|
Packit |
6b81fa |
/* libp11, a simple layer on top of the PKCS#11 API
|
|
Packit |
6b81fa |
* Copyright (C) 2005 Olaf Kirch <okir@lst.de>
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* This library is free software; you can redistribute it and/or
|
|
Packit |
6b81fa |
* modify it under the terms of the GNU Lesser General Public
|
|
Packit |
6b81fa |
* License as published by the Free Software Foundation; either
|
|
Packit |
6b81fa |
* version 2.1 of the License, or (at your option) any later version.
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* This library is distributed in the hope that it will be useful,
|
|
Packit |
6b81fa |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
6b81fa |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
6b81fa |
* Lesser General Public License for more details.
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* You should have received a copy of the GNU Lesser General Public
|
|
Packit |
6b81fa |
* License along with this library; if not, write to the Free Software
|
|
Packit |
6b81fa |
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
Packit |
6b81fa |
*/
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/**
|
|
Packit |
6b81fa |
* @file libp11.h
|
|
Packit |
6b81fa |
* @brief libp11 header file
|
|
Packit |
6b81fa |
*/
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#ifndef _LIB11_H
|
|
Packit |
6b81fa |
#define _LIB11_H
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#include "p11_err.h"
|
|
Packit |
6b81fa |
#include <openssl/bio.h>
|
|
Packit |
6b81fa |
#include <openssl/err.h>
|
|
Packit |
6b81fa |
#include <openssl/bn.h>
|
|
Packit |
6b81fa |
#include <openssl/rsa.h>
|
|
Packit |
6b81fa |
#include <openssl/x509.h>
|
|
Packit |
6b81fa |
#include <openssl/evp.h>
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#ifdef __cplusplus
|
|
Packit |
6b81fa |
extern "C" {
|
|
Packit |
6b81fa |
#endif
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/*
 * Error reporting for PKCS#11 return values (CKR_*).
 *
 * ERR_load_CKR_strings() presumably registers textual descriptions of the
 * CKR_* codes with the OpenSSL error library (so ERR_reason_error_string()
 * can describe them); ERR_unload_CKR_strings() releases them again.
 */
int ERR_load_CKR_strings(void);
void ERR_unload_CKR_strings(void);
/*
 * Push a PKCS#11 module error on the OpenSSL error queue.
 * @param function one of the CKR_F_PKCS11_* function codes defined below
 * @param reason   the CKR_* value returned by the module
 * @param file, line origin of the error; normally filled in by CKRerr()
 * NOTE(review): 'file' is not const-qualified, so CKRerr() passes __FILE__
 * (a string literal) to a char *. Harmless in C, but a C++ consumer of this
 * header may warn; the fix must be made together with the definition, which
 * is outside this header.
 */
void ERR_CKR_error(int function, int reason, char *file, int line);
/* Convenience wrapper that supplies the caller's source location. */
# define CKRerr(f,r) ERR_CKR_error((f),(r),__FILE__,__LINE__)
/* OpenSSL library code under which CKR_* errors are queued; see the
 * ERR_LIB_PKCS11 compatibility macro at the end of this header. */
int ERR_get_CKR_code(void);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/*
|
|
Packit |
6b81fa |
* The purpose of this library is to provide a simple PKCS11
|
|
Packit |
6b81fa |
 * interface to OpenSSL applications that wish to use a previously
|
|
Packit |
6b81fa |
* initialized card (as opposed to initializing it, etc).
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* I am therefore making some simplifying assumptions:
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
 * - no support for any operations that alter the card,
 *   i.e. readonly-login
 *   (historical note: this header meanwhile also declares write
 *   operations — PKCS11_init_token(), PKCS11_init_pin(), PKCS11_store_*(),
 *   PKCS11_remove_*() — and PKCS11_open_session() takes an rw flag, so the
 *   read-only assumption no longer holds for every function below; those
 *   functions need an RW session and are destructive on the token)
|
|
Packit |
6b81fa |
*/
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/** PKCS11 key object (public or private) */
|
|
Packit |
6b81fa |
/** PKCS11 key object (public or private)
 *
 * Entries of the lists returned by PKCS11_enumerate_keys() /
 * PKCS11_enumerate_public_keys(). label and id are read from the token:
 * treat them as data, not trusted input (whoever provisioned the token
 * chose them). The struct and its members are presumably owned by libp11
 * and released together with the slot list — do not free them yourself.
 */
typedef struct PKCS11_key_st {
	char *label;			/**< key label, presumably NUL-terminated by libp11 */
	unsigned char *id;		/**< raw id bytes; NOT NUL-terminated, use id_len */
	size_t id_len;			/**< number of bytes in id */
	unsigned char isPrivate;	/**< private key present? */
	unsigned char needLogin;	/**< login to read private key? */
	EVP_PKEY *evp_key;		/**< initially NULL; populated by
					     PKCS11_get_private_key() /
					     PKCS11_get_public_key() (the
					     PKCS11_load_key() mentioned in older
					     comments is not declared in this header) */
	void *_private;			/**< libp11 internal state; opaque to callers */
} PKCS11_KEY;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/** PKCS11 certificate object */
|
|
Packit |
6b81fa |
/** PKCS11 certificate object
 *
 * Entries of the list returned by PKCS11_enumerate_certs(), also produced by
 * PKCS11_store_certificate(). label and id come straight from the token and
 * are data, not trusted input.
 */
typedef struct PKCS11_cert_st {
	char *label;		/**< certificate label, presumably NUL-terminated by libp11 */
	unsigned char *id;	/**< raw id bytes; NOT NUL-terminated, use id_len */
	size_t id_len;		/**< number of bytes in id */
	X509 *x509;		/**< parsed certificate. Its presence on the token
				     says nothing about trust: validate the chain
				     (X509_verify_cert()) before relying on it */
	void *_private;		/**< libp11 internal state; opaque to callers */
} PKCS11_CERT;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/** PKCS11 token: smart card or USB key */
|
|
Packit |
6b81fa |
/** PKCS11 token: smart card or USB key
 *
 * Snapshot of the token information taken when the slot list was built
 * (presumably from CK_TOKEN_INFO; the flag names mirror the CKF_* token
 * flags). NOTE(review): it is not visible here whether the PIN-state flags
 * are refreshed after a failed PKCS11_login() — confirm before using them
 * to drive automatic retries.
 */
typedef struct PKCS11_token_st {
	char *label;
	char *manufacturer;
	char *model;
	char *serialnr;			/**< serial number as a string; data from the token */
	unsigned char initialized;	/**< token has been initialized (else see PKCS11_init_token()) */
	unsigned char loginRequired;	/**< private objects need PKCS11_login() first */
	unsigned char secureLogin;	/**< PIN is entered on a protected path (pinpad),
					     presumably mapping CKF_PROTECTED_AUTHENTICATION_PATH */
	unsigned char userPinSet;	/**< user PIN has been initialized (see PKCS11_init_pin()) */
	unsigned char readOnly;		/**< token refuses writes; RW sessions will fail */
	unsigned char hasRng;		/**< token offers an RNG (see PKCS11_generate_random()) */
	/* User-PIN retry state. A login with a wrong PIN consumes one of the
	 * remaining attempts on most tokens; check these before retrying
	 * PKCS11_login() in a loop, or the card can end up permanently locked. */
	unsigned char userPinCountLow;
	unsigned char userPinFinalTry;
	unsigned char userPinLocked;
	unsigned char userPinToBeChanged;
	/* Same retry state for the Security Officer PIN. */
	unsigned char soPinCountLow;
	unsigned char soPinFinalTry;
	unsigned char soPinLocked;
	unsigned char soPinToBeChanged;
	void *_private;			/**< libp11 internal state; opaque to callers */
} PKCS11_TOKEN;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/** PKCS11 slot: card reader */
|
|
Packit |
6b81fa |
/** PKCS11 slot: card reader
 *
 * One element of the array filled in by PKCS11_enumerate_slots(); owned by
 * libp11 and freed by PKCS11_release_all_slots().
 */
typedef struct PKCS11_slot_st {
	char *manufacturer;
	char *description;
	unsigned char removable;	/**< token may be removed at runtime; when set,
					     'token' is only as fresh as the last
					     enumeration (presumably) */
	PKCS11_TOKEN *token;		/**< NULL if no token present */
	void *_private;			/**< libp11 internal state; opaque to callers */
} PKCS11_SLOT;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/** PKCS11 context */
|
|
Packit |
6b81fa |
/** PKCS11 context
 *
 * Handle for one loaded PKCS#11 module (see PKCS11_CTX_load()); the two
 * strings describe the module, not a token. Nothing in this header states
 * the locking model — NOTE(review): confirm before sharing one context
 * between threads.
 */
typedef struct PKCS11_ctx_st {
	char *manufacturer;
	char *description;
	void *_private;		/**< libp11 internal state; opaque to callers */
} PKCS11_CTX;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/**
 * Create a new libp11 context
 *
 * This should be the first function called in the use of libp11
 * @return an allocated context, or NULL on failure — check it, every
 *         other PKCS11_CTX_* function dereferences it
 */
extern PKCS11_CTX *PKCS11_CTX_new(void);

/**
 * Specify any private PKCS#11 module initialization args, if necessary
 *
 * Must be called before PKCS11_CTX_load(); the string is handed to the
 * module at load time (presumably via CK_C_INITIALIZE_ARGS).
 * @param ctx context allocated by PKCS11_CTX_new()
 * @param init_args module-specific string. NOTE(review): whether ctx keeps
 *        a copy or only the pointer is not visible here — keep the string
 *        alive until PKCS11_CTX_load() has returned to be safe
 * @return none
 */
extern void PKCS11_CTX_init_args(PKCS11_CTX * ctx, const char * init_args);

/**
 * Load a PKCS#11 module
 *
 * The module is a shared library loaded into this process; it then runs
 * with the caller's privileges. Treat ident as trusted configuration, never
 * as user input — whoever controls the path gets arbitrary code execution.
 * Prefer an absolute path so the dynamic loader does not search the
 * library path on the caller's behalf.
 * @param ctx context allocated by PKCS11_CTX_new()
 * @param ident PKCS#11 library filename
 * @retval 0 success
 * @retval -1 error (details on the OpenSSL error queue, see
 *         ERR_load_PKCS11_strings())
 */
extern int PKCS11_CTX_load(PKCS11_CTX * ctx, const char * ident);

/**
 * Reinitialize a PKCS#11 module (after a fork)
 *
 * Per the PKCS#11 specification a child process must initialize the module
 * anew and cannot reuse the parent's sessions; this is the hook for that.
 * NOTE(review): whether PKCS11_SLOT/PKCS11_KEY objects obtained before the
 * fork stay valid afterwards, and whether a previous login is replayed,
 * is not documented here — confirm, and re-login explicitly if in doubt.
 * @param ctx context allocated by PKCS11_CTX_new()
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_CTX_reload(PKCS11_CTX * ctx);

/**
 * Unload a PKCS#11 module
 *
 * Release slots (PKCS11_release_all_slots()) before calling this; the
 * module's objects are presumably invalid afterwards.
 * @param ctx context allocated by PKCS11_CTX_new()
 */
extern void PKCS11_CTX_unload(PKCS11_CTX * ctx);

/**
 * Free a libp11 context
 *
 * Call after PKCS11_CTX_unload(). The ctx pointer must not be used again.
 * @param ctx context allocated by PKCS11_CTX_new()
 */
extern void PKCS11_CTX_free(PKCS11_CTX * ctx);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/** Open a session in RO or RW mode
 *
 * An RW session is only needed for the write operations declared below
 * (PKCS11_store_*(), PKCS11_remove_*(), PKCS11_init_*()); everything else
 * works read-only, which is the safer default.
 * @param slot slot descriptor returned by PKCS11_find_token() or PKCS11_enumerate_slots()
 * @param rw open in read/write mode if rw != 0, otherwise in read only mode
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_open_session(PKCS11_SLOT * slot, int rw);

/**
 * Get a list of all slots
 *
 * @param ctx context allocated by PKCS11_CTX_new()
 * @param slotsp pointer on a list of slots; allocated by libp11, release it
 *        with PKCS11_release_all_slots() only
 * @param nslotsp size of the allocated list; may be 0 when the module
 *        reports no slot — check it before indexing *slotsp
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_enumerate_slots(PKCS11_CTX * ctx,
	PKCS11_SLOT **slotsp, unsigned int *nslotsp);

/**
 * Get the slot_id from a slot as it is stored in private
 *
 * Exposes the module-assigned slot identifier (presumably CK_SLOT_ID),
 * e.g. to match a slot against configuration. Slot ids are specific to
 * the module and not guaranteed stable across reloads.
 * @param slotp pointer on a slot
 * @retval the slotid
 */
extern unsigned long PKCS11_get_slotid_from_slot(PKCS11_SLOT *slotp);

/**
 * Free the list of slots allocated by PKCS11_enumerate_slots()
 *
 * Invalidates every PKCS11_SLOT and PKCS11_TOKEN in the list and,
 * presumably, the PKCS11_KEY/PKCS11_CERT objects obtained through them;
 * drop those pointers first.
 * @param ctx context allocated by PKCS11_CTX_new()
 * @param slots list of slots allocated by PKCS11_enumerate_slots()
 * @param nslots size of the list
 */
extern void PKCS11_release_all_slots(PKCS11_CTX * ctx,
	PKCS11_SLOT *slots, unsigned int nslots);

/**
 * Find the first slot with a token
 *
 * @param ctx context allocated by PKCS11_CTX_new()
 * @param slots list of slots allocated by PKCS11_enumerate_slots()
 * @param nslots size of the list
 * @retval !=NULL pointer on a slot structure
 * @retval NULL no slot holds a token, or error. NOTE(review): the two
 *         cases cannot be told apart from the return value; consult the
 *         OpenSSL error queue if the distinction matters
 */
PKCS11_SLOT *PKCS11_find_token(PKCS11_CTX * ctx,
	PKCS11_SLOT *slots, unsigned int nslots);

/**
 * Find the next slot with a token
 *
 * Iteration helper: start with PKCS11_find_token(), then pass each result
 * back as 'slot' until NULL is returned.
 * @param ctx context allocated by PKCS11_CTX_new()
 * @param slots list of slots allocated by PKCS11_enumerate_slots()
 * @param nslots size of the list
 * @param slot current slot (an element of 'slots'); the search presumably
 *        resumes after it
 * @retval !=NULL pointer on a slot structure
 * @retval NULL no further slot with a token, or error
 */
PKCS11_SLOT *PKCS11_find_next_token(PKCS11_CTX * ctx,
	PKCS11_SLOT *slots, unsigned int nslots,
	PKCS11_SLOT *slot);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/**
 * Check if user is already authenticated to a card
 *
 * Use this before PKCS11_login() to avoid needless PIN presentations
 * (each failed one costs a retry on most tokens).
 * @param slot slot returned by PKCS11_find_token()
 * @param so kind of login to check: CKU_SO if != 0, otherwise CKU_USER
 * @param res pointer to return value: 1 if logged in, 0 if not logged in;
 *        only meaningful when the function returns 0
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_is_logged_in(PKCS11_SLOT * slot, int so, int * res);

/**
 * Authenticate to the card
 *
 * Security notes for callers:
 *  - A wrong PIN consumes one retry on most tokens; inspect
 *    slot->token->userPinFinalTry / userPinLocked (soPin* for so != 0)
 *    before retrying automatically, or the card may be locked for good.
 *  - The caller owns the PIN buffer and should wipe it (e.g.
 *    OPENSSL_cleanse()) once the call returns. NOTE(review): whether libp11
 *    retains a copy (e.g. to re-login after PKCS11_CTX_reload()) is not
 *    visible in this header — confirm before handling high-value PINs.
 *  - NOTE(review): whether pin may be NULL for tokens with secureLogin
 *    (pinpad entry) is not documented here.
 * @param slot slot returned by PKCS11_find_token()
 * @param so login as CKU_SO if != 0, otherwise login as CKU_USER
 * @param pin PIN value, NUL-terminated
 * @retval 0 success
 * @retval -1 error (a wrong PIN is reported this way too)
 */
extern int PKCS11_login(PKCS11_SLOT * slot, int so, const char *pin);

/**
 * De-authenticate from the card
 *
 * After this, private objects need PKCS11_login() again; EVP_PKEYs already
 * handed out for private keys will presumably fail at their next use.
 * @param slot slot returned by PKCS11_find_token()
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_logout(PKCS11_SLOT * slot);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Get a list of private keys associated with this token.
 * Out-params: key list (owned by libp11, do not free) and its length.
 * Tokens with needLogin/loginRequired set presumably hide private objects
 * until PKCS11_login() — an empty list does not prove there are none.
 * Return convention: 0 success, -1 error (as elsewhere in this header). */
extern int PKCS11_enumerate_keys(PKCS11_TOKEN *,
	PKCS11_KEY **, unsigned int *);

/* Remove the key from this token.
 * Destructive and irreversible; needs an RW session and a login. */
extern int PKCS11_remove_key(PKCS11_KEY *);

/* Get a list of public keys associated with this token
 * (same ownership and return convention as PKCS11_enumerate_keys()). */
extern int PKCS11_enumerate_public_keys(PKCS11_TOKEN *,
	PKCS11_KEY **, unsigned int *);

/* Get the key type (as EVP_PKEY_XXX) */
extern int PKCS11_get_key_type(PKCS11_KEY *);

/**
 * Returns a EVP_PKEY object for the private key
 *
 * The private key material stays on the token; the EVP_PKEY is presumably
 * backed by the method tables declared further down, so signing/decryption
 * goes through the module. The object is also cached in key->evp_key.
 * NOTE(review): whether the returned reference is owned by the PKCS11_KEY
 * or must be released by the caller is not visible here — confirm before
 * calling EVP_PKEY_free() on it.
 * @param key PKCS11_KEY object
 * @retval !=NULL reference to the EVP_PKEY object
 * @retval NULL error
 */
extern EVP_PKEY *PKCS11_get_private_key(PKCS11_KEY *key);

/**
 * Returns a EVP_PKEY object with the public key
 *
 * Same ownership caveat as PKCS11_get_private_key(). This is the key to use
 * for signature verification with OpenSSL's EVP API.
 * @param key PKCS11_KEY object
 * @retval !=NULL reference to the EVP_PKEY object
 * @retval NULL error
 */
extern EVP_PKEY *PKCS11_get_public_key(PKCS11_KEY *key);

/* Find the corresponding certificate (if any) — presumably matched on
 * the id bytes, so keep key and certificate ids in sync when storing. */
extern PKCS11_CERT *PKCS11_find_certificate(PKCS11_KEY *);

/* Find the corresponding key (if any); see PKCS11_find_certificate(). */
extern PKCS11_KEY *PKCS11_find_key(PKCS11_CERT *);

/* Get a list of all certificates associated with this token
 * (list owned by libp11; 0 success, -1 error). */
extern int PKCS11_enumerate_certs(PKCS11_TOKEN *, PKCS11_CERT **, unsigned int *);

/* Remove the certificate from this token.
 * Destructive and irreversible; needs an RW session and a login. */
extern int PKCS11_remove_certificate(PKCS11_CERT *);

/* Set UI method to allow retrieving CKU_CONTEXT_SPECIFIC PINs interactively
 * (tokens that demand a PIN per private-key operation). ui_user_data is
 * passed through to the UI_METHOD callbacks; the callback must not log or
 * retain the PIN it collects. NOTE(review): the return convention is not
 * documented here — presumably 0/-1 like the rest of the API. */
extern int PKCS11_set_ui_method(PKCS11_CTX *ctx,
	UI_METHOD *ui_method, void *ui_user_data);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/**
 * Initialize a token
 *
 * DESTRUCTIVE: per the PKCS#11 C_InitToken semantics this re-initializes
 * the token, which destroys the objects stored on it — treat it as a wipe
 * and never call it on a token you did not intend to erase. A wrong SO PIN
 * presumably consumes an SO-PIN retry (see token->soPinFinalTry).
 * @param token token descriptor (in general slot->token)
 * @param pin Security Officer PIN value
 * @param label new name of the token
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_init_token(PKCS11_TOKEN * token, const char *pin,
	const char *label);

/**
 * Initialize the user PIN on a token
 *
 * Presumably requires an RW session with the Security Officer logged in
 * (PKCS11_login(slot, 1, so_pin)), as C_InitPIN does. Wipe the PIN buffer
 * after the call.
 * @param token token descriptor (in general slot->token)
 * @param pin new user PIN value
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_init_pin(PKCS11_TOKEN * token, const char *pin);

/**
 * Change the currently used (either USER or SO) PIN on a token.
 *
 * Which PIN is changed depends on who is logged in on the slot's session;
 * log in first. A wrong old_pin presumably counts as a failed attempt.
 * Wipe both PIN buffers after the call.
 * @param slot slot returned by PKCS11_find_token()
 * @param old_pin old PIN value
 * @param new_pin new PIN value
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_change_pin(PKCS11_SLOT * slot, const char *old_pin,
	const char *new_pin);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/**
 * Store private key on a token
 *
 * Imports key material: the complete private key is handed to the module
 * over the PKCS#11 API, so its confidentiality is only as good as the
 * module and its transport to the token. Prefer on-token generation where
 * the token supports it. Needs an RW session and a login. Pick an id that
 * is unique on the token and reuse it for the matching certificate, since
 * PKCS11_find_certificate()/PKCS11_find_key() presumably pair objects by id.
 * @param token token returned by PKCS11_find_token()
 * @param pk private key
 * @param label label for this key (not const in the prototype, but
 *        presumably not modified)
 * @param id bytes to use as the id value
 * @param id_len length of the id value
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);

/**
 * Store public key on a token
 *
 * Needs an RW session and a login; see PKCS11_store_private_key() for the
 * id convention.
 * @param token token returned by PKCS11_find_token()
 * @param pk public key (only the public components are stored)
 * @param label label for this key
 * @param id bytes to use as the id value
 * @param id_len length of the id value
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_store_public_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);

/**
 * Store certificate on a token
 *
 * Needs an RW session and a login. The certificate is stored as-is; libp11
 * is not visible here to validate it, so do that before storing if the
 * token is later trusted as a certificate source.
 * @param token token returned by PKCS11_find_token()
 * @param x509 x509 certificate object
 * @param label label for this certificate
 * @param id bytes to use as the id value
 * @param id_len length of the id value
 * @param ret_cert put new PKCS11_CERT object here (owned by libp11).
 *        NOTE(review): whether NULL is accepted is not documented here
 * @retval 0 success
 * @retval -1 error
 */
extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
	char *label, unsigned char *id, size_t id_len,
	PKCS11_CERT **ret_cert);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Access the random number generator
 *
 * Both talk to the token's RNG (presumably C_SeedRandom / C_GenerateRandom).
 * Check slot->token->hasRng first — whether these functions check it for
 * you is not visible here. The quality of a token RNG is the vendor's
 * responsibility; unless the token is certified for the purpose, use it to
 * supplement, not replace, the OS/OpenSSL CSPRNG.
 *   PKCS11_seed_random:     mixes s_len bytes from s into the token RNG
 *   PKCS11_generate_random: fills r with r_len random bytes
 * Return convention presumably 0 success / -1 error, as elsewhere here;
 * never use r on error, it may be partially or not at all filled.
 */
extern int PKCS11_seed_random(PKCS11_SLOT *slot, const unsigned char *s, unsigned int s_len);
extern int PKCS11_generate_random(PKCS11_SLOT *slot, unsigned char *r, unsigned int r_len);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/*
 * PKCS#11 implementation for OpenSSL methods
 *
 * Method tables that route private-key operations through the PKCS#11
 * module (presumably what backs the EVP_PKEYs from
 * PKCS11_get_private_key()). The returned pointers are presumably
 * library-owned singletons — do not free them.
 */
RSA_METHOD *PKCS11_get_rsa_method(void);
/* Also define unsupported methods to retain backward compatibility */
#if OPENSSL_VERSION_NUMBER >= 0x10100002L && !defined(LIBRESSL_VERSION_NUMBER)
/* OpenSSL >= 1.1.0: EC_KEY_METHOD replaces the separate ECDSA/ECDH method
 * types; the two void * getters only keep old callers linking. */
EC_KEY_METHOD *PKCS11_get_ec_key_method(void);
void *PKCS11_get_ecdsa_method(void);
void *PKCS11_get_ecdh_method(void);
#else
/* OpenSSL 1.0.x and LibreSSL: the pre-1.1 split method types; here the
 * EC_KEY_METHOD getter is the unsupported one. */
void *PKCS11_get_ec_key_method(void);
ECDSA_METHOD *PKCS11_get_ecdsa_method(void);
ECDH_METHOD *PKCS11_get_ecdh_method(void);
#endif
/* ENGINE "pkey_meths" callback (ENGINE_PKEY_METHS_PTR signature): with
 * pmeth == NULL it reports the supported NIDs via *nids, otherwise it
 * returns the EVP_PKEY_METHOD for nid in *pmeth. */
int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
	const int **nids, int nid);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/**
 * Load PKCS11 error strings
 *
 * Call this function to be able to use ERR_reason_error_string(ERR_get_error())
 * to get a textual version of the latest error code.
 * This covers libp11's own reason codes (P11_R_* from p11_err.h); the
 * module's CKR_* codes are handled by ERR_load_CKR_strings() above —
 * see the ERR_LIB_PKCS11 note at the end of this header for why there
 * are two.
 */
extern void ERR_load_PKCS11_strings(void);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
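/*
 * P11_DEPRECATED(msg): compiler-specific "deprecated" annotation used to
 * warn callers of the legacy functions below at compile time.
 *
 * The clang test must come before the GCC one: clang also defines
 * __GNUC__ (reporting itself as GCC 4.2), so with the GCC branch first
 * clang would fall into the message-less 4.2 fallback and the
 * __clang__ branch would never be reached.
 */
#if defined(_LIBP11_INT_H)
/* Deprecated functions will no longer be exported in libp11 0.5.0 */
/* They are, however, used internally in OpenSSL method definitions */
#define P11_DEPRECATED(msg)
#elif defined(_MSC_VER)
#define P11_DEPRECATED(msg) __declspec(deprecated(msg))
#elif defined(__clang__)
/* clang supports the message form regardless of the __GNUC__ it reports */
#define P11_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
#elif defined(__GNUC__)
#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 40500
/* GCC >= 4.5.0 supports printing a message */
#define P11_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
#else
#define P11_DEPRECATED(msg) __attribute__ ((deprecated))
#endif
#else
/* Unknown compiler: no warning, but the declarations still compile */
#define P11_DEPRECATED(msg)
#endif

/* Attribute applied to every legacy function declared below */
#define P11_DEPRECATED_FUNC \
	P11_DEPRECATED("This function will be removed in libp11 0.5.0")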
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/*
 * These functions will be removed from libp11, because they partially
 * duplicate the functionality OpenSSL provides for EVP_PKEY objects.
 * New code should use PKCS11_get_private_key()/PKCS11_get_public_key()
 * together with OpenSSL's EVP API instead.
 */

/**
 * Generate a private key on the token
 *
 * Writes to the token: needs an RW session and a login. Generating on the
 * token is preferable to PKCS11_store_private_key(), since the private
 * material never leaves the device.
 * @param token token returned by PKCS11_find_token()
 * @param algorithm IGNORED (still here for backward compatibility)
 * @param bits size of the modulus in bits (RSA only is implied here)
 * @param label label for this key
 * @param id bytes to use as the id value
 * @param id_len length of the id value
 * @retval 0 success
 * @retval -1 error
 */
P11_DEPRECATED_FUNC extern int PKCS11_generate_key(PKCS11_TOKEN * token,
	int algorithm, unsigned int bits,
	char *label, unsigned char* id, size_t id_len);

/* Get the RSA key modulus size (in bytes); this is also the buffer size
 * the RSA sign/encrypt/decrypt functions below need for their output. */
P11_DEPRECATED_FUNC extern int PKCS11_get_key_size(PKCS11_KEY *);

/* Get the RSA key modulus as BIGNUM (allocated into *bn; caller frees) */
P11_DEPRECATED_FUNC extern int PKCS11_get_key_modulus(PKCS11_KEY *, BIGNUM **);

/* Get the RSA key public exponent as BIGNUM (allocated into *bn; caller frees) */
P11_DEPRECATED_FUNC extern int PKCS11_get_key_exponent(PKCS11_KEY *, BIGNUM **);

/* Sign with the EC private key.
 * m is presumably the message digest (as with ECDSA_sign()). There is no
 * output-length parameter: sigret must already be large enough for the
 * key's signature; *siglen receives the length written. */
P11_DEPRECATED_FUNC extern int PKCS11_ecdsa_sign(
	const unsigned char *m, unsigned int m_len,
	unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);

/* Sign with the RSA private key.
 * Mirrors RSA_sign(): type is the digest NID, m the digest. No output-length
 * parameter — sigret needs PKCS11_get_key_size() bytes; *siglen receives the
 * length written. */
P11_DEPRECATED_FUNC extern int PKCS11_sign(int type,
	const unsigned char *m, unsigned int m_len,
	unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);

/* This function has never been implemented — do not call it (the
 * declaration only keeps old sources compiling). Verify signatures with
 * the EVP_PKEY from PKCS11_get_public_key() and EVP_DigestVerify*(). */
P11_DEPRECATED_FUNC extern int PKCS11_verify(int type,
	const unsigned char *m, unsigned int m_len,
	unsigned char *signature, unsigned int siglen, PKCS11_KEY * key);

/* Encrypts data using the private key (raw RSA private-key operation,
 * as RSA_private_encrypt()). 'to' must hold PKCS11_get_key_size() bytes;
 * there is no length parameter to bound the write. */
P11_DEPRECATED_FUNC extern int PKCS11_private_encrypt(
	int flen, const unsigned char *from,
	unsigned char *to, PKCS11_KEY * rsa, int padding);

/**
 * Decrypts data using the private key
 *
 * NOTE(review): with RSA_PKCS1_PADDING the 0-on-failure return lets a
 * caller (and, through its behaviour, a remote peer) distinguish a padding
 * failure from success — the classic Bleichenbacher oracle when the
 * ciphertext comes from an untrusted party. Prefer RSA_PKCS1_OAEP_PADDING,
 * or handle failure indistinguishably from success (same timing, same
 * response) as TLS stacks do.
 * @param flen length of the encrypted data
 * @param from encrypted data
 * @param to output buffer (MUST be at least flen bytes long)
 * @param key private key object
 * @param padding padding algorithm to be used
 * @return the length of the decrypted data or 0 if an error occurred
 */
P11_DEPRECATED_FUNC extern int PKCS11_private_decrypt(
	int flen, const unsigned char *from,
	unsigned char *to, PKCS11_KEY * key, int padding);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Function codes
 *
 * Values for the 'function' argument of CKRerr()/ERR_CKR_error(): they
 * identify which libp11 operation an error on the OpenSSL queue came from.
 * The numbers are part of the public error ABI (the PKCS11_F_* aliases
 * below and application code compare against them), so new codes are
 * appended — which is why 128–130 break the alphabetical order — and
 * existing values are never renumbered. */
# define CKR_F_PKCS11_CHANGE_PIN 100
# define CKR_F_PKCS11_CHECK_TOKEN 101
# define CKR_F_PKCS11_CTX_LOAD 102
# define CKR_F_PKCS11_ECDH_DERIVE 103
# define CKR_F_PKCS11_ECDSA_SIGN 104
# define CKR_F_PKCS11_ENUMERATE_SLOTS 105
# define CKR_F_PKCS11_FIND_CERTS 106
# define CKR_F_PKCS11_FIND_KEYS 107
# define CKR_F_PKCS11_GENERATE_RANDOM 108
# define CKR_F_PKCS11_GETATTR_ALLOC 109
# define CKR_F_PKCS11_GETATTR_BN 110
# define CKR_F_PKCS11_GETATTR_INT 111
# define CKR_F_PKCS11_INIT_PIN 112
# define CKR_F_PKCS11_INIT_SLOT 113
# define CKR_F_PKCS11_INIT_TOKEN 114
# define CKR_F_PKCS11_IS_LOGGED_IN 115
# define CKR_F_PKCS11_LOGIN 116
# define CKR_F_PKCS11_LOGOUT 117
# define CKR_F_PKCS11_NEXT_CERT 118
# define CKR_F_PKCS11_NEXT_KEY 119
# define CKR_F_PKCS11_OPEN_SESSION 120
# define CKR_F_PKCS11_PRIVATE_DECRYPT 121
# define CKR_F_PKCS11_PRIVATE_ENCRYPT 122
# define CKR_F_PKCS11_RELOAD_KEY 123
# define CKR_F_PKCS11_REOPEN_SESSION 124
# define CKR_F_PKCS11_SEED_RANDOM 125
# define CKR_F_PKCS11_STORE_CERTIFICATE 126
# define CKR_F_PKCS11_STORE_KEY 127
/* appended later; keep at the end */
# define CKR_F_PKCS11_REMOVE_KEY 128
# define CKR_F_PKCS11_REMOVE_CERTIFICATE 129
# define CKR_F_PKCS11_GENERATE_KEY 130
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Backward compatibility of error function codes
 *
 * The function codes used to be named PKCS11_F_*; the old names are kept
 * as aliases of the CKR_F_* values so existing applications keep compiling.
 * New code should use the CKR_F_* names. */
#define PKCS11_F_PKCS11_CHANGE_PIN CKR_F_PKCS11_CHANGE_PIN
#define PKCS11_F_PKCS11_CHECK_TOKEN CKR_F_PKCS11_CHECK_TOKEN
#define PKCS11_F_PKCS11_CTX_LOAD CKR_F_PKCS11_CTX_LOAD
#define PKCS11_F_PKCS11_ECDH_DERIVE CKR_F_PKCS11_ECDH_DERIVE
#define PKCS11_F_PKCS11_ECDSA_SIGN CKR_F_PKCS11_ECDSA_SIGN
#define PKCS11_F_PKCS11_ENUMERATE_SLOTS CKR_F_PKCS11_ENUMERATE_SLOTS
#define PKCS11_F_PKCS11_FIND_CERTS CKR_F_PKCS11_FIND_CERTS
#define PKCS11_F_PKCS11_FIND_KEYS CKR_F_PKCS11_FIND_KEYS
#define PKCS11_F_PKCS11_GENERATE_RANDOM CKR_F_PKCS11_GENERATE_RANDOM
#define PKCS11_F_PKCS11_GETATTR_ALLOC CKR_F_PKCS11_GETATTR_ALLOC
#define PKCS11_F_PKCS11_GETATTR_BN CKR_F_PKCS11_GETATTR_BN
#define PKCS11_F_PKCS11_GETATTR_INT CKR_F_PKCS11_GETATTR_INT
#define PKCS11_F_PKCS11_INIT_PIN CKR_F_PKCS11_INIT_PIN
#define PKCS11_F_PKCS11_INIT_SLOT CKR_F_PKCS11_INIT_SLOT
#define PKCS11_F_PKCS11_INIT_TOKEN CKR_F_PKCS11_INIT_TOKEN
#define PKCS11_F_PKCS11_IS_LOGGED_IN CKR_F_PKCS11_IS_LOGGED_IN
#define PKCS11_F_PKCS11_LOGIN CKR_F_PKCS11_LOGIN
#define PKCS11_F_PKCS11_LOGOUT CKR_F_PKCS11_LOGOUT
#define PKCS11_F_PKCS11_NEXT_CERT CKR_F_PKCS11_NEXT_CERT
#define PKCS11_F_PKCS11_NEXT_KEY CKR_F_PKCS11_NEXT_KEY
#define PKCS11_F_PKCS11_OPEN_SESSION CKR_F_PKCS11_OPEN_SESSION
#define PKCS11_F_PKCS11_PRIVATE_DECRYPT CKR_F_PKCS11_PRIVATE_DECRYPT
#define PKCS11_F_PKCS11_PRIVATE_ENCRYPT CKR_F_PKCS11_PRIVATE_ENCRYPT
#define PKCS11_F_PKCS11_RELOAD_KEY CKR_F_PKCS11_RELOAD_KEY
#define PKCS11_F_PKCS11_REOPEN_SESSION CKR_F_PKCS11_REOPEN_SESSION
#define PKCS11_F_PKCS11_SEED_RANDOM CKR_F_PKCS11_SEED_RANDOM
#define PKCS11_F_PKCS11_STORE_CERTIFICATE CKR_F_PKCS11_STORE_CERTIFICATE
#define PKCS11_F_PKCS11_STORE_KEY CKR_F_PKCS11_STORE_KEY
#define PKCS11_F_PKCS11_REMOVE_KEY CKR_F_PKCS11_REMOVE_KEY
#define PKCS11_F_PKCS11_REMOVE_CERTIFICATE CKR_F_PKCS11_REMOVE_CERTIFICATE
#define PKCS11_F_PKCS11_GENERATE_KEY CKR_F_PKCS11_GENERATE_KEY
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Backward compatibility of error reason codes
 *
 * Old PKCS11_* reason names map onto the P11_R_* reasons from p11_err.h.
 * PKCS11_MODULE_LOADED_ERROR and PKCS11_SYMBOL_NOT_FOUND_ERROR survive only
 * so old code compiles: they expand to -1, which ERR_GET_REASON() never
 * yields, so a comparison against them can never be true — callers that
 * relied on those two reasons should switch to P11_R_LOAD_MODULE_ERROR. */
#define PKCS11_LOAD_MODULE_ERROR P11_R_LOAD_MODULE_ERROR
#define PKCS11_MODULE_LOADED_ERROR -1
#define PKCS11_SYMBOL_NOT_FOUND_ERROR -1
#define PKCS11_NOT_SUPPORTED P11_R_NOT_SUPPORTED
#define PKCS11_NO_SESSION P11_R_NO_SESSION
#define PKCS11_KEYGEN_FAILED P11_R_KEYGEN_FAILED
#define PKCS11_UI_FAILED P11_R_UI_FAILED
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Backward compatibility emulation of the ERR_LIB_PKCS11 constant.
 * We currently use two separate variables for library error codes:
 * one for imported PKCS#11 module errors, and one for our own libp11 errors.
 * We return the value for PKCS#11, as it is more likely to be needed.
 *
 * NOTE(review): unlike OpenSSL's own ERR_LIB_* constants this expands to a
 * function call, so it is not usable in a case label or static initializer,
 * and its value is presumably only meaningful once ERR_load_CKR_strings()
 * has registered the library — confirm against ERR_get_CKR_code(). Errors
 * raised with libp11's own P11_R_* reasons carry a different library code
 * and will not match ERR_GET_LIB(err) == ERR_LIB_PKCS11. */
#define ERR_LIB_PKCS11 (ERR_get_CKR_code())
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#ifdef __cplusplus
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
#endif
|
|
Packit |
6b81fa |
#endif
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* vim: set noexpandtab: */
|