Merge pull request #4254 from mstarzyk-mobica/remove_libpkcs11-helper
Remove PKCS#11 library wrapper.
This commit is contained in:
commit
e8e450a394
@ -38,8 +38,6 @@ endif()
|
||||
# Set the project root directory.
|
||||
set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR})
|
||||
|
||||
option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
|
||||
|
||||
option(ENABLE_PROGRAMS "Build mbed TLS programs." ON)
|
||||
|
||||
option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
|
||||
|
6
ChangeLog.d/remove_pkcs11.txt
Normal file
6
ChangeLog.d/remove_pkcs11.txt
Normal file
@ -0,0 +1,6 @@
|
||||
Removals
|
||||
* Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
|
||||
lacks automated tests and has scarce documentation. Also, PSA Crypto
|
||||
provides a more flexible private key management.
|
||||
More details on PCKS#11 wrapper removal can be found in the mailing list
|
||||
https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
|
@ -2477,21 +2477,6 @@
|
||||
*/
|
||||
#define MBEDTLS_PKCS5_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PKCS11_C
|
||||
*
|
||||
* Enable wrapper for PKCS#11 smartcard support.
|
||||
*
|
||||
* Module: library/pkcs11.c
|
||||
* Caller: library/pk.c
|
||||
*
|
||||
* Requires: MBEDTLS_PK_C
|
||||
*
|
||||
* This module enables SSL/TLS PKCS #11 smartcard support.
|
||||
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
|
||||
*/
|
||||
//#define MBEDTLS_PKCS11_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PKCS12_C
|
||||
*
|
||||
|
@ -362,18 +362,6 @@
|
||||
#error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
|
||||
#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PKCS11_C)
|
||||
#if defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
#error "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
|
||||
#elif defined(MBEDTLS_DEPRECATED_WARNING)
|
||||
#warning "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
|
||||
#endif
|
||||
#endif /* MBEDTLS_PKCS11_C */
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
|
||||
#error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
|
||||
#endif
|
||||
|
@ -2948,24 +2948,6 @@
|
||||
*/
|
||||
#define MBEDTLS_PKCS5_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PKCS11_C
|
||||
*
|
||||
* Enable wrapper for PKCS#11 smartcard support via the pkcs11-helper library.
|
||||
*
|
||||
* \deprecated This option is deprecated and will be removed in a future
|
||||
* version of Mbed TLS.
|
||||
*
|
||||
* Module: library/pkcs11.c
|
||||
* Caller: library/pk.c
|
||||
*
|
||||
* Requires: MBEDTLS_PK_C
|
||||
*
|
||||
* This module enables SSL/TLS PKCS #11 smartcard support.
|
||||
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
|
||||
*/
|
||||
//#define MBEDTLS_PKCS11_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PKCS12_C
|
||||
*
|
||||
|
@ -1,246 +0,0 @@
|
||||
/**
|
||||
* \file pkcs11.h
|
||||
*
|
||||
* \brief Wrapper for PKCS#11 library libpkcs11-helper
|
||||
*
|
||||
* \author Adriaan de Jong <dejong@fox-it.com>
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef MBEDTLS_PKCS11_H
|
||||
#define MBEDTLS_PKCS11_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PKCS11_C)
|
||||
|
||||
#include "mbedtls/x509_crt.h"
|
||||
|
||||
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
|
||||
|
||||
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
||||
!defined(inline) && !defined(__cplusplus)
|
||||
#define inline __inline
|
||||
#endif
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
|
||||
/**
|
||||
* Context for PKCS #11 private keys.
|
||||
*/
|
||||
typedef struct mbedtls_pkcs11_context
|
||||
{
|
||||
pkcs11h_certificate_t pkcs11h_cert;
|
||||
int len;
|
||||
} mbedtls_pkcs11_context;
|
||||
|
||||
#if defined(MBEDTLS_DEPRECATED_WARNING)
|
||||
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
|
||||
#else
|
||||
#define MBEDTLS_DEPRECATED
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Initialize a mbedtls_pkcs11_context.
|
||||
* (Just making memory references valid.)
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a
|
||||
* future version of the library.
|
||||
*/
|
||||
MBEDTLS_DEPRECATED void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
|
||||
|
||||
/**
|
||||
* Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a
|
||||
* future version of the library.
|
||||
*
|
||||
* \param cert X.509 certificate to fill
|
||||
* \param pkcs11h_cert PKCS #11 helper certificate
|
||||
*
|
||||
* \return 0 on success.
|
||||
*/
|
||||
MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert,
|
||||
pkcs11h_certificate_t pkcs11h_cert );
|
||||
|
||||
/**
|
||||
* Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
|
||||
* mbedtls_pkcs11_context will take over control of the certificate, freeing it when
|
||||
* done.
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a
|
||||
* future version of the library.
|
||||
*
|
||||
* \param priv_key Private key structure to fill.
|
||||
* \param pkcs11_cert PKCS #11 helper certificate
|
||||
*
|
||||
* \return 0 on success
|
||||
*/
|
||||
MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
|
||||
mbedtls_pkcs11_context *priv_key,
|
||||
pkcs11h_certificate_t pkcs11_cert );
|
||||
|
||||
/**
|
||||
* Free the contents of the given private key context. Note that the structure
|
||||
* itself is not freed.
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a
|
||||
* future version of the library.
|
||||
*
|
||||
* \param priv_key Private key structure to cleanup
|
||||
*/
|
||||
MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
|
||||
mbedtls_pkcs11_context *priv_key );
|
||||
|
||||
/**
|
||||
* \brief Do an RSA private key decrypt, then remove the message
|
||||
* padding
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a future
|
||||
* version of the library.
|
||||
*
|
||||
* \param ctx PKCS #11 context
|
||||
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
|
||||
* \param input buffer holding the encrypted data
|
||||
* \param output buffer that will hold the plaintext
|
||||
* \param olen will contain the plaintext length
|
||||
* \param output_max_len maximum length of the output buffer
|
||||
*
|
||||
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
|
||||
*
|
||||
* \note The output buffer must be as large as the size
|
||||
* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
|
||||
* an error is thrown.
|
||||
*/
|
||||
MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
|
||||
int mode, size_t *olen,
|
||||
const unsigned char *input,
|
||||
unsigned char *output,
|
||||
size_t output_max_len );
|
||||
|
||||
/**
|
||||
* \brief Do a private RSA to sign a message digest
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a future
|
||||
* version of the library.
|
||||
*
|
||||
* \param ctx PKCS #11 context
|
||||
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
|
||||
* \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
|
||||
* \param hashlen message digest length (for MBEDTLS_MD_NONE only)
|
||||
* \param hash buffer holding the message digest
|
||||
* \param sig buffer that will hold the ciphertext
|
||||
*
|
||||
* \return 0 if the signing operation was successful,
|
||||
* or an MBEDTLS_ERR_RSA_XXX error code
|
||||
*
|
||||
* \note The "sig" buffer must be as large as the size
|
||||
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
||||
*/
|
||||
MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
|
||||
int mode,
|
||||
mbedtls_md_type_t md_alg,
|
||||
unsigned int hashlen,
|
||||
const unsigned char *hash,
|
||||
unsigned char *sig );
|
||||
|
||||
/**
|
||||
* SSL/TLS wrappers for PKCS#11 functions
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a future
|
||||
* version of the library.
|
||||
*/
|
||||
MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx,
|
||||
int mode, size_t *olen,
|
||||
const unsigned char *input, unsigned char *output,
|
||||
size_t output_max_len )
|
||||
{
|
||||
return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
|
||||
output_max_len );
|
||||
}
|
||||
|
||||
/**
|
||||
* \brief This function signs a message digest using RSA.
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a future
|
||||
* version of the library.
|
||||
*
|
||||
* \param ctx The PKCS #11 context.
|
||||
* \param f_rng The RNG function. This parameter is unused.
|
||||
* \param p_rng The RNG context. This parameter is unused.
|
||||
* \param mode The operation to run. This must be set to
|
||||
* MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
|
||||
* signature.
|
||||
* \param md_alg The message digest algorithm. One of the MBEDTLS_MD_XXX
|
||||
* must be passed to this function and MBEDTLS_MD_NONE can be
|
||||
* used for signing raw data.
|
||||
* \param hashlen The message digest length (for MBEDTLS_MD_NONE only).
|
||||
* \param hash The buffer holding the message digest.
|
||||
* \param sig The buffer that will hold the ciphertext.
|
||||
*
|
||||
* \return \c 0 if the signing operation was successful.
|
||||
* \return A non-zero error code on failure.
|
||||
*
|
||||
* \note The \p sig buffer must be as large as the size of
|
||||
* <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
|
||||
* used.
|
||||
*/
|
||||
MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
|
||||
const unsigned char *hash, unsigned char *sig )
|
||||
{
|
||||
((void) f_rng);
|
||||
((void) p_rng);
|
||||
return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
|
||||
hashlen, hash, sig );
|
||||
}
|
||||
|
||||
/**
|
||||
* This function gets the length of the private key.
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a future
|
||||
* version of the library.
|
||||
*
|
||||
* \param ctx The PKCS #11 context.
|
||||
*
|
||||
* \return The length of the private key.
|
||||
*/
|
||||
MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
|
||||
{
|
||||
return ( (mbedtls_pkcs11_context *) ctx )->len;
|
||||
}
|
||||
|
||||
#undef MBEDTLS_DEPRECATED
|
||||
|
||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_PKCS11_C */
|
||||
|
||||
#endif /* MBEDTLS_PKCS11_H */
|
@ -89,7 +89,6 @@ set(src_crypto
|
||||
list(APPEND src_crypto ${thirdparty_src})
|
||||
|
||||
set(src_x509
|
||||
pkcs11.c
|
||||
x509.c
|
||||
x509_create.c
|
||||
x509_crl.c
|
||||
@ -136,10 +135,6 @@ if(HAIKU)
|
||||
set(libs ${libs} network)
|
||||
endif(HAIKU)
|
||||
|
||||
if(USE_PKCS11_HELPER_LIBRARY)
|
||||
set(libs ${libs} pkcs11-helper)
|
||||
endif(USE_PKCS11_HELPER_LIBRARY)
|
||||
|
||||
if(LINK_WITH_PTHREAD)
|
||||
set(libs ${libs} pthread)
|
||||
endif()
|
||||
|
@ -148,7 +148,6 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
|
||||
OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
|
||||
|
||||
OBJS_X509= \
|
||||
pkcs11.o \
|
||||
x509.o \
|
||||
x509_create.o \
|
||||
x509_crl.o \
|
||||
|
238
library/pkcs11.c
238
library/pkcs11.c
@ -1,238 +0,0 @@
|
||||
/**
|
||||
* \file pkcs11.c
|
||||
*
|
||||
* \brief Wrapper for PKCS#11 library libpkcs11-helper
|
||||
*
|
||||
* \author Adriaan de Jong <dejong@fox-it.com>
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "mbedtls/pkcs11.h"
|
||||
|
||||
#if defined(MBEDTLS_PKCS11_C)
|
||||
|
||||
#include "mbedtls/md.h"
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/x509_crt.h"
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
|
||||
void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) );
|
||||
}
|
||||
|
||||
int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
|
||||
{
|
||||
int ret = 1;
|
||||
unsigned char *cert_blob = NULL;
|
||||
size_t cert_blob_size = 0;
|
||||
|
||||
if( cert == NULL )
|
||||
{
|
||||
ret = 2;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
|
||||
&cert_blob_size ) != CKR_OK )
|
||||
{
|
||||
ret = 3;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
cert_blob = mbedtls_calloc( 1, cert_blob_size );
|
||||
if( NULL == cert_blob )
|
||||
{
|
||||
ret = 4;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
|
||||
&cert_blob_size ) != CKR_OK )
|
||||
{
|
||||
ret = 5;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) )
|
||||
{
|
||||
ret = 6;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
|
||||
cleanup:
|
||||
if( NULL != cert_blob )
|
||||
mbedtls_free( cert_blob );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
|
||||
int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
|
||||
pkcs11h_certificate_t pkcs11_cert )
|
||||
{
|
||||
int ret = 1;
|
||||
mbedtls_x509_crt cert;
|
||||
|
||||
mbedtls_x509_crt_init( &cert );
|
||||
|
||||
if( priv_key == NULL )
|
||||
goto cleanup;
|
||||
|
||||
if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) )
|
||||
goto cleanup;
|
||||
|
||||
priv_key->len = mbedtls_pk_get_len( &cert.pk );
|
||||
priv_key->pkcs11h_cert = pkcs11_cert;
|
||||
|
||||
ret = 0;
|
||||
|
||||
cleanup:
|
||||
mbedtls_x509_crt_free( &cert );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key )
|
||||
{
|
||||
if( NULL != priv_key )
|
||||
pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
|
||||
}
|
||||
|
||||
int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
|
||||
int mode, size_t *olen,
|
||||
const unsigned char *input,
|
||||
unsigned char *output,
|
||||
size_t output_max_len )
|
||||
{
|
||||
size_t input_len, output_len;
|
||||
|
||||
if( NULL == ctx )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( MBEDTLS_RSA_PRIVATE != mode )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
output_len = input_len = ctx->len;
|
||||
|
||||
if( input_len < 16 || input_len > output_max_len )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
/* Determine size of output buffer */
|
||||
if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
|
||||
input_len, NULL, &output_len ) != CKR_OK )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( output_len > output_max_len )
|
||||
return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
|
||||
|
||||
if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
|
||||
input_len, output, &output_len ) != CKR_OK )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
*olen = output_len;
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
|
||||
int mode,
|
||||
mbedtls_md_type_t md_alg,
|
||||
unsigned int hashlen,
|
||||
const unsigned char *hash,
|
||||
unsigned char *sig )
|
||||
{
|
||||
size_t sig_len = 0, asn_len = 0, oid_size = 0;
|
||||
unsigned char *p = sig;
|
||||
const char *oid;
|
||||
|
||||
if( NULL == ctx )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( MBEDTLS_RSA_PRIVATE != mode )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( md_alg != MBEDTLS_MD_NONE )
|
||||
{
|
||||
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
|
||||
if( md_info == NULL )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
hashlen = mbedtls_md_get_size( md_info );
|
||||
asn_len = 10 + oid_size;
|
||||
}
|
||||
|
||||
sig_len = ctx->len;
|
||||
if( hashlen > sig_len || asn_len > sig_len ||
|
||||
hashlen + asn_len > sig_len )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( md_alg != MBEDTLS_MD_NONE )
|
||||
{
|
||||
/*
|
||||
* DigestInfo ::= SEQUENCE {
|
||||
* digestAlgorithm DigestAlgorithmIdentifier,
|
||||
* digest Digest }
|
||||
*
|
||||
* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
|
||||
*
|
||||
* Digest ::= OCTET STRING
|
||||
*/
|
||||
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
|
||||
*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
|
||||
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
|
||||
*p++ = (unsigned char) ( 0x04 + oid_size );
|
||||
*p++ = MBEDTLS_ASN1_OID;
|
||||
*p++ = oid_size & 0xFF;
|
||||
memcpy( p, oid, oid_size );
|
||||
p += oid_size;
|
||||
*p++ = MBEDTLS_ASN1_NULL;
|
||||
*p++ = 0x00;
|
||||
*p++ = MBEDTLS_ASN1_OCTET_STRING;
|
||||
*p++ = hashlen;
|
||||
}
|
||||
|
||||
memcpy( p, hash, hashlen );
|
||||
|
||||
if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
|
||||
asn_len + hashlen, sig, &sig_len ) != CKR_OK )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* defined(MBEDTLS_PKCS11_C) */
|
@ -726,9 +726,6 @@ static const char * const features[] = {
|
||||
#if defined(MBEDTLS_PKCS5_C)
|
||||
"MBEDTLS_PKCS5_C",
|
||||
#endif /* MBEDTLS_PKCS5_C */
|
||||
#if defined(MBEDTLS_PKCS11_C)
|
||||
"MBEDTLS_PKCS11_C",
|
||||
#endif /* MBEDTLS_PKCS11_C */
|
||||
#if defined(MBEDTLS_PKCS12_C)
|
||||
"MBEDTLS_PKCS12_C",
|
||||
#endif /* MBEDTLS_PKCS12_C */
|
||||
|
@ -1,6 +1,5 @@
|
||||
|
||||
# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
|
||||
# To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS
|
||||
|
||||
CFLAGS ?= -O2
|
||||
WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
|
||||
|
@ -2,10 +2,6 @@ set(libs
|
||||
${mbedtls_target}
|
||||
)
|
||||
|
||||
if(USE_PKCS11_HELPER_LIBRARY)
|
||||
set(libs ${libs} pkcs11-helper)
|
||||
endif(USE_PKCS11_HELPER_LIBRARY)
|
||||
|
||||
find_library(FUZZINGENGINE_LIB FuzzingEngine)
|
||||
if(FUZZINGENGINE_LIB)
|
||||
project(fuzz CXX)
|
||||
|
@ -5,10 +5,6 @@ set(libs
|
||||
${mbedtls_target}
|
||||
)
|
||||
|
||||
if(USE_PKCS11_HELPER_LIBRARY)
|
||||
set(libs ${libs} pkcs11-helper)
|
||||
endif(USE_PKCS11_HELPER_LIBRARY)
|
||||
|
||||
set(executables
|
||||
dtls_client
|
||||
dtls_server
|
||||
|
@ -2,10 +2,6 @@ set(libs
|
||||
${mbedtls_target}
|
||||
)
|
||||
|
||||
if(USE_PKCS11_HELPER_LIBRARY)
|
||||
set(libs ${libs} pkcs11-helper)
|
||||
endif(USE_PKCS11_HELPER_LIBRARY)
|
||||
|
||||
set(executables_libs
|
||||
selftest
|
||||
udp_proxy
|
||||
|
@ -63,7 +63,6 @@
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/pem.h"
|
||||
#include "mbedtls/pk.h"
|
||||
#include "mbedtls/pkcs11.h"
|
||||
#include "mbedtls/pkcs12.h"
|
||||
#include "mbedtls/pkcs5.h"
|
||||
#include "mbedtls/platform_time.h"
|
||||
|
@ -73,7 +73,6 @@
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/pem.h"
|
||||
#include "mbedtls/pk.h"
|
||||
#include "mbedtls/pkcs11.h"
|
||||
#include "mbedtls/pkcs12.h"
|
||||
#include "mbedtls/pkcs5.h"
|
||||
#include "mbedtls/platform_time.h"
|
||||
@ -1988,14 +1987,6 @@ int query_config( const char *config )
|
||||
}
|
||||
#endif /* MBEDTLS_PKCS5_C */
|
||||
|
||||
#if defined(MBEDTLS_PKCS11_C)
|
||||
if( strcmp( "MBEDTLS_PKCS11_C", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS11_C );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_PKCS11_C */
|
||||
|
||||
#if defined(MBEDTLS_PKCS12_C)
|
||||
if( strcmp( "MBEDTLS_PKCS12_C", config ) == 0 )
|
||||
{
|
||||
|
@ -2,10 +2,6 @@ set(libs
|
||||
${mbedx509_target}
|
||||
)
|
||||
|
||||
if(USE_PKCS11_HELPER_LIBRARY)
|
||||
set(libs ${libs} pkcs11-helper)
|
||||
endif(USE_PKCS11_HELPER_LIBRARY)
|
||||
|
||||
set(executables
|
||||
cert_app
|
||||
cert_req
|
||||
|
@ -183,7 +183,6 @@ EXCLUDE_FROM_FULL = frozenset([
|
||||
'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature
|
||||
'MBEDTLS_NO_PLATFORM_ENTROPY', # removes a feature
|
||||
'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
|
||||
'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper)
|
||||
'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
|
||||
'MBEDTLS_PSA_CRYPTO_CONFIG', # toggles old/new style PSA config
|
||||
'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency
|
||||
@ -277,7 +276,6 @@ def include_in_crypto(name):
|
||||
if name in [
|
||||
'MBEDTLS_DEBUG_C', # part of libmbedtls
|
||||
'MBEDTLS_NET_C', # part of libmbedtls
|
||||
'MBEDTLS_PKCS11_C', # part of libmbedx509
|
||||
]:
|
||||
return False
|
||||
return True
|
||||
|
@ -73,7 +73,6 @@
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/pem.h"
|
||||
#include "mbedtls/pk.h"
|
||||
#include "mbedtls/pkcs11.h"
|
||||
#include "mbedtls/pkcs12.h"
|
||||
#include "mbedtls/pkcs5.h"
|
||||
#include "mbedtls/platform_time.h"
|
||||
|
@ -9,10 +9,6 @@ if(NOT DEFINED MBEDTLS_DIR)
|
||||
set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
|
||||
endif()
|
||||
|
||||
if(USE_PKCS11_HELPER_LIBRARY)
|
||||
set(libs ${libs} pkcs11-helper)
|
||||
endif(USE_PKCS11_HELPER_LIBRARY)
|
||||
|
||||
if(NOT MBEDTLS_PYTHON_EXECUTABLE)
|
||||
message(FATAL_ERROR "Cannot build test suites without Python 3")
|
||||
endif()
|
||||
|
@ -1,6 +1,5 @@
|
||||
|
||||
# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
|
||||
# To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS
|
||||
|
||||
CFLAGS ?= -O2
|
||||
WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
|
||||
|
@ -182,7 +182,6 @@
|
||||
<ClInclude Include="..\..\include\mbedtls\oid.h" />
|
||||
<ClInclude Include="..\..\include\mbedtls\pem.h" />
|
||||
<ClInclude Include="..\..\include\mbedtls\pk.h" />
|
||||
<ClInclude Include="..\..\include\mbedtls\pkcs11.h" />
|
||||
<ClInclude Include="..\..\include\mbedtls\pkcs12.h" />
|
||||
<ClInclude Include="..\..\include\mbedtls\pkcs5.h" />
|
||||
<ClInclude Include="..\..\include\mbedtls\platform.h" />
|
||||
@ -321,7 +320,6 @@
|
||||
<ClCompile Include="..\..\library\pem.c" />
|
||||
<ClCompile Include="..\..\library\pk.c" />
|
||||
<ClCompile Include="..\..\library\pk_wrap.c" />
|
||||
<ClCompile Include="..\..\library\pkcs11.c" />
|
||||
<ClCompile Include="..\..\library\pkcs12.c" />
|
||||
<ClCompile Include="..\..\library\pkcs5.c" />
|
||||
<ClCompile Include="..\..\library\pkparse.c" />
|
||||
|
Loading…
Reference in New Issue
Block a user