libp11 0.4.12
libp11.h
Go to the documentation of this file.
1/* libp11, a simple layer on to of PKCS#11 API
2 * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 */
18
24#ifndef _LIB11_H
25#define _LIB11_H
26
27#include "p11_err.h"
28#include <openssl/bio.h>
29#include <openssl/err.h>
30#include <openssl/bn.h>
31#include <openssl/rsa.h>
32#include <openssl/x509.h>
33#include <openssl/evp.h>
34
35#ifdef __cplusplus
36extern "C" {
37#endif
38
39int ERR_load_CKR_strings(void);
40void ERR_unload_CKR_strings(void);
41void ERR_CKR_error(int function, int reason, char *file, int line);
42# define CKRerr(f,r) ERR_CKR_error((f),(r),__FILE__,__LINE__)
43int ERR_get_CKR_code(void);
44
45/*
46 * The purpose of this library is to provide a simple PKCS11
47 * interface to OpenSSL application that wish to use a previously
48 * initialized card (as opposed to initializing it, etc).
49 *
50 * I am therefore making some simplifying assumptions:
51 *
52 * - no support for any operations that alter the card,
53 * i.e. readonly-login
54 */
55
57typedef struct PKCS11_key_st {
58 char *label;
59 unsigned char *id;
60 size_t id_len;
61 unsigned char isPrivate;
62 unsigned char needLogin;
63 void *_private;
65
67typedef struct PKCS11_cert_st {
68 char *label;
69 unsigned char *id;
70 size_t id_len;
71 X509 *x509;
72 void *_private;
74
76typedef struct PKCS11_token_st {
77 char *label;
78 char *manufacturer;
79 char *model;
80 char *serialnr;
81 unsigned char initialized;
82 unsigned char loginRequired;
83 unsigned char secureLogin;
84 unsigned char userPinSet;
85 unsigned char readOnly;
86 unsigned char hasRng;
87 unsigned char userPinCountLow;
88 unsigned char userPinFinalTry;
89 unsigned char userPinLocked;
90 unsigned char userPinToBeChanged;
91 unsigned char soPinCountLow;
92 unsigned char soPinFinalTry;
93 unsigned char soPinLocked;
94 unsigned char soPinToBeChanged;
95 struct PKCS11_slot_st *slot;
97
99typedef struct PKCS11_slot_st {
100 char *manufacturer;
101 char *description;
102 unsigned char removable;
104 void *_private;
106
108typedef struct PKCS11_ctx_st {
109 char *manufacturer;
110 char *description;
111 void *_private;
113
121
127extern void PKCS11_CTX_init_args(PKCS11_CTX * ctx, const char * init_args);
128
137extern int PKCS11_CTX_load(PKCS11_CTX * ctx, const char * ident);
138
144extern void PKCS11_CTX_unload(PKCS11_CTX * ctx);
145
151extern void PKCS11_CTX_free(PKCS11_CTX * ctx);
152
160extern int PKCS11_open_session(PKCS11_SLOT * slot, int rw);
161
172 PKCS11_SLOT **slotsp, unsigned int *nslotsp);
173
189 PKCS11_SLOT **slotsp, unsigned int *nslotsp);
190
197extern unsigned long PKCS11_get_slotid_from_slot(PKCS11_SLOT *slotp);
198
207 PKCS11_SLOT *slots, unsigned int nslots);
208
219 PKCS11_SLOT *slots, unsigned int nslots);
220
232 PKCS11_SLOT *slots, unsigned int nslots,
233 PKCS11_SLOT *slot);
234
244extern int PKCS11_is_logged_in(PKCS11_SLOT * slot, int so, int * res);
245
255extern int PKCS11_login(PKCS11_SLOT * slot, int so, const char *pin);
256
264extern int PKCS11_logout(PKCS11_SLOT * slot);
265
266/* Get a list of private keys associated with this token */
267extern int PKCS11_enumerate_keys(PKCS11_TOKEN *,
268 PKCS11_KEY **, unsigned int *);
269
270/* Remove the key from this token */
271extern int PKCS11_remove_key(PKCS11_KEY *);
272
273/* Get a list of public keys associated with this token */
274extern int PKCS11_enumerate_public_keys(PKCS11_TOKEN *,
275 PKCS11_KEY **, unsigned int *);
276
277/* Get the key type (as EVP_PKEY_XXX) */
278extern int PKCS11_get_key_type(PKCS11_KEY *);
279
287extern EVP_PKEY *PKCS11_get_private_key(PKCS11_KEY *key);
288
296extern EVP_PKEY *PKCS11_get_public_key(PKCS11_KEY *key);
297
298/* Find the corresponding certificate (if any) */
299extern PKCS11_CERT *PKCS11_find_certificate(PKCS11_KEY *);
300
301/* Find the corresponding key (if any) */
302extern PKCS11_KEY *PKCS11_find_key(PKCS11_CERT *);
303
304/* Get a list of all certificates associated with this token */
305extern int PKCS11_enumerate_certs(PKCS11_TOKEN *, PKCS11_CERT **, unsigned int *);
306
307/* Remove the certificate from this token */
308extern int PKCS11_remove_certificate(PKCS11_CERT *);
309
310/* Set UI method to allow retrieving CKU_CONTEXT_SPECIFIC PINs interactively */
311extern int PKCS11_set_ui_method(PKCS11_CTX *ctx,
312 UI_METHOD *ui_method, void *ui_user_data);
313
323extern int PKCS11_init_token(PKCS11_TOKEN * token, const char *pin,
324 const char *label);
325
334extern int PKCS11_init_pin(PKCS11_TOKEN * token, const char *pin);
335
345extern int PKCS11_change_pin(PKCS11_SLOT * slot, const char *old_pin,
346 const char *new_pin);
347
359extern int PKCS11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);
360
372extern int PKCS11_store_public_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);
373
386extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
387 char *label, unsigned char *id, size_t id_len,
388 PKCS11_CERT **ret_cert);
389
390/* Access the random number generator */
391extern int PKCS11_seed_random(PKCS11_SLOT *slot, const unsigned char *s, unsigned int s_len);
392extern int PKCS11_generate_random(PKCS11_SLOT *slot, unsigned char *r, unsigned int r_len);
393
394/*
395 * PKCS#11 implementation for OpenSSL methods
396 */
397RSA_METHOD *PKCS11_get_rsa_method(void);
398/* Also define unsupported methods to retain backward compatibility */
399#if OPENSSL_VERSION_NUMBER >= 0x10100002L && !defined(LIBRESSL_VERSION_NUMBER)
400EC_KEY_METHOD *PKCS11_get_ec_key_method(void);
401void *PKCS11_get_ecdsa_method(void);
402void *PKCS11_get_ecdh_method(void);
403#else
404void *PKCS11_get_ec_key_method(void);
405ECDSA_METHOD *PKCS11_get_ecdsa_method(void);
406ECDH_METHOD *PKCS11_get_ecdh_method(void);
407#endif
408int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
409 const int **nids, int nid);
410
417extern void ERR_load_PKCS11_strings(void);
418
419#if defined(_LIBP11_INT_H)
420 /* Deprecated functions will no longer be exported in libp11 0.5.0 */
421 /* They are, however, used internally in OpenSSL method definitions */
422#define P11_DEPRECATED(msg)
423#elif defined(_MSC_VER)
424#define P11_DEPRECATED(msg) __declspec(deprecated(msg))
425#elif defined(__GNUC__)
426#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 40500
427 /* GCC >= 4.5.0 supports printing a message */
428#define P11_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
429#else
430#define P11_DEPRECATED(msg) __attribute__ ((deprecated))
431#endif
432#elif defined(__clang__)
433#define P11_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
434#else
435#define P11_DEPRECATED(msg)
436#endif
437
438#define P11_DEPRECATED_FUNC \
439 P11_DEPRECATED("This function will be removed in libp11 0.5.0")
440
441/*
442 * These functions will be removed from libp11, because they partially
443 * duplicate the functionality OpenSSL provides for EVP_PKEY objects
444 */
445
458P11_DEPRECATED_FUNC extern int PKCS11_generate_key(PKCS11_TOKEN * token,
459 int algorithm, unsigned int bits,
460 char *label, unsigned char* id, size_t id_len);
461
462/* Get the RSA key modulus size (in bytes) */
463P11_DEPRECATED_FUNC extern int PKCS11_get_key_size(PKCS11_KEY *);
464
465/* Get the RSA key modules as BIGNUM */
466P11_DEPRECATED_FUNC extern int PKCS11_get_key_modulus(PKCS11_KEY *, BIGNUM **);
467
468/* Get the RSA key public exponent as BIGNUM */
469P11_DEPRECATED_FUNC extern int PKCS11_get_key_exponent(PKCS11_KEY *, BIGNUM **);
470
471/* Sign with the EC private key */
472P11_DEPRECATED_FUNC extern int PKCS11_ecdsa_sign(
473 const unsigned char *m, unsigned int m_len,
474 unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
475
476/* Sign with the RSA private key */
477P11_DEPRECATED_FUNC extern int PKCS11_sign(int type,
478 const unsigned char *m, unsigned int m_len,
479 unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
480
481/* This function has never been implemented */
482P11_DEPRECATED_FUNC extern int PKCS11_verify(int type,
483 const unsigned char *m, unsigned int m_len,
484 unsigned char *signature, unsigned int siglen, PKCS11_KEY * key);
485
486/* Encrypts data using the private key */
487P11_DEPRECATED_FUNC extern int PKCS11_private_encrypt(
488 int flen, const unsigned char *from,
489 unsigned char *to, PKCS11_KEY * rsa, int padding);
490
501P11_DEPRECATED_FUNC extern int PKCS11_private_decrypt(
502 int flen, const unsigned char *from,
503 unsigned char *to, PKCS11_KEY * key, int padding);
504
505/* Function codes */
506# define CKR_F_PKCS11_CHANGE_PIN 100
507# define CKR_F_PKCS11_CHECK_TOKEN 101
508# define CKR_F_PKCS11_CTX_LOAD 102
509# define CKR_F_PKCS11_ECDH_DERIVE 103
510# define CKR_F_PKCS11_ECDSA_SIGN 104
511# define CKR_F_PKCS11_ENUMERATE_SLOTS 105
512# define CKR_F_PKCS11_FIND_CERTS 106
513# define CKR_F_PKCS11_FIND_KEYS 107
514# define CKR_F_PKCS11_GENERATE_RANDOM 108
515# define CKR_F_PKCS11_GETATTR_ALLOC 109
516# define CKR_F_PKCS11_GETATTR_BN 110
517# define CKR_F_PKCS11_GETATTR_INT 111
518# define CKR_F_PKCS11_INIT_PIN 112
519# define CKR_F_PKCS11_INIT_SLOT 113
520# define CKR_F_PKCS11_INIT_TOKEN 114
521# define CKR_F_PKCS11_IS_LOGGED_IN 115
522# define CKR_F_PKCS11_LOGIN 116
523# define CKR_F_PKCS11_LOGOUT 117
524# define CKR_F_PKCS11_NEXT_CERT 118
525# define CKR_F_PKCS11_NEXT_KEY 119
526# define CKR_F_PKCS11_OPEN_SESSION 120
527# define CKR_F_PKCS11_PRIVATE_DECRYPT 121
528# define CKR_F_PKCS11_PRIVATE_ENCRYPT 122
529# define CKR_F_PKCS11_RELOAD_KEY 123
530# define CKR_F_PKCS11_SEED_RANDOM 125
531# define CKR_F_PKCS11_STORE_CERTIFICATE 126
532# define CKR_F_PKCS11_STORE_KEY 127
533# define CKR_F_PKCS11_REMOVE_KEY 128
534# define CKR_F_PKCS11_REMOVE_CERTIFICATE 129
535# define CKR_F_PKCS11_GENERATE_KEY 130
536# define CKR_F_PKCS11_RELOAD_CERTIFICATE 131
537# define CKR_F_PKCS11_GET_SESSION 132
538
539/* Backward compatibility of error function codes */
540#define PKCS11_F_PKCS11_CHANGE_PIN CKR_F_PKCS11_CHANGE_PIN
541#define PKCS11_F_PKCS11_CHECK_TOKEN CKR_F_PKCS11_CHECK_TOKEN
542#define PKCS11_F_PKCS11_CTX_LOAD CKR_F_PKCS11_CTX_LOAD
543#define PKCS11_F_PKCS11_ECDH_DERIVE CKR_F_PKCS11_ECDH_DERIVE
544#define PKCS11_F_PKCS11_ECDSA_SIGN CKR_F_PKCS11_ECDSA_SIGN
545#define PKCS11_F_PKCS11_ENUMERATE_SLOTS CKR_F_PKCS11_ENUMERATE_SLOTS
546#define PKCS11_F_PKCS11_FIND_CERTS CKR_F_PKCS11_FIND_CERTS
547#define PKCS11_F_PKCS11_FIND_KEYS CKR_F_PKCS11_FIND_KEYS
548#define PKCS11_F_PKCS11_GENERATE_RANDOM CKR_F_PKCS11_GENERATE_RANDOM
549#define PKCS11_F_PKCS11_GETATTR_ALLOC CKR_F_PKCS11_GETATTR_ALLOC
550#define PKCS11_F_PKCS11_GETATTR_BN CKR_F_PKCS11_GETATTR_BN
551#define PKCS11_F_PKCS11_GETATTR_INT CKR_F_PKCS11_GETATTR_INT
552#define PKCS11_F_PKCS11_INIT_PIN CKR_F_PKCS11_INIT_PIN
553#define PKCS11_F_PKCS11_INIT_SLOT CKR_F_PKCS11_INIT_SLOT
554#define PKCS11_F_PKCS11_INIT_TOKEN CKR_F_PKCS11_INIT_TOKEN
555#define PKCS11_F_PKCS11_IS_LOGGED_IN CKR_F_PKCS11_IS_LOGGED_IN
556#define PKCS11_F_PKCS11_LOGIN CKR_F_PKCS11_LOGIN
557#define PKCS11_F_PKCS11_LOGOUT CKR_F_PKCS11_LOGOUT
558#define PKCS11_F_PKCS11_NEXT_CERT CKR_F_PKCS11_NEXT_CERT
559#define PKCS11_F_PKCS11_NEXT_KEY CKR_F_PKCS11_NEXT_KEY
560#define PKCS11_F_PKCS11_OPEN_SESSION CKR_F_PKCS11_OPEN_SESSION
561#define PKCS11_F_PKCS11_PRIVATE_DECRYPT CKR_F_PKCS11_PRIVATE_DECRYPT
562#define PKCS11_F_PKCS11_PRIVATE_ENCRYPT CKR_F_PKCS11_PRIVATE_ENCRYPT
563#define PKCS11_F_PKCS11_RELOAD_KEY CKR_F_PKCS11_RELOAD_KEY
564#define PKCS11_F_PKCS11_SEED_RANDOM CKR_F_PKCS11_SEED_RANDOM
565#define PKCS11_F_PKCS11_STORE_CERTIFICATE CKR_F_PKCS11_STORE_CERTIFICATE
566#define PKCS11_F_PKCS11_STORE_KEY CKR_F_PKCS11_STORE_KEY
567#define PKCS11_F_PKCS11_REMOVE_KEY CKR_F_PKCS11_REMOVE_KEY
568#define PKCS11_F_PKCS11_REMOVE_CERTIFICATE CKR_F_PKCS11_REMOVE_CERTIFICATE
569#define PKCS11_F_PKCS11_GENERATE_KEY CKR_F_PKCS11_GENERATE_KEY
570
571/* Backward compatibility of error reason codes */
572#define PKCS11_LOAD_MODULE_ERROR P11_R_LOAD_MODULE_ERROR
573#define PKCS11_MODULE_LOADED_ERROR -1
574#define PKCS11_SYMBOL_NOT_FOUND_ERROR -1
575#define PKCS11_NOT_SUPPORTED P11_R_NOT_SUPPORTED
576#define PKCS11_NO_SESSION P11_R_NO_SESSION
577#define PKCS11_KEYGEN_FAILED P11_R_KEYGEN_FAILED
578#define PKCS11_UI_FAILED P11_R_UI_FAILED
579
580/* Backward compatibility emulation of the ERR_LIB_PKCS11 constant.
581 * We currently use two separate variables for library error codes:
582 * one for imported PKCS#11 module errors, and one for our own libp11 errors.
583 * We return the value for PKCS#11, as it is more likely to be needed. */
584#define ERR_LIB_PKCS11 (ERR_get_CKR_code())
585
586#ifdef __cplusplus
587}
588#endif
589#endif
590
591/* vim: set noexpandtab: */
struct PKCS11_ctx_st PKCS11_CTX
PKCS11 context.
unsigned long PKCS11_get_slotid_from_slot(PKCS11_SLOT *slotp)
Get the slot_id from a slot as it is stored in private.
int PKCS11_store_public_key(PKCS11_TOKEN *token, EVP_PKEY *pk, char *label, unsigned char *id, size_t id_len)
Store public key on a token.
void PKCS11_CTX_free(PKCS11_CTX *ctx)
Free a libp11 context.
struct PKCS11_slot_st PKCS11_SLOT
PKCS11 slot: card reader.
int PKCS11_change_pin(PKCS11_SLOT *slot, const char *old_pin, const char *new_pin)
Change the currently used (either USER or SO) PIN on a token.
struct PKCS11_key_st PKCS11_KEY
PKCS11 key object (public or private)
P11_DEPRECATED_FUNC int PKCS11_generate_key(PKCS11_TOKEN *token, int algorithm, unsigned int bits, char *label, unsigned char *id, size_t id_len)
Generate a private key on the token.
int PKCS11_init_pin(PKCS11_TOKEN *token, const char *pin)
Initialize the user PIN on a token.
int PKCS11_store_certificate(PKCS11_TOKEN *token, X509 *x509, char *label, unsigned char *id, size_t id_len, PKCS11_CERT **ret_cert)
Store certificate on a token.
EVP_PKEY * PKCS11_get_public_key(PKCS11_KEY *key)
Returns a EVP_PKEY object with the public key.
int PKCS11_login(PKCS11_SLOT *slot, int so, const char *pin)
Authenticate to the card.
void PKCS11_CTX_unload(PKCS11_CTX *ctx)
Unload a PKCS#11 module.
PKCS11_SLOT * PKCS11_find_next_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots, PKCS11_SLOT *slot)
Find the next slot with a token.
int PKCS11_init_token(PKCS11_TOKEN *token, const char *pin, const char *label)
Initialize a token.
int PKCS11_enumerate_slots(PKCS11_CTX *ctx, PKCS11_SLOT **slotsp, unsigned int *nslotsp)
Get a list of all slots.
PKCS11_CTX * PKCS11_CTX_new(void)
Create a new libp11 context.
EVP_PKEY * PKCS11_get_private_key(PKCS11_KEY *key)
Returns a EVP_PKEY object for the private key.
int PKCS11_is_logged_in(PKCS11_SLOT *slot, int so, int *res)
Check if user is already authenticated to a card.
int PKCS11_update_slots(PKCS11_CTX *ctx, PKCS11_SLOT **slotsp, unsigned int *nslotsp)
Get or update a list of all slots.
void PKCS11_CTX_init_args(PKCS11_CTX *ctx, const char *init_args)
Specify any private PKCS#11 module initialization args, if necessary.
struct PKCS11_token_st PKCS11_TOKEN
PKCS11 token: smart card or USB key.
struct PKCS11_cert_st PKCS11_CERT
PKCS11 certificate object.
int PKCS11_CTX_load(PKCS11_CTX *ctx, const char *ident)
Load a PKCS#11 module.
void PKCS11_release_all_slots(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots)
Free the list of slots allocated by PKCS11_enumerate_slots()
P11_DEPRECATED_FUNC int PKCS11_private_decrypt(int flen, const unsigned char *from, unsigned char *to, PKCS11_KEY *key, int padding)
Decrypts data using the private key.
PKCS11_SLOT * PKCS11_find_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots)
Find the first slot with a token.
int PKCS11_open_session(PKCS11_SLOT *slot, int rw)
Open a session in RO or RW mode.
int PKCS11_store_private_key(PKCS11_TOKEN *token, EVP_PKEY *pk, char *label, unsigned char *id, size_t id_len)
Store private key on a token.
void ERR_load_PKCS11_strings(void)
Load PKCS11 error strings.
int PKCS11_logout(PKCS11_SLOT *slot)
De-authenticate from the card.
PKCS11 certificate object.
Definition libp11.h:67
PKCS11 context.
Definition libp11.h:108
PKCS11 key object (public or private)
Definition libp11.h:57
unsigned char isPrivate
private key present?
Definition libp11.h:61
unsigned char needLogin
login to read private key?
Definition libp11.h:62
PKCS11 slot: card reader.
Definition libp11.h:99
PKCS11_TOKEN * token
NULL if no token present.
Definition libp11.h:103
PKCS11 token: smart card or USB key.
Definition libp11.h:76

libp11, Copyright (C) 2005 Olaf Kirch <okir@lst.de>OpenSC-Project.org Logo