|
|
|
GnuTLS API Reference Manual | |
|---|---|---|---|---|
| Top | Description | ||||
struct gnutls_pubkey_st; typedef gnutls_pubkey_t; int gnutls_pubkey_init (gnutls_pubkey_t *key); void gnutls_pubkey_deinit (gnutls_pubkey_t key); int gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key,unsigned int *bits); int gnutls_pubkey_import_x509 (gnutls_pubkey_t key,gnutls_x509_crt_t crt,unsigned int flags); int gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,gnutls_pkcs11_obj_t obj,unsigned int flags); int gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,gnutls_openpgp_crt_t crt,unsigned int flags); int gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,gnutls_digest_algorithm_t *hash,unsigned int *mand); int gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,gnutls_datum_t *m,gnutls_datum_t *e); int gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,gnutls_datum_t *p,gnutls_datum_t *q,gnutls_datum_t *g,gnutls_datum_t *y); int gnutls_pubkey_export (gnutls_pubkey_t key,gnutls_x509_crt_fmt_t format,void *output_data,size_t *output_data_size); int gnutls_pubkey_get_key_id (gnutls_pubkey_t key,unsigned int flags,unsigned char *output_data,size_t *output_data_size); int gnutls_pubkey_get_key_usage (gnutls_pubkey_t key,unsigned int *usage); int gnutls_pubkey_set_key_usage (gnutls_pubkey_t key,unsigned int usage); int gnutls_pubkey_import (gnutls_pubkey_t key,const gnutls_datum_t *data,gnutls_x509_crt_fmt_t format); int gnutls_pubkey_import_pkcs11_url (gnutls_pubkey_t key,const char *url,unsigned int flags); int gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,const gnutls_datum_t *p,const gnutls_datum_t *q,const gnutls_datum_t *g,const gnutls_datum_t *y); int gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key,const gnutls_datum_t *m,const gnutls_datum_t *e); int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt,gnutls_pubkey_t key); int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq,gnutls_pubkey_t key); int gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,const gnutls_datum_t *signature,gnutls_digest_algorithm_t *hash); struct gnutls_privkey_st; typedef gnutls_privkey_t; int gnutls_privkey_init (gnutls_privkey_t *key); void gnutls_privkey_deinit (gnutls_privkey_t key); int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key,unsigned int *bits); gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key); #define GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey,gnutls_pkcs11_privkey_t key,unsigned int flags); int gnutls_privkey_import_x509 (gnutls_privkey_t pkey,gnutls_x509_privkey_t key,unsigned int flags); int gnutls_privkey_import_openpgp (gnutls_privkey_t pkey,gnutls_openpgp_privkey_t key,unsigned int flags); int gnutls_privkey_sign_data (gnutls_privkey_t signer,gnutls_digest_algorithm_t hash,unsigned int flags,const gnutls_datum_t *data,gnutls_datum_t *signature); int gnutls_privkey_sign_hash (gnutls_privkey_t signer,gnutls_digest_algorithm_t hash_algo,unsigned int flags,const gnutls_datum_t *hash_data,gnutls_datum_t *signature); int gnutls_privkey_decrypt_data (gnutls_privkey_t key,unsigned int flags,const gnutls_datum_t *ciphertext,gnutls_datum_t *plaintext); int gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer,gnutls_privkey_t issuer_key,gnutls_digest_algorithm_t dig,unsigned int flags); int gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl,gnutls_x509_crt_t issuer,gnutls_privkey_t issuer_key,gnutls_digest_algorithm_t dig,unsigned int flags); int gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq,gnutls_privkey_t key,gnutls_digest_algorithm_t dig,unsigned int flags);
int gnutls_pubkey_init (gnutls_pubkey_t *key);
This function will initialize an public key structure.
|
The structure to be initialized |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
void gnutls_pubkey_deinit (gnutls_pubkey_t key);
This function will deinitialize a public key structure.
|
The structure to be deinitialized |
Since 2.12.0
int gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key,unsigned int *bits);
This function will return the public key algorithm of a public key and if possible will return a number of bits that indicates the security parameter of the key.
|
should contain a gnutls_pubkey_t structure |
|
If set will return the number of bits of the parameters (may be NULL) |
Returns : |
a member of the gnutls_pk_algorithm_t enumeration on success, or a negative error code on error. |
Since 2.12.0
int gnutls_pubkey_import_x509 (gnutls_pubkey_t key,gnutls_x509_crt_t crt,unsigned int flags);
This function will import the given public key to the abstract gnutls_pubkey_t structure.
|
The public key |
|
The certificate to be imported |
|
should be zero |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,gnutls_pkcs11_obj_t obj,unsigned int flags);
Imports a public key from a pkcs11 key. This function will import the given public key to the abstract gnutls_pubkey_t structure.
|
The public key |
|
The parameters to be imported |
|
should be zero |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,gnutls_openpgp_crt_t crt,unsigned int flags);
Imports a public key from an openpgp key. This function will import the given public key to the abstract gnutls_pubkey_t structure. The subkey set as preferred will be imported or the master key otherwise.
|
The public key |
|
The certificate to be imported |
|
should be zero |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,gnutls_digest_algorithm_t *hash,unsigned int *mand);
This function will read the certifcate and return the appropriate digest algorithm to use for signing with this certificate. Some certificates (i.e. DSA might not be able to sign without the preferred algorithm).
|
Holds the certificate |
|
The result of the call with the hash algorithm used for signature |
|
If non zero it means that the algorithm MUST use this hash. May be NULL. |
Returns : |
the 0 if the hash algorithm is found. A negative error code is returned on error. |
Since 2.12.0
int gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,gnutls_datum_t *m,gnutls_datum_t *e);
This function will export the RSA public key's parameters found in
the given structure. The new parameters will be allocated using
gnutls_malloc() and will be stored in the appropriate datum.
|
Holds the certificate |
|
will hold the modulus |
|
will hold the public exponent |
Returns : |
GNUTLS_E_SUCCESS on success, otherwise a negative error code. |
Since 2.12.0
int gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,gnutls_datum_t *p,gnutls_datum_t *q,gnutls_datum_t *g,gnutls_datum_t *y);
This function will export the DSA public key's parameters found in
the given certificate. The new parameters will be allocated using
gnutls_malloc() and will be stored in the appropriate datum.
|
Holds the public key |
|
will hold the p |
|
will hold the q |
|
will hold the g |
|
will hold the y |
Returns : |
GNUTLS_E_SUCCESS on success, otherwise a negative error code. |
Since 2.12.0
int gnutls_pubkey_export (gnutls_pubkey_t key,gnutls_x509_crt_fmt_t format,void *output_data,size_t *output_data_size);
This function will export the public key to DER or PEM format. The contents of the exported data is the SubjectPublicKeyInfo X.509 structure.
If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.
If the structure is PEM encoded, it will have a header of "BEGIN CERTIFICATE".
|
Holds the certificate |
|
the format of output params. One of PEM or DER. |
|
will contain a certificate PEM or DER encoded |
|
holds the size of output_data (and will be replaced by the actual size of parameters) |
Returns : |
In case of failure a negative error code will be returned, and 0 on success. |
Since 2.12.0
int gnutls_pubkey_get_key_id (gnutls_pubkey_t key,unsigned int flags,unsigned char *output_data,size_t *output_data_size);
This function will return a unique ID that depends on the public key parameters. This ID can be used in checking whether a certificate corresponds to the given public key.
If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned. The output will normally be a SHA-1 hash output,
which is 20 bytes.
|
Holds the public key |
|
should be 0 for now |
|
will contain the key ID |
|
holds the size of output_data (and will be replaced by the actual size of parameters) |
Returns : |
In case of failure a negative error code will be returned, and 0 on success. |
Since 2.12.0
int gnutls_pubkey_get_key_usage (gnutls_pubkey_t key,unsigned int *usage);
This function will return the key usage of the public key.
|
should contain a gnutls_pubkey_t structure |
|
If set will return the number of bits of the parameters (may be NULL) |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_set_key_usage (gnutls_pubkey_t key,unsigned int usage);
This function will set the key usage flags of the public key. This is only useful if the key is to be exported to a certificate or certificate request.
|
a certificate of type gnutls_x509_crt_t |
|
an ORed sequence of the GNUTLS_KEY_* elements. |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_import (gnutls_pubkey_t key,const gnutls_datum_t *data,gnutls_x509_crt_fmt_t format);
This function will import the provided public key in
a SubjectPublicKeyInfo X.509 structure to a native
gnutls_pubkey_t structure. The output will be stored
in key. If the public key is PEM encoded it should have a header
of "PUBLIC KEY".
|
The structure to store the parsed public key. |
|
The DER or PEM encoded certificate. |
|
One of DER or PEM |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_import_pkcs11_url (gnutls_pubkey_t key,const char *url,unsigned int flags);
This function will import a PKCS 11 certificate to a gnutls_pubkey_t structure.
|
A key of type gnutls_pubkey_t |
|
A PKCS 11 url |
|
One of GNUTLS_PKCS11_OBJ_* flags |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,const gnutls_datum_t *p,const gnutls_datum_t *q,const gnutls_datum_t *g,const gnutls_datum_t *y);
This function will convert the given DSA raw parameters to the
native gnutls_pubkey_t format. The output will be stored
in key.
|
The structure to store the parsed key |
|
holds the p |
|
holds the q |
|
holds the g |
|
holds the y |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key,const gnutls_datum_t *m,const gnutls_datum_t *e);
This function will replace the parameters in the given structure. The new parameters should be stored in the appropriate gnutls_datum.
|
Is a structure will hold the parameters |
|
holds the modulus |
|
holds the public exponent |
Returns : |
GNUTLS_E_SUCCESS on success, or an negative error code. |
Since 2.12.0
int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt,gnutls_pubkey_t key);
This function will set the public parameters from the given public key to the request.
|
should contain a gnutls_x509_crt_t structure |
|
holds a public key |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq,gnutls_pubkey_t key);
This function will set the public parameters from the given public key to the request.
|
should contain a gnutls_x509_crq_t structure |
|
holds a public key |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,const gnutls_datum_t *signature,gnutls_digest_algorithm_t *hash);
This function will read the certifcate and the signed data to determine the hash algorithm used to generate the signature.
|
Holds the certificate |
|
contains the signature |
|
The result of the call with the hash algorithm used for signature |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_privkey_init (gnutls_privkey_t *key);
This function will initialize an private key structure.
|
The structure to be initialized |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
void gnutls_privkey_deinit (gnutls_privkey_t key);
This function will deinitialize a private key structure.
|
The structure to be deinitialized |
Since 2.12.0
int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key,unsigned int *bits);
This function will return the public key algorithm of a private key and if possible will return a number of bits that indicates the security parameter of the key.
|
should contain a gnutls_privkey_t structure |
|
If set will return the number of bits of the parameters (may be NULL) |
Returns : |
a member of the gnutls_pk_algorithm_t enumeration on success, or a negative error code on error. |
Since 2.12.0
gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key);
This function will return the type of the private key. This is actually the type of the subsystem used to set this private key.
|
should contain a gnutls_privkey_t structure |
Returns : |
a member of the gnutls_privkey_type_t enumeration on success, or a negative error code on error. |
Since 2.12.0
int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey,gnutls_pkcs11_privkey_t key,unsigned int flags);
This function will import the given private key to the abstract gnutls_privkey_t structure.
The gnutls_pkcs11_privkey_t object must not be deallocated during the lifetime of this structure.
flags might be zero or one of GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
and GNUTLS_PRIVKEY_IMPORT_COPY.
|
The private key |
|
The private key to be imported |
|
Flags for the import |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_privkey_import_x509 (gnutls_privkey_t pkey,gnutls_x509_privkey_t key,unsigned int flags);
This function will import the given private key to the abstract gnutls_privkey_t structure.
The gnutls_x509_privkey_t object must not be deallocated during the lifetime of this structure.
flags might be zero or one of GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
and GNUTLS_PRIVKEY_IMPORT_COPY.
|
The private key |
|
The private key to be imported |
|
Flags for the import |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_privkey_import_openpgp (gnutls_privkey_t pkey,gnutls_openpgp_privkey_t key,unsigned int flags);
This function will import the given private key to the abstract gnutls_privkey_t structure.
The gnutls_openpgp_privkey_t object must not be deallocated during the lifetime of this structure. The subkey set as preferred will be used, or the master key otherwise.
flags might be zero or one of GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
and GNUTLS_PRIVKEY_IMPORT_COPY.
|
The private key |
|
The private key to be imported |
|
Flags for the import |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_privkey_sign_data (gnutls_privkey_t signer,gnutls_digest_algorithm_t hash,unsigned int flags,const gnutls_datum_t *data,gnutls_datum_t *signature);
This function will sign the given data using a signature algorithm supported by the private key. Signature algorithms are always used together with a hash functions. Different hash functions may be used for the RSA algorithm, but only the SHA family for the DSA keys.
You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
the hash algorithm.
|
Holds the key |
|
should be a digest algorithm |
|
should be 0 for now |
|
holds the data to be signed |
|
will contain the signature allocate with gnutls_malloc()
|
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_privkey_sign_hash (gnutls_privkey_t signer,gnutls_digest_algorithm_t hash_algo,unsigned int flags,const gnutls_datum_t *hash_data,gnutls_datum_t *signature);
This function will sign the given hashed data using a signature algorithm supported by the private key. Signature algorithms are always used together with a hash functions. Different hash functions may be used for the RSA algorithm, but only SHA-XXX for the DSA keys.
You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
the hash algorithm.
|
Holds the signer's key |
|
The hash algorithm used |
|
zero for now |
|
holds the data to be signed |
|
will contain newly allocated signature |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_privkey_decrypt_data (gnutls_privkey_t key,unsigned int flags,const gnutls_datum_t *ciphertext,gnutls_datum_t *plaintext);
This function will decrypt the given data using the algorithm supported by the private key.
|
Holds the key |
|
zero for now |
|
holds the data to be decrypted |
|
will contain the decrypted data, allocated with gnutls_malloc()
|
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
Since 2.12.0
int gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer,gnutls_privkey_t issuer_key,gnutls_digest_algorithm_t dig,unsigned int flags);
This function will sign the certificate with the issuer's private key, and will copy the issuer's information into the certificate.
This must be the last step in a certificate generation since all the previously set parameters are now signed.
|
a certificate of type gnutls_x509_crt_t |
|
is the certificate of the certificate issuer |
|
holds the issuer's private key |
|
The message digest to use, GNUTLS_DIG_SHA1 is a safe choice |
|
must be 0 |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value. |
int gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl,gnutls_x509_crt_t issuer,gnutls_privkey_t issuer_key,gnutls_digest_algorithm_t dig,unsigned int flags);
This function will sign the CRL with the issuer's private key, and will copy the issuer's information into the CRL.
This must be the last step in a certificate CRL since all the previously set parameters are now signed.
|
should contain a gnutls_x509_crl_t structure |
|
is the certificate of the certificate issuer |
|
holds the issuer's private key |
|
The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing. |
|
must be 0 |
Returns : |
On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since 2.12.0 |
int gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq,gnutls_privkey_t key,gnutls_digest_algorithm_t dig,unsigned int flags);
This function will sign the certificate request with a private key.
This must be the same key as the one used in
gnutls_x509_crt_set_key() since a certificate request is self
signed.
This must be the last step in a certificate request generation since all the previously set parameters are now signed.
|
should contain a gnutls_x509_crq_t structure |
|
holds a private key |
|
The message digest to use, i.e., GNUTLS_DIG_SHA1
|
|
must be 0 |
Returns : |
GNUTLS_E_SUCCESS on success, otherwise a negative error code.
GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
information in the certificate request (e.g., the version using
gnutls_x509_crq_set_version()). |
Since 2.12.0