PolarSSL v1.3.2
pkcs11.c
Go to the documentation of this file.
1 
30 #include "polarssl/pkcs11.h"
31 
32 #if defined(POLARSSL_PKCS11_C)
33 
34 #if defined(POLARSSL_MEMORY_C)
35 #include "polarssl/memory.h"
36 #else
37 #define polarssl_malloc malloc
38 #define polarssl_free free
39 #endif
40 
41 #include <stdlib.h>
42 
43 int pkcs11_x509_cert_init( x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
44 {
45  int ret = 1;
46  unsigned char *cert_blob = NULL;
47  size_t cert_blob_size = 0;
48 
49  if( cert == NULL )
50  {
51  ret = 2;
52  goto cleanup;
53  }
54 
55  if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL, &cert_blob_size ) != CKR_OK )
56  {
57  ret = 3;
58  goto cleanup;
59  }
60 
61  cert_blob = polarssl_malloc( cert_blob_size );
62  if( NULL == cert_blob )
63  {
64  ret = 4;
65  goto cleanup;
66  }
67 
68  if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob, &cert_blob_size ) != CKR_OK )
69  {
70  ret = 5;
71  goto cleanup;
72  }
73 
74  if( 0 != x509_crt_parse(cert, cert_blob, cert_blob_size ) )
75  {
76  ret = 6;
77  goto cleanup;
78  }
79 
80  ret = 0;
81 
82 cleanup:
83  if( NULL != cert_blob )
84  polarssl_free( cert_blob );
85 
86  return ret;
87 }
88 
89 
90 int pkcs11_priv_key_init( pkcs11_context *priv_key,
91  pkcs11h_certificate_t pkcs11_cert )
92 {
93  int ret = 1;
94  x509_crt cert;
95 
96  x509_crt_init( &cert );
97 
98  if( priv_key == NULL )
99  goto cleanup;
100 
101  if( 0 != pkcs11_x509_cert_init( &cert, pkcs11_cert ) )
102  goto cleanup;
103 
104  priv_key->len = cert.rsa.len;
105  priv_key->pkcs11h_cert = pkcs11_cert;
106 
107  ret = 0;
108 
109 cleanup:
110  x509_crt_free( &cert );
111 
112  return ret;
113 }
114 
115 void pkcs11_priv_key_free( pkcs11_context *priv_key )
116 {
117  if( NULL != priv_key )
118  pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
119 }
120 
121 int pkcs11_decrypt( pkcs11_context *ctx,
122  int mode, size_t *olen,
123  const unsigned char *input,
124  unsigned char *output,
125  size_t output_max_len )
126 {
127  size_t input_len, output_len;
128 
129  if( NULL == ctx )
131 
132  if( RSA_PUBLIC == mode )
134 
135  output_len = input_len = ctx->len;
136 
137  if( input_len < 16 || input_len > output_max_len )
139 
140  /* Determine size of output buffer */
141  if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
142  input_len, NULL, &output_len ) != CKR_OK )
143  {
145  }
146 
147  if( output_len > output_max_len )
149 
150  if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
151  input_len, output, &output_len ) != CKR_OK )
152  {
154  }
155  *olen = output_len;
156  return( 0 );
157 }
158 
159 int pkcs11_sign( pkcs11_context *ctx,
160  int mode,
161  int hash_id,
162  unsigned int hashlen,
163  const unsigned char *hash,
164  unsigned char *sig )
165 {
166  size_t olen, asn_len;
167  unsigned char *p = sig;
168 
169  if( NULL == ctx )
171 
172  if( RSA_PUBLIC == mode )
174 
175  olen = ctx->len;
176 
177  switch( hash_id )
178  {
179  case SIG_RSA_RAW:
180  asn_len = 0;
181  memcpy( p, hash, hashlen );
182  break;
183 
184  case SIG_RSA_MD2:
185  asn_len = OID_SIZE(ASN1_HASH_MDX);
186  memcpy( p, ASN1_HASH_MDX, asn_len );
187  memcpy( p + asn_len, hash, hashlen );
188  p[13] = 2; break;
189 
190  case SIG_RSA_MD4:
191  asn_len = OID_SIZE(ASN1_HASH_MDX);
192  memcpy( p, ASN1_HASH_MDX, asn_len );
193  memcpy( p + asn_len, hash, hashlen );
194  p[13] = 4; break;
195 
196  case SIG_RSA_MD5:
197  asn_len = OID_SIZE(ASN1_HASH_MDX);
198  memcpy( p, ASN1_HASH_MDX, asn_len );
199  memcpy( p + asn_len, hash, hashlen );
200  p[13] = 5; break;
201 
202  case SIG_RSA_SHA1:
203  asn_len = OID_SIZE(ASN1_HASH_SHA1);
204  memcpy( p, ASN1_HASH_SHA1, asn_len );
205  memcpy( p + 15, hash, hashlen );
206  break;
207 
208  case SIG_RSA_SHA224:
209  asn_len = OID_SIZE(ASN1_HASH_SHA2X);
210  memcpy( p, ASN1_HASH_SHA2X, asn_len );
211  memcpy( p + asn_len, hash, hashlen );
212  p[1] += hashlen; p[14] = 4; p[18] += hashlen; break;
213 
214  case SIG_RSA_SHA256:
215  asn_len = OID_SIZE(ASN1_HASH_SHA2X);
216  memcpy( p, ASN1_HASH_SHA2X, asn_len );
217  memcpy( p + asn_len, hash, hashlen );
218  p[1] += hashlen; p[14] = 1; p[18] += hashlen; break;
219 
220  case SIG_RSA_SHA384:
221  asn_len = OID_SIZE(ASN1_HASH_SHA2X);
222  memcpy( p, ASN1_HASH_SHA2X, asn_len );
223  memcpy( p + asn_len, hash, hashlen );
224  p[1] += hashlen; p[14] = 2; p[18] += hashlen; break;
225 
226  case SIG_RSA_SHA512:
227  asn_len = OID_SIZE(ASN1_HASH_SHA2X);
228  memcpy( p, ASN1_HASH_SHA2X, asn_len );
229  memcpy( p + asn_len, hash, hashlen );
230  p[1] += hashlen; p[14] = 3; p[18] += hashlen; break;
231 
232  default:
234  }
235 
236  if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
237  asn_len + hashlen, sig, &olen ) != CKR_OK )
238  {
240  }
241 
242  return( 0 );
243 }
244 
245 #endif /* defined(POLARSSL_PKCS11_C) */
#define SIG_RSA_SHA512
Definition: compat-1.2.h:165
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE
The output buffer for decryption is not large enough.
Definition: rsa.h:49
Memory allocation layer.
void *(* polarssl_malloc)(size_t len)
#define RSA_PUBLIC
Definition: rsa.h:55
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
#define SIG_RSA_SHA256
Definition: compat-1.2.h:163
#define SIG_RSA_SHA1
Definition: compat-1.2.h:161
#define SIG_RSA_MD5
Definition: compat-1.2.h:160
#define OID_SIZE(x)
Returns the size of the binary string, without the trailing \0.
Definition: asn1.h:94
Container for an X.509 certificate.
Definition: x509_crt.h:53
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
void(* polarssl_free)(void *ptr)
#define SIG_RSA_MD4
Definition: compat-1.2.h:159
#define SIG_RSA_SHA384
Definition: compat-1.2.h:164
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA
Bad input parameters to function.
Definition: rsa.h:42
#define SIG_RSA_MD2
Definition: compat-1.2.h:158
#define SIG_RSA_SHA224
Definition: compat-1.2.h:162
Wrapper for PKCS#11 library libpkcs11-helper.
#define SIG_RSA_RAW
Definition: compat-1.2.h:157