include/mbedtls/pkcs11_client.h

/**
 * \file pkcs11_client.h
 *
 * \brief Generic wrapper for Cryptoki (PKCS#11) support
 */
/*
 *  Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
#ifndef MBEDTLS_PKCS11_CLIENT_H
#define MBEDTLS_PKCS11_CLIENT_H

#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_PKCS11_CLIENT_C)

#include <pkcs11.h>

#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
#define inline __inline
#endif

#ifdef __cplusplus
extern "C" {
#endif

#define MBEDTLS_PKCS11_FLAG_TOKEN    ( (uint32_t) 0x80000000 )

#if defined(MBEDTLS_PK_C)

#define MBEDTLS_PKCS11_FLAG_SENSITIVE    ( (uint32_t) 0x00000001 )
#define MBEDTLS_PKCS11_FLAG_EXTRACTABLE  ( (uint32_t) 0x00000002 )
#define MBEDTLS_PKCS11_FLAG_SIGN         ( (uint32_t) 0x00000010 )
#define MBEDTLS_PKCS11_FLAG_VERIFY       ( (uint32_t) 0x00000020 )
#define MBEDTLS_PKCS11_FLAG_DECRYPT      ( (uint32_t) 0x00000040 )
#define MBEDTLS_PKCS11_FLAG_ENCRYPT      ( (uint32_t) 0x00000080 )

#include "pk.h"

/**
 * \brief               Set up a PK context for a key pair in a PKCS#11 token
 *
 * \param ctx           PK context to fill, which must have been initialized
 *                      with mbedtls_pk_init().
 * \param hSession      Cryptoki session.
 * \param hPublicKey    Cryptoki handle of the public key.
 * \param hPrivateKey   Cryptoki handle of the private key, or
 *                      CK_INVALID_HANDLE for a public key rather than a key
 *                      pair.
 *
 * \return              0 on success,
 *                      or MBEDTLS_ERR_PK_XXX error code.
 *
 * \note                If any of the handles become invalid, then you may no
 *                      longer do anything with the pk object except call
 *                      mbedtls_pk_free on it.
 */
int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
                             CK_SESSION_HANDLE hSession,
                             CK_OBJECT_HANDLE hPublicKey,
                             CK_OBJECT_HANDLE hPrivateKey );

/**
 * \brief               Import a transparent key into a PKCS#11 token
 *
 *                      This function imports a PK object containing a
 *                      public key or a private-public key pair into a
 *                      PKCS#11 token. 
 *
 * \param ctx           PK context, which must contain a transparent pk
 *                      object (type #MBEDTLS_PK_RSA,
 *                      #MBEDTLS_PK_RSASSA_PSS, #MBEDTLS_PK_ECKEY or
 *                      #MBEDTLS_PK_ECDSA).
 * \param flags         Mask of #MBEDTLS_PKCS11_FLAG_XXX and
 *                      #MBEDTLS_PK_FLAG_XXX, applying as follows:
 *                      - #MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
 *                        flag: if set, import as token object; if clear,
 *                        import as session object.
 *                      - #MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
 *                        \c CKA_EXTRACTABLE flag: if set, the private key
 *                        will be extractable at least in wrapped form; if
 *                        clear, the key will not be extractable at all.
 *                      - #MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
 *                        \c CKA_SENSITIVE flag: if set, the private key
 *                        will not be extractable in plain form; if clear,
 *                        the key will be extractable in plain form if
 *                        #MBEDTLS_PK_FLAG_EXTRACTABLE is set.
 *                      - #MBEDTLS_PK_FLAG_SIGN: if set, the private key
 *                        will be authorized for signing.
 *                      - #MBEDTLS_PK_FLAG_VERIFY: if set, the public key
 *                        will be authorized for verification.
 *                      - #MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
 *                        will be authorized for decryption.
 *                      - #MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
 *                        will be authorized for encryption.
 *
 * \param hSession      Cryptoki session. The session must remain valid as long
 *                      as the PK object is in use.
 * \param hPublicKey    If non-null, on output, Cryptoki handle of the public
 *                      key. This handle must remain valid as long as the PK
 *                      object is in use. If null, the public key is not
 *                      imported.
 * \param hPrivateKey   If non-null, on output, Cryptoki handle of the private
 *                      key. This handle must remain valid as long as the PK
 *                      object is in use. If null, the private key is not
 *                      imported.
 *
 * \return              0 on success,
 *                      or MBEDTLS_ERR_PK_XXX error code.
 *
 * \note                If \c hPrivateKey is non-null then \c ctx must contain
 *                      a full key pair. If \c hPrivateKey is null then \c ctx
 *                      may contain a full key pair or just a public key.
 *
 * \note                On failure, the values returned in \c hPublicKey and
 *                      \c hPrivateKey will normally be \c CK_HANDLE_INVALID.
 *                      One of them may be a valid handle in the unlikely case
 *                      where the creation of one key object succeeded but
 *                      the second one failed and destroying the first one
 *                      also failed, for example because the token was
 *                      disconnected.
 */
int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
                                 uint32_t flags,
                                 CK_SESSION_HANDLE hSession,
                                 CK_OBJECT_HANDLE *hPublicKey,
                                 CK_OBJECT_HANDLE *hPrivateKey );

#endif /* MBEDTLS_PK_C */

#ifdef __cplusplus
}
#endif

#endif /* MBEDTLS_PKCS11_CLIENT_C */

#endif /* MBEDTLS_PKCS11_H */