src/libpolarssl/pkcs11.c

   1 /**
   2  * \file pkcs11.c
   3  *
   4  * \brief Wrapper for PKCS#11 library libpkcs11-helper
   5  *
   6  * \author Adriaan de Jong <dejong@fox-it.com>
   7  *
   8  *  Copyright (C) 2006-2010, Brainspark B.V.
   9  *
  10  *  This file is part of PolarSSL (http://www.polarssl.org)
  11  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
  12  *
  13  *  All rights reserved.
  14  *
  15  *  This program is free software; you can redistribute it and/or modify
  16  *  it under the terms of the GNU General Public License as published by
  17  *  the Free Software Foundation; either version 2 of the License, or
  18  *  (at your option) any later version.
  19  *
  20  *  This program is distributed in the hope that it will be useful,
  21  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  22  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  23  *  GNU General Public License for more details.
  24  *
  25  *  You should have received a copy of the GNU General Public License along
  26  *  with this program; if not, write to the Free Software Foundation, Inc.,
  27  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  28  */
  29
  30 #include "pkcs11.h"
  31
  32 #if defined(POLARSSL_PKCS11_C)
  33
  34 #include <stdlib.h>
  35
  36 int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11_cert )
  37 {
  38     int ret = 1;
  39     unsigned char *cert_blob = NULL;
  40     size_t cert_blob_size = 0;
  41
  42     if( cert == NULL )
  43     {
  44         ret = 2;
  45         goto cleanup;
  46     }
  47
  48     if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL, &cert_blob_size ) != CKR_OK )
  49     {
  50         ret = 3;
  51         goto cleanup;
  52     }
  53
  54     cert_blob = malloc( cert_blob_size );
  55     if( NULL == cert_blob )
  56     {
  57         ret = 4;
  58         goto cleanup;
  59     }
  60
  61     if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob, &cert_blob_size ) != CKR_OK )
  62     {
  63         ret = 5;
  64         goto cleanup;
  65     }
  66
  67     if( 0 != x509parse_crt(cert, cert_blob, cert_blob_size ) )
  68     {
  69         ret = 6;
  70         goto cleanup;
  71     }
  72
  73     ret = 0;
  74
  75 cleanup:
  76     if( NULL != cert_blob )
  77         free( cert_blob );
  78
  79     return ret;
  80 }
  81
  82
  83 int pkcs11_priv_key_init( pkcs11_context *priv_key,
  84         pkcs11h_certificate_t pkcs11_cert )
  85 {
  86     int ret = 1;
  87     x509_cert cert;
  88
  89     memset( &cert, 0, sizeof( cert ) );
  90
  91     if( priv_key == NULL )
  92         goto cleanup;
  93
  94     if( 0 != pkcs11_x509_cert_init( &cert, pkcs11_cert ) )
  95         goto cleanup;
  96
  97     priv_key->len = cert.rsa.len;
  98     priv_key->pkcs11h_cert = pkcs11_cert;
  99
 100     ret = 0;
 101
 102 cleanup:
 103     x509_free( &cert );
 104
 105     return ret;
 106 }
 107
 108 void pkcs11_priv_key_free( pkcs11_context *priv_key )
 109 {
 110     if( NULL != priv_key )
 111         pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
 112 }
 113
 114 int pkcs11_decrypt( pkcs11_context *ctx,
 115                        int mode, size_t *olen,
 116                        const unsigned char *input,
 117                        unsigned char *output,
 118                        size_t output_max_len )
 119 {
 120     size_t input_len, output_len;
 121
 122     if( NULL == ctx )
 123         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 124
 125     if( RSA_PUBLIC == mode )
 126         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 127
 128     output_len = input_len = ctx->len;
 129
 130     if( input_len < 16 || input_len > output_max_len )
 131         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 132
 133     /* Determine size of output buffer */
 134     if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
 135             input_len, NULL, &output_len ) != CKR_OK )
 136     {
 137         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 138     }
 139
 140     if( output_len > output_max_len )
 141         return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
 142
 143     if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
 144             input_len, output, &output_len ) != CKR_OK )
 145     {
 146         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 147     }
 148     *olen = output_len;
 149     return( 0 );
 150 }
 151
 152 int pkcs11_sign( pkcs11_context *ctx,
 153                     int mode,
 154                     int hash_id,
 155                     unsigned int hashlen,
 156                     const unsigned char *hash,
 157                     unsigned char *sig )
 158 {
 159     size_t olen, asn_len;
 160     unsigned char *p = sig;
 161
 162     if( NULL == ctx )
 163         return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
 164
 165     if( RSA_PUBLIC == mode )
 166         return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
 167
 168     olen = ctx->len;
 169
 170     switch( hash_id )
 171     {
 172         case SIG_RSA_RAW:
 173             asn_len = 0;
 174             memcpy( p, hash, hashlen );
 175             break;
 176
 177         case SIG_RSA_MD2:
 178             asn_len = OID_SIZE(ASN1_HASH_MDX);
 179             memcpy( p, ASN1_HASH_MDX, asn_len );
 180             memcpy( p + asn_len, hash, hashlen );
 181             p[13] = 2; break;
 182
 183         case SIG_RSA_MD4:
 184             asn_len = OID_SIZE(ASN1_HASH_MDX);
 185             memcpy( p, ASN1_HASH_MDX, asn_len );
 186             memcpy( p + asn_len, hash, hashlen );
 187             p[13] = 4; break;
 188
 189         case SIG_RSA_MD5:
 190             asn_len = OID_SIZE(ASN1_HASH_MDX);
 191             memcpy( p, ASN1_HASH_MDX, asn_len );
 192             memcpy( p + asn_len, hash, hashlen );
 193             p[13] = 5; break;
 194
 195         case SIG_RSA_SHA1:
 196             asn_len = OID_SIZE(ASN1_HASH_SHA1);
 197             memcpy( p, ASN1_HASH_SHA1, asn_len );
 198             memcpy( p + 15, hash, hashlen );
 199             break;
 200
 201         case SIG_RSA_SHA224:
 202             asn_len = OID_SIZE(ASN1_HASH_SHA2X);
 203             memcpy( p, ASN1_HASH_SHA2X, asn_len );
 204             memcpy( p + asn_len, hash, hashlen );
 205             p[1] += hashlen; p[14] = 4; p[18] += hashlen; break;
 206
 207         case SIG_RSA_SHA256:
 208             asn_len = OID_SIZE(ASN1_HASH_SHA2X);
 209             memcpy( p, ASN1_HASH_SHA2X, asn_len );
 210             memcpy( p + asn_len, hash, hashlen );
 211             p[1] += hashlen; p[14] = 1; p[18] += hashlen; break;
 212
 213         case SIG_RSA_SHA384:
 214             asn_len = OID_SIZE(ASN1_HASH_SHA2X);
 215             memcpy( p, ASN1_HASH_SHA2X, asn_len );
 216             memcpy( p + asn_len, hash, hashlen );
 217             p[1] += hashlen; p[14] = 2; p[18] += hashlen; break;
 218
 219         case SIG_RSA_SHA512:
 220             asn_len = OID_SIZE(ASN1_HASH_SHA2X);
 221             memcpy( p, ASN1_HASH_SHA2X, asn_len );
 222             memcpy( p + asn_len, hash, hashlen );
 223             p[1] += hashlen; p[14] = 3; p[18] += hashlen; break;
 224
 225         default:
 226             return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 227     }
 228
 229     if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
 230             asn_len + hashlen, sig, &olen ) != CKR_OK )
 231     {
 232         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 233     }
 234
 235     return( 0 );
 236 }
 237
 238 #endif /* defined(POLARSSL_PKCS11_C) */