- Generalized external private key implementation handling (like PKCS#11) in SSL/TLS
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 538ef81..543b96c 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -612,7 +612,7 @@
/**
* \def POLARSSL_PKCS11_C
*
- * Enable support for PKCS#11 smartcard support.
+ * Enable wrapper for PKCS#11 smartcard support.
*
* Module: library/ssl_srv.c
* Caller: library/ssl_cli.c
@@ -620,7 +620,7 @@
*
* Requires: POLARSSL_SSL_TLS_C
*
- * This module is required for SSL/TLS PKCS #11 smartcard support.
+ * This module enables SSL/TLS PKCS #11 smartcard support.
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
#define POLARSSL_PKCS11_C
*/
diff --git a/include/polarssl/pkcs11.h b/include/polarssl/pkcs11.h
index a65a72e..ddfae30 100644
--- a/include/polarssl/pkcs11.h
+++ b/include/polarssl/pkcs11.h
@@ -37,6 +37,14 @@
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
+#if defined(_MSC_VER) && !defined(inline)
+#define inline _inline
+#else
+#if defined(__ARMCC_VERSION) && !defined(inline)
+#define inline __inline
+#endif /* __ARMCC_VERSION */
+#endif /*_MSC_VER */
+
/**
* Context for PKCS #11 private keys.
*/
@@ -121,6 +129,33 @@
const unsigned char *hash,
unsigned char *sig );
+/**
+ * SSL/TLS wrappers for PKCS#11 functions
+ */
+static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ unsigned int output_max_len )
+{
+ return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output,
+ output_max_len );
+}
+
+static inline int ssl_pkcs11_sign( void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int mode, int hash_id, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig )
+{
+ ((void) f_rng);
+ ((void) p_rng);
+ return pkcs11_sign( (pkcs11_context *) ctx, mode, hash_id,
+ hashlen, hash, sig );
+}
+
+static inline size_t ssl_pkcs11_key_len( void *ctx )
+{
+ return ( (pkcs11_context *) ctx )->len;
+}
+
#endif /* POLARSSL_PKCS11_C */
#endif /* POLARSSL_PKCS11_H */
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index fcf8a8f..62ffba2 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -42,10 +42,6 @@
#include "dhm.h"
#endif
-#if defined(POLARSSL_PKCS11_C)
-#include "pkcs11.h"
-#endif
-
#if defined(POLARSSL_ZLIB_SUPPORT)
#include "zlib.h"
#endif
@@ -253,6 +249,20 @@
#define TLS_EXT_RENEGOTIATION_INFO 0xFF01
+
+/*
+ * Generic function pointers for allowing external RSA private key
+ * implementations.
+ */
+typedef int (*rsa_decrypt_func)( void *ctx, int mode, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len );
+typedef int (*rsa_sign_func)( void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int mode, int hash_id, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig );
+typedef size_t (*rsa_key_len_func)( void *ctx );
+
/*
* SSL state machine
*/
@@ -446,10 +456,11 @@
/*
* PKI layer
*/
- rsa_context *rsa_key; /*!< own RSA private key */
-#if defined(POLARSSL_PKCS11_C)
- pkcs11_context *pkcs11_key; /*!< own PKCS#11 RSA private key */
-#endif
+ void *rsa_key; /*!< own RSA private key */
+ rsa_decrypt_func rsa_decrypt; /*!< function for RSA decrypt*/
+ rsa_sign_func rsa_sign; /*!< function for RSA sign */
+ rsa_key_len_func rsa_key_len; /*!< function for RSA key len*/
+
x509_cert *own_cert; /*!< own X.509 certificate */
x509_cert *ca_chain; /*!< own trusted CA chain */
x509_crl *ca_crl; /*!< trusted CA CRLs */
@@ -722,17 +733,26 @@
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
rsa_context *rsa_key );
-#if defined(POLARSSL_PKCS11_C)
/**
- * \brief Set own certificate and PKCS#11 private key
+ * \brief Set own certificate and alternate non-PolarSSL private
+ * key and handling callbacks, such as the PKCS#11 wrappers
+ * or any other external private key handler.
+ * (see the respective RSA functions in rsa.h for documentation
+ * of the callback parameters, with the only change being
+ * that the rsa_context * is a void * in the callbacks)
*
* \param ssl SSL context
* \param own_cert own public certificate
- * \param pkcs11_key own PKCS#11 RSA key
+ * \param rsa_key alternate implementation private RSA key
+ * \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
+ * \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
+ * \param rsa_key_len_func function returning length of RSA key in bytes
*/
-void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
- pkcs11_context *pkcs11_key );
-#endif
+void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
+ void *rsa_key,
+ rsa_decrypt_func rsa_decrypt,
+ rsa_sign_func rsa_sign,
+ rsa_key_len_func rsa_key_len );
#if defined(POLARSSL_DHM_C)
/**