2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
5 * Authors: Nikos Mavrogiannopoulos, Stef Walter
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
27 #include <p11-kit/pkcs11.h>
28 #include <gnutls/pkcs11.h>
29 #include <x509/x509_int.h>
31 #define PKCS11_ID_SIZE 128
32 #define PKCS11_LABEL_SIZE 128
34 #include <p11-kit/uri.h>
35 typedef unsigned char ck_bool_t;
37 struct pkcs11_session_info {
38 struct ck_function_list *module;
39 struct ck_token_info tinfo;
40 ck_session_handle_t pks;
45 struct ck_token_info tinfo;
46 struct ck_slot_info sinfo;
48 struct gnutls_pkcs11_provider_st *prov;
51 struct gnutls_pkcs11_obj_st {
53 gnutls_pkcs11_obj_type_t type;
54 struct p11_kit_uri *info;
56 /* only when pubkey */
57 gnutls_datum_t pubkey[MAX_PUBLIC_PARAMS_SIZE];
58 gnutls_pk_algorithm_t pk_algorithm;
59 unsigned int key_usage;
61 struct pin_info_st pin;
64 /* This must be called on every function that uses a PKCS #11 function
66 int _gnutls_pkcs11_check_init(void);
68 #define PKCS11_CHECK_INIT \
69 ret = _gnutls_pkcs11_check_init(); \
71 return gnutls_assert_val(ret)
73 #define PKCS11_CHECK_INIT_RET(x) \
74 ret = _gnutls_pkcs11_check_init(); \
76 return gnutls_assert_val(x)
78 /* thus function is called for every token in the traverse_tokens
79 * function. Once everything is traversed it is called with NULL tinfo.
80 * It should return 0 if found what it was looking for.
82 typedef int (*find_func_t) (struct pkcs11_session_info *,
83 struct token_info * tinfo, struct ck_info *,
86 int pkcs11_rv_to_err(ck_rv_t rv);
87 int pkcs11_url_to_info(const char *url, struct p11_kit_uri **info);
89 pkcs11_find_slot(struct ck_function_list **module, ck_slot_id_t * slot,
90 struct p11_kit_uri *info, struct token_info *_tinfo);
92 int pkcs11_read_pubkey(struct ck_function_list *module,
93 ck_session_handle_t pks, ck_object_handle_t obj,
94 ck_key_type_t key_type, gnutls_datum_t * pubkey);
96 int pkcs11_get_info(struct p11_kit_uri *info,
97 gnutls_pkcs11_obj_info_t itype, void *output,
98 size_t * output_size);
99 int pkcs11_login(struct pkcs11_session_info *sinfo,
100 struct pin_info_st *pin_info,
101 const struct token_info *tokinfo,
102 struct p11_kit_uri *info, int so);
104 int pkcs11_call_token_func(struct p11_kit_uri *info, const unsigned retry);
106 extern gnutls_pkcs11_token_callback_t _gnutls_token_func;
107 extern void *_gnutls_token_data;
109 void pkcs11_rescan_slots(void);
110 int pkcs11_info_to_url(struct p11_kit_uri *info,
111 gnutls_pkcs11_url_type_t detailed, char **url);
113 #define SESSION_WRITE (1<<0)
114 #define SESSION_LOGIN (1<<1)
115 #define SESSION_SO (1<<2) /* security officer session */
116 #define SESSION_TRUSTED (1<<3) /* session on a marked as trusted (p11-kit) module */
117 int pkcs11_open_session(struct pkcs11_session_info *sinfo,
118 struct pin_info_st *pin_info,
119 struct p11_kit_uri *info, unsigned int flags);
120 int _pkcs11_traverse_tokens(find_func_t find_func, void *input,
121 struct p11_kit_uri *info,
122 struct pin_info_st *pin_info,
124 ck_object_class_t pkcs11_strtype_to_class(const char *type);
126 int pkcs11_token_matches_info(struct p11_kit_uri *info,
127 struct ck_token_info *tinfo,
128 struct ck_info *lib_info);
130 unsigned int pkcs11_obj_flags_to_int(unsigned int flags);
133 _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
134 const gnutls_datum_t * hash,
135 gnutls_datum_t * signature);
138 _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
140 const gnutls_datum_t * ciphertext,
141 gnutls_datum_t * plaintext);
143 static inline int pk_to_mech(gnutls_pk_algorithm_t pk)
145 if (pk == GNUTLS_PK_DSA)
147 else if (pk == GNUTLS_PK_EC)
153 static inline gnutls_pk_algorithm_t mech_to_pk(ck_key_type_t m)
156 return GNUTLS_PK_RSA;
157 else if (m == CKK_DSA)
158 return GNUTLS_PK_DSA;
159 else if (m == CKK_ECDSA)
162 return GNUTLS_PK_UNKNOWN;
165 static inline int pk_to_genmech(gnutls_pk_algorithm_t pk)
167 if (pk == GNUTLS_PK_DSA)
168 return CKM_DSA_KEY_PAIR_GEN;
169 else if (pk == GNUTLS_PK_EC)
170 return CKM_ECDSA_KEY_PAIR_GEN;
172 return CKM_RSA_PKCS_KEY_PAIR_GEN;
176 pkcs11_generate_key_pair(struct ck_function_list * module,
177 ck_session_handle_t sess,
178 struct ck_mechanism * mechanism,
179 struct ck_attribute * pub_templ,
180 unsigned long pub_templ_count,
181 struct ck_attribute * priv_templ,
182 unsigned long priv_templ_count,
183 ck_object_handle_t * pub,
184 ck_object_handle_t * priv);
187 pkcs11_get_slot_list(struct ck_function_list *module,
188 unsigned char token_present,
189 ck_slot_id_t * slot_list, unsigned long *count);
192 pkcs11_get_module_info(struct ck_function_list *module,
193 struct ck_info *info);
196 pkcs11_get_slot_info(struct ck_function_list *module,
197 ck_slot_id_t slot_id, struct ck_slot_info *info);
200 pkcs11_get_token_info(struct ck_function_list *module,
201 ck_slot_id_t slot_id, struct ck_token_info *info);
204 pkcs11_find_objects_init(struct ck_function_list *module,
205 ck_session_handle_t sess,
206 struct ck_attribute *templ, unsigned long count);
209 pkcs11_find_objects(struct ck_function_list *module,
210 ck_session_handle_t sess,
211 ck_object_handle_t * objects,
212 unsigned long max_object_count,
213 unsigned long *object_count);
215 ck_rv_t pkcs11_find_objects_final(struct pkcs11_session_info *);
217 ck_rv_t pkcs11_close_session(struct pkcs11_session_info *);
220 pkcs11_get_attribute_value(struct ck_function_list *module,
221 ck_session_handle_t sess,
222 ck_object_handle_t object,
223 struct ck_attribute *templ,
224 unsigned long count);
227 pkcs11_get_mechanism_list(struct ck_function_list *module,
228 ck_slot_id_t slot_id,
229 ck_mechanism_type_t * mechanism_list,
230 unsigned long *count);
233 pkcs11_sign_init(struct ck_function_list *module,
234 ck_session_handle_t sess,
235 struct ck_mechanism *mechanism, ck_object_handle_t key);
238 pkcs11_sign(struct ck_function_list *module,
239 ck_session_handle_t sess,
241 unsigned long data_len,
242 unsigned char *signature, unsigned long *signature_len);
245 pkcs11_decrypt_init(struct ck_function_list *module,
246 ck_session_handle_t sess,
247 struct ck_mechanism *mechanism,
248 ck_object_handle_t key);
251 pkcs11_decrypt(struct ck_function_list *module,
252 ck_session_handle_t sess,
253 unsigned char *encrypted_data,
254 unsigned long encrypted_data_len,
255 unsigned char *data, unsigned long *data_len);
258 pkcs11_create_object(struct ck_function_list *module,
259 ck_session_handle_t sess,
260 struct ck_attribute *templ,
261 unsigned long count, ck_object_handle_t * object);
264 pkcs11_destroy_object(struct ck_function_list *module,
265 ck_session_handle_t sess, ck_object_handle_t object);
268 pkcs11_init_token(struct ck_function_list *module,
269 ck_slot_id_t slot_id, unsigned char *pin,
270 unsigned long pin_len, unsigned char *label);
273 pkcs11_init_pin(struct ck_function_list *module,
274 ck_session_handle_t sess,
275 unsigned char *pin, unsigned long pin_len);
278 pkcs11_set_pin(struct ck_function_list *module,
279 ck_session_handle_t sess,
281 unsigned long old_len,
282 const char *new_pin, unsigned long new_len);
285 _gnutls_pkcs11_get_random(struct ck_function_list *module,
286 ck_session_handle_t sess, void *data, size_t len);
289 const char *pkcs11_strerror(ck_rv_t rv);
291 #endif /* ENABLE_PKCS11 */