Blame - library/pkcs11.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 20803bfd632dc04af8f801c273938f79b0de88ae [file] [log] [blame]

Paul Bakker	43b7e35	2011-01-18 15:27:19 +0000	[diff] [blame]	1	/**
				2	* \file pkcs11.c
				3	*
				4	* \brief Wrapper for PKCS#11 library libpkcs11-helper
				5	*
				6	* \author Adriaan de Jong <dejong@fox-it.com>
				7	*
Manuel Pégourié-Gonnard	0edee5e	2015-01-26 15:29:40 +0000	[diff] [blame]	8	* Copyright (C) 2006-2010, ARM Limited, All Rights Reserved
Paul Bakker	43b7e35	2011-01-18 15:27:19 +0000	[diff] [blame]	9	*
Manuel Pégourié-Gonnard	e12abf9	2015-01-28 17:13:45 +0000	[diff] [blame^]	10	* This file is part of mbed TLS (https://polarssl.org)
Paul Bakker	43b7e35	2011-01-18 15:27:19 +0000	[diff] [blame]	11	*
				12	* This program is free software; you can redistribute it and/or modify
				13	* it under the terms of the GNU General Public License as published by
				14	* the Free Software Foundation; either version 2 of the License, or
				15	* (at your option) any later version.
				16	*
				17	* This program is distributed in the hope that it will be useful,
				18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				20	* GNU General Public License for more details.
				21	*
				22	* You should have received a copy of the GNU General Public License along
				23	* with this program; if not, write to the Free Software Foundation, Inc.,
				24	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				25	*/
				26
				27	#include "polarssl/pkcs11.h"
				28
				29	#if defined(POLARSSL_PKCS11_C)
				30
				31	#include <stdlib.h>
Paul Bakker	43b7e35	2011-01-18 15:27:19 +0000	[diff] [blame]	32
				33	int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11_cert )
				34	{
				35	int ret = 1;
				36	unsigned char *cert_blob = NULL;
				37	size_t cert_blob_size = 0;
				38
				39	if( cert == NULL )
				40	{
				41	ret = 2;
				42	goto cleanup;
				43	}
				44
				45	if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL, &cert_blob_size ) != CKR_OK )
				46	{
				47	ret = 3;
				48	goto cleanup;
				49	}
				50
				51	cert_blob = malloc( cert_blob_size );
				52	if( NULL == cert_blob )
				53	{
				54	ret = 4;
				55	goto cleanup;
				56	}
				57
				58	if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob, &cert_blob_size ) != CKR_OK )
				59	{
				60	ret = 5;
				61	goto cleanup;
				62	}
				63
				64	if( 0 != x509parse_crt(cert, cert_blob, cert_blob_size ) )
				65	{
				66	ret = 6;
				67	goto cleanup;
				68	}
				69
				70	ret = 0;
				71
				72	cleanup:
				73	if( NULL != cert_blob )
				74	free( cert_blob );
				75
				76	return ret;
				77	}
				78
				79
				80	int pkcs11_priv_key_init( pkcs11_context *priv_key,
				81	pkcs11h_certificate_t pkcs11_cert )
				82	{
				83	int ret = 1;
				84	x509_cert cert;
				85
				86	memset( &cert, 0, sizeof( cert ) );
				87
				88	if( priv_key == NULL )
				89	goto cleanup;
				90
				91	if( 0 != pkcs11_x509_cert_init( &cert, pkcs11_cert ) )
				92	goto cleanup;
				93
				94	priv_key->len = cert.rsa.len;
				95	priv_key->pkcs11h_cert = pkcs11_cert;
				96
				97	ret = 0;
				98
				99	cleanup:
				100	x509_free( &cert );
				101
				102	return ret;
				103	}
				104
				105	void pkcs11_priv_key_free( pkcs11_context *priv_key )
				106	{
				107	if( NULL != priv_key )
				108	pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
				109	}
				110
				111	int pkcs11_decrypt( pkcs11_context *ctx,
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	112	int mode, size_t *olen,
Paul Bakker	43b7e35	2011-01-18 15:27:19 +0000	[diff] [blame]	113	const unsigned char *input,
				114	unsigned char *output,
Paul Bakker	9a73632	2012-11-14 12:39:52 +0000	[diff] [blame]	115	size_t output_max_len )
Paul Bakker	43b7e35	2011-01-18 15:27:19 +0000	[diff] [blame]	116	{
				117	size_t input_len, output_len;
				118
				119	if( NULL == ctx )
				120	return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
				121
				122	if( RSA_PUBLIC == mode )
				123	return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
				124
				125	output_len = input_len = ctx->len;
				126
				127	if( input_len < 16 \|\| input_len > output_max_len )
				128	return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
				129
				130	/* Determine size of output buffer */
				131	if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
				132	input_len, NULL, &output_len ) != CKR_OK )
				133	{
				134	return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
				135	}
				136
				137	if( output_len > output_max_len )
				138	return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
				139
				140	if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
				141	input_len, output, &output_len ) != CKR_OK )
				142	{
				143	return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
				144	}
				145	*olen = output_len;
				146	return( 0 );
				147	}
				148
				149	int pkcs11_sign( pkcs11_context *ctx,
				150	int mode,
				151	int hash_id,
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	152	unsigned int hashlen,
Paul Bakker	43b7e35	2011-01-18 15:27:19 +0000	[diff] [blame]	153	const unsigned char *hash,
				154	unsigned char *sig )
				155	{
				156	size_t olen, asn_len;
				157	unsigned char *p = sig;
				158
				159	if( NULL == ctx )
				160	return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
				161
				162	if( RSA_PUBLIC == mode )
				163	return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
				164
				165	olen = ctx->len;
				166
				167	switch( hash_id )
				168	{
				169	case SIG_RSA_RAW:
				170	asn_len = 0;
				171	memcpy( p, hash, hashlen );
				172	break;
				173
				174	case SIG_RSA_MD2:
				175	asn_len = OID_SIZE(ASN1_HASH_MDX);
				176	memcpy( p, ASN1_HASH_MDX, asn_len );
				177	memcpy( p + asn_len, hash, hashlen );
				178	p[13] = 2; break;
				179
				180	case SIG_RSA_MD4:
				181	asn_len = OID_SIZE(ASN1_HASH_MDX);
				182	memcpy( p, ASN1_HASH_MDX, asn_len );
				183	memcpy( p + asn_len, hash, hashlen );
				184	p[13] = 4; break;
				185
				186	case SIG_RSA_MD5:
				187	asn_len = OID_SIZE(ASN1_HASH_MDX);
				188	memcpy( p, ASN1_HASH_MDX, asn_len );
				189	memcpy( p + asn_len, hash, hashlen );
				190	p[13] = 5; break;
				191
				192	case SIG_RSA_SHA1:
				193	asn_len = OID_SIZE(ASN1_HASH_SHA1);
				194	memcpy( p, ASN1_HASH_SHA1, asn_len );
				195	memcpy( p + 15, hash, hashlen );
				196	break;
				197
				198	case SIG_RSA_SHA224:
				199	asn_len = OID_SIZE(ASN1_HASH_SHA2X);
				200	memcpy( p, ASN1_HASH_SHA2X, asn_len );
				201	memcpy( p + asn_len, hash, hashlen );
				202	p[1] += hashlen; p[14] = 4; p[18] += hashlen; break;
				203
				204	case SIG_RSA_SHA256:
				205	asn_len = OID_SIZE(ASN1_HASH_SHA2X);
				206	memcpy( p, ASN1_HASH_SHA2X, asn_len );
				207	memcpy( p + asn_len, hash, hashlen );
				208	p[1] += hashlen; p[14] = 1; p[18] += hashlen; break;
				209
				210	case SIG_RSA_SHA384:
				211	asn_len = OID_SIZE(ASN1_HASH_SHA2X);
				212	memcpy( p, ASN1_HASH_SHA2X, asn_len );
				213	memcpy( p + asn_len, hash, hashlen );
				214	p[1] += hashlen; p[14] = 2; p[18] += hashlen; break;
				215
				216	case SIG_RSA_SHA512:
				217	asn_len = OID_SIZE(ASN1_HASH_SHA2X);
				218	memcpy( p, ASN1_HASH_SHA2X, asn_len );
				219	memcpy( p + asn_len, hash, hashlen );
				220	p[1] += hashlen; p[14] = 3; p[18] += hashlen; break;
				221
				222	default:
				223	return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
				224	}
				225
				226	if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
				227	asn_len + hashlen, sig, &olen ) != CKR_OK )
				228	{
				229	return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
				230	}
				231
				232	return( 0 );
				233	}
				234
				235	#endif /* defined(POLARSSL_PKCS11_C) */