkcs11h-certificate.h>


#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \

    !defined(inline) && !defined(__cplusplus)

#define inline __inline

#endif


#ifdef __cplusplus

extern "C" {

#endif


#if defined(MBEDTLS_DEPRECATED_REMOVED)


/**

 * Context for PKCS #11 private keys.

 */

typedef struct mbedtls_pkcs11_context

{

        pkcs11h_certificate_t pkcs11h_cert;

        int len;

} mbedtls_pkcs11_context;


#if defined(MBEDTLS_DEPRECATED_WARNING)

#define MBEDTLS_DEPRECATED      __attribute__((deprecated))

#else

#define MBEDTLS_DEPRECATED

#endif


/**

 * Initialize a mbedtls_pkcs11_context.

 * (Just making memory references valid.)

 *

 * \deprecated          This function is deprecated and will be removed in a

 *                      future version of the library.

 */

MBEDTLS_DEPRECATED void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );


/**

 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.

 *

 * \deprecated          This function is deprecated and will be removed in a

 *                      future version of the library.

 *

 * \param cert          X.509 certificate to fill

 * \param pkcs11h_cert  PKCS #11 helper certificate

 *

 * \return              0 on success.

 */

MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert,

                                        pkcs11h_certificate_t pkcs11h_cert );


/**

 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the

 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when

 * done.

 *

 * \deprecated          This function is deprecated and will be removed in a

 *                      future version of the library.

 *

 * \param priv_key      Private key structure to fill.

 * \param pkcs11_cert   PKCS #11 helper certificate

 *

 * \return              0 on success

 */

MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(

                                        mbedtls_pkcs11_context *priv_key,

                                        pkcs11h_certificate_t pkcs11_cert );


/**

 * Free the contents of the given private key context. Note that the structure

 * itself is not freed.

 *

 * \deprecated          This function is deprecated and will be removed in a

 *                      future version of the library.

 *

 * \param priv_key      Private key structure to cleanup

 */

MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(

                                            mbedtls_pkcs11_context *priv_key );


/**

 * \brief          Do an RSA private key decrypt, then remove the message

 *                 padding

 *

 * \deprecated     This function is deprecated and will be removed in a future

 *                 version of the library.

 *

 * \param ctx      PKCS #11 context

 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature

 * \param input    buffer holding the encrypted data

 * \param output   buffer that will hold the plaintext

 * \param olen     will contain the plaintext length

 * \param output_max_len    maximum length of the output buffer

 *

 * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code

 *

 * \note           The output buffer must be as large as the size

 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise

 *                 an error is thrown.

 */

MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,

                                               int mode, size_t *olen,

                                               const unsigned char *input,

                                               unsigned char *output,

                                               size_t output_max_len );


/**

 * \brief          Do a private RSA to sign a message digest

 *

 * \deprecated     This function is deprecated and will be removed in a future

 *                 version of the library.

 *

 * \param ctx      PKCS #11 context

 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature

 * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)

 * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)

 * \param hash     buffer holding the message digest

 * \param sig      buffer that will hold the ciphertext

 *

 * \return         0 if the signing operation was successful,

 *                 or an MBEDTLS_ERR_RSA_XXX error code

 *

 * \note           The "sig" buffer must be as large as the size

 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).

 */

MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,

                                            int mode,

                                            mbedtls_md_type_t md_alg,

                                            unsigned int hashlen,

                                            const unsigned char *hash,

                                            unsigned char *sig );


/**

 * SSL/TLS wrappers for PKCS#11 functions

 *

 * \deprecated     This function is deprecated and will be removed in a future

 *                 version of the library.

 */

MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx,

                            int mode, size_t *olen,

                            const unsigned char *input, unsigned char *output,

                            size_t output_max_len )

{

    return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,

                           output_max_len );

}


/**

 * \brief          This function signs a message digest using RSA.

 *

 * \deprecated     This function is deprecated and will be removed in a future

 *                 version of the library.

 *

 * \param ctx      The PKCS #11 context.

 * \param f_rng    The RNG function. This parameter is unused.

 * \param p_rng    The RNG context. This parameter is unused.

 * \param mode     The operation to run. This must be set to

 *                 MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's

 *                 signature.

 * \param md_alg   The message digest algorithm. One of the MBEDTLS_MD_XXX

 *                 must be passed to this function and MBEDTLS_MD_NONE can be

 *                 used for signing raw data.

 * \param hashlen  The message digest length (for MBEDTLS_MD_NONE only).

 * \param hash     The buffer holding the message digest.

 * \param sig      The buffer that will hold the ciphertext.

 *

 * \return         \c 0 if the signing operation was successful.

 * \return         A non-zero error code on failure.

 *

 * \note           The \p sig buffer must be as large as the size of

 *                 <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is

 *                 used.

 */

MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign( void *ctx,

                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,

                    int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,

                    const unsigned char *hash, unsigned char *sig )

{

    ((void) f_rng);

    ((void) p_rng);

    return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,

                        hashlen, hash, sig );

}


/**

 * This function gets the length of the private key.

 *

 * \deprecated     This function is deprecated and will be removed in a future

 *                 version of the library.

 *

 * \param ctx      The PKCS #11 context.

 *

 * \return         The length of the private key.

 */

MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )

{

    return ( (mbedtls_pkcs11_context *) ctx )->len;

}


#undef MBEDTLS_DEPRECATED


#endif /* MBEDTLS_DEPRECATED_REMOVED */


#ifdef __cplusplus

}

#endif


#endif /* MBEDTLS_PKCS11_C */


#endif /* MBEDTLS_PKCS11_H */

config.h
Configuration options (set of defines)

mbedtls_md_type_t
mbedtls_md_type_t
Supported message digests.
Definition: md.h:64

mbedtls_x509_crt
Container for an X.509 certificate.
Definition: x509_crt.h:53

x509_crt.h
X.509 certificate parsing and writing.