#include "config.h"
#include "config.h"
#include MBEDTLS_CONFIG_FILE
#include MBEDTLS_CONFIG_FILE
#include "x509_crt.h"
#include "x509_crt.h"
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#include
#define MBEDTLS_PKCS11_H
#define inline __inline
void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
/** * Initialize a mbedtls_pkcs11_context. * (Just making memory references valid.) */
int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
/** * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate. * * \param cert X.509 certificate to fill * \param pkcs11h_cert PKCS #11 helper certificate * * \return 0 on success. */
int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
pkcs11h_certificate_t pkcs11_cert );
/** * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the * mbedtls_pkcs11_context will take over control of the certificate, freeing it when * done. * * \param priv_key Private key structure to fill. * \param pkcs11_cert PKCS #11 helper certificate * * \return 0 on success */
void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
/** * Free the contents of the given private key context. Note that the structure * itself is not freed. * * \param priv_key Private key structure to cleanup */
int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
size_t output_max_len );
/** * \brief Do an RSA private key decrypt, then remove the message * padding * * \param ctx PKCS #11 context * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature * \param input buffer holding the encrypted data * \param output buffer that will hold the plaintext * \param olen will contain the plaintext length * \param output_max_len maximum length of the output buffer * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer must be as large as the size * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise * an error is thrown. */
int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
/** * \brief Do a private RSA to sign a message digest * * \param ctx PKCS #11 context * \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) * \param hashlen message digest length (for MBEDTLS_MD_NONE only) * \param hash buffer holding the message digest * \param sig buffer that will hold the ciphertext * * \return 0 if the signing operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * * \note The "sig" buffer must be as large as the size * of ctx->N (eg. 128 bytes if RSA-1024 is used). */
typedef struct mbedtls_pkcs11_context
{
pkcs11h_certificate_t pkcs11h_cert;
int len;
} mbedtls_pkcs11_context;
/** * Context for PKCS #11 private keys. */