int
pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
struct tls_root_ctx * const ssl_ctx)
{
int ret = 1;
ASSERT (NULL != ssl_ctx);
ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, mbedtls_x509_crt);
if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) {
msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
goto cleanup;
}
ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context);
if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) {
msg (M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object");
goto cleanup;
}
ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, mbedtls_pk_context);
if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key,
ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt,
mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) {
goto cleanup;
}
ret = 0;
cleanup:
return ret;
}
mbedtls_md_context_t *
md_ctx_new(void)
{
mbedtls_md_context_t *ctx;
ALLOC_OBJ_CLEAR(ctx, mbedtls_md_context_t);
return ctx;
}
int
tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, X509 *cert)
{
RSA *rsa = NULL;
RSA *pub_rsa;
RSA_METHOD *rsa_meth;
ASSERT (NULL != ctx);
ASSERT (NULL != cert);
/* allocate custom RSA method object */
ALLOC_OBJ_CLEAR (rsa_meth, RSA_METHOD);
rsa_meth->name = "OpenVPN external private key RSA Method";
rsa_meth->rsa_pub_enc = rsa_pub_enc;
rsa_meth->rsa_pub_dec = rsa_pub_dec;
rsa_meth->rsa_priv_enc = rsa_priv_enc;
rsa_meth->rsa_priv_dec = rsa_priv_dec;
rsa_meth->init = NULL;
rsa_meth->finish = rsa_finish;
rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
rsa_meth->app_data = NULL;
/* allocate RSA object */
rsa = RSA_new();
if (rsa == NULL)
{
SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
goto err;
}
/* get the public key */
ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */
pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
/* initialize RSA object */
rsa->n = BN_dup(pub_rsa->n);
rsa->flags |= RSA_FLAG_EXT_PKEY;
if (!RSA_set_method(rsa, rsa_meth))
goto err;
/* bind our custom RSA object to ssl_ctx */
if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa))
goto err;
RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */
return 1;
err:
if (rsa)
RSA_free(rsa);
else
{
if (rsa_meth)
free(rsa_meth);
}
msg (M_SSLERR, "Cannot enable SSL external private key capability");
return 0;
}
int
pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
struct tls_root_ctx *const ssl_ctx)
{
ASSERT(NULL != ssl_ctx);
ssl_ctx->pkcs11_cert = certificate;
ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt);
if (!pkcs11_get_x509_cert(certificate, ssl_ctx->crt_chain))
{
msg(M_WARN, "PKCS#11: Cannot initialize certificate");
return 1;
}
if (tls_ctx_use_external_signing_func(ssl_ctx, pkcs11_sign, certificate))
{
msg(M_WARN, "PKCS#11: Cannot register signing function");
return 1;
}
return 0;
}
