int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx * const ssl_ctx) { int ret = 1; ASSERT (NULL != ssl_ctx); ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, mbedtls_x509_crt); if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) { msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context); if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) { msg (M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object"); goto cleanup; } ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, mbedtls_pk_context); if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key, ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt, mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) { goto cleanup; } ret = 0; cleanup: return ret; }
mbedtls_md_context_t * md_ctx_new(void) { mbedtls_md_context_t *ctx; ALLOC_OBJ_CLEAR(ctx, mbedtls_md_context_t); return ctx; }
int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, X509 *cert) { RSA *rsa = NULL; RSA *pub_rsa; RSA_METHOD *rsa_meth; ASSERT (NULL != ctx); ASSERT (NULL != cert); /* allocate custom RSA method object */ ALLOC_OBJ_CLEAR (rsa_meth, RSA_METHOD); rsa_meth->name = "OpenVPN external private key RSA Method"; rsa_meth->rsa_pub_enc = rsa_pub_enc; rsa_meth->rsa_pub_dec = rsa_pub_dec; rsa_meth->rsa_priv_enc = rsa_priv_enc; rsa_meth->rsa_priv_dec = rsa_priv_dec; rsa_meth->init = NULL; rsa_meth->finish = rsa_finish; rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK; rsa_meth->app_data = NULL; /* allocate RSA object */ rsa = RSA_new(); if (rsa == NULL) { SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); goto err; } /* get the public key */ ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */ pub_rsa = cert->cert_info->key->pkey->pkey.rsa; /* initialize RSA object */ rsa->n = BN_dup(pub_rsa->n); rsa->flags |= RSA_FLAG_EXT_PKEY; if (!RSA_set_method(rsa, rsa_meth)) goto err; /* bind our custom RSA object to ssl_ctx */ if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa)) goto err; RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ return 1; err: if (rsa) RSA_free(rsa); else { if (rsa_meth) free(rsa_meth); } msg (M_SSLERR, "Cannot enable SSL external private key capability"); return 0; }
int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, struct tls_root_ctx *const ssl_ctx) { ASSERT(NULL != ssl_ctx); ssl_ctx->pkcs11_cert = certificate; ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt); if (!pkcs11_get_x509_cert(certificate, ssl_ctx->crt_chain)) { msg(M_WARN, "PKCS#11: Cannot initialize certificate"); return 1; } if (tls_ctx_use_external_signing_func(ssl_ctx, pkcs11_sign, certificate)) { msg(M_WARN, "PKCS#11: Cannot register signing function"); return 1; } return 0; }