TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / eba3ccf785824b700af91fd488df3e99cb0489b0 / . / library / pkcs11.c
blob: 53436592b25ea716166dbede44e9c8b73a30cf68 [file] [log] [blame]
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1/**
2 * \file pkcs11.c
3 *
4 * \brief Wrapper for PKCS#11 library libpkcs11-helper
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]8 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]9 *
10 * This file is part of PolarSSL (http://www.polarssl.org)
11 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
12 *
13 * All rights reserved.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License along
26 * with this program; if not, write to the Free Software Foundation, Inc.,
27 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 */
29
30#include "polarssl/pkcs11.h"
31
32#if defined(POLARSSL_PKCS11_C)
33
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]34#if defined(POLARSSL_MEMORY_C)
35#include "polarssl/memory.h"
36#else
37#define polarssl_malloc malloc
38#define polarssl_free free
39#endif
40
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]41#include <stdlib.h>
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]42
43int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11_cert )
44{
45 int ret = 1;
46 unsigned char *cert_blob = NULL;
47 size_t cert_blob_size = 0;
48
49 if( cert == NULL )
50 {
51 ret = 2;
52 goto cleanup;
53 }
54
55 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL, &cert_blob_size ) != CKR_OK )
56 {
57 ret = 3;
58 goto cleanup;
59 }
60
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]61 cert_blob = polarssl_malloc( cert_blob_size );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]62 if( NULL == cert_blob )
63 {
64 ret = 4;
65 goto cleanup;
66 }
67
68 if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob, &cert_blob_size ) != CKR_OK )
69 {
70 ret = 5;
71 goto cleanup;
72 }
73
74 if( 0 != x509parse_crt(cert, cert_blob, cert_blob_size ) )
75 {
76 ret = 6;
77 goto cleanup;
78 }
79
80 ret = 0;
81
82cleanup:
83 if( NULL != cert_blob )
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]84 polarssl_free( cert_blob );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]85
86 return ret;
87}
88
89
90int pkcs11_priv_key_init( pkcs11_context *priv_key,
91 pkcs11h_certificate_t pkcs11_cert )
92{
93 int ret = 1;
94 x509_cert cert;
95
96 memset( &cert, 0, sizeof( cert ) );
97
98 if( priv_key == NULL )
99 goto cleanup;
100
101 if( 0 != pkcs11_x509_cert_init( &cert, pkcs11_cert ) )
102 goto cleanup;
103
104 priv_key->len = cert.rsa.len;
105 priv_key->pkcs11h_cert = pkcs11_cert;
106
107 ret = 0;
108
109cleanup:
110 x509_free( &cert );
111
112 return ret;
113}
114
115void pkcs11_priv_key_free( pkcs11_context *priv_key )
116{
117 if( NULL != priv_key )
118 pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
119}
120
121int pkcs11_decrypt( pkcs11_context *ctx,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]122 int mode, size_t *olen,
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]123 const unsigned char *input,
124 unsigned char *output,
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]125 size_t output_max_len )
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]126{
127 size_t input_len, output_len;
128
129 if( NULL == ctx )
130 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
131
132 if( RSA_PUBLIC == mode )
133 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
134
135 output_len = input_len = ctx->len;
136
137 if( input_len < 16 || input_len > output_max_len )
138 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
139
140 /* Determine size of output buffer */
141 if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
142 input_len, NULL, &output_len ) != CKR_OK )
143 {
144 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
145 }
146
147 if( output_len > output_max_len )
148 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
149
150 if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
151 input_len, output, &output_len ) != CKR_OK )
152 {
153 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
154 }
155 *olen = output_len;
156 return( 0 );
157}
158
159int pkcs11_sign( pkcs11_context *ctx,
160 int mode,
161 int hash_id,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]162 unsigned int hashlen,
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]163 const unsigned char *hash,
164 unsigned char *sig )
165{
166 size_t olen, asn_len;
167 unsigned char *p = sig;
168
169 if( NULL == ctx )
170 return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
171
172 if( RSA_PUBLIC == mode )
173 return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
174
175 olen = ctx->len;
176
177 switch( hash_id )
178 {
179 case SIG_RSA_RAW:
180 asn_len = 0;
181 memcpy( p, hash, hashlen );
182 break;
183
184 case SIG_RSA_MD2:
185 asn_len = OID_SIZE(ASN1_HASH_MDX);
186 memcpy( p, ASN1_HASH_MDX, asn_len );
187 memcpy( p + asn_len, hash, hashlen );
188 p[13] = 2; break;
189
190 case SIG_RSA_MD4:
191 asn_len = OID_SIZE(ASN1_HASH_MDX);
192 memcpy( p, ASN1_HASH_MDX, asn_len );
193 memcpy( p + asn_len, hash, hashlen );
194 p[13] = 4; break;
195
196 case SIG_RSA_MD5:
197 asn_len = OID_SIZE(ASN1_HASH_MDX);
198 memcpy( p, ASN1_HASH_MDX, asn_len );
199 memcpy( p + asn_len, hash, hashlen );
200 p[13] = 5; break;
201
202 case SIG_RSA_SHA1:
203 asn_len = OID_SIZE(ASN1_HASH_SHA1);
204 memcpy( p, ASN1_HASH_SHA1, asn_len );
205 memcpy( p + 15, hash, hashlen );
206 break;
207
208 case SIG_RSA_SHA224:
209 asn_len = OID_SIZE(ASN1_HASH_SHA2X);
210 memcpy( p, ASN1_HASH_SHA2X, asn_len );
211 memcpy( p + asn_len, hash, hashlen );
212 p[1] += hashlen; p[14] = 4; p[18] += hashlen; break;
213
214 case SIG_RSA_SHA256:
215 asn_len = OID_SIZE(ASN1_HASH_SHA2X);
216 memcpy( p, ASN1_HASH_SHA2X, asn_len );
217 memcpy( p + asn_len, hash, hashlen );
218 p[1] += hashlen; p[14] = 1; p[18] += hashlen; break;
219
220 case SIG_RSA_SHA384:
221 asn_len = OID_SIZE(ASN1_HASH_SHA2X);
222 memcpy( p, ASN1_HASH_SHA2X, asn_len );
223 memcpy( p + asn_len, hash, hashlen );
224 p[1] += hashlen; p[14] = 2; p[18] += hashlen; break;
225
226 case SIG_RSA_SHA512:
227 asn_len = OID_SIZE(ASN1_HASH_SHA2X);
228 memcpy( p, ASN1_HASH_SHA2X, asn_len );
229 memcpy( p + asn_len, hash, hashlen );
230 p[1] += hashlen; p[14] = 3; p[18] += hashlen; break;
231
232 default:
233 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
234 }
235
236 if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
237 asn_len + hashlen, sig, &olen ) != CKR_OK )
238 {
239 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
240 }
241
242 return( 0 );
243}
244
245#endif /* defined(POLARSSL_PKCS11_C) */