diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 0a681bd403..1662991311 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -281,6 +281,8 @@ HAVE_INTEL_SPEEDUP HAVE_MDK_RTX HAVE_NETX_BSD HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK +HAVE_PKCS11_STATIC +HAVE_PKCS11_V3_STATIC HAVE_POCO_LIB HAVE_RTP_SYS HAVE_SECURE_GETENV diff --git a/src/ssl_load.c b/src/ssl_load.c index e9e6862955..e963a5d9e1 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -4157,6 +4157,8 @@ int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id, { int ret = 1; + WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_Id"); + /* Dispose of old private key and allocate and copy in id. */ FreeDer(&ctx->privateKey); if (AllocCopyDer(&ctx->privateKey, id, (word32)sz, PRIVATEKEY_TYPE, @@ -4182,6 +4184,7 @@ int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id, #endif } + WOLFSSL_LEAVE("wolfSSL_CTX_use_PrivateKey_Id", ret); return ret; } @@ -4198,12 +4201,17 @@ int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id, int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id, long sz, int devId, long keySz) { - int ret = wolfSSL_CTX_use_PrivateKey_Id(ctx, id, sz, devId); + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_id"); + + ret = wolfSSL_CTX_use_PrivateKey_Id(ctx, id, sz, devId); if (ret == 1) { /* Set the key size which normally is calculated during decoding. */ ctx->privateKeySz = (int)keySz; } + WOLFSSL_LEAVE("wolfSSL_CTX_use_PrivateKey_id", ret); return ret; } @@ -4221,6 +4229,8 @@ int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX* ctx, const char* label, int ret = 1; word32 sz = (word32)XSTRLEN(label) + 1; + WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_Label"); + /* Dispose of old private key and allocate and copy in label. */ FreeDer(&ctx->privateKey); if (AllocCopyDer(&ctx->privateKey, (const byte*)label, (word32)sz, @@ -4246,6 +4256,7 @@ int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX* ctx, const char* label, #endif } + WOLFSSL_LEAVE("wolfSSL_CTX_use_PrivateKey_Label", ret); return ret; } @@ -4255,6 +4266,8 @@ int wolfSSL_CTX_use_AltPrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id, { int ret = 1; + WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_Id"); + if ((ctx == NULL) || (id == NULL)) { ret = 0; } @@ -4277,17 +4290,23 @@ int wolfSSL_CTX_use_AltPrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id, } } + WOLFSSL_LEAVE("wolfSSL_CTX_use_AltPrivateKey_Id", ret); return ret; } int wolfSSL_CTX_use_AltPrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id, long sz, int devId, long keySz) { - int ret = wolfSSL_CTX_use_AltPrivateKey_Id(ctx, id, sz, devId); + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_id"); + + ret = wolfSSL_CTX_use_AltPrivateKey_Id(ctx, id, sz, devId); if (ret == 1) { ctx->altPrivateKeySz = (word32)keySz; } + WOLFSSL_LEAVE("wolfSSL_CTX_use_AltPrivateKey_id", ret); return ret; } @@ -4297,6 +4316,8 @@ int wolfSSL_CTX_use_AltPrivateKey_Label(WOLFSSL_CTX* ctx, const char* label, int ret = 1; word32 sz; + WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_Label"); + if ((ctx == NULL) || (label == NULL)) { ret = 0; } @@ -4320,6 +4341,7 @@ int wolfSSL_CTX_use_AltPrivateKey_Label(WOLFSSL_CTX* ctx, const char* label, } } + WOLFSSL_LEAVE("wolfSSL_CTX_use_AltPrivateKey_Label", ret); return ret; } #endif /* WOLFSSL_DUAL_ALG_CERTS */ diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index 3ac4911f25..8ad4049804 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -68,10 +68,6 @@ #endif -/* Maximum length of the EC parameter string. */ -#define MAX_EC_PARAM_LEN 16 - - #if defined(HAVE_ECC) && !defined(NO_PKCS11_ECDH) /* Pointer to false required for templates. */ static CK_BBOOL ckFalse = CK_FALSE; @@ -110,7 +106,9 @@ typedef struct CK_AES_CTR_PARAMS { } CK_AES_CTR_PARAMS; #endif +#if !defined(NO_CERTS) static CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; +#endif #ifdef WOLFSSL_DEBUG_PKCS11 /* Enable logging of PKCS#11 calls and return value. */ @@ -120,6 +118,9 @@ static CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; /* Enable logging of PKCS#11 template. */ #define PKCS11_DUMP_TEMPLATE(name, templ, cnt) \ pkcs11_dump_template(name, templ, cnt) +/* Enable logging of PKCS#11 mechanism info. */ +#define PKCS11_DUMP_MECHANSIM(name, mechanism) \ + pkcs11_dump_mechanism(name, mechanism) /* Formats of template items - used to instruct how to log information. */ enum PKCS11_TYPE_FORMATS { @@ -141,7 +142,7 @@ static struct PKCS11_TYPE_STR { int format; } typeStr[] = { { CKA_CLASS, "CKA_CLASS", PKCS11_FMT_CLASS }, - { CKA_TOKEN, "CKA_TOKEN", PKCS11_FMT_POINTER }, + { CKA_TOKEN, "CKA_TOKEN", PKCS11_FMT_BOOLEAN }, { CKA_PRIVATE, "CKA_PRIVATE", PKCS11_FMT_BOOLEAN }, { CKA_LABEL, "CKA_LABEL", PKCS11_FMT_STRING }, { CKA_VALUE, "CKA_VALUE", PKCS11_FMT_DATA }, @@ -327,6 +328,11 @@ static void pkcs11_dump_template(const char* name, CK_ATTRIBUTE* templ, WOLFSSL_MSG(line); break; case PKCS11_FMT_DATA: + if (templ[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) { + XSNPRINTF(line, sizeof(line), "%25s: unavailable", type); + WOLFSSL_MSG(line); + break; + } XSNPRINTF(line, sizeof(line), "%25s: %ld", type, templ[i].ulValueLen); WOLFSSL_MSG(line); @@ -340,7 +346,7 @@ static void pkcs11_dump_template(const char* name, CK_ATTRIBUTE* templ, char hex[6]; XSNPRINTF(hex, sizeof(hex), "0x%02x,", ((byte*)templ[i].pValue)[j]); - XSTRNCAT(line, hex, 5); + XSTRNCAT(line, hex, sizeof(line) - XSTRLEN(line) - 1); if ((j % 8) == 7) { WOLFSSL_MSG(line); XSNPRINTF(line, sizeof(line), "%27s", ""); @@ -365,6 +371,64 @@ static void pkcs11_dump_template(const char* name, CK_ATTRIBUTE* templ, } } +/* Information for logging a mechanism */ +static struct PKCS11_MECHANISM_STR { + /** Mechanism. */ + CK_MECHANISM_TYPE mech; + /** String to log corresponding mechanism. */ + const char* str; +} mechStr[] = { + { CKM_RSA_PKCS_KEY_PAIR_GEN, "CKM_RSA_PKCS_KEY_PAIR_GEN" }, + { CKM_RSA_X_509, "CKM_RSA_X_509" }, + { CKM_DH_PKCS_KEY_PAIR_GEN, "CKM_DH_PKCS_KEY_PAIR_GEN" }, + { CKM_DH_PKCS_DERIVE, "CKM_DH_PKCS_DERIVE" }, + { CKM_MD5_HMAC, "CKM_MD5_HMAC" }, + { CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC" }, + { CKM_SHA256_HMAC, "CKM_SHA256_HMAC" }, + { CKM_SHA224_HMAC, "CKM_SHA224_HMAC" }, + { CKM_SHA384_HMAC, "CKM_SHA384_HMAC" }, + { CKM_SHA512_HMAC, "CKM_SHA512_HMAC" }, + { CKM_GENERIC_SECRET_KEY_GEN, "CKM_GENERIC_SECRET_KEY_GEN" }, + { CKM_EC_KEY_PAIR_GEN, "CKM_EC_KEY_PAIR_GEN" }, + { CKM_ECDSA, "CKM_ECDSA" }, + { CKM_ECDH1_DERIVE, "CKM_ECDH1_DERIVE" }, + { CKM_ECDH1_COFACTOR_DERIVE, "CKM_ECDH1_COFACTOR_DERIVE" }, + { CKM_AES_KEY_GEN, "CKM_AES_KEY_GEN" }, + { CKM_AES_CBC, "CKM_AES_CBC" }, + { CKM_AES_GCM, "CKM_AES_GCM" }, +}; +/* Count of known mechanism for logging. */ +#define PKCS11_MECH_STR_CNT ((int)(sizeof(mechStr) / sizeof(*mechStr))) + +/* + * Dump/log the PKCS #11 mechanism. + * + * This is only for debugging purposes. Only the values needed are recognised. + * + * @param [in] op PKCS #11 operation that was attempted. + * @param [in] mech PKCS #11 mechanism to dump. + */ +static void pkcs11_dump_mechanism(const char* op, CK_MECHANISM_TYPE mech) +{ + char line[80]; + const char *mechName = NULL; + int i; + + for (i = 0; i < PKCS11_MECH_STR_CNT; i++) { + if (mech == mechStr[i].mech) { + mechName = mechStr[i].str; + break; + } + } + if (i == PKCS11_TYPE_STR_CNT) { + mechName = "UNKNOWN"; + } + + XSNPRINTF(line, 80, "%s: %s", op, mechName); + + WOLFSSL_MSG(line); +} + /* * Log a PKCS #11 return value with the name of function called. * @@ -416,6 +480,8 @@ static void pkcs11_val(const char* op, CK_ULONG val) #define PKCS11_VAL(op, val) WC_DO_NOTHING /* Disable logging of PKCS#11 template. */ #define PKCS11_DUMP_TEMPLATE(name, templ, cnt) WC_DO_NOTHING +/* Disable logging of PKCS#11 mechanism info. */ +#define PKCS11_DUMP_MECHANSIM(name, mechanism) WC_DO_NOTHING #endif /** @@ -432,7 +498,7 @@ static void pkcs11_val(const char* op, CK_ULONG val) */ int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, void* heap) { - return wc_Pkcs11_Initialize_ex(dev, library, heap, NULL); + return wc_Pkcs11_Initialize_v3(dev, library, heap, NULL, NULL, NULL); } /** @@ -451,52 +517,270 @@ int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, void* heap) */ int wc_Pkcs11_Initialize_ex(Pkcs11Dev* dev, const char* library, void* heap, CK_RV* rvp) +{ + return wc_Pkcs11_Initialize_v3(dev, library, heap, NULL, NULL, rvp); +} + +/** + * Load library, get function list and initialize PKCS#11. + * + * @param [in] dev Device object. + * @param [in] library Library name including path. + * @param [in] heap Heap hint. + * @param [in,out] version On in, desired version of interface. + * On out, actual obtained version of interface. + * @param [in] interfaceName Name of the interface to use. + * @param [out] rvp PKCS#11 return value. Last return value seen. + * May be NULL. + * @return BAD_FUNC_ARG when dev or library are NULL pointers. + * @return BAD_PATH_ERROR when dynamic library cannot be opened. + * @return WC_INIT_E when the initialization PKCS#11 fails. + * @return WC_HW_E when unable to get PKCS#11 function list. + * @return 0 on success. + */ +int wc_Pkcs11_Initialize_v3(Pkcs11Dev* dev, const char* library, + void* heap, int* version, const char* interfaceName, CK_RV* rvp) { int ret = 0; CK_RV rv = CKR_OK; -#ifndef HAVE_PKCS11_STATIC +#if !defined(HAVE_PKCS11_STATIC) && !defined(HAVE_PKCS11_V3_STATIC) void* func; #endif CK_C_INITIALIZE_ARGS args; + CK_VERSION_PTR version_ptr = NULL; + + if (dev == NULL) + ret = BAD_FUNC_ARG; - if (dev == NULL || library == NULL) +#if !defined(HAVE_PKCS11_STATIC) && !defined(HAVE_PKCS11_V3_STATIC) + if (library == NULL) ret = BAD_FUNC_ARG; +#endif if (ret == 0) { dev->heap = heap; -#ifndef HAVE_PKCS11_STATIC +#if defined(HAVE_PKCS11_V3_STATIC) + CK_INTERFACE_PTR interface = NULL; + CK_VERSION pkcs11_version = {0, 0}; + + if (version != NULL) { + if (*version == WC_PCKS11VERSION_2_20) { + pkcs11_version.major = 2; + pkcs11_version.minor = 20; + } + else if (*version == WC_PCKS11VERSION_2_20) { + pkcs11_version.major = 2; + pkcs11_version.minor = 40; + } + else if (*version == WC_PCKS11VERSION_3_0) { + pkcs11_version.major = 3; + pkcs11_version.minor = 0; + } + else if (*version == WC_PCKS11VERSION_3_1) { + pkcs11_version.major = 3; + pkcs11_version.minor = 1; + } + else if (*version == WC_PCKS11VERSION_3_2) { + pkcs11_version.major = 3; + pkcs11_version.minor = 2; + } + version_ptr = &pkcs11_version; + } + else { + version_ptr = NULL; + } + + rv = C_GetInterface((CK_UTF8CHAR_PTR) interfaceName, version_ptr, + &interface, 0); + + if (rv == CKR_OK) { + dev->func = interface->pFunctionList; + version_ptr = (CK_VERSION_PTR) interface->pFunctionList; + if (version_ptr->major == 2 && version_ptr->minor == 20) { + dev->version = WC_PCKS11VERSION_2_20; + } + else if (version_ptr->major == 2 && + version_ptr->minor == 40) { + dev->version = WC_PCKS11VERSION_2_40; + } + else if (version_ptr->major == 3 && + version_ptr->minor == 0) { + dev->version = WC_PCKS11VERSION_3_0; + } + else if (version_ptr->major == 3 && + version_ptr->minor == 1) { + dev->version = WC_PCKS11VERSION_3_1; + } + else if (version_ptr->major == 3 && + version_ptr->minor == 2) { + dev->version = WC_PCKS11VERSION_3_2; + } + else { + WOLFSSL_MSG_EX("Unsupported PKCS#11 version: %d.%d", + version_ptr->major, version_ptr->minor); + ret = WC_HW_E; + } + } + else { + PKCS11_RV("CK_C_GetInterface", rv); + ret = WC_HW_E; + } +#elif defined(HAVE_PKCS11_STATIC) + rv = C_GetFunctionList(&dev->func); + if (rv == CKR_OK) { + version_ptr = (CK_VERSION_PTR) dev->func; + if (version_ptr->major == 2 && + version_ptr->minor == 20) { + dev->version = WC_PCKS11VERSION_2_20; + } + else if (version_ptr->major == 2 && + version_ptr->minor == 40) { + dev->version = WC_PCKS11VERSION_2_40; + } + else { + WOLFSSL_MSG_EX("Unsupported PKCS#11 version: %d.%d", + version_ptr->major, + version_ptr->minor); + ret = WC_HW_E; + } + } + else { + PKCS11_RV("CK_C_GetFunctionList", rv); + ret = WC_HW_E; + } +#else + /* Load dynamic library */ dev->dlHandle = dlopen(library, RTLD_NOW | RTLD_LOCAL); if (dev->dlHandle == NULL) { WOLFSSL_MSG(dlerror()); ret = BAD_PATH_ERROR; } - } - if (ret == 0) { - dev->func = NULL; - func = dlsym(dev->dlHandle, "C_GetFunctionList"); - if (func == NULL) { - WOLFSSL_MSG(dlerror()); - ret = WC_HW_E; + if (ret == 0) { + /* Check if the library supports PKCS#11 version 3.0 (or above) by + * looking for the C_GetInterface method (only present for >= V3.0). + */ + func = dlsym(dev->dlHandle, "C_GetInterface"); + if (func != NULL) { + /* Function is present, use it */ + CK_INTERFACE_PTR interface = NULL; + CK_VERSION pkcs11_version = {0, 0}; + if (version != NULL) { + if (*version == WC_PCKS11VERSION_2_20) { + pkcs11_version.major = 2; + pkcs11_version.minor = 20; + } + else if (*version == WC_PCKS11VERSION_2_40) { + pkcs11_version.major = 2; + pkcs11_version.minor = 40; + } + else if (*version == WC_PCKS11VERSION_3_0) { + pkcs11_version.major = 3; + pkcs11_version.minor = 0; + } + else if (*version == WC_PCKS11VERSION_3_1) { + pkcs11_version.major = 3; + pkcs11_version.minor = 1; + } + else if (*version == WC_PCKS11VERSION_3_2) { + pkcs11_version.major = 3; + pkcs11_version.minor = 2; + } + version_ptr = &pkcs11_version; + } + else { + version_ptr = NULL; + } + + rv = ((CK_C_GetInterface)func)((CK_UTF8CHAR_PTR) interfaceName, + version_ptr, &interface, 0); + if (rv == CKR_OK) { + dev->func = interface->pFunctionList; + version_ptr = (CK_VERSION_PTR) interface->pFunctionList; + if (version_ptr->major == 2 && version_ptr->minor == 20) { + dev->version = WC_PCKS11VERSION_2_20; + } + else if (version_ptr->major == 2 && + version_ptr->minor == 40) { + dev->version = WC_PCKS11VERSION_2_40; + } + else if (version_ptr->major == 3 && + version_ptr->minor == 0) { + dev->version = WC_PCKS11VERSION_3_0; + } + else if (version_ptr->major == 3 && + version_ptr->minor == 1) { + dev->version = WC_PCKS11VERSION_3_1; + } + else if (version_ptr->major == 3 && + version_ptr->minor == 2) { + dev->version = WC_PCKS11VERSION_3_2; + } + else { + WOLFSSL_MSG_EX("Unsupported PKCS#11 version: %d.%d", + version_ptr->major, version_ptr->minor); + ret = WC_HW_E; + } + } + else { + PKCS11_RV("CK_C_GetInterface", rv); + ret = WC_HW_E; + } + } + else { + /* Function not present, try a 2.x library by looking for + * C_GetFunctionList. */ + func = dlsym(dev->dlHandle, "C_GetFunctionList"); + if (func == NULL) { + #if defined(_WIN32) + WOLFSSL_MSG_EX("GetProcAddress(): %d", GetLastError()); + #else + WOLFSSL_MSG(dlerror()); + #endif + ret = WC_HW_E; + } + if (ret == 0) { + rv = ((CK_C_GetFunctionList)func)(&dev->func); + if (rv == CKR_OK) { + version_ptr = (CK_VERSION_PTR) dev->func; + if (version_ptr->major == 2 && + version_ptr->minor == 20) { + dev->version = WC_PCKS11VERSION_2_20; + } + else if (version_ptr->major == 2 && + version_ptr->minor == 40) { + dev->version = WC_PCKS11VERSION_2_40; + } + else { + WOLFSSL_MSG_EX("Unsupported PKCS#11 version: %d.%d", + version_ptr->major, + version_ptr->minor); + ret = WC_HW_E; + } + } + else { + PKCS11_RV("CK_C_GetFunctionList", rv); + ret = WC_HW_E; + } + } + } } - } - if (ret == 0) { - rv = ((CK_C_GetFunctionList)func)(&dev->func); -#else - rv = C_GetFunctionList(&dev->func); #endif - if (rv != CKR_OK) { - PKCS11_RV("CK_C_GetFunctionList", ret); - ret = WC_HW_E; - } } + if (ret == 0 && version != NULL) + *version = dev->version; + if (ret == 0) { XMEMSET(&args, 0x00, sizeof(args)); args.flags = CKF_OS_LOCKING_OK; rv = dev->func->C_Initialize(&args); - if (rv != CKR_OK) { - PKCS11_RV("C_Initialize", ret); + if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) { + WOLFSSL_MSG("PKCS#11 already initialized"); + rv = CKR_OK; + } + else if (rv != CKR_OK) { + PKCS11_RV("C_Initialize", rv); ret = WC_INIT_E; } } @@ -520,7 +804,7 @@ int wc_Pkcs11_Initialize_ex(Pkcs11Dev* dev, const char* library, void* heap, void wc_Pkcs11_Finalize(Pkcs11Dev* dev) { if (dev != NULL -#ifndef HAVE_PKCS11_STATIC +#if !defined(HAVE_PKCS11_STATIC) && !defined(HAVE_PKCS11_V3_STATIC) && dev->dlHandle != NULL #endif ) { @@ -528,7 +812,7 @@ void wc_Pkcs11_Finalize(Pkcs11Dev* dev) dev->func->C_Finalize(NULL); dev->func = NULL; } -#ifndef HAVE_PKCS11_STATIC +#if !defined(HAVE_PKCS11_STATIC) && !defined(HAVE_PKCS11_V3_STATIC) dlclose(dev->dlHandle); dev->dlHandle = NULL; #endif @@ -633,6 +917,7 @@ static int Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev, int slotId, token->userPin = NULL_PTR; token->userPinSz = 0; token->userPinLogin = 0; + token->version = dev->version; } XFREE(slot, dev->heap, DYNAMIC_TYPE_TMP_BUFFER); @@ -809,6 +1094,7 @@ static int Pkcs11OpenSession(Pkcs11Token* token, Pkcs11Session* session, if (ret == 0) { session->func = token->func; session->slotId = token->slotId; + session->version = token->version; } return ret; @@ -1060,13 +1346,24 @@ static int Pkcs11EccSetParams(ecc_key* key, CK_ATTRIBUTE* tmpl, int idx) { int ret = 0; - if (key->dp != NULL && key->dp->oid != NULL) { + if (key != NULL && key->dp != NULL && key->dp->oid != NULL) { unsigned char* derParams = tmpl[idx].pValue; + #if defined(HAVE_OID_ENCODING) + word32 oidSz = ECC_MAX_OID_LEN - 2; + ret = wc_EncodeObjectId(key->dp->oid, key->dp->oidSz, derParams+2, &oidSz); + if (ret != 0) { + return ret; + } + tmpl[idx].ulValueLen = oidSz + 2; + derParams[0] = ASN_OBJECT_ID; + derParams[1] = oidSz; + #else /* ASN.1 encoding: OBJ + ecc parameters OID */ tmpl[idx].ulValueLen = key->dp->oidSz + 2; derParams[0] = ASN_OBJECT_ID; derParams[1] = key->dp->oidSz; XMEMCPY(derParams + 2, key->dp->oid, key->dp->oidSz); + #endif } else ret = NOT_COMPILED_IN; @@ -1096,7 +1393,7 @@ static int Pkcs11CreateEccPublicKey(CK_OBJECT_HANDLE* publicKey, unsigned char* ecPoint = NULL; word32 len; CK_RV rv; - CK_UTF8CHAR params[MAX_EC_PARAM_LEN]; + CK_UTF8CHAR params[ECC_MAX_OID_LEN]; /* Empty entries for optional label/ID. */ CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &pubKeyClass, sizeof(pubKeyClass) }, @@ -1180,7 +1477,7 @@ static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey, { int ret = 0; CK_RV rv; - CK_UTF8CHAR params[MAX_EC_PARAM_LEN]; + CK_UTF8CHAR params[ECC_MAX_OID_LEN]; /* Empty entries for optional label/ID. */ CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &privKeyClass, sizeof(privKeyClass) }, @@ -1209,16 +1506,30 @@ static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey, ret = Pkcs11EccSetParams(private_key, keyTemplate, 3); if (ret == 0) { - keyTemplate[4].pValue = wc_ecc_key_get_priv(private_key)->raw.buf; - keyTemplate[4].ulValueLen = wc_ecc_key_get_priv(private_key)->raw.len; + word32 privLen = private_key->dp->size; + byte* priv = (byte*)XMALLOC(privLen, private_key->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (priv == NULL) { + ret = MEMORY_E; + } + if (ret == 0) { + PRIVATE_KEY_LOCK(); + ret = wc_ecc_export_private_only(private_key, priv, &privLen); + PRIVATE_KEY_UNLOCK(); + } + if (ret == 0) { + keyTemplate[4].pValue = priv; + keyTemplate[4].ulValueLen = privLen; - PKCS11_DUMP_TEMPLATE("Ec Private Key", keyTemplate, keyTmplCnt); - rv = session->func->C_CreateObject(session->handle, keyTemplate, + PKCS11_DUMP_TEMPLATE("Ec Private Key", keyTemplate, keyTmplCnt); + rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt, privateKey); - PKCS11_RV("C_CreateObject", rv); - if (rv != CKR_OK) { - ret = WC_HW_E; + PKCS11_RV("C_CreateObject", rv); + if (rv != CKR_OK) { + ret = WC_HW_E; + } } + XFREE(priv, private_key->heap, DYNAMIC_TYPE_TMP_BUFFER); } return ret; @@ -1230,22 +1541,28 @@ static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey, /** * Check if mechanism is available in session on token. * - * @param [in] session Session object. - * @param [in] mech Mechanism to look for. + * @param [in] session Session object. + * @param [in] mech Mechanism to look for. + * @param [out] mechInfoPtr Mechanism info return data (optional). * @return NOT_COMPILED_IN when mechanism not available. * @return 0 when mechanism is available. */ -static int Pkcs11MechAvail(Pkcs11Session* session, CK_MECHANISM_TYPE mech) +static int Pkcs11MechAvail(Pkcs11Session* session, CK_MECHANISM_TYPE mech, + CK_MECHANISM_INFO_PTR mechInfoPtr) { int ret = 0; CK_RV rv; CK_MECHANISM_INFO mechInfo; + PKCS11_DUMP_MECHANSIM("PKCS#11: Check if mechanism is available", mech); rv = session->func->C_GetMechanismInfo(session->slotId, mech, &mechInfo); PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK) { ret = NOT_COMPILED_IN; } + if (mechInfoPtr != NULL) { + *mechInfoPtr = mechInfo; + } return ret; } @@ -1335,7 +1652,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) case PKCS11_KEY_TYPE_AES_GCM: { Aes* aes = (Aes*)key; - ret = Pkcs11MechAvail(&session, CKM_AES_GCM); + ret = Pkcs11MechAvail(&session, CKM_AES_GCM, NULL); if (ret == 0) { ret = Pkcs11CreateSecretKey(&privKey, &session, CKK_AES, (unsigned char*)aes->devKey, @@ -1353,7 +1670,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) case PKCS11_KEY_TYPE_AES_CBC: { Aes* aes = (Aes*)key; - ret = Pkcs11MechAvail(&session, CKM_AES_CBC); + ret = Pkcs11MechAvail(&session, CKM_AES_CBC, NULL); if (ret == 0) { ret = Pkcs11CreateSecretKey(&privKey, &session, CKK_AES, (unsigned char*)aes->devKey, @@ -1378,7 +1695,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) break; if (ret == 0) - ret = Pkcs11MechAvail(&session, mechType); + ret = Pkcs11MechAvail(&session, mechType, NULL); if (ret == 0) { ret = Pkcs11CreateSecretKey(&privKey, &session, keyType, (unsigned char*)hmac->keyRaw, @@ -1403,7 +1720,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) case PKCS11_KEY_TYPE_RSA: { RsaKey* rsaKey = (RsaKey*)key; - ret = Pkcs11MechAvail(&session, CKM_RSA_X_509); + ret = Pkcs11MechAvail(&session, CKM_RSA_X_509, NULL); if (ret == 0) ret = Pkcs11CreateRsaPrivateKey(&privKey, &session, rsaKey, 1); @@ -1426,7 +1743,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) #ifndef NO_PKCS11_ECDH if ((eccKey->flags & WC_ECC_FLAG_DEC_SIGN) == 0) { /* Try ECDH mechanism first. */ - ret = Pkcs11MechAvail(&session, CKM_ECDH1_DERIVE); + ret = Pkcs11MechAvail(&session, CKM_ECDH1_DERIVE, NULL); if (ret == 0) { ret = Pkcs11CreateEccPrivateKey(&privKey, &session, eccKey, CKA_DERIVE); @@ -1435,7 +1752,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) #endif if (ret == 0 || ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) { /* Try ECDSA mechanism next. */ - ret2 = Pkcs11MechAvail(&session, CKM_ECDSA); + ret2 = Pkcs11MechAvail(&session, CKM_ECDSA, NULL); if (ret2 == 0) { ret2 = Pkcs11CreateEccPrivateKey(&privKey, &session, eccKey, CKA_SIGN); @@ -2188,7 +2505,6 @@ static int Pkcs11RsaSign(Pkcs11Session* session, wc_CryptoInfo* info, static int Pkcs11Rsa(Pkcs11Session* session, wc_CryptoInfo* info) { int ret = 0; - CK_RV rv; CK_MECHANISM_INFO mechInfo; CK_MECHANISM_TYPE mechanism = 0x0UL; int sessionKey = 0; @@ -2214,12 +2530,7 @@ static int Pkcs11Rsa(Pkcs11Session* session, wc_CryptoInfo* info) } /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, mechanism, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK) { - ret = NOT_COMPILED_IN; - } + ret = Pkcs11MechAvail(session, mechanism, &mechInfo); if (ret == 0) { if ((type == RSA_PUBLIC_ENCRYPT) || (type == RSA_PUBLIC_DECRYPT)) { @@ -2318,7 +2629,7 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) int privTmplCnt = 2; int i; - ret = Pkcs11MechAvail(session, CKM_RSA_PKCS_KEY_PAIR_GEN); + ret = Pkcs11MechAvail(session, CKM_RSA_PKCS_KEY_PAIR_GEN, NULL); if (ret == 0) { WOLFSSL_MSG("PKCS#11: RSA Key Generation Operation"); @@ -2394,9 +2705,8 @@ static int Pkcs11FindEccKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, int i; unsigned char* ecPoint = NULL; word32 len = 0; - CK_RV rv; CK_ULONG count; - CK_UTF8CHAR params[MAX_EC_PARAM_LEN]; + CK_UTF8CHAR params[ECC_MAX_OID_LEN]; CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &keyClass, sizeof(keyClass) }, { CKA_KEY_TYPE, &ecKeyType, sizeof(ecKeyType) }, @@ -2433,26 +2743,7 @@ static int Pkcs11FindEccKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, attrCnt++; } if (ret == 0) { - PKCS11_DUMP_TEMPLATE("Find Ec Key", keyTemplate, attrCnt); - rv = session->func->C_FindObjectsInit(session->handle, keyTemplate, - attrCnt); - PKCS11_RV("C_FindObjectsInit", rv); - if (rv != CKR_OK) { - ret = WC_HW_E; - } - } - if (ret == 0) { - rv = session->func->C_FindObjects(session->handle, key, 1, &count); - PKCS11_RV("C_FindObjects", rv); - PKCS11_VAL("C_FindObjects Count", count); - if (rv != CKR_OK) { - ret = WC_HW_E; - } - rv = session->func->C_FindObjectsFinal(session->handle); - PKCS11_RV("C_FindObjectsFinal", rv); - if (rv != CKR_OK) { - ret = WC_HW_E; - } + ret = Pkcs11FindKeyByTemplate(key, session, keyTemplate, attrCnt, &count); } XFREE(ecPoint, eccKey->heap, DYNAMIC_TYPE_ECC); @@ -2560,7 +2851,7 @@ static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) CK_RV rv; CK_OBJECT_HANDLE pubKey = NULL_PTR, privKey = NULL_PTR; CK_MECHANISM mech; - CK_UTF8CHAR params[MAX_EC_PARAM_LEN]; + CK_UTF8CHAR params[ECC_MAX_OID_LEN]; CK_ATTRIBUTE pubKeyTmpl[] = { { CKA_EC_PARAMS, params, 0 }, { CKA_VERIFY, &ckTrue, sizeof(ckTrue) }, @@ -2584,7 +2875,7 @@ static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) /* Mandatory entries + 2 optional. */ int privTmplCnt = 1; - ret = Pkcs11MechAvail(session, CKM_EC_KEY_PAIR_GEN); + ret = Pkcs11MechAvail(session, CKM_EC_KEY_PAIR_GEN, NULL); if (ret == 0) { WOLFSSL_MSG("PKCS#11: EC Key Generation Operation"); @@ -2670,7 +2961,9 @@ static int Pkcs11ExtractSecret(Pkcs11Session* session, CK_OBJECT_HANDLE secret, } PKCS11_DUMP_TEMPLATE("Secret Length", tmpl, tmplCnt); if (ret == 0) { - if (tmpl[0].ulValueLen > *outLen) + if (tmpl[0].ulValueLen == CK_UNAVAILABLE_INFORMATION) + ret = WC_HW_E; + else if (tmpl[0].ulValueLen > *outLen) ret = BUFFER_E; } if (ret == 0) { @@ -2720,7 +3013,7 @@ static int Pkcs11ECDH(Pkcs11Session* session, wc_CryptoInfo* info) }; CK_ULONG tmplCnt = sizeof(tmpl) / sizeof(*tmpl); - ret = Pkcs11MechAvail(session, CKM_ECDH1_DERIVE); + ret = Pkcs11MechAvail(session, CKM_ECDH1_DERIVE, NULL); if (ret == 0 && info->pk.ecdh.outlen == NULL) { ret = BAD_FUNC_ARG; } @@ -3008,12 +3301,10 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info) CK_OBJECT_HANDLE privateKey = NULL_PTR; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_ECDSA, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_SIGN) == 0) + ret = Pkcs11MechAvail(session, CKM_ECDSA, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_SIGN) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0 && info->pk.eccsign.outlen == NULL) { ret = BAD_FUNC_ARG; } @@ -3105,20 +3396,20 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info) static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info) { int ret = 0; + int sessionKey = 0; CK_RV rv; CK_MECHANISM mech; CK_MECHANISM_INFO mechInfo; CK_OBJECT_HANDLE publicKey = NULL_PTR; unsigned char* sig = NULL; - word32 sz = info->pk.eccverify.key->dp->size; + ecc_key* key = info->pk.eccverify.key; + word32 sz = key->dp->size; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_ECDSA, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_VERIFY) == 0) + ret = Pkcs11MechAvail(session, CKM_ECDSA, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_VERIFY) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0 && info->pk.eccverify.res == NULL) { ret = BAD_FUNC_ARG; } @@ -3126,12 +3417,32 @@ static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info) if (ret == 0) { WOLFSSL_MSG("PKCS#11: EC Verification Operation"); - ret = Pkcs11CreateEccPublicKey(&publicKey, session, - info->pk.eccverify.key, CKA_VERIFY); + if (key->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(&publicKey, CKO_PUBLIC_KEY, CKK_EC, + session, key->label, key->labelLen); + if (ret == 0 && key->dp == NULL) { + ret = Pkcs11GetEccParams(session, publicKey, key); + } + } + else if (key->idLen > 0) { + ret = Pkcs11FindKeyById(&publicKey, CKO_PUBLIC_KEY, CKK_EC, + session, key->id, key->idLen); + if (ret == 0 && key->dp == NULL) { + ret = Pkcs11GetEccParams(session, publicKey, key); + } + } + else if (!mp_iszero(key->pubkey.x)) { + ret = Pkcs11CreateEccPublicKey(&publicKey, session, key, + CKA_VERIFY); + sessionKey = 1; + } + else + ret = Pkcs11FindEccKey(&publicKey, CKO_PUBLIC_KEY, session, + info->pk.eccsign.key, CKA_VERIFY); } if (ret == 0) { - sig = (unsigned char *)XMALLOC(sz * 2, info->pk.eccverify.key->heap, + sig = (unsigned char *)XMALLOC(sz * 2, key->heap, DYNAMIC_TYPE_TMP_BUFFER); if (sig == NULL) ret = MEMORY_E; @@ -3168,7 +3479,7 @@ static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info) *info->pk.eccverify.res = 1; } - if (publicKey != NULL_PTR) + if (sessionKey && publicKey != NULL_PTR) session->func->C_DestroyObject(session->handle, publicKey); if (sig != NULL) @@ -3429,12 +3740,10 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) CK_ULONG outLen; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_GCM, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_ENCRYPT) == 0) + ret = Pkcs11MechAvail(session, CKM_AES_GCM, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_ENCRYPT) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-GCM Encryption Operation"); @@ -3524,12 +3833,10 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) word32 len; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_GCM, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_DECRYPT) == 0) + ret = Pkcs11MechAvail(session, CKM_AES_GCM, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_DECRYPT) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-GCM Decryption Operation"); @@ -3633,12 +3940,10 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) CK_ULONG outLen; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CBC, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_ENCRYPT) == 0) + ret = Pkcs11MechAvail(session, CKM_AES_CBC, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_ENCRYPT) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-CBC Encryption Operation"); @@ -3709,12 +4014,10 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) CK_ULONG outLen; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CBC, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_DECRYPT) == 0) + ret = Pkcs11MechAvail(session, CKM_AES_CBC, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_DECRYPT) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-CBC Decryption Operation"); @@ -3789,12 +4092,10 @@ static int Pkcs11AesCtrEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) CK_ULONG outLen; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CTR, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_ENCRYPT) == 0) + ret = Pkcs11MechAvail(session, CKM_AES_CTR, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_ENCRYPT) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-CTR Encryption Operation"); @@ -3870,12 +4171,10 @@ static int Pkcs11AesCtrDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) CK_ULONG outLen; /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CTR, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_DECRYPT) == 0) + ret = Pkcs11MechAvail(session, CKM_AES_CTR, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_DECRYPT) == 0) { ret = NOT_COMPILED_IN; - + } if (ret == 0) { WOLFSSL_MSG("PKCS#11: AES-CTR Decryption Operation"); @@ -3960,11 +4259,10 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info) ret = Pkcs11HmacTypes(info->hmac.macType, &mechType, &keyType); if (ret == 0) { /* Check operation is supported. */ - rv = session->func->C_GetMechanismInfo(session->slotId, mechType, - &mechInfo); - PKCS11_RV("C_GetMechanismInfo", rv); - if (rv != CKR_OK || (mechInfo.flags & CKF_SIGN) == 0) + ret = Pkcs11MechAvail(session, mechType, &mechInfo); + if (ret == 0 && (mechInfo.flags & CKF_SIGN) == 0) { ret = NOT_COMPILED_IN; + } } /* Check whether key been used to initialized. */ diff --git a/wolfssl/wolfcrypt/pkcs11.h b/wolfssl/wolfcrypt/pkcs11.h index 2413e724e0..4cf7ae7011 100644 --- a/wolfssl/wolfcrypt/pkcs11.h +++ b/wolfssl/wolfcrypt/pkcs11.h @@ -34,6 +34,7 @@ extern "C" { #define CK_INVALID_HANDLE 0UL +#define CK_UNAVAILABLE_INFORMATION (~0UL) #define CKN_SURRENDER 0UL @@ -184,6 +185,7 @@ extern "C" { #define CKR_OK 0x00000000UL #define CKR_MECHANISM_INVALID 0x00000070UL #define CKR_SIGNATURE_INVALID 0x000000C0UL +#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191UL #define CKD_NULL 0x00000001UL #define CKZ_DATA_SPECIFIED 0x00000001UL @@ -384,15 +386,47 @@ typedef struct CK_RSA_PKCS_OAEP_PARAMS { } CK_RSA_PKCS_OAEP_PARAMS; typedef CK_RSA_PKCS_OAEP_PARAMS *CK_RSA_PKCS_OAEP_PARAMS_PTR; +typedef struct CK_ASYNC_DATA { + CK_ULONG ulVersion; + CK_BYTE_PTR pValue; + CK_ULONG ulValueLen; + CK_OBJECT_HANDLE hObject; + CK_OBJECT_HANDLE hAdditionalObject; +} CK_ASYNC_DATA; +typedef CK_ASYNC_DATA* CK_ASYNC_DATA_PTR; + /* Function list types. */ typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; +typedef struct CK_FUNCTION_LIST_3_0 CK_FUNCTION_LIST_3_0; +typedef struct CK_FUNCTION_LIST_3_2 CK_FUNCTION_LIST_3_2; + typedef CK_FUNCTION_LIST* CK_FUNCTION_LIST_PTR; +typedef CK_FUNCTION_LIST_3_0* CK_FUNCTION_LIST_3_0_PTR; +typedef CK_FUNCTION_LIST_3_2* CK_FUNCTION_LIST_3_2_PTR; + typedef CK_FUNCTION_LIST_PTR* CK_FUNCTION_LIST_PTR_PTR; +typedef CK_FUNCTION_LIST_3_0_PTR* CK_FUNCTION_LIST_3_0_PTR_PTR; +typedef CK_FUNCTION_LIST_3_2_PTR* CK_FUNCTION_LIST_3_2_PTR_PTR; typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); -#ifdef HAVE_PKCS11_STATIC +typedef struct CK_INTERFACE { + CK_UTF8CHAR_PTR pInterfaceName; + CK_VOID_PTR pFunctionList; + CK_FLAGS flags; +} CK_INTERFACE; + +typedef CK_INTERFACE* CK_INTERFACE_PTR; +typedef CK_INTERFACE_PTR* CK_INTERFACE_PTR_PTR; + +typedef CK_RV (*CK_C_GetInterface)(CK_UTF8CHAR_PTR pInterfaceName, + CK_VERSION_PTR pVersion, CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags); + +#if defined(HAVE_PKCS11_STATIC) CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); +#elif defined(HAVE_PKCS11_V3_STATIC) +CK_RV C_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion, + CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags); #endif struct CK_FUNCTION_LIST { @@ -578,6 +612,533 @@ struct CK_FUNCTION_LIST { }; +struct CK_FUNCTION_LIST_3_0 { + CK_VERSION version; + + CK_RV (*C_Initialize)(CK_VOID_PTR pInitArgs); + CK_RV (*C_Finalize)(CK_VOID_PTR pReserved); + CK_RV (*C_GetInfo)(CK_INFO_PTR pInfo); + CK_RV (*C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); + CK_RV (*C_GetSlotList)(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, + CK_ULONG_PTR pulCount); + CK_RV (*C_GetSlotInfo)(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo); + CK_RV (*C_GetTokenInfo)(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo); + CK_RV (*C_GetMechanismList)(CK_SLOT_ID slotID, + CK_MECHANISM_TYPE_PTR pMechanismList, + CK_ULONG_PTR pulCount); + CK_RV (*C_GetMechanismInfo)(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, + CK_MECHANISM_INFO_PTR pInfo); + CK_RV (*C_InitToken)(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, + CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel); + CK_RV (*C_InitPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, + CK_ULONG ulPinLen); + CK_RV (*C_SetPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, + CK_ULONG ulOldLen, CK_UTF8CHAR_PTR pNewPin, + CK_ULONG ulNewLen); + CK_RV (*C_OpenSession)(CK_SLOT_ID slotID, CK_FLAGS flags, + CK_VOID_PTR pApplication, CK_NOTIFY Notify, + CK_SESSION_HANDLE_PTR phSession); + CK_RV (*C_CloseSession)(CK_SESSION_HANDLE hSession); + CK_RV (*C_CloseAllSessions)(CK_SLOT_ID slotID); + CK_RV (*C_GetSessionInfo)(CK_SESSION_HANDLE hSession, + CK_SESSION_INFO_PTR pInfo); + CK_RV (*C_GetOperationState)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, + CK_ULONG_PTR pulOperationStateLen); + CK_RV (*C_SetOperationState)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, + CK_ULONG ulOperationStateLen, + CK_OBJECT_HANDLE hEncryptionKey, + CK_OBJECT_HANDLE hAuthenticationKey); + CK_RV (*C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, + CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen); + CK_RV (*C_Logout)(CK_SESSION_HANDLE hSession); + CK_RV (*C_CreateObject)(CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phObject); + CK_RV (*C_CopyObject)(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phNewObject); + CK_RV (*C_DestroyObject)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject); + CK_RV (*C_GetObjectSize)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize); + CK_RV (*C_GetAttributeValue)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); + CK_RV (*C_SetAttributeValue)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); + CK_RV (*C_FindObjectsInit)(CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); + CK_RV (*C_FindObjects)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE_PTR phObject, + CK_ULONG ulMaxObjectCount, + CK_ULONG_PTR pulObjectCount); + CK_RV (*C_FindObjectsFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_EncryptInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); + CK_RV (*C_Encrypt)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, + CK_ULONG_PTR pulEncryptedDataLen); + CK_RV (*C_EncryptUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen); + CK_RV (*C_EncryptFinal)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastEncryptedPart, + CK_ULONG_PTR pulLastEncryptedPartLen); + CK_RV (*C_DecryptInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); + CK_RV (*C_Decrypt)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData, + CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, + CK_ULONG_PTR pulDataLen); + CK_RV (*C_DecryptUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, + CK_ULONG_PTR pulPartLen); + CK_RV (*C_DecryptFinal)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, + CK_ULONG_PTR pulLastPartLen); + CK_RV (*C_DigestInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism); + CK_RV (*C_Digest)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen); + CK_RV (*C_DigestUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen); + CK_RV (*C_DigestKey)(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey); + CK_RV (*C_DigestFinal)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen); + CK_RV (*C_SignInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_Sign)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_SignUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen); + CK_RV (*C_SignFinal)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_SignRecoverInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_SignRecover)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_VerifyInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); + CK_RV (*C_Verify)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen); + CK_RV (*C_VerifyUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen); + CK_RV (*C_VerifyFinal)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen); + CK_RV (*C_VerifyRecoverInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_VerifyRecover)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen, + CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen); + CK_RV (*C_DigestEncryptUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, CK_ULONG ulPartLen, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen); + CK_RV (*C_DecryptDigestUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen); + CK_RV (*C_SignEncryptUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, CK_ULONG ulPartLen, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen); + CK_RV (*C_DecryptVerifyUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen); + CK_RV (*C_GenerateKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phKey); + CK_RV (*C_GenerateKeyPair)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_ATTRIBUTE_PTR pPublicKeyTemplate, + CK_ULONG ulPublicKeyAttributeCount, + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, + CK_ULONG ulPrivateKeyAttributeCount, + CK_OBJECT_HANDLE_PTR phPublicKey, + CK_OBJECT_HANDLE_PTR phPrivateKey); + CK_RV (*C_WrapKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey, + CK_BYTE_PTR pWrappedKey, + CK_ULONG_PTR pulWrappedKeyLen); + CK_RV (*C_UnwrapKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hUnwrappingKey, + CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey); + CK_RV (*C_DeriveKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hBaseKey, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey); + CK_RV (*C_SeedRandom)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, + CK_ULONG ulSeedLen); + CK_RV (*C_GenerateRandom)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen); + CK_RV (*C_GetFunctionStatus)(CK_SESSION_HANDLE hSession); + CK_RV (*C_CancelFunction)(CK_SESSION_HANDLE hSession); + CK_RV (*C_WaitForSlotEvent)(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, + CK_VOID_PTR pReserved); + /* PKCS#11 V 3.0 functions */ + CK_RV (*C_GetInterfaceList)(CK_INTERFACE_PTR pInterfacesList, + CK_ULONG_PTR pulCount); + CK_RV (*C_GetInterface)(CK_UTF8CHAR_PTR pInterfaceName, + CK_VERSION_PTR pVersion, + CK_INTERFACE_PTR_PTR ppInterface, + CK_FLAGS flags); + CK_RV (*C_LoginUser)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, + CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, + CK_UTF8CHAR_PTR pUsername, CK_ULONG ulUsernameLen); + CK_RV (*C_SessionCancel)(CK_SESSION_HANDLE hSession, CK_FLAGS flags); + CK_RV (*C_MessageEncryptInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_EncryptMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pPlaintext, + CK_ULONG ulPlaintextLen, CK_BYTE_PTR pCiphertext, + CK_ULONG_PTR pulCiphertextLen); + CK_RV (*C_EncryptMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen); + CK_RV (*C_EncryptMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pPlaintextPart, + CK_ULONG ulPlaintextPartLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG_PTR pulCiphertextPartLen, CK_FLAGS flags); + CK_RV (*C_MessageEncryptFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_MessageDecryptInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_DecryptMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pCiphertext, + CK_ULONG ulCiphertextLen, CK_BYTE_PTR pPlaintext, + CK_ULONG_PTR pulPlaintextLen); + CK_RV (*C_DecryptMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen); + CK_RV (*C_DecryptMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG ulCiphertextPartLen, CK_BYTE_PTR pPlaintextPart, + CK_ULONG_PTR pulPlaintextPartLen, CK_FLAGS flags); + CK_RV (*C_MessageDecryptFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_MessageSignInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_SignMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_SignMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen); + CK_RV (*C_SignMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_MessageSignFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_MessageVerifyInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_VerifyMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen); + CK_RV (*C_VerifyMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen); + CK_RV (*C_VerifyMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen); + CK_RV (*C_MessageVerifyFinal)(CK_SESSION_HANDLE hSession); +}; + +struct CK_FUNCTION_LIST_3_2 { + CK_VERSION version; + + CK_RV (*C_Initialize)(CK_VOID_PTR pInitArgs); + CK_RV (*C_Finalize)(CK_VOID_PTR pReserved); + CK_RV (*C_GetInfo)(CK_INFO_PTR pInfo); + CK_RV (*C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); + CK_RV (*C_GetSlotList)(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, + CK_ULONG_PTR pulCount); + CK_RV (*C_GetSlotInfo)(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo); + CK_RV (*C_GetTokenInfo)(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo); + CK_RV (*C_GetMechanismList)(CK_SLOT_ID slotID, + CK_MECHANISM_TYPE_PTR pMechanismList, + CK_ULONG_PTR pulCount); + CK_RV (*C_GetMechanismInfo)(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, + CK_MECHANISM_INFO_PTR pInfo); + CK_RV (*C_InitToken)(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, + CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel); + CK_RV (*C_InitPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, + CK_ULONG ulPinLen); + CK_RV (*C_SetPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, + CK_ULONG ulOldLen, CK_UTF8CHAR_PTR pNewPin, + CK_ULONG ulNewLen); + CK_RV (*C_OpenSession)(CK_SLOT_ID slotID, CK_FLAGS flags, + CK_VOID_PTR pApplication, CK_NOTIFY Notify, + CK_SESSION_HANDLE_PTR phSession); + CK_RV (*C_CloseSession)(CK_SESSION_HANDLE hSession); + CK_RV (*C_CloseAllSessions)(CK_SLOT_ID slotID); + CK_RV (*C_GetSessionInfo)(CK_SESSION_HANDLE hSession, + CK_SESSION_INFO_PTR pInfo); + CK_RV (*C_GetOperationState)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, + CK_ULONG_PTR pulOperationStateLen); + CK_RV (*C_SetOperationState)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, + CK_ULONG ulOperationStateLen, + CK_OBJECT_HANDLE hEncryptionKey, + CK_OBJECT_HANDLE hAuthenticationKey); + CK_RV (*C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, + CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen); + CK_RV (*C_Logout)(CK_SESSION_HANDLE hSession); + CK_RV (*C_CreateObject)(CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phObject); + CK_RV (*C_CopyObject)(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phNewObject); + CK_RV (*C_DestroyObject)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject); + CK_RV (*C_GetObjectSize)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize); + CK_RV (*C_GetAttributeValue)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); + CK_RV (*C_SetAttributeValue)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); + CK_RV (*C_FindObjectsInit)(CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); + CK_RV (*C_FindObjects)(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE_PTR phObject, + CK_ULONG ulMaxObjectCount, + CK_ULONG_PTR pulObjectCount); + CK_RV (*C_FindObjectsFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_EncryptInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); + CK_RV (*C_Encrypt)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, + CK_ULONG_PTR pulEncryptedDataLen); + CK_RV (*C_EncryptUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen); + CK_RV (*C_EncryptFinal)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastEncryptedPart, + CK_ULONG_PTR pulLastEncryptedPartLen); + CK_RV (*C_DecryptInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); + CK_RV (*C_Decrypt)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData, + CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, + CK_ULONG_PTR pulDataLen); + CK_RV (*C_DecryptUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, + CK_ULONG_PTR pulPartLen); + CK_RV (*C_DecryptFinal)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, + CK_ULONG_PTR pulLastPartLen); + CK_RV (*C_DigestInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism); + CK_RV (*C_Digest)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen); + CK_RV (*C_DigestUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen); + CK_RV (*C_DigestKey)(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey); + CK_RV (*C_DigestFinal)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen); + CK_RV (*C_SignInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_Sign)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_SignUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen); + CK_RV (*C_SignFinal)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_SignRecoverInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_SignRecover)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_VerifyInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); + CK_RV (*C_Verify)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen); + CK_RV (*C_VerifyUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen); + CK_RV (*C_VerifyFinal)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen); + CK_RV (*C_VerifyRecoverInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_VerifyRecover)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen, + CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen); + CK_RV (*C_DigestEncryptUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, CK_ULONG ulPartLen, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen); + CK_RV (*C_DecryptDigestUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen); + CK_RV (*C_SignEncryptUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, CK_ULONG ulPartLen, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen); + CK_RV (*C_DecryptVerifyUpdate)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen); + CK_RV (*C_GenerateKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phKey); + CK_RV (*C_GenerateKeyPair)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_ATTRIBUTE_PTR pPublicKeyTemplate, + CK_ULONG ulPublicKeyAttributeCount, + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, + CK_ULONG ulPrivateKeyAttributeCount, + CK_OBJECT_HANDLE_PTR phPublicKey, + CK_OBJECT_HANDLE_PTR phPrivateKey); + CK_RV (*C_WrapKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey, + CK_BYTE_PTR pWrappedKey, + CK_ULONG_PTR pulWrappedKeyLen); + CK_RV (*C_UnwrapKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hUnwrappingKey, + CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey); + CK_RV (*C_DeriveKey)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hBaseKey, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey); + CK_RV (*C_SeedRandom)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, + CK_ULONG ulSeedLen); + CK_RV (*C_GenerateRandom)(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen); + CK_RV (*C_GetFunctionStatus)(CK_SESSION_HANDLE hSession); + CK_RV (*C_CancelFunction)(CK_SESSION_HANDLE hSession); + CK_RV (*C_WaitForSlotEvent)(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, + CK_VOID_PTR pReserved); + + /* PKCS#11 V 3.0 functions */ + CK_RV (*C_GetInterfaceList)(CK_INTERFACE_PTR pInterfacesList, + CK_ULONG_PTR pulCount); + CK_RV (*C_GetInterface)(CK_UTF8CHAR_PTR pInterfaceName, + CK_VERSION_PTR pVersion, + CK_INTERFACE_PTR_PTR ppInterface, + CK_FLAGS flags); + CK_RV (*C_LoginUser)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, + CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, + CK_UTF8CHAR_PTR pUsername, CK_ULONG ulUsernameLen); + CK_RV (*C_SessionCancel)(CK_SESSION_HANDLE hSession, CK_FLAGS flags); + CK_RV (*C_MessageEncryptInit)(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_EncryptMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pPlaintext, + CK_ULONG ulPlaintextLen, CK_BYTE_PTR pCiphertext, + CK_ULONG_PTR pulCiphertextLen); + CK_RV (*C_EncryptMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen); + CK_RV (*C_EncryptMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pPlaintextPart, + CK_ULONG ulPlaintextPartLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG_PTR pulCiphertextPartLen, CK_FLAGS flags); + CK_RV (*C_MessageEncryptFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_MessageDecryptInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_DecryptMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pCiphertext, + CK_ULONG ulCiphertextLen, CK_BYTE_PTR pPlaintext, + CK_ULONG_PTR pulPlaintextLen); + CK_RV (*C_DecryptMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen); + CK_RV (*C_DecryptMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG ulCiphertextPartLen, CK_BYTE_PTR pPlaintextPart, + CK_ULONG_PTR pulPlaintextPartLen, CK_FLAGS flags); + CK_RV (*C_MessageDecryptFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_MessageSignInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_SignMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_SignMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen); + CK_RV (*C_SignMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen); + CK_RV (*C_MessageSignFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_MessageVerifyInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey); + CK_RV (*C_VerifyMessage)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen); + CK_RV (*C_VerifyMessageBegin)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen); + CK_RV (*C_VerifyMessageNext)(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen); + CK_RV (*C_MessageVerifyFinal)(CK_SESSION_HANDLE hSession); + + /* PKCS#11 V 3.2 functions */ + CK_RV (*C_EncapsulateKey)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hPublicKey, CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, + CK_BYTE_PTR pCiphertext, CK_ULONG_PTR pulCiphertextLen); + CK_RV (*C_DecapsulateKey)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hPrivateKey, CK_BYTE_PTR pCiphertext, + CK_ULONG ulCiphertextLen, CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey); + CK_RV (*C_VerifySignatureInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen); + CK_RV (*C_VerifySignature)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen); + CK_RV (*C_VerifySignatureUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen); + CK_RV (*C_VerifySignatureFinal)(CK_SESSION_HANDLE hSession); + CK_RV (*C_GetSessionValidationFlags)(CK_SESSION_HANDLE hSession, CK_ULONG type, + CK_FLAGS * pFlags); + CK_RV (*C_AsyncComplete)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pFunctionName, + CK_ASYNC_DATA_PTR pResult); + CK_RV (*C_AsyncGetID)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pFunctionName, + CK_ULONG_PTR pulID); + CK_RV (*C_AsyncJoin)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pFunctionName, + CK_ULONG ulID, CK_BYTE_PTR pData, CK_ULONG ulData); +}; + #ifdef __cplusplus } #endif diff --git a/wolfssl/wolfcrypt/wc_pkcs11.h b/wolfssl/wolfcrypt/wc_pkcs11.h index 803a1a6c05..b4805690c7 100644 --- a/wolfssl/wolfcrypt/wc_pkcs11.h +++ b/wolfssl/wolfcrypt/wc_pkcs11.h @@ -37,13 +37,21 @@ extern "C" { #endif +enum Pkcs11InterfaceVersionType { + WC_PCKS11VERSION_2_20, + WC_PCKS11VERSION_2_40, + WC_PCKS11VERSION_3_0, + WC_PCKS11VERSION_3_1, + WC_PCKS11VERSION_3_2, +}; typedef struct Pkcs11Dev { -#ifndef HAVE_PKCS11_STATIC +#if !defined(HAVE_PKCS11_STATIC) && !defined(HAVE_PKCS11_V3_STATIC) void* dlHandle; /* Handle to library */ #endif CK_FUNCTION_LIST* func; /* Array of functions */ void* heap; + int version; /* Pkcs11InterfaceVersionType */ } Pkcs11Dev; typedef struct Pkcs11Token { @@ -53,12 +61,14 @@ typedef struct Pkcs11Token { CK_UTF8CHAR_PTR userPin; /* User's PIN to login with */ CK_ULONG userPinSz; /* Size of user's PIN in bytes */ byte userPinLogin:1; /* Login with User's PIN */ + int version; /* Pkcs11InterfaceVersionType */ } Pkcs11Token; typedef struct Pkcs11Session { CK_FUNCTION_LIST* func; /* Table of PKCS#11 function from lib */ CK_SLOT_ID slotId; /* Id of slot to use */ CK_SESSION_HANDLE handle; /* Handle to active session */ + int version; /* Pkcs11InterfaceVersionType */ } Pkcs11Session; /* Types of keys that can be stored. */ @@ -74,6 +84,8 @@ WOLFSSL_API int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, void* heap); WOLFSSL_API int wc_Pkcs11_Initialize_ex(Pkcs11Dev* dev, const char* library, void* heap, CK_RV* rvp); +WOLFSSL_API int wc_Pkcs11_Initialize_v3(Pkcs11Dev* dev, const char* library, + void* heap, int* version, const char* interfaceName, CK_RV* rvp); WOLFSSL_API void wc_Pkcs11_Finalize(Pkcs11Dev* dev); WOLFSSL_API int wc_Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev,