in platform/posix/transport/src/mbedtls_pkcs11_posix.c [110:229]
static MbedtlsPkcs11Status_t configureMbedtls( MbedtlsPkcs11Context_t * pMbedtlsPkcs11Context,
const char * pHostName,
const MbedtlsPkcs11Credentials_t * pMbedtlsPkcs11Credentials,
uint32_t recvTimeoutMs );
/**
 * @brief Configure the client certificate and the Root CA in the MbedTLS SSL
 * context.
 *
 * @param[in] pMbedtlsPkcs11Context Network context whose SSL context and
 * certificate objects are configured.
 * @param[in] pMbedtlsPkcs11Credentials TLS setup parameters (credential
 * labels and Root CA material).
 *
 * @return #MBEDTLS_PKCS11_SUCCESS on success,
 * #MBEDTLS_PKCS11_INVALID_CREDENTIALS on error.
 */
static MbedtlsPkcs11Status_t configureMbedtlsCertificates( MbedtlsPkcs11Context_t * pMbedtlsPkcs11Context,
                                                           const MbedtlsPkcs11Credentials_t * pMbedtlsPkcs11Credentials );
/**
 * @brief Configure the SNI (server name indication) and ALPN protocol list in
 * the MbedTLS SSL context.
 *
 * @param[in] pMbedtlsPkcs11Context Network context.
 * @param[in] pMbedtlsPkcs11Credentials TLS setup parameters.
 * @param[in] pHostName Remote host name, used for server name indication.
 *
 * @return #MBEDTLS_PKCS11_SUCCESS on success,
 * #MBEDTLS_PKCS11_INVALID_CREDENTIALS on error.
 */
static MbedtlsPkcs11Status_t configureMbedtlsSniAlpn( MbedtlsPkcs11Context_t * pMbedtlsPkcs11Context,
                                                      const MbedtlsPkcs11Credentials_t * pMbedtlsPkcs11Credentials,
                                                      const char * pHostName );
/**
 * @brief Configure the Maximum Fragment Length extension in the MbedTLS SSL
 * context.
 *
 * @param[in] pMbedtlsPkcs11Context Network context.
 *
 * @return #MBEDTLS_PKCS11_SUCCESS on success,
 * #MBEDTLS_PKCS11_INVALID_CREDENTIALS on error.
 */
static MbedtlsPkcs11Status_t configureMbedtlsFragmentLength( MbedtlsPkcs11Context_t * pMbedtlsPkcs11Context );
/**
 * @brief Callback that wraps PKCS #11 for pseudo-random number generation. This
 * is passed to MbedTLS as its entropy/RNG source.
 *
 * @param[in] pCtx Caller context.
 * @param[out] pRandom Byte array to fill with random data.
 * @param[in] randomLength Length in bytes of the @p pRandom array.
 *
 * @return Zero on success, non-zero on failure (MbedTLS treats any non-zero
 * value as an RNG error).
 */
static int32_t generateRandomBytes( void * pCtx,
                                    unsigned char * pRandom,
                                    size_t randomLength );
/**
 * @brief Helper for reading the specified certificate object, if present,
 * out of storage, into RAM, and then into an mbedTLS certificate context
 * object.
 *
 * @param[in] pContext Caller TLS context.
 * @param[in] pLabelName PKCS #11 certificate object label. Not const-qualified
 * because the PKCS #11 template API takes a non-const pointer; the label is
 * not modified here.
 * @param[out] pCertificateContext Certificate context to parse the object into.
 *
 * @return True on success.
 */
static bool readCertificateIntoContext( MbedtlsPkcs11Context_t * pContext,
                                        char * pLabelName,
                                        mbedtls_x509_crt * pCertificateContext );
/**
 * @brief Helper for configuring MbedTLS to use the client private key from
 * PKCS #11 (the key material itself stays inside the token; signing is
 * delegated through a callback).
 *
 * @param[in] pContext Caller context.
 * @param[in] pPrivateKeyLabel PKCS #11 label for the private key.
 *
 * @return True on success.
 */
static bool initializeClientKeys( MbedtlsPkcs11Context_t * pContext,
                                  const char * pPrivateKeyLabel );
/**
 * @brief Sign a cryptographic hash with the private key. This is passed as a
 * callback to MbedTLS; the signing operation is performed by the PKCS #11
 * token, so the private key never has to be loaded into this process.
 *
 * @param[in] pContext Crypto context.
 * @param[in] mdAlg Unused.
 * @param[in] pHash Byte array of hash to be signed.
 * @param[in] hashLen Length in bytes of hash to be signed.
 * @param[out] pSig RSA signature bytes.
 * @param[in] sig_size Size in bytes of the @p pSig buffer; the signature must
 * not exceed it.
 * @param[out] pSigLen Receives the length in bytes of the signature written
 * to @p pSig.
 * @param[in] pRng Unused.
 * @param[in] pRngContext Unused.
 *
 * @return Zero on success.
 */
static int32_t privateKeySigningCallback( mbedtls_pk_context * pContext,
                                          mbedtls_md_type_t mdAlg,
                                          const unsigned char * pHash,
                                          size_t hashLen,
                                          unsigned char * pSig,
                                          size_t sig_size,
                                          size_t * pSigLen,
                                          int32_t ( * pRng )( void *, unsigned char *, size_t ),
                                          void * pRngContext );
/*-----------------------------------------------------------*/
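/**
 * @brief Initialize the MbedTLS and PKCS #11 members of a network context.
 *
 * Puts every MbedTLS object in the context into its initialized-but-empty
 * state and looks up the PKCS #11 function list. The function list pointer is
 * always left in a defined state: it is non-NULL only when
 * C_GetFunctionList reports success.
 *
 * @param[in,out] pContext Network context to initialize. Must not be NULL.
 */
static void contextInit( MbedtlsPkcs11Context_t * pContext )
{
    assert( pContext != NULL );

    mbedtls_net_init( &( pContext->socketContext ) );
    mbedtls_ssl_init( &( pContext->context ) );
    mbedtls_ssl_config_init( &( pContext->config ) );
    mbedtls_x509_crt_init( &( pContext->rootCa ) );
    mbedtls_x509_crt_init( &( pContext->clientCert ) );

    /* Start from a known value: the context may be uninitialized memory, and
     * a table of function pointers must never be left as garbage in case a
     * later call dispatches through it. */
    pContext->pP11FunctionList = NULL;

    /* The original code ignored the CK_RV; on failure PKCS #11 leaves the
     * output undefined, so force it back to NULL rather than trusting it. */
    if( C_GetFunctionList( &( pContext->pP11FunctionList ) ) != CKR_OK )
    {
        pContext->pP11FunctionList = NULL;
    }
}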