1 This is gnutls.info, produced by makeinfo version 6.3 from gnutls.texi.
3 This manual is last updated 23 March 2015 for version 3.3.27 of GnuTLS.
5 Copyright (C) 2001-2013 Free Software Foundation, Inc.\\ Copyright (C)
6 2001-2013 Nikos Mavrogiannopoulos
8 Permission is granted to copy, distribute and/or modify this
9 document under the terms of the GNU Free Documentation License,
10 Version 1.3 or any later version published by the Free Software
11 Foundation; with no Invariant Sections, no Front-Cover Texts, and
12 no Back-Cover Texts. A copy of the license is included in the
13 section entitled "GNU Free Documentation License".
14 INFO-DIR-SECTION Software libraries
16 * GnuTLS: (gnutls). GNU Transport Layer Security Library.
19 INFO-DIR-SECTION System Administration
21 * certtool: (gnutls)Invoking certtool. Manipulate certificates and keys.
22 * gnutls-serv: (gnutls)Invoking gnutls-serv. GnuTLS test server.
23 * gnutls-cli: (gnutls)Invoking gnutls-cli. GnuTLS test client.
24 * gnutls-cli-debug: (gnutls)Invoking gnutls-cli-debug. GnuTLS debug client.
25 * psktool: (gnutls)Invoking psktool. Simple TLS-Pre-Shared-Keys manager.
26 * srptool: (gnutls)Invoking srptool. Simple SRP password tool.
30 File: gnutls.info, Node: OCSP API, Next: OpenPGP API, Prev: X509 certificate API, Up: API reference
35 The following functions are for OCSP certificate status checking. Their
36 prototypes lie in 'gnutls/ocsp.h'.
38 gnutls_ocsp_req_add_cert
39 ------------------------
41 -- Function: int gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t REQ,
42 gnutls_digest_algorithm_t DIGEST, gnutls_x509_crt_t ISSUER,
43 gnutls_x509_crt_t CERT)
44 REQ: should contain a 'gnutls_ocsp_req_t' structure
46 DIGEST: hash algorithm, a 'gnutls_digest_algorithm_t' value
48 ISSUER: issuer of 'subject' certificate
50 CERT: certificate to request status for
52 This function will add another request to the OCSP request for a
53 particular certificate. The issuer name hash, issuer key hash, and
54 serial number fields is populated as follows. The issuer name and
55 the serial number is taken from 'cert' . The issuer key is taken
56 from 'issuer' . The hashed values will be hashed using the
57 'digest' algorithm, normally 'GNUTLS_DIG_SHA1' .
59 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
60 otherwise a negative error code is returned.
62 gnutls_ocsp_req_add_cert_id
63 ---------------------------
65 -- Function: int gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t REQ,
66 gnutls_digest_algorithm_t DIGEST, const gnutls_datum_t *
67 ISSUER_NAME_HASH, const gnutls_datum_t * ISSUER_KEY_HASH,
68 const gnutls_datum_t * SERIAL_NUMBER)
69 REQ: should contain a 'gnutls_ocsp_req_t' structure
71 DIGEST: hash algorithm, a 'gnutls_digest_algorithm_t' value
73 ISSUER_NAME_HASH: hash of issuer's DN
75 ISSUER_KEY_HASH: hash of issuer's public key
77 SERIAL_NUMBER: serial number of certificate to check
79 This function will add another request to the OCSP request for a
80 particular certificate having the issuer name hash of
81 'issuer_name_hash' and issuer key hash of 'issuer_key_hash' (both
82 hashed using 'digest' ) and serial number 'serial_number' .
84 The information needed corresponds to the CertID structure:
86 <informalexample><programlisting> CertID ::= SEQUENCE {
87 hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -
88 Hash of Issuer's DN issuerKeyHash OCTET STRING, - Hash of Issuers
89 public key serialNumber CertificateSerialNumber }
90 </programlisting></informalexample>
92 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
93 otherwise a negative error code is returned.
95 gnutls_ocsp_req_deinit
96 ----------------------
98 -- Function: void gnutls_ocsp_req_deinit (gnutls_ocsp_req_t REQ)
99 REQ: The structure to be deinitialized
101 This function will deinitialize a OCSP request structure.
103 gnutls_ocsp_req_export
104 ----------------------
106 -- Function: int gnutls_ocsp_req_export (gnutls_ocsp_req_t REQ,
107 gnutls_datum_t * DATA)
108 REQ: Holds the OCSP request
110 DATA: newly allocate buffer holding DER encoded OCSP request
112 This function will export the OCSP request to DER format.
114 *Returns:* In case of failure a negative error code will be
115 returned, and 0 on success.
117 gnutls_ocsp_req_get_cert_id
118 ---------------------------
120 -- Function: int gnutls_ocsp_req_get_cert_id (gnutls_ocsp_req_t REQ,
121 unsigned INDX, gnutls_digest_algorithm_t * DIGEST,
122 gnutls_datum_t * ISSUER_NAME_HASH, gnutls_datum_t *
123 ISSUER_KEY_HASH, gnutls_datum_t * SERIAL_NUMBER)
124 REQ: should contain a 'gnutls_ocsp_req_t' structure
126 INDX: Specifies which extension OID to get. Use (0) to get the
129 DIGEST: output variable with 'gnutls_digest_algorithm_t' hash
132 ISSUER_NAME_HASH: output buffer with hash of issuer's DN
134 ISSUER_KEY_HASH: output buffer with hash of issuer's public key
136 SERIAL_NUMBER: output buffer with serial number of certificate to
139 This function will return the certificate information of the 'indx'
140 'ed request in the OCSP request. The information returned
141 corresponds to the CertID structure:
143 <informalexample><programlisting> CertID ::= SEQUENCE {
144 hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -
145 Hash of Issuer's DN issuerKeyHash OCTET STRING, - Hash of Issuers
146 public key serialNumber CertificateSerialNumber }
147 </programlisting></informalexample>
149 Each of the pointers to output variables may be NULL to indicate
150 that the caller is not interested in that value.
152 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
153 otherwise a negative error code is returned. If you have reached
154 the last CertID available 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE'
157 gnutls_ocsp_req_get_extension
158 -----------------------------
160 -- Function: int gnutls_ocsp_req_get_extension (gnutls_ocsp_req_t REQ,
161 unsigned INDX, gnutls_datum_t * OID, unsigned int * CRITICAL,
162 gnutls_datum_t * DATA)
163 REQ: should contain a 'gnutls_ocsp_req_t' structure
165 INDX: Specifies which extension OID to get. Use (0) to get the
168 OID: will hold newly allocated buffer with OID of extension, may be
171 CRITICAL: output variable with critical flag, may be NULL.
173 DATA: will hold newly allocated buffer with extension data, may be
176 This function will return all information about the requested
177 extension in the OCSP request. The information returned is the
178 OID, the critical flag, and the data itself. The extension OID
179 will be stored as a string. Any of 'oid' , 'critical' , and 'data'
180 may be NULL which means that the caller is not interested in
181 getting that information back.
183 The caller needs to deallocate memory by calling 'gnutls_free()' on
184 'oid' ->data and 'data' ->data.
186 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
187 otherwise a negative error code is returned. If you have reached
188 the last extension available
189 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
191 gnutls_ocsp_req_get_nonce
192 -------------------------
194 -- Function: int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t REQ,
195 unsigned int * CRITICAL, gnutls_datum_t * NONCE)
196 REQ: should contain a 'gnutls_ocsp_req_t' structure
198 CRITICAL: whether nonce extension is marked critical, or NULL
200 NONCE: will hold newly allocated buffer with nonce data
202 This function will return the OCSP request nonce extension data.
204 The caller needs to deallocate memory by calling 'gnutls_free()' on
207 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
208 otherwise a negative error code is returned.
210 gnutls_ocsp_req_get_version
211 ---------------------------
213 -- Function: int gnutls_ocsp_req_get_version (gnutls_ocsp_req_t REQ)
214 REQ: should contain a 'gnutls_ocsp_req_t' structure
216 This function will return the version of the OCSP request.
217 Typically this is always 1 indicating version 1.
219 *Returns:* version of OCSP request, or a negative error code on
222 gnutls_ocsp_req_import
223 ----------------------
225 -- Function: int gnutls_ocsp_req_import (gnutls_ocsp_req_t REQ, const
226 gnutls_datum_t * DATA)
227 REQ: The structure to store the parsed request.
229 DATA: DER encoded OCSP request.
231 This function will convert the given DER encoded OCSP request to
232 the native 'gnutls_ocsp_req_t' format. The output will be stored
235 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
236 otherwise a negative error value.
241 -- Function: int gnutls_ocsp_req_init (gnutls_ocsp_req_t * REQ)
242 REQ: The structure to be initialized
244 This function will initialize an OCSP request structure.
246 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
247 otherwise a negative error value.
249 gnutls_ocsp_req_print
250 ---------------------
252 -- Function: int gnutls_ocsp_req_print (gnutls_ocsp_req_t REQ,
253 gnutls_ocsp_print_formats_t FORMAT, gnutls_datum_t * OUT)
254 REQ: The structure to be printed
256 FORMAT: Indicate the format to use
258 OUT: Newly allocated datum with (0) terminated string.
260 This function will pretty print a OCSP request, suitable for
263 If the format is 'GNUTLS_OCSP_PRINT_FULL' then all fields of the
264 request will be output, on multiple lines.
266 The output 'out' ->data needs to be deallocate using
269 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
270 otherwise a negative error value.
272 gnutls_ocsp_req_randomize_nonce
273 -------------------------------
275 -- Function: int gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t
277 REQ: should contain a 'gnutls_ocsp_req_t' structure
279 This function will add or update an nonce extension to the OCSP
280 request with a newly generated random value.
282 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
283 otherwise a negative error code is returned.
285 gnutls_ocsp_req_set_extension
286 -----------------------------
288 -- Function: int gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t REQ,
289 const char * OID, unsigned int CRITICAL, const gnutls_datum_t
291 REQ: should contain a 'gnutls_ocsp_req_t' structure
293 OID: buffer with OID of extension as a string.
295 CRITICAL: critical flag, normally false.
297 DATA: the extension data
299 This function will add an extension to the OCSP request. Calling
300 this function multiple times for the same OID will overwrite values
303 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
304 otherwise a negative error code is returned.
306 gnutls_ocsp_req_set_nonce
307 -------------------------
309 -- Function: int gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t REQ,
310 unsigned int CRITICAL, const gnutls_datum_t * NONCE)
311 REQ: should contain a 'gnutls_ocsp_req_t' structure
313 CRITICAL: critical flag, normally false.
315 NONCE: the nonce data
317 This function will add an nonce extension to the OCSP request.
318 Calling this function multiple times will overwrite values from
321 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
322 otherwise a negative error code is returned.
324 gnutls_ocsp_resp_check_crt
325 --------------------------
327 -- Function: int gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t RESP,
328 unsigned int INDX, gnutls_x509_crt_t CRT)
329 RESP: should contain a 'gnutls_ocsp_resp_t' structure
331 INDX: Specifies response number to get. Use (0) to get the first
334 CRT: The certificate to check
336 This function will check whether the OCSP response is about the
337 provided certificate.
339 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
340 otherwise a negative error code is returned.
344 gnutls_ocsp_resp_deinit
345 -----------------------
347 -- Function: void gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t RESP)
348 RESP: The structure to be deinitialized
350 This function will deinitialize a OCSP response structure.
352 gnutls_ocsp_resp_export
353 -----------------------
355 -- Function: int gnutls_ocsp_resp_export (gnutls_ocsp_resp_t RESP,
356 gnutls_datum_t * DATA)
357 RESP: Holds the OCSP response
359 DATA: newly allocate buffer holding DER encoded OCSP response
361 This function will export the OCSP response to DER format.
363 *Returns:* In case of failure a negative error code will be
364 returned, and 0 on success.
366 gnutls_ocsp_resp_get_certs
367 --------------------------
369 -- Function: int gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_t RESP,
370 gnutls_x509_crt_t ** CERTS, size_t * NCERTS)
371 RESP: should contain a 'gnutls_ocsp_resp_t' structure
373 CERTS: newly allocated array with 'gnutls_x509_crt_t' certificates
375 NCERTS: output variable with number of allocated certs.
377 This function will extract the X.509 certificates found in the
378 Basic OCSP Response. The 'certs' output variable will hold a newly
379 allocated zero-terminated array with X.509 certificates.
381 Every certificate in the array needs to be de-allocated with
382 'gnutls_x509_crt_deinit()' and the array itself must be freed using
385 Both the 'certs' and 'ncerts' variables may be NULL. Then the
386 function will work as normal but will not return the NULL:d
387 information. This can be used to get the number of certificates
388 only, or to just get the certificate array without its size.
390 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
391 otherwise a negative error value.
393 gnutls_ocsp_resp_get_extension
394 ------------------------------
396 -- Function: int gnutls_ocsp_resp_get_extension (gnutls_ocsp_resp_t
397 RESP, unsigned INDX, gnutls_datum_t * OID, unsigned int *
398 CRITICAL, gnutls_datum_t * DATA)
399 RESP: should contain a 'gnutls_ocsp_resp_t' structure
401 INDX: Specifies which extension OID to get. Use (0) to get the
404 OID: will hold newly allocated buffer with OID of extension, may be
407 CRITICAL: output variable with critical flag, may be NULL.
409 DATA: will hold newly allocated buffer with extension data, may be
412 This function will return all information about the requested
413 extension in the OCSP response. The information returned is the
414 OID, the critical flag, and the data itself. The extension OID
415 will be stored as a string. Any of 'oid' , 'critical' , and 'data'
416 may be NULL which means that the caller is not interested in
417 getting that information back.
419 The caller needs to deallocate memory by calling 'gnutls_free()' on
420 'oid' ->data and 'data' ->data.
422 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
423 otherwise a negative error code is returned. If you have reached
424 the last extension available
425 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
427 gnutls_ocsp_resp_get_nonce
428 --------------------------
430 -- Function: int gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t RESP,
431 unsigned int * CRITICAL, gnutls_datum_t * NONCE)
432 RESP: should contain a 'gnutls_ocsp_resp_t' structure
434 CRITICAL: whether nonce extension is marked critical
436 NONCE: will hold newly allocated buffer with nonce data
438 This function will return the Basic OCSP Response nonce extension
441 The caller needs to deallocate memory by calling 'gnutls_free()' on
444 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
445 otherwise a negative error code is returned.
447 gnutls_ocsp_resp_get_produced
448 -----------------------------
450 -- Function: time_t gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t
452 RESP: should contain a 'gnutls_ocsp_resp_t' structure
454 This function will return the time when the OCSP response was
457 *Returns:* signing time, or (time_t)-1 on error.
459 gnutls_ocsp_resp_get_responder
460 ------------------------------
462 -- Function: int gnutls_ocsp_resp_get_responder (gnutls_ocsp_resp_t
463 RESP, gnutls_datum_t * DN)
464 RESP: should contain a 'gnutls_ocsp_resp_t' structure
466 DN: newly allocated buffer with name
468 This function will extract the name of the Basic OCSP Response in
469 the provided buffer. The name will be in the form
470 "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
471 will be ASCII or UTF-8 encoded, depending on the certificate data.
473 The caller needs to deallocate memory by calling 'gnutls_free()' on
476 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
477 otherwise a negative error code is returned.
479 gnutls_ocsp_resp_get_response
480 -----------------------------
482 -- Function: int gnutls_ocsp_resp_get_response (gnutls_ocsp_resp_t
483 RESP, gnutls_datum_t * RESPONSE_TYPE_OID, gnutls_datum_t *
485 RESP: should contain a 'gnutls_ocsp_resp_t' structure
487 RESPONSE_TYPE_OID: newly allocated output buffer with response type
490 RESPONSE: newly allocated output buffer with DER encoded response
492 This function will extract the response type OID in and the
493 response data from an OCSP response. Normally the
494 'response_type_oid' is always "1.3.6.1.5.5.7.48.1.1" which means
495 the 'response' should be decoded as a Basic OCSP Response, but
496 technically other response types could be used.
498 This function is typically only useful when you want to extract the
499 response type OID of an response for diagnostic purposes.
500 Otherwise 'gnutls_ocsp_resp_import()' will decode the basic OCSP
501 response part and the caller need not worry about that aspect.
503 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
504 otherwise a negative error value.
506 gnutls_ocsp_resp_get_signature
507 ------------------------------
509 -- Function: int gnutls_ocsp_resp_get_signature (gnutls_ocsp_resp_t
510 RESP, gnutls_datum_t * SIG)
511 RESP: should contain a 'gnutls_ocsp_resp_t' structure
513 SIG: newly allocated output buffer with signature data
515 This function will extract the signature field of a OCSP response.
517 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
518 otherwise a negative error value.
520 gnutls_ocsp_resp_get_signature_algorithm
521 ----------------------------------------
523 -- Function: int gnutls_ocsp_resp_get_signature_algorithm
524 (gnutls_ocsp_resp_t RESP)
525 RESP: should contain a 'gnutls_ocsp_resp_t' structure
527 This function will return a value of the 'gnutls_sign_algorithm_t'
528 enumeration that is the signature algorithm that has been used to
529 sign the OCSP response.
531 *Returns:* a 'gnutls_sign_algorithm_t' value, or a negative error
534 gnutls_ocsp_resp_get_single
535 ---------------------------
537 -- Function: int gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_t RESP,
538 unsigned INDX, gnutls_digest_algorithm_t * DIGEST,
539 gnutls_datum_t * ISSUER_NAME_HASH, gnutls_datum_t *
540 ISSUER_KEY_HASH, gnutls_datum_t * SERIAL_NUMBER, unsigned int
541 * CERT_STATUS, time_t * THIS_UPDATE, time_t * NEXT_UPDATE,
542 time_t * REVOCATION_TIME, unsigned int * REVOCATION_REASON)
543 RESP: should contain a 'gnutls_ocsp_resp_t' structure
545 INDX: Specifies response number to get. Use (0) to get the first
548 DIGEST: output variable with 'gnutls_digest_algorithm_t' hash
551 ISSUER_NAME_HASH: output buffer with hash of issuer's DN
553 ISSUER_KEY_HASH: output buffer with hash of issuer's public key
555 SERIAL_NUMBER: output buffer with serial number of certificate to
558 CERT_STATUS: a certificate status, a 'gnutls_ocsp_cert_status_t'
561 THIS_UPDATE: time at which the status is known to be correct.
563 NEXT_UPDATE: when newer information will be available, or
564 (time_t)-1 if unspecified
566 REVOCATION_TIME: when 'cert_status' is 'GNUTLS_OCSP_CERT_REVOKED' ,
567 holds time of revocation.
569 REVOCATION_REASON: revocation reason, a 'gnutls_x509_crl_reason_t'
572 This function will return the certificate information of the 'indx'
573 'ed response in the Basic OCSP Response 'resp' . The information
574 returned corresponds to the OCSP SingleResponse structure except
575 the final singleExtensions.
577 Each of the pointers to output variables may be NULL to indicate
578 that the caller is not interested in that value.
580 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
581 otherwise a negative error code is returned. If you have reached
582 the last CertID available 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE'
585 gnutls_ocsp_resp_get_status
586 ---------------------------
588 -- Function: int gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_t RESP)
589 RESP: should contain a 'gnutls_ocsp_resp_t' structure
591 This function will return the status of a OCSP response, an
592 'gnutls_ocsp_resp_status_t' enumeration.
594 *Returns:* status of OCSP request as a 'gnutls_ocsp_resp_status_t'
595 , or a negative error code on error.
597 gnutls_ocsp_resp_get_version
598 ----------------------------
600 -- Function: int gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_t RESP)
601 RESP: should contain a 'gnutls_ocsp_resp_t' structure
603 This function will return the version of the Basic OCSP Response.
604 Typically this is always 1 indicating version 1.
606 *Returns:* version of Basic OCSP response, or a negative error code
609 gnutls_ocsp_resp_import
610 -----------------------
612 -- Function: int gnutls_ocsp_resp_import (gnutls_ocsp_resp_t RESP,
613 const gnutls_datum_t * DATA)
614 RESP: The structure to store the parsed response.
616 DATA: DER encoded OCSP response.
618 This function will convert the given DER encoded OCSP response to
619 the native 'gnutls_ocsp_resp_t' format. It also decodes the Basic
620 OCSP Response part, if any. The output will be stored in 'resp' .
622 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
623 otherwise a negative error value.
625 gnutls_ocsp_resp_init
626 ---------------------
628 -- Function: int gnutls_ocsp_resp_init (gnutls_ocsp_resp_t * RESP)
629 RESP: The structure to be initialized
631 This function will initialize an OCSP response structure.
633 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
634 otherwise a negative error value.
636 gnutls_ocsp_resp_print
637 ----------------------
639 -- Function: int gnutls_ocsp_resp_print (gnutls_ocsp_resp_t RESP,
640 gnutls_ocsp_print_formats_t FORMAT, gnutls_datum_t * OUT)
641 RESP: The structure to be printed
643 FORMAT: Indicate the format to use
645 OUT: Newly allocated datum with (0) terminated string.
647 This function will pretty print a OCSP response, suitable for
650 If the format is 'GNUTLS_OCSP_PRINT_FULL' then all fields of the
651 response will be output, on multiple lines.
653 The output 'out' ->data needs to be deallocate using
656 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
657 otherwise a negative error value.
659 gnutls_ocsp_resp_verify
660 -----------------------
662 -- Function: int gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t RESP,
663 gnutls_x509_trust_list_t TRUSTLIST, unsigned int * VERIFY,
665 RESP: should contain a 'gnutls_ocsp_resp_t' structure
667 TRUSTLIST: trust anchors as a 'gnutls_x509_trust_list_t' structure
669 VERIFY: output variable with verification status, an
670 'gnutls_ocsp_cert_status_t'
672 FLAGS: verification flags, 0 for now.
674 Verify signature of the Basic OCSP Response against the public key
675 in the certificate of a trusted signer. The 'trustlist' should be
676 populated with trust anchors. The function will extract the signer
677 certificate from the Basic OCSP Response and will verify it against
678 the 'trustlist' . A trusted signer is a certificate that is either
679 in 'trustlist' , or it is signed directly by a certificate in
680 'trustlist' and has the id-ad-ocspSigning Extended Key Usage bit
683 The output 'verify' variable will hold verification status codes
684 (e.g., 'GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND' ,
685 'GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM' ) which are only valid if
686 the function returned 'GNUTLS_E_SUCCESS' .
688 Note that the function returns 'GNUTLS_E_SUCCESS' even when
689 verification failed. The caller must always inspect the 'verify'
690 variable to find out the verification status.
692 The 'flags' variable should be 0 for now.
694 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
695 otherwise a negative error value.
697 gnutls_ocsp_resp_verify_direct
698 ------------------------------
700 -- Function: int gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t
701 RESP, gnutls_x509_crt_t ISSUER, unsigned int * VERIFY,
703 RESP: should contain a 'gnutls_ocsp_resp_t' structure
705 ISSUER: certificate believed to have signed the response
707 VERIFY: output variable with verification status, an
708 'gnutls_ocsp_cert_status_t'
710 FLAGS: verification flags, 0 for now.
712 Verify signature of the Basic OCSP Response against the public key
713 in the 'issuer' certificate.
715 The output 'verify' variable will hold verification status codes
716 (e.g., 'GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND' ,
717 'GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM' ) which are only valid if
718 the function returned 'GNUTLS_E_SUCCESS' .
720 Note that the function returns 'GNUTLS_E_SUCCESS' even when
721 verification failed. The caller must always inspect the 'verify'
722 variable to find out the verification status.
724 The 'flags' variable should be 0 for now.
726 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
727 otherwise a negative error value.
730 File: gnutls.info, Node: OpenPGP API, Next: PKCS 12 API, Prev: OCSP API, Up: API reference
735 The following functions are to be used for OpenPGP certificate handling.
736 Their prototypes lie in 'gnutls/openpgp.h'.
738 gnutls_certificate_set_openpgp_key
739 ----------------------------------
741 -- Function: int gnutls_certificate_set_openpgp_key
742 (gnutls_certificate_credentials_t RES, gnutls_openpgp_crt_t
743 CRT, gnutls_openpgp_privkey_t PKEY)
744 RES: is a 'gnutls_certificate_credentials_t' structure.
746 CRT: contains an openpgp public key
748 PKEY: is an openpgp private key
750 This function sets a certificate/private key pair in the
751 gnutls_certificate_credentials_t structure. This function may be
752 called more than once (in case multiple keys/certificates exist for
755 Note that this function requires that the preferred key ids have
756 been set and be used. See
757 'gnutls_openpgp_crt_set_preferred_key_id()' . Otherwise the master
760 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
761 otherwise a negative error code is returned.
763 gnutls_certificate_set_openpgp_key_file
764 ---------------------------------------
766 -- Function: int gnutls_certificate_set_openpgp_key_file
767 (gnutls_certificate_credentials_t RES, const char * CERTFILE,
768 const char * KEYFILE, gnutls_openpgp_crt_fmt_t FORMAT)
769 RES: the destination context to save the data.
771 CERTFILE: the file that contains the public key.
773 KEYFILE: the file that contains the secret key.
775 FORMAT: the format of the keys
777 This funtion is used to load OpenPGP keys into the GnuTLS
778 credentials structure. The file should contain at least one valid
779 non encrypted subkey.
781 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
782 otherwise a negative error value.
784 gnutls_certificate_set_openpgp_key_file2
785 ----------------------------------------
787 -- Function: int gnutls_certificate_set_openpgp_key_file2
788 (gnutls_certificate_credentials_t RES, const char * CERTFILE,
789 const char * KEYFILE, const char * SUBKEY_ID,
790 gnutls_openpgp_crt_fmt_t FORMAT)
791 RES: the destination context to save the data.
793 CERTFILE: the file that contains the public key.
795 KEYFILE: the file that contains the secret key.
797 SUBKEY_ID: a hex encoded subkey id
799 FORMAT: the format of the keys
801 This funtion is used to load OpenPGP keys into the GnuTLS
802 credential structure. The file should contain at least one valid
803 non encrypted subkey.
805 The special keyword "auto" is also accepted as 'subkey_id' . In
806 that case the 'gnutls_openpgp_crt_get_auth_subkey()' will be used
807 to retrieve the subkey.
809 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
810 otherwise a negative error value.
814 gnutls_certificate_set_openpgp_key_mem
815 --------------------------------------
817 -- Function: int gnutls_certificate_set_openpgp_key_mem
818 (gnutls_certificate_credentials_t RES, const gnutls_datum_t *
819 CERT, const gnutls_datum_t * KEY, gnutls_openpgp_crt_fmt_t
821 RES: the destination context to save the data.
823 CERT: the datum that contains the public key.
825 KEY: the datum that contains the secret key.
827 FORMAT: the format of the keys
829 This funtion is used to load OpenPGP keys into the GnuTLS
830 credential structure. The datum should contain at least one valid
831 non encrypted subkey.
833 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
834 otherwise a negative error value.
836 gnutls_certificate_set_openpgp_key_mem2
837 ---------------------------------------
839 -- Function: int gnutls_certificate_set_openpgp_key_mem2
840 (gnutls_certificate_credentials_t RES, const gnutls_datum_t *
841 CERT, const gnutls_datum_t * KEY, const char * SUBKEY_ID,
842 gnutls_openpgp_crt_fmt_t FORMAT)
843 RES: the destination context to save the data.
845 CERT: the datum that contains the public key.
847 KEY: the datum that contains the secret key.
849 SUBKEY_ID: a hex encoded subkey id
851 FORMAT: the format of the keys
853 This funtion is used to load OpenPGP keys into the GnuTLS
854 credentials structure. The datum should contain at least one valid
855 non encrypted subkey.
857 The special keyword "auto" is also accepted as 'subkey_id' . In
858 that case the 'gnutls_openpgp_crt_get_auth_subkey()' will be used
859 to retrieve the subkey.
861 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
862 otherwise a negative error value.
866 gnutls_certificate_set_openpgp_keyring_file
867 -------------------------------------------
869 -- Function: int gnutls_certificate_set_openpgp_keyring_file
870 (gnutls_certificate_credentials_t C, const char * FILE,
871 gnutls_openpgp_crt_fmt_t FORMAT)
872 C: A certificate credentials structure
874 FILE: filename of the keyring.
876 FORMAT: format of keyring.
878 The function is used to set keyrings that will be used internally
879 by various OpenPGP functions. For example to find a key when it is
880 needed for an operations. The keyring will also be used at the
881 verification functions.
883 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
884 otherwise a negative error value.
886 gnutls_certificate_set_openpgp_keyring_mem
887 ------------------------------------------
889 -- Function: int gnutls_certificate_set_openpgp_keyring_mem
890 (gnutls_certificate_credentials_t C, const uint8_t * DATA,
891 size_t DLEN, gnutls_openpgp_crt_fmt_t FORMAT)
892 C: A certificate credentials structure
894 DATA: buffer with keyring data.
896 DLEN: length of data buffer.
898 FORMAT: the format of the keyring
900 The function is used to set keyrings that will be used internally
901 by various OpenPGP functions. For example to find a key when it is
902 needed for an operations. The keyring will also be used at the
903 verification functions.
905 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
906 otherwise a negative error value.
908 gnutls_openpgp_crt_check_hostname
909 ---------------------------------
911 -- Function: int gnutls_openpgp_crt_check_hostname
912 (gnutls_openpgp_crt_t KEY, const char * HOSTNAME)
913 KEY: should contain a 'gnutls_openpgp_crt_t' structure
915 HOSTNAME: A null terminated string that contains a DNS name
917 This function will check if the given key's owner matches the given
918 hostname. This is a basic implementation of the matching described
919 in RFC2818 (HTTPS), which takes into account wildcards.
921 *Returns:* non-zero for a successful match, and zero on failure.
923 gnutls_openpgp_crt_check_hostname2
924 ----------------------------------
926 -- Function: int gnutls_openpgp_crt_check_hostname2
927 (gnutls_openpgp_crt_t KEY, const char * HOSTNAME, unsigned
929 KEY: should contain a 'gnutls_openpgp_crt_t' structure
931 HOSTNAME: A null terminated string that contains a DNS name
933 FLAGS: gnutls_certificate_verify_flags
935 This function will check if the given key's owner matches the given
938 Unless, the flag 'GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS' is
939 specified, wildcards are only considered if the domain name
940 consists of three components or more, and the wildcard starts at
941 the leftmost position.
943 *Returns:* non-zero for a successful match, and zero on failure.
945 gnutls_openpgp_crt_deinit
946 -------------------------
948 -- Function: void gnutls_openpgp_crt_deinit (gnutls_openpgp_crt_t KEY)
949 KEY: The structure to be initialized
951 This function will deinitialize a key structure.
953 gnutls_openpgp_crt_export
954 -------------------------
956 -- Function: int gnutls_openpgp_crt_export (gnutls_openpgp_crt_t KEY,
957 gnutls_openpgp_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
961 FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
963 OUTPUT_DATA: will contain the raw or base64 encoded key
965 OUTPUT_DATA_SIZE: holds the size of output_data (and will be
966 replaced by the actual size of parameters)
968 This function will convert the given key to RAW or Base64 format.
969 If the buffer provided is not long enough to hold the output, then
970 'GNUTLS_E_SHORT_MEMORY_BUFFER' will be returned.
972 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
974 gnutls_openpgp_crt_export2
975 --------------------------
977 -- Function: int gnutls_openpgp_crt_export2 (gnutls_openpgp_crt_t KEY,
978 gnutls_openpgp_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
981 FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
983 OUT: will contain the raw or base64 encoded key
985 This function will convert the given key to RAW or Base64 format.
986 The output buffer is allocated using 'gnutls_malloc()' .
988 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
992 gnutls_openpgp_crt_get_auth_subkey
993 ----------------------------------
995 -- Function: int gnutls_openpgp_crt_get_auth_subkey
996 (gnutls_openpgp_crt_t CRT, gnutls_openpgp_keyid_t KEYID,
998 CRT: the structure that contains the OpenPGP public key.
1000 KEYID: the struct to save the keyid.
1002 FLAG: Non-zero indicates that a valid subkey is always returned.
1004 Returns the 64-bit keyID of the first valid OpenPGP subkey marked
1005 for authentication. If flag is non-zero and no authentication
1006 subkey exists, then a valid subkey will be returned even if it is
1007 not marked for authentication.
1009 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1011 gnutls_openpgp_crt_get_creation_time
1012 ------------------------------------
1014 -- Function: time_t gnutls_openpgp_crt_get_creation_time
1015 (gnutls_openpgp_crt_t KEY)
1016 KEY: the structure that contains the OpenPGP public key.
1018 Get key creation time.
1020 *Returns:* the timestamp when the OpenPGP key was created.
1022 gnutls_openpgp_crt_get_expiration_time
1023 --------------------------------------
1025 -- Function: time_t gnutls_openpgp_crt_get_expiration_time
1026 (gnutls_openpgp_crt_t KEY)
1027 KEY: the structure that contains the OpenPGP public key.
1029 Get key expiration time. A value of '0' means that the key doesn't
1032 *Returns:* the time when the OpenPGP key expires.
1034 gnutls_openpgp_crt_get_fingerprint
1035 ----------------------------------
1037 -- Function: int gnutls_openpgp_crt_get_fingerprint
1038 (gnutls_openpgp_crt_t KEY, void * FPR, size_t * FPRLEN)
1039 KEY: the raw data that contains the OpenPGP public key.
1041 FPR: the buffer to save the fingerprint, must hold at least 20
1044 FPRLEN: the integer to save the length of the fingerprint.
1046 Get key fingerprint. Depending on the algorithm, the fingerprint
1047 can be 16 or 20 bytes.
1049 *Returns:* On success, 0 is returned. Otherwise, an error code.
1051 gnutls_openpgp_crt_get_key_id
1052 -----------------------------
1054 -- Function: int gnutls_openpgp_crt_get_key_id (gnutls_openpgp_crt_t
1055 KEY, gnutls_openpgp_keyid_t KEYID)
1056 KEY: the structure that contains the OpenPGP public key.
1058 KEYID: the buffer to save the keyid.
1062 *Returns:* the 64-bit keyID of the OpenPGP key.
1066 gnutls_openpgp_crt_get_key_usage
1067 --------------------------------
1069 -- Function: int gnutls_openpgp_crt_get_key_usage (gnutls_openpgp_crt_t
1070 KEY, unsigned int * KEY_USAGE)
1071 KEY: should contain a gnutls_openpgp_crt_t structure
1073 KEY_USAGE: where the key usage bits will be stored
1075 This function will return certificate's key usage, by checking the
1076 key algorithm. The key usage value will ORed values of the:
1077 'GNUTLS_KEY_DIGITAL_SIGNATURE' , 'GNUTLS_KEY_KEY_ENCIPHERMENT' .
1079 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1081 gnutls_openpgp_crt_get_name
1082 ---------------------------
1084 -- Function: int gnutls_openpgp_crt_get_name (gnutls_openpgp_crt_t KEY,
1085 int IDX, char * BUF, size_t * SIZEOF_BUF)
1086 KEY: the structure that contains the OpenPGP public key.
1088 IDX: the index of the ID to extract
1090 BUF: a pointer to a structure to hold the name, may be 'NULL' to
1091 only get the 'sizeof_buf' .
1093 SIZEOF_BUF: holds the maximum size of 'buf' , on return hold the
1094 actual/required size of 'buf' .
1096 Extracts the userID from the parsed OpenPGP key.
1098 *Returns:* 'GNUTLS_E_SUCCESS' on success, and if the index of the
1099 ID does not exist 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' , or an
1102 gnutls_openpgp_crt_get_pk_algorithm
1103 -----------------------------------
1105 -- Function: gnutls_pk_algorithm_t gnutls_openpgp_crt_get_pk_algorithm
1106 (gnutls_openpgp_crt_t KEY, unsigned int * BITS)
1107 KEY: is an OpenPGP key
1109 BITS: if bits is non null it will hold the size of the parameters'
1112 This function will return the public key algorithm of an OpenPGP
1115 If bits is non null, it should have enough size to hold the
1116 parameters size in bits. For RSA the bits returned is the modulus.
1117 For DSA the bits returned are of the public exponent.
1119 *Returns:* a member of the 'gnutls_pk_algorithm_t' enumeration on
1120 success, or GNUTLS_PK_UNKNOWN on error.
1122 gnutls_openpgp_crt_get_pk_dsa_raw
1123 ---------------------------------
1125 -- Function: int gnutls_openpgp_crt_get_pk_dsa_raw
1126 (gnutls_openpgp_crt_t CRT, gnutls_datum_t * P, gnutls_datum_t
1127 * Q, gnutls_datum_t * G, gnutls_datum_t * Y)
1128 CRT: Holds the certificate
1138 This function will export the DSA public key's parameters found in
1139 the given certificate. The new parameters will be allocated using
1140 'gnutls_malloc()' and will be stored in the appropriate datum.
1142 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1147 gnutls_openpgp_crt_get_pk_rsa_raw
1148 ---------------------------------
1150 -- Function: int gnutls_openpgp_crt_get_pk_rsa_raw
1151 (gnutls_openpgp_crt_t CRT, gnutls_datum_t * M, gnutls_datum_t
1153 CRT: Holds the certificate
1155 M: will hold the modulus
1157 E: will hold the public exponent
1159 This function will export the RSA public key's parameters found in
1160 the given structure. The new parameters will be allocated using
1161 'gnutls_malloc()' and will be stored in the appropriate datum.
1163 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1168 gnutls_openpgp_crt_get_preferred_key_id
1169 ---------------------------------------
1171 -- Function: int gnutls_openpgp_crt_get_preferred_key_id
1172 (gnutls_openpgp_crt_t KEY, gnutls_openpgp_keyid_t KEYID)
1173 KEY: the structure that contains the OpenPGP public key.
1175 KEYID: the struct to save the keyid.
1177 Get preferred key id. If it hasn't been set it returns
1178 'GNUTLS_E_INVALID_REQUEST' .
1180 *Returns:* the 64-bit preferred keyID of the OpenPGP key.
1182 gnutls_openpgp_crt_get_revoked_status
1183 -------------------------------------
1185 -- Function: int gnutls_openpgp_crt_get_revoked_status
1186 (gnutls_openpgp_crt_t KEY)
1187 KEY: the structure that contains the OpenPGP public key.
1189 Get revocation status of key.
1191 *Returns:* true (1) if the key has been revoked, or false (0) if it
1196 gnutls_openpgp_crt_get_subkey_count
1197 -----------------------------------
1199 -- Function: int gnutls_openpgp_crt_get_subkey_count
1200 (gnutls_openpgp_crt_t KEY)
1201 KEY: is an OpenPGP key
1203 This function will return the number of subkeys present in the
1204 given OpenPGP certificate.
1206 *Returns:* the number of subkeys, or a negative error code on
1211 gnutls_openpgp_crt_get_subkey_creation_time
1212 -------------------------------------------
1214 -- Function: time_t gnutls_openpgp_crt_get_subkey_creation_time
1215 (gnutls_openpgp_crt_t KEY, unsigned int IDX)
1216 KEY: the structure that contains the OpenPGP public key.
1218 IDX: the subkey index
1220 Get subkey creation time.
1222 *Returns:* the timestamp when the OpenPGP sub-key was created.
1226 gnutls_openpgp_crt_get_subkey_expiration_time
1227 ---------------------------------------------
1229 -- Function: time_t gnutls_openpgp_crt_get_subkey_expiration_time
1230 (gnutls_openpgp_crt_t KEY, unsigned int IDX)
1231 KEY: the structure that contains the OpenPGP public key.
1233 IDX: the subkey index
1235 Get subkey expiration time. A value of '0' means that the key
1236 doesn't expire at all.
1238 *Returns:* the time when the OpenPGP key expires.
1242 gnutls_openpgp_crt_get_subkey_fingerprint
1243 -----------------------------------------
1245 -- Function: int gnutls_openpgp_crt_get_subkey_fingerprint
1246 (gnutls_openpgp_crt_t KEY, unsigned int IDX, void * FPR,
1248 KEY: the raw data that contains the OpenPGP public key.
1250 IDX: the subkey index
1252 FPR: the buffer to save the fingerprint, must hold at least 20
1255 FPRLEN: the integer to save the length of the fingerprint.
1257 Get key fingerprint of a subkey. Depending on the algorithm, the
1258 fingerprint can be 16 or 20 bytes.
1260 *Returns:* On success, 0 is returned. Otherwise, an error code.
1264 gnutls_openpgp_crt_get_subkey_id
1265 --------------------------------
1267 -- Function: int gnutls_openpgp_crt_get_subkey_id (gnutls_openpgp_crt_t
1268 KEY, unsigned int IDX, gnutls_openpgp_keyid_t KEYID)
1269 KEY: the structure that contains the OpenPGP public key.
1271 IDX: the subkey index
1273 KEYID: the buffer to save the keyid.
1275 Get the subkey's key-id.
1277 *Returns:* the 64-bit keyID of the OpenPGP key.
1279 gnutls_openpgp_crt_get_subkey_idx
1280 ---------------------------------
1282 -- Function: int gnutls_openpgp_crt_get_subkey_idx
1283 (gnutls_openpgp_crt_t KEY, const gnutls_openpgp_keyid_t KEYID)
1284 KEY: the structure that contains the OpenPGP public key.
1290 *Returns:* the index of the subkey or a negative error value.
1294 gnutls_openpgp_crt_get_subkey_pk_algorithm
1295 ------------------------------------------
1297 -- Function: gnutls_pk_algorithm_t
1298 gnutls_openpgp_crt_get_subkey_pk_algorithm
1299 (gnutls_openpgp_crt_t KEY, unsigned int IDX, unsigned int *
1301 KEY: is an OpenPGP key
1303 IDX: is the subkey index
1305 BITS: if bits is non null it will hold the size of the parameters'
1308 This function will return the public key algorithm of a subkey of
1309 an OpenPGP certificate.
1311 If bits is non null, it should have enough size to hold the
1312 parameters size in bits. For RSA the bits returned is the modulus.
1313 For DSA the bits returned are of the public exponent.
1315 *Returns:* a member of the 'gnutls_pk_algorithm_t' enumeration on
1316 success, or GNUTLS_PK_UNKNOWN on error.
1320 gnutls_openpgp_crt_get_subkey_pk_dsa_raw
1321 ----------------------------------------
1323 -- Function: int gnutls_openpgp_crt_get_subkey_pk_dsa_raw
1324 (gnutls_openpgp_crt_t CRT, unsigned int IDX, gnutls_datum_t *
1325 P, gnutls_datum_t * Q, gnutls_datum_t * G, gnutls_datum_t * Y)
1326 CRT: Holds the certificate
1328 IDX: Is the subkey index
1338 This function will export the DSA public key's parameters found in
1339 the given certificate. The new parameters will be allocated using
1340 'gnutls_malloc()' and will be stored in the appropriate datum.
1342 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1347 gnutls_openpgp_crt_get_subkey_pk_rsa_raw
1348 ----------------------------------------
1350 -- Function: int gnutls_openpgp_crt_get_subkey_pk_rsa_raw
1351 (gnutls_openpgp_crt_t CRT, unsigned int IDX, gnutls_datum_t *
1352 M, gnutls_datum_t * E)
1353 CRT: Holds the certificate
1355 IDX: Is the subkey index
1357 M: will hold the modulus
1359 E: will hold the public exponent
1361 This function will export the RSA public key's parameters found in
1362 the given structure. The new parameters will be allocated using
1363 'gnutls_malloc()' and will be stored in the appropriate datum.
1365 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1370 gnutls_openpgp_crt_get_subkey_revoked_status
1371 --------------------------------------------
1373 -- Function: int gnutls_openpgp_crt_get_subkey_revoked_status
1374 (gnutls_openpgp_crt_t KEY, unsigned int IDX)
1375 KEY: the structure that contains the OpenPGP public key.
1377 IDX: is the subkey index
1379 Get subkey revocation status. A negative error code indicates an
1382 *Returns:* true (1) if the key has been revoked, or false (0) if it
1387 gnutls_openpgp_crt_get_subkey_usage
1388 -----------------------------------
1390 -- Function: int gnutls_openpgp_crt_get_subkey_usage
1391 (gnutls_openpgp_crt_t KEY, unsigned int IDX, unsigned int *
1393 KEY: should contain a gnutls_openpgp_crt_t structure
1395 IDX: the subkey index
1397 KEY_USAGE: where the key usage bits will be stored
1399 This function will return certificate's key usage, by checking the
1400 key algorithm. The key usage value will ORed values of
1401 'GNUTLS_KEY_DIGITAL_SIGNATURE' or 'GNUTLS_KEY_KEY_ENCIPHERMENT' .
1403 A negative error code may be returned in case of parsing error.
1405 *Returns:* key usage value.
1409 gnutls_openpgp_crt_get_version
1410 ------------------------------
1412 -- Function: int gnutls_openpgp_crt_get_version (gnutls_openpgp_crt_t
1414 KEY: the structure that contains the OpenPGP public key.
1416 Extract the version of the OpenPGP key.
1418 *Returns:* the version number is returned, or a negative error code
1421 gnutls_openpgp_crt_import
1422 -------------------------
1424 -- Function: int gnutls_openpgp_crt_import (gnutls_openpgp_crt_t KEY,
1425 const gnutls_datum_t * DATA, gnutls_openpgp_crt_fmt_t FORMAT)
1426 KEY: The structure to store the parsed key.
1428 DATA: The RAW or BASE64 encoded key.
1430 FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
1432 This function will convert the given RAW or Base64 encoded key to
1433 the native 'gnutls_openpgp_crt_t' format. The output will be
1436 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1438 gnutls_openpgp_crt_init
1439 -----------------------
1441 -- Function: int gnutls_openpgp_crt_init (gnutls_openpgp_crt_t * KEY)
1442 KEY: The structure to be initialized
1444 This function will initialize an OpenPGP key structure.
1446 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1448 gnutls_openpgp_crt_print
1449 ------------------------
1451 -- Function: int gnutls_openpgp_crt_print (gnutls_openpgp_crt_t CERT,
1452 gnutls_certificate_print_formats_t FORMAT, gnutls_datum_t *
1454 CERT: The structure to be printed
1456 FORMAT: Indicate the format to use
1458 OUT: Newly allocated datum with (0) terminated string.
1460 This function will pretty print an OpenPGP certificate, suitable
1461 for display to a human.
1463 The format should be (0) for future compatibility.
1465 The output 'out' needs to be deallocate using 'gnutls_free()' .
1467 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1469 gnutls_openpgp_crt_set_preferred_key_id
1470 ---------------------------------------
1472 -- Function: int gnutls_openpgp_crt_set_preferred_key_id
1473 (gnutls_openpgp_crt_t KEY, const gnutls_openpgp_keyid_t KEYID)
1474 KEY: the structure that contains the OpenPGP public key.
1476 KEYID: the selected keyid
1478 This allows setting a preferred key id for the given certificate.
1479 This key will be used by functions that involve key handling.
1481 If the provided 'keyid' is 'NULL' then the master key is set as
1484 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
1485 otherwise a negative error code is returned.
1487 gnutls_openpgp_crt_verify_ring
1488 ------------------------------
1490 -- Function: int gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t
1491 KEY, gnutls_openpgp_keyring_t KEYRING, unsigned int FLAGS,
1492 unsigned int * VERIFY)
1493 KEY: the structure that holds the key.
1495 KEYRING: holds the keyring to check against
1497 FLAGS: unused (should be 0)
1499 VERIFY: will hold the certificate verification output.
1501 Verify all signatures in the key, using the given set of keys
1504 The key verification output will be put in 'verify' and will be one
1505 or more of the 'gnutls_certificate_status_t' enumerated elements
1508 Note that this function does not verify using any "web of trust".
1509 You may use GnuPG for that purpose, or any other external PGP
1512 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1514 gnutls_openpgp_crt_verify_self
1515 ------------------------------
1517 -- Function: int gnutls_openpgp_crt_verify_self (gnutls_openpgp_crt_t
1518 KEY, unsigned int FLAGS, unsigned int * VERIFY)
1519 KEY: the structure that holds the key.
1521 FLAGS: unused (should be 0)
1523 VERIFY: will hold the key verification output.
1525 Verifies the self signature in the key. The key verification
1526 output will be put in 'verify' and will be one or more of the
1527 gnutls_certificate_status_t enumerated elements bitwise or'd.
1529 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1531 gnutls_openpgp_keyring_check_id
1532 -------------------------------
1534 -- Function: int gnutls_openpgp_keyring_check_id
1535 (gnutls_openpgp_keyring_t RING, const gnutls_openpgp_keyid_t
1536 KEYID, unsigned int FLAGS)
1537 RING: holds the keyring to check against
1539 KEYID: will hold the keyid to check for.
1541 FLAGS: unused (should be 0)
1543 Check if a given key ID exists in the keyring.
1545 *Returns:* 'GNUTLS_E_SUCCESS' on success (if keyid exists) and a
1546 negative error code on failure.
1548 gnutls_openpgp_keyring_deinit
1549 -----------------------------
1551 -- Function: void gnutls_openpgp_keyring_deinit
1552 (gnutls_openpgp_keyring_t KEYRING)
1553 KEYRING: A pointer to the type to be initialized
1555 This function will deinitialize a keyring structure.
1557 gnutls_openpgp_keyring_get_crt
1558 ------------------------------
1560 -- Function: int gnutls_openpgp_keyring_get_crt
1561 (gnutls_openpgp_keyring_t RING, unsigned int IDX,
1562 gnutls_openpgp_crt_t * CERT)
1563 RING: Holds the keyring.
1565 IDX: the index of the certificate to export
1567 CERT: An uninitialized 'gnutls_openpgp_crt_t' type
1569 This function will extract an OpenPGP certificate from the given
1570 keyring. If the index given is out of range
1571 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned. The
1572 returned structure needs to be deinited.
1574 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1576 gnutls_openpgp_keyring_get_crt_count
1577 ------------------------------------
1579 -- Function: int gnutls_openpgp_keyring_get_crt_count
1580 (gnutls_openpgp_keyring_t RING)
1581 RING: is an OpenPGP key ring
1583 This function will return the number of OpenPGP certificates
1584 present in the given keyring.
1586 *Returns:* the number of subkeys, or a negative error code on
1589 gnutls_openpgp_keyring_import
1590 -----------------------------
1592 -- Function: int gnutls_openpgp_keyring_import
1593 (gnutls_openpgp_keyring_t KEYRING, const gnutls_datum_t *
1594 DATA, gnutls_openpgp_crt_fmt_t FORMAT)
1595 KEYRING: The structure to store the parsed key.
1597 DATA: The RAW or BASE64 encoded keyring.
1599 FORMAT: One of 'gnutls_openpgp_keyring_fmt' elements.
1601 This function will convert the given RAW or Base64 encoded keyring
1602 to the native 'gnutls_openpgp_keyring_t' format. The output will
1603 be stored in 'keyring'.
1605 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1607 gnutls_openpgp_keyring_init
1608 ---------------------------
1610 -- Function: int gnutls_openpgp_keyring_init (gnutls_openpgp_keyring_t
1612 KEYRING: A pointer to the type to be initialized
1614 This function will initialize an keyring structure.
1616 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1618 gnutls_openpgp_privkey_deinit
1619 -----------------------------
1621 -- Function: void gnutls_openpgp_privkey_deinit
1622 (gnutls_openpgp_privkey_t KEY)
1623 KEY: The structure to be initialized
1625 This function will deinitialize a key structure.
1627 gnutls_openpgp_privkey_export
1628 -----------------------------
1630 -- Function: int gnutls_openpgp_privkey_export
1631 (gnutls_openpgp_privkey_t KEY, gnutls_openpgp_crt_fmt_t
1632 FORMAT, const char * PASSWORD, unsigned int FLAGS, void *
1633 OUTPUT_DATA, size_t * OUTPUT_DATA_SIZE)
1636 FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
1638 PASSWORD: the password that will be used to encrypt the key.
1641 FLAGS: (0) for future compatibility
1643 OUTPUT_DATA: will contain the key base64 encoded or raw
1645 OUTPUT_DATA_SIZE: holds the size of output_data (and will be
1646 replaced by the actual size of parameters)
1648 This function will convert the given key to RAW or Base64 format.
1649 If the buffer provided is not long enough to hold the output, then
1650 GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
1652 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1656 gnutls_openpgp_privkey_export2
1657 ------------------------------
1659 -- Function: int gnutls_openpgp_privkey_export2
1660 (gnutls_openpgp_privkey_t KEY, gnutls_openpgp_crt_fmt_t
1661 FORMAT, const char * PASSWORD, unsigned int FLAGS,
1662 gnutls_datum_t * OUT)
1665 FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
1667 PASSWORD: the password that will be used to encrypt the key.
1670 FLAGS: (0) for future compatibility
1672 OUT: will contain the raw or based64 encoded key
1674 This function will convert the given key to RAW or Base64 format.
1675 The output buffer is allocated using 'gnutls_malloc()' .
1677 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
1681 gnutls_openpgp_privkey_export_dsa_raw
1682 -------------------------------------
1684 -- Function: int gnutls_openpgp_privkey_export_dsa_raw
1685 (gnutls_openpgp_privkey_t PKEY, gnutls_datum_t * P,
1686 gnutls_datum_t * Q, gnutls_datum_t * G, gnutls_datum_t * Y,
1688 PKEY: Holds the certificate
1700 This function will export the DSA private key's parameters found in
1701 the given certificate. The new parameters will be allocated using
1702 'gnutls_malloc()' and will be stored in the appropriate datum.
1704 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1709 gnutls_openpgp_privkey_export_rsa_raw
1710 -------------------------------------
1712 -- Function: int gnutls_openpgp_privkey_export_rsa_raw
1713 (gnutls_openpgp_privkey_t PKEY, gnutls_datum_t * M,
1714 gnutls_datum_t * E, gnutls_datum_t * D, gnutls_datum_t * P,
1715 gnutls_datum_t * Q, gnutls_datum_t * U)
1716 PKEY: Holds the certificate
1718 M: will hold the modulus
1720 E: will hold the public exponent
1722 D: will hold the private exponent
1724 P: will hold the first prime (p)
1726 Q: will hold the second prime (q)
1728 U: will hold the coefficient
1730 This function will export the RSA private key's parameters found in
1731 the given structure. The new parameters will be allocated using
1732 'gnutls_malloc()' and will be stored in the appropriate datum.
1734 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1739 gnutls_openpgp_privkey_export_subkey_dsa_raw
1740 --------------------------------------------
1742 -- Function: int gnutls_openpgp_privkey_export_subkey_dsa_raw
1743 (gnutls_openpgp_privkey_t PKEY, unsigned int IDX,
1744 gnutls_datum_t * P, gnutls_datum_t * Q, gnutls_datum_t * G,
1745 gnutls_datum_t * Y, gnutls_datum_t * X)
1746 PKEY: Holds the certificate
1748 IDX: Is the subkey index
1760 This function will export the DSA private key's parameters found in
1761 the given certificate. The new parameters will be allocated using
1762 'gnutls_malloc()' and will be stored in the appropriate datum.
1764 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1769 gnutls_openpgp_privkey_export_subkey_rsa_raw
1770 --------------------------------------------
1772 -- Function: int gnutls_openpgp_privkey_export_subkey_rsa_raw
1773 (gnutls_openpgp_privkey_t PKEY, unsigned int IDX,
1774 gnutls_datum_t * M, gnutls_datum_t * E, gnutls_datum_t * D,
1775 gnutls_datum_t * P, gnutls_datum_t * Q, gnutls_datum_t * U)
1776 PKEY: Holds the certificate
1778 IDX: Is the subkey index
1780 M: will hold the modulus
1782 E: will hold the public exponent
1784 D: will hold the private exponent
1786 P: will hold the first prime (p)
1788 Q: will hold the second prime (q)
1790 U: will hold the coefficient
1792 This function will export the RSA private key's parameters found in
1793 the given structure. The new parameters will be allocated using
1794 'gnutls_malloc()' and will be stored in the appropriate datum.
1796 *Returns:* 'GNUTLS_E_SUCCESS' on success, otherwise a negative
1801 gnutls_openpgp_privkey_get_fingerprint
1802 --------------------------------------
1804 -- Function: int gnutls_openpgp_privkey_get_fingerprint
1805 (gnutls_openpgp_privkey_t KEY, void * FPR, size_t * FPRLEN)
1806 KEY: the raw data that contains the OpenPGP secret key.
1808 FPR: the buffer to save the fingerprint, must hold at least 20
1811 FPRLEN: the integer to save the length of the fingerprint.
1813 Get the fingerprint of the OpenPGP key. Depends on the algorithm,
1814 the fingerprint can be 16 or 20 bytes.
1816 *Returns:* On success, 0 is returned, or an error code.
1820 gnutls_openpgp_privkey_get_key_id
1821 ---------------------------------
1823 -- Function: int gnutls_openpgp_privkey_get_key_id
1824 (gnutls_openpgp_privkey_t KEY, gnutls_openpgp_keyid_t KEYID)
1825 KEY: the structure that contains the OpenPGP secret key.
1827 KEYID: the buffer to save the keyid.
1831 *Returns:* the 64-bit keyID of the OpenPGP key.
1835 gnutls_openpgp_privkey_get_pk_algorithm
1836 ---------------------------------------
1838 -- Function: gnutls_pk_algorithm_t
1839 gnutls_openpgp_privkey_get_pk_algorithm
1840 (gnutls_openpgp_privkey_t KEY, unsigned int * BITS)
1841 KEY: is an OpenPGP key
1843 BITS: if bits is non null it will hold the size of the parameters'
1846 This function will return the public key algorithm of an OpenPGP
1849 If bits is non null, it should have enough size to hold the
1850 parameters size in bits. For RSA the bits returned is the modulus.
1851 For DSA the bits returned are of the public exponent.
1853 *Returns:* a member of the 'gnutls_pk_algorithm_t' enumeration on
1854 success, or a negative error code on error.
1858 gnutls_openpgp_privkey_get_preferred_key_id
1859 -------------------------------------------
1861 -- Function: int gnutls_openpgp_privkey_get_preferred_key_id
1862 (gnutls_openpgp_privkey_t KEY, gnutls_openpgp_keyid_t KEYID)
1863 KEY: the structure that contains the OpenPGP public key.
1865 KEYID: the struct to save the keyid.
1867 Get the preferred key-id for the key.
1869 *Returns:* the 64-bit preferred keyID of the OpenPGP key, or if it
1870 hasn't been set it returns 'GNUTLS_E_INVALID_REQUEST' .
1872 gnutls_openpgp_privkey_get_revoked_status
1873 -----------------------------------------
1875 -- Function: int gnutls_openpgp_privkey_get_revoked_status
1876 (gnutls_openpgp_privkey_t KEY)
1877 KEY: the structure that contains the OpenPGP private key.
1879 Get revocation status of key.
1881 *Returns:* true (1) if the key has been revoked, or false (0) if it
1882 has not, or a negative error code indicates an error.
1886 gnutls_openpgp_privkey_get_subkey_count
1887 ---------------------------------------
1889 -- Function: int gnutls_openpgp_privkey_get_subkey_count
1890 (gnutls_openpgp_privkey_t KEY)
1891 KEY: is an OpenPGP key
1893 This function will return the number of subkeys present in the
1894 given OpenPGP certificate.
1896 *Returns:* the number of subkeys, or a negative error code on
1901 gnutls_openpgp_privkey_get_subkey_creation_time
1902 -----------------------------------------------
1904 -- Function: time_t gnutls_openpgp_privkey_get_subkey_creation_time
1905 (gnutls_openpgp_privkey_t KEY, unsigned int IDX)
1906 KEY: the structure that contains the OpenPGP private key.
1908 IDX: the subkey index
1910 Get subkey creation time.
1912 *Returns:* the timestamp when the OpenPGP key was created.
1916 gnutls_openpgp_privkey_get_subkey_expiration_time
1917 -------------------------------------------------
1919 -- Function: time_t gnutls_openpgp_privkey_get_subkey_expiration_time
1920 (gnutls_openpgp_privkey_t KEY, unsigned int IDX)
1921 KEY: the structure that contains the OpenPGP private key.
1923 IDX: the subkey index
1925 Get subkey expiration time. A value of '0' means that the key
1926 doesn't expire at all.
1928 *Returns:* the time when the OpenPGP key expires.
1932 gnutls_openpgp_privkey_get_subkey_fingerprint
1933 ---------------------------------------------
1935 -- Function: int gnutls_openpgp_privkey_get_subkey_fingerprint
1936 (gnutls_openpgp_privkey_t KEY, unsigned int IDX, void * FPR,
1938 KEY: the raw data that contains the OpenPGP secret key.
1940 IDX: the subkey index
1942 FPR: the buffer to save the fingerprint, must hold at least 20
1945 FPRLEN: the integer to save the length of the fingerprint.
1947 Get the fingerprint of an OpenPGP subkey. Depends on the
1948 algorithm, the fingerprint can be 16 or 20 bytes.
1950 *Returns:* On success, 0 is returned, or an error code.
1954 gnutls_openpgp_privkey_get_subkey_id
1955 ------------------------------------
1957 -- Function: int gnutls_openpgp_privkey_get_subkey_id
1958 (gnutls_openpgp_privkey_t KEY, unsigned int IDX,
1959 gnutls_openpgp_keyid_t KEYID)
1960 KEY: the structure that contains the OpenPGP secret key.
1962 IDX: the subkey index
1964 KEYID: the buffer to save the keyid.
1966 Get the key-id for the subkey.
1968 *Returns:* the 64-bit keyID of the OpenPGP key.
1972 gnutls_openpgp_privkey_get_subkey_idx
1973 -------------------------------------
1975 -- Function: int gnutls_openpgp_privkey_get_subkey_idx
1976 (gnutls_openpgp_privkey_t KEY, const gnutls_openpgp_keyid_t
1978 KEY: the structure that contains the OpenPGP private key.
1982 Get index of subkey.
1984 *Returns:* the index of the subkey or a negative error value.
1988 gnutls_openpgp_privkey_get_subkey_pk_algorithm
1989 ----------------------------------------------
1991 -- Function: gnutls_pk_algorithm_t
1992 gnutls_openpgp_privkey_get_subkey_pk_algorithm
1993 (gnutls_openpgp_privkey_t KEY, unsigned int IDX, unsigned int
1995 KEY: is an OpenPGP key
1997 IDX: is the subkey index
1999 BITS: if bits is non null it will hold the size of the parameters'
2002 This function will return the public key algorithm of a subkey of
2003 an OpenPGP certificate.
2005 If bits is non null, it should have enough size to hold the
2006 parameters size in bits. For RSA the bits returned is the modulus.
2007 For DSA the bits returned are of the public exponent.
2009 *Returns:* a member of the 'gnutls_pk_algorithm_t' enumeration on
2010 success, or a negative error code on error.
2014 gnutls_openpgp_privkey_get_subkey_revoked_status
2015 ------------------------------------------------
2017 -- Function: int gnutls_openpgp_privkey_get_subkey_revoked_status
2018 (gnutls_openpgp_privkey_t KEY, unsigned int IDX)
2019 KEY: the structure that contains the OpenPGP private key.
2021 IDX: is the subkey index
2023 Get revocation status of key.
2025 *Returns:* true (1) if the key has been revoked, or false (0) if it
2026 has not, or a negative error code indicates an error.
2030 gnutls_openpgp_privkey_import
2031 -----------------------------
2033 -- Function: int gnutls_openpgp_privkey_import
2034 (gnutls_openpgp_privkey_t KEY, const gnutls_datum_t * DATA,
2035 gnutls_openpgp_crt_fmt_t FORMAT, const char * PASSWORD,
2037 KEY: The structure to store the parsed key.
2039 DATA: The RAW or BASE64 encoded key.
2041 FORMAT: One of 'gnutls_openpgp_crt_fmt_t' elements.
2043 PASSWORD: not used for now
2045 FLAGS: should be (0)
2047 This function will convert the given RAW or Base64 encoded key to
2048 the native gnutls_openpgp_privkey_t format. The output will be
2051 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
2053 gnutls_openpgp_privkey_init
2054 ---------------------------
2056 -- Function: int gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t
2058 KEY: The structure to be initialized
2060 This function will initialize an OpenPGP key structure.
2062 *Returns:* 'GNUTLS_E_SUCCESS' on success, or an error code.
2064 gnutls_openpgp_privkey_sec_param
2065 --------------------------------
2067 -- Function: gnutls_sec_param_t gnutls_openpgp_privkey_sec_param
2068 (gnutls_openpgp_privkey_t KEY)
2069 KEY: a key structure
2071 This function will return the security parameter appropriate with
2074 *Returns:* On success, a valid security parameter is returned
2075 otherwise 'GNUTLS_SEC_PARAM_UNKNOWN' is returned.
2079 gnutls_openpgp_privkey_set_preferred_key_id
2080 -------------------------------------------
2082 -- Function: int gnutls_openpgp_privkey_set_preferred_key_id
2083 (gnutls_openpgp_privkey_t KEY, const gnutls_openpgp_keyid_t
2085 KEY: the structure that contains the OpenPGP public key.
2087 KEYID: the selected keyid
2089 This allows setting a preferred key id for the given certificate.
2090 This key will be used by functions that involve key handling.
2092 If the provided 'keyid' is 'NULL' then the master key is set as
2095 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2096 otherwise a negative error code is returned.
2098 gnutls_openpgp_set_recv_key_function
2099 ------------------------------------
2101 -- Function: void gnutls_openpgp_set_recv_key_function
2102 (gnutls_session_t SESSION, gnutls_openpgp_recv_key_func FUNC)
2103 SESSION: a TLS session
2107 This funtion will set a key retrieval function for OpenPGP keys.
2108 This callback is only useful in server side, and will be used if
2109 the peer sent a key fingerprint instead of a full key.
2111 The retrieved key must be allocated using 'gnutls_malloc()' .
2114 File: gnutls.info, Node: PKCS 12 API, Next: PKCS 11 API, Prev: OpenPGP API, Up: API reference
2119 The following functions are to be used for PKCS 12 handling. Their
2120 prototypes lie in 'gnutls/pkcs12.h'.
2122 gnutls_pkcs12_bag_decrypt
2123 -------------------------
2125 -- Function: int gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t BAG,
2129 PASS: The password used for encryption, must be ASCII.
2131 This function will decrypt the given encrypted bag and return 0 on
2134 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2135 otherwise a negative error code is returned.
2137 gnutls_pkcs12_bag_deinit
2138 ------------------------
2140 -- Function: void gnutls_pkcs12_bag_deinit (gnutls_pkcs12_bag_t BAG)
2141 BAG: The structure to be initialized
2143 This function will deinitialize a PKCS12 Bag structure.
2145 gnutls_pkcs12_bag_encrypt
2146 -------------------------
2148 -- Function: int gnutls_pkcs12_bag_encrypt (gnutls_pkcs12_bag_t BAG,
2149 const char * PASS, unsigned int FLAGS)
2152 PASS: The password used for encryption, must be ASCII
2154 FLAGS: should be one of 'gnutls_pkcs_encrypt_flags_t' elements
2157 This function will encrypt the given bag.
2159 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2160 otherwise a negative error code is returned.
2162 gnutls_pkcs12_bag_get_count
2163 ---------------------------
2165 -- Function: int gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t BAG)
2168 This function will return the number of the elements withing the
2171 *Returns:* Number of elements in bag, or an negative error code on
2174 gnutls_pkcs12_bag_get_data
2175 --------------------------
2177 -- Function: int gnutls_pkcs12_bag_get_data (gnutls_pkcs12_bag_t BAG,
2178 int INDX, gnutls_datum_t * DATA)
2181 INDX: The element of the bag to get the data from
2183 DATA: where the bag's data will be. Should be treated as constant.
2185 This function will return the bag's data. The data is a constant
2186 that is stored into the bag. Should not be accessed after the bag
2189 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2190 otherwise a negative error value.
2192 gnutls_pkcs12_bag_get_friendly_name
2193 -----------------------------------
2195 -- Function: int gnutls_pkcs12_bag_get_friendly_name
2196 (gnutls_pkcs12_bag_t BAG, int INDX, char ** NAME)
2199 INDX: The bag's element to add the id
2201 NAME: will hold a pointer to the name (to be treated as const)
2203 This function will return the friendly name, of the specified bag
2204 element. The key ID is usually used to distinguish the local
2205 private key and the certificate pair.
2207 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2208 otherwise a negative error value. or a negative error code on
2211 gnutls_pkcs12_bag_get_key_id
2212 ----------------------------
2214 -- Function: int gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t BAG,
2215 int INDX, gnutls_datum_t * ID)
2218 INDX: The bag's element to add the id
2220 ID: where the ID will be copied (to be treated as const)
2222 This function will return the key ID, of the specified bag element.
2223 The key ID is usually used to distinguish the local private key and
2224 the certificate pair.
2226 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2227 otherwise a negative error value. or a negative error code on
2230 gnutls_pkcs12_bag_get_type
2231 --------------------------
2233 -- Function: gnutls_pkcs12_bag_type_t gnutls_pkcs12_bag_get_type
2234 (gnutls_pkcs12_bag_t BAG, int INDX)
2237 INDX: The element of the bag to get the type
2239 This function will return the bag's type.
2241 *Returns:* One of the 'gnutls_pkcs12_bag_type_t' enumerations.
2243 gnutls_pkcs12_bag_init
2244 ----------------------
2246 -- Function: int gnutls_pkcs12_bag_init (gnutls_pkcs12_bag_t * BAG)
2247 BAG: The structure to be initialized
2249 This function will initialize a PKCS12 bag structure. PKCS12 Bags
2250 usually contain private keys, lists of X.509 Certificates and X.509
2251 Certificate revocation lists.
2253 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2254 otherwise a negative error value.
2256 gnutls_pkcs12_bag_set_crl
2257 -------------------------
2259 -- Function: int gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t BAG,
2260 gnutls_x509_crl_t CRL)
2263 CRL: the CRL to be copied.
2265 This function will insert the given CRL into the bag. This is just
2266 a wrapper over 'gnutls_pkcs12_bag_set_data()' .
2268 *Returns:* the index of the added bag on success, or a negative
2269 error code on failure.
2271 gnutls_pkcs12_bag_set_crt
2272 -------------------------
2274 -- Function: int gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t BAG,
2275 gnutls_x509_crt_t CRT)
2278 CRT: the certificate to be copied.
2280 This function will insert the given certificate into the bag. This
2281 is just a wrapper over 'gnutls_pkcs12_bag_set_data()' .
2283 *Returns:* the index of the added bag on success, or a negative
2286 gnutls_pkcs12_bag_set_data
2287 --------------------------
2289 -- Function: int gnutls_pkcs12_bag_set_data (gnutls_pkcs12_bag_t BAG,
2290 gnutls_pkcs12_bag_type_t TYPE, const gnutls_datum_t * DATA)
2293 TYPE: The data's type
2295 DATA: the data to be copied.
2297 This function will insert the given data of the given type into the
2300 *Returns:* the index of the added bag on success, or a negative
2303 gnutls_pkcs12_bag_set_friendly_name
2304 -----------------------------------
2306 -- Function: int gnutls_pkcs12_bag_set_friendly_name
2307 (gnutls_pkcs12_bag_t BAG, int INDX, const char * NAME)
2310 INDX: The bag's element to add the id
2314 This function will add the given key friendly name, to the
2315 specified, by the index, bag element. The name will be encoded as
2316 a 'Friendly name' bag attribute, which is usually used to set a
2317 user name to the local private key and the certificate pair.
2319 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2320 otherwise a negative error value. or a negative error code on
2323 gnutls_pkcs12_bag_set_key_id
2324 ----------------------------
2326 -- Function: int gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t BAG,
2327 int INDX, const gnutls_datum_t * ID)
2330 INDX: The bag's element to add the id
2334 This function will add the given key ID, to the specified, by the
2335 index, bag element. The key ID will be encoded as a 'Local key
2336 identifier' bag attribute, which is usually used to distinguish the
2337 local private key and the certificate pair.
2339 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2340 otherwise a negative error value. or a negative error code on
2343 gnutls_pkcs12_deinit
2344 --------------------
2346 -- Function: void gnutls_pkcs12_deinit (gnutls_pkcs12_t PKCS12)
2347 PKCS12: The structure to be initialized
2349 This function will deinitialize a PKCS12 structure.
2351 gnutls_pkcs12_export
2352 --------------------
2354 -- Function: int gnutls_pkcs12_export (gnutls_pkcs12_t PKCS12,
2355 gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
2357 PKCS12: Holds the pkcs12 structure
2359 FORMAT: the format of output params. One of PEM or DER.
2361 OUTPUT_DATA: will contain a structure PEM or DER encoded
2363 OUTPUT_DATA_SIZE: holds the size of output_data (and will be
2364 replaced by the actual size of parameters)
2366 This function will export the pkcs12 structure to DER or PEM
2369 If the buffer provided is not long enough to hold the output, then
2370 *output_data_size will be updated and GNUTLS_E_SHORT_MEMORY_BUFFER
2373 If the structure is PEM encoded, it will have a header of "BEGIN
2376 *Returns:* In case of failure a negative error code will be
2377 returned, and 0 on success.
2379 gnutls_pkcs12_export2
2380 ---------------------
2382 -- Function: int gnutls_pkcs12_export2 (gnutls_pkcs12_t PKCS12,
2383 gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
2384 PKCS12: Holds the pkcs12 structure
2386 FORMAT: the format of output params. One of PEM or DER.
2388 OUT: will contain a structure PEM or DER encoded
2390 This function will export the pkcs12 structure to DER or PEM
2393 The output buffer is allocated using 'gnutls_malloc()' .
2395 If the structure is PEM encoded, it will have a header of "BEGIN
2398 *Returns:* In case of failure a negative error code will be
2399 returned, and 0 on success.
2403 gnutls_pkcs12_generate_mac
2404 --------------------------
2406 -- Function: int gnutls_pkcs12_generate_mac (gnutls_pkcs12_t PKCS12,
2408 PKCS12: should contain a gnutls_pkcs12_t structure
2410 PASS: The password for the MAC
2412 This function will generate a MAC for the PKCS12 structure.
2414 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2415 otherwise a negative error value.
2417 gnutls_pkcs12_get_bag
2418 ---------------------
2420 -- Function: int gnutls_pkcs12_get_bag (gnutls_pkcs12_t PKCS12, int
2421 INDX, gnutls_pkcs12_bag_t BAG)
2422 PKCS12: should contain a gnutls_pkcs12_t structure
2424 INDX: contains the index of the bag to extract
2426 BAG: An initialized bag, where the contents of the bag will be
2429 This function will return a Bag from the PKCS12 structure.
2431 After the last Bag has been read
2432 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
2434 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2435 otherwise a negative error value.
2437 gnutls_pkcs12_import
2438 --------------------
2440 -- Function: int gnutls_pkcs12_import (gnutls_pkcs12_t PKCS12, const
2441 gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FORMAT, unsigned
2443 PKCS12: The structure to store the parsed PKCS12.
2445 DATA: The DER or PEM encoded PKCS12.
2447 FORMAT: One of DER or PEM
2449 FLAGS: an ORed sequence of gnutls_privkey_pkcs8_flags
2451 This function will convert the given DER or PEM encoded PKCS12 to
2452 the native gnutls_pkcs12_t format. The output will be stored in
2455 If the PKCS12 is PEM encoded it should have a header of "PKCS12".
2457 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2458 otherwise a negative error value.
2463 -- Function: int gnutls_pkcs12_init (gnutls_pkcs12_t * PKCS12)
2464 PKCS12: The structure to be initialized
2466 This function will initialize a PKCS12 structure. PKCS12
2467 structures usually contain lists of X.509 Certificates and X.509
2468 Certificate revocation lists.
2470 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2471 otherwise a negative error value.
2473 gnutls_pkcs12_set_bag
2474 ---------------------
2476 -- Function: int gnutls_pkcs12_set_bag (gnutls_pkcs12_t PKCS12,
2477 gnutls_pkcs12_bag_t BAG)
2478 PKCS12: should contain a gnutls_pkcs12_t structure
2480 BAG: An initialized bag
2482 This function will insert a Bag into the PKCS12 structure.
2484 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2485 otherwise a negative error value.
2487 gnutls_pkcs12_simple_parse
2488 --------------------------
2490 -- Function: int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t P12, const
2491 char * PASSWORD, gnutls_x509_privkey_t * KEY,
2492 gnutls_x509_crt_t ** CHAIN, unsigned int * CHAIN_LEN,
2493 gnutls_x509_crt_t ** EXTRA_CERTS, unsigned int *
2494 EXTRA_CERTS_LEN, gnutls_x509_crl_t * CRL, unsigned int FLAGS)
2495 P12: should contain a gnutls_pkcs12_t structure
2497 PASSWORD: optional password used to decrypt the structure, bags and
2500 KEY: a structure to store the parsed private key.
2502 CHAIN: the corresponding to key certificate chain (may be 'NULL' )
2504 CHAIN_LEN: will be updated with the number of additional (may be
2507 EXTRA_CERTS: optional pointer to receive an array of additional
2508 certificates found in the PKCS12 structure (may be 'NULL' ).
2510 EXTRA_CERTS_LEN: will be updated with the number of additional
2511 certs (may be 'NULL' ).
2513 CRL: an optional structure to store the parsed CRL (may be 'NULL'
2516 FLAGS: should be zero or one of GNUTLS_PKCS12_SP_*
2518 This function parses a PKCS12 structure in 'pkcs12' and extracts
2519 the private key, the corresponding certificate chain, any
2520 additional certificates and a CRL.
2522 The 'extra_certs' and 'extra_certs_len' parameters are optional and
2523 both may be set to 'NULL' . If either is non-'NULL' , then both
2524 must be set. The value for 'extra_certs' is allocated using
2527 Encrypted PKCS12 bags and PKCS8 private keys are supported, but
2528 only with password based security and the same password for all
2531 Note that a PKCS12 structure may contain many keys and/or
2532 certificates, and there is no way to identify which key/certificate
2533 pair you want. For this reason this function is useful for PKCS12
2534 files that contain only one key/certificate pair and/or one CRL.
2536 If the provided structure has encrypted fields but no password is
2537 provided then this function returns 'GNUTLS_E_DECRYPTION_FAILED' .
2539 Note that normally the chain constructed does not include self
2540 signed certificates, to comply with TLS' requirements. If,
2541 however, the flag 'GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED' is
2542 specified then self signed certificates will be included in the
2545 Prior to using this function the PKCS '12' structure integrity must
2546 be verified using 'gnutls_pkcs12_verify_mac()' .
2548 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2549 otherwise a negative error value.
2553 gnutls_pkcs12_verify_mac
2554 ------------------------
2556 -- Function: int gnutls_pkcs12_verify_mac (gnutls_pkcs12_t PKCS12,
2558 PKCS12: should contain a gnutls_pkcs12_t structure
2560 PASS: The password for the MAC
2562 This function will verify the MAC for the PKCS12 structure.
2564 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2565 otherwise a negative error value.
2568 File: gnutls.info, Node: PKCS 11 API, Next: TPM API, Prev: PKCS 12 API, Up: API reference
2570 E.7 Hardware token via PKCS 11 API
2571 ==================================
2573 The following functions are to be used for PKCS 11 handling. Their
2574 prototypes lie in 'gnutls/pkcs11.h'.
2576 gnutls_pkcs11_add_provider
2577 --------------------------
2579 -- Function: int gnutls_pkcs11_add_provider (const char * NAME, const
2581 NAME: The filename of the module
2583 PARAMS: should be NULL
2585 This function will load and add a PKCS 11 module to the module list
2586 used in gnutls. After this function is called the module will be
2587 used for PKCS 11 operations.
2589 When loading a module to be used for certificate verification, use
2590 the string 'trusted' as 'params' .
2592 Note that this function is not thread safe.
2594 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2595 otherwise a negative error value.
2599 gnutls_pkcs11_copy_secret_key
2600 -----------------------------
2602 -- Function: int gnutls_pkcs11_copy_secret_key (const char * TOKEN_URL,
2603 gnutls_datum_t * KEY, const char * LABEL, unsigned int
2604 KEY_USAGE, unsigned int FLAGS)
2605 TOKEN_URL: A PKCS '11' URL specifying a token
2609 LABEL: A name to be used for the stored data
2611 KEY_USAGE: One of GNUTLS_KEY_*
2613 FLAGS: One of GNUTLS_PKCS11_OBJ_FLAG_*
2615 This function will copy a raw secret (symmetric) key into a PKCS
2616 '11' token specified by a URL. The key can be marked as sensitive
2619 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2620 otherwise a negative error value.
2624 gnutls_pkcs11_copy_x509_crt
2625 ---------------------------
2627 -- Function: int gnutls_pkcs11_copy_x509_crt (const char * TOKEN_URL,
2628 gnutls_x509_crt_t CRT, const char * LABEL, unsigned int FLAGS)
2629 TOKEN_URL: A PKCS '11' URL specifying a token
2631 CRT: The certificate to copy
2633 LABEL: The name to be used for the stored data
2635 FLAGS: One of GNUTLS_PKCS11_OBJ_FLAG_*
2637 This function will copy a certificate into a PKCS '11' token
2638 specified by a URL. The certificate can be marked as trusted or
2641 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2642 otherwise a negative error value.
2646 gnutls_pkcs11_copy_x509_crt2
2647 ----------------------------
2649 -- Function: int gnutls_pkcs11_copy_x509_crt2 (const char * TOKEN_URL,
2650 gnutls_x509_crt_t CRT, const char * LABEL, const
2651 gnutls_datum_t * CID, unsigned int FLAGS)
2652 TOKEN_URL: A PKCS '11' URL specifying a token
2654 CRT: The certificate to copy
2656 LABEL: The name to be used for the stored data
2658 CID: The CKA_ID to set for the object -if NULL, the ID will be
2659 derived from the public key
2661 FLAGS: One of GNUTLS_PKCS11_OBJ_FLAG_*
2663 This function will copy a certificate into a PKCS '11' token
2664 specified by a URL. The certificate can be marked as trusted or
2667 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2668 otherwise a negative error value.
2672 gnutls_pkcs11_copy_x509_privkey
2673 -------------------------------
2675 -- Function: int gnutls_pkcs11_copy_x509_privkey (const char *
2676 TOKEN_URL, gnutls_x509_privkey_t KEY, const char * LABEL,
2677 unsigned int KEY_USAGE, unsigned int FLAGS)
2678 TOKEN_URL: A PKCS '11' URL specifying a token
2682 LABEL: A name to be used for the stored data
2684 KEY_USAGE: One of GNUTLS_KEY_*
2686 FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
2688 This function will copy a private key into a PKCS '11' token
2689 specified by a URL. It is highly recommended flags to contain
2690 'GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE' unless there is a strong
2693 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2694 otherwise a negative error value.
2698 gnutls_pkcs11_copy_x509_privkey2
2699 --------------------------------
2701 -- Function: int gnutls_pkcs11_copy_x509_privkey2 (const char *
2702 TOKEN_URL, gnutls_x509_privkey_t KEY, const char * LABEL,
2703 const gnutls_datum_t * CID, unsigned int KEY_USAGE, unsigned
2705 TOKEN_URL: A PKCS '11' URL specifying a token
2709 LABEL: A name to be used for the stored data
2711 CID: The CKA_ID to set for the object -if NULL, the ID will be
2712 derived from the public key
2714 KEY_USAGE: One of GNUTLS_KEY_*
2716 FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
2718 This function will copy a private key into a PKCS '11' token
2719 specified by a URL. It is highly recommended flags to contain
2720 'GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE' unless there is a strong
2723 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2724 otherwise a negative error value.
2728 gnutls_pkcs11_crt_is_known
2729 --------------------------
2731 -- Function: int gnutls_pkcs11_crt_is_known (const char * URL,
2732 gnutls_x509_crt_t CERT, unsigned int FLAGS)
2733 URL: A PKCS 11 url identifying a token
2735 CERT: is the certificate to find issuer for
2737 FLAGS: Use zero or flags from 'GNUTLS_PKCS11_OBJ_FLAG' .
2739 This function will check whether the provided certificate is stored
2740 in the specified token. This is useful in combination with
2741 'GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED' or
2742 'GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED' , to check whether a
2743 CA is present or a certificate is blacklisted in a trust PKCS '11'
2746 This function can be used with a 'url' of "pkcs11:", and in that
2747 case all modules will be searched. To restrict the modules to the
2748 marked as trusted in p11-kit use the
2749 'GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE' flag.
2751 Note that the flag 'GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED' is
2752 specific to p11-kit trust modules.
2754 *Returns:* If the certificate exists non-zero is returned,
2759 gnutls_pkcs11_deinit
2760 --------------------
2762 -- Function: void gnutls_pkcs11_deinit ( VOID)
2764 This function will deinitialize the PKCS 11 subsystem in gnutls.
2765 This function is only needed if you need to deinitialize the
2766 subsystem without calling 'gnutls_global_deinit()' .
2770 gnutls_pkcs11_delete_url
2771 ------------------------
2773 -- Function: int gnutls_pkcs11_delete_url (const char * OBJECT_URL,
2775 OBJECT_URL: The URL of the object to delete.
2777 FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
2779 This function will delete objects matching the given URL. Note that
2780 not all tokens support the delete operation.
2782 *Returns:* On success, the number of objects deleted is returned,
2783 otherwise a negative error value.
2787 gnutls_pkcs11_get_pin_function
2788 ------------------------------
2790 -- Function: gnutls_pin_callback_t gnutls_pkcs11_get_pin_function (void
2792 USERDATA: data to be supplied to callback
2794 This function will return the callback function set using
2795 'gnutls_pkcs11_set_pin_function()' .
2797 *Returns:* The function set or NULL otherwise.
2801 gnutls_pkcs11_get_raw_issuer
2802 ----------------------------
2804 -- Function: int gnutls_pkcs11_get_raw_issuer (const char * URL,
2805 gnutls_x509_crt_t CERT, gnutls_datum_t * ISSUER,
2806 gnutls_x509_crt_fmt_t FMT, unsigned int FLAGS)
2807 URL: A PKCS 11 url identifying a token
2809 CERT: is the certificate to find issuer for
2811 ISSUER: Will hold the issuer if any in an allocated buffer.
2813 FMT: The format of the exported issuer.
2815 FLAGS: Use zero or flags from 'GNUTLS_PKCS11_OBJ_FLAG' .
2817 This function will return the issuer of a given certificate, if it
2818 is stored in the token. By default only marked as trusted issuers
2819 are retuned. If any issuer should be returned specify
2820 'GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY' in 'flags' .
2822 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2823 otherwise a negative error value.
2830 -- Function: int gnutls_pkcs11_init (unsigned int FLAGS, const char *
2831 DEPRECATED_CONFIG_FILE)
2832 FLAGS: An ORed sequence of 'GNUTLS_PKCS11_FLAG_' *
2834 DEPRECATED_CONFIG_FILE: either NULL or the location of a deprecated
2837 This function will initialize the PKCS 11 subsystem in gnutls. It
2838 will read configuration files if 'GNUTLS_PKCS11_FLAG_AUTO' is used
2839 or allow you to independently load PKCS 11 modules using
2840 'gnutls_pkcs11_add_provider()' if 'GNUTLS_PKCS11_FLAG_MANUAL' is
2843 Normally you don't need to call this function since it is being
2844 called when the first PKCS 11 operation is requested using the
2845 'GNUTLS_PKCS11_FLAG_AUTO' flag. If another flags are required then
2846 it must be called independently prior to any PKCS 11 operation.
2848 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2849 otherwise a negative error value.
2853 gnutls_pkcs11_obj_deinit
2854 ------------------------
2856 -- Function: void gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t OBJ)
2857 OBJ: The structure to be initialized
2859 This function will deinitialize a certificate structure.
2863 gnutls_pkcs11_obj_export
2864 ------------------------
2866 -- Function: int gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t OBJ,
2867 void * OUTPUT_DATA, size_t * OUTPUT_DATA_SIZE)
2868 OBJ: Holds the object
2870 OUTPUT_DATA: will contain the object data
2872 OUTPUT_DATA_SIZE: holds the size of output_data (and will be
2873 replaced by the actual size of parameters)
2875 This function will export the PKCS11 object data. It is normal for
2876 data to be inaccesible and in that case 'GNUTLS_E_INVALID_REQUEST'
2879 If the buffer provided is not long enough to hold the output, then
2880 *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2883 *Returns:* In case of failure a negative error code will be
2884 returned, and 'GNUTLS_E_SUCCESS' (0) on success.
2888 gnutls_pkcs11_obj_export2
2889 -------------------------
2891 -- Function: int gnutls_pkcs11_obj_export2 (gnutls_pkcs11_obj_t OBJ,
2892 gnutls_datum_t * OUT)
2893 OBJ: Holds the object
2895 OUT: will contain the object data
2897 This function will export the PKCS11 object data. It is normal for
2898 data to be inaccesible and in that case 'GNUTLS_E_INVALID_REQUEST'
2901 The output buffer is allocated using 'gnutls_malloc()' .
2903 *Returns:* In case of failure a negative error code will be
2904 returned, and 'GNUTLS_E_SUCCESS' (0) on success.
2908 gnutls_pkcs11_obj_export3
2909 -------------------------
2911 -- Function: int gnutls_pkcs11_obj_export3 (gnutls_pkcs11_obj_t OBJ,
2912 gnutls_x509_crt_fmt_t FMT, gnutls_datum_t * OUT)
2913 OBJ: Holds the object
2915 FMT: The format of the exported data
2917 OUT: will contain the object data
2919 This function will export the PKCS11 object data. It is normal for
2920 data to be inaccesible and in that case 'GNUTLS_E_INVALID_REQUEST'
2923 The output buffer is allocated using 'gnutls_malloc()' .
2925 *Returns:* In case of failure a negative error code will be
2926 returned, and 'GNUTLS_E_SUCCESS' (0) on success.
2930 gnutls_pkcs11_obj_export_url
2931 ----------------------------
2933 -- Function: int gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t OBJ,
2934 gnutls_pkcs11_url_type_t DETAILED, char ** URL)
2935 OBJ: Holds the PKCS 11 certificate
2937 DETAILED: non zero if a detailed URL is required
2939 URL: will contain an allocated url
2941 This function will export a URL identifying the given certificate.
2943 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
2944 otherwise a negative error value.
2948 gnutls_pkcs11_obj_flags_get_str
2949 -------------------------------
2951 -- Function: char * gnutls_pkcs11_obj_flags_get_str (unsigned int
2953 FLAGS: holds the flags
2955 This function given an or-sequence of 'GNUTLS_PKCS11_OBJ_FLAG_MARK'
2956 , will return an allocated string with its description. The string
2957 needs to be deallocated using 'gnutls_free()' .
2959 *Returns:* If flags is zero 'NULL' is returned, otherwise an
2964 gnutls_pkcs11_obj_get_exts
2965 --------------------------
2967 -- Function: int gnutls_pkcs11_obj_get_exts (gnutls_pkcs11_obj_t OBJ,
2968 gnutls_x509_ext_st ** EXTS, unsigned int * EXTS_SIZE, unsigned
2970 OBJ: should contain a 'gnutls_pkcs11_obj_t' type
2972 EXTS: a pointer to a 'gnutls_x509_ext_st' pointer
2974 EXTS_SIZE: will be updated with the number of 'exts'
2976 FLAGS: Or sequence of 'GNUTLS_PKCS11_OBJ_' * flags
2978 This function will return information about attached extensions
2979 that associate to the provided object (which should be a
2980 certificate). The extensions are the attached p11-kit trust module
2983 Each element of 'exts' must be deinitialized using
2984 'gnutls_x509_ext_deinit()' while 'exts' should be deallocated using
2987 *Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
2992 gnutls_pkcs11_obj_get_flags
2993 ---------------------------
2995 -- Function: int gnutls_pkcs11_obj_get_flags (gnutls_pkcs11_obj_t OBJ,
2996 unsigned int * OFLAGS)
2997 OBJ: The structure that holds the object
2999 OFLAGS: Will hold the output flags
3001 This function will return the flags of the object being stored in
3002 the structure. The 'oflags' are the 'GNUTLS_PKCS11_OBJ_FLAG_MARK'
3005 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3006 otherwise a negative error value.
3010 gnutls_pkcs11_obj_get_info
3011 --------------------------
3013 -- Function: int gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t OBJ,
3014 gnutls_pkcs11_obj_info_t ITYPE, void * OUTPUT, size_t *
3016 OBJ: should contain a 'gnutls_pkcs11_obj_t' structure
3018 ITYPE: Denotes the type of information requested
3020 OUTPUT: where output will be stored
3022 OUTPUT_SIZE: contains the maximum size of the output and will be
3023 overwritten with actual
3025 This function will return information about the PKCS11 certificate
3026 such as the label, id as well as token information where the key is
3027 stored. When output is text it returns null terminated string
3028 although 'output_size' contains the size of the actual data only.
3030 *Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
3035 gnutls_pkcs11_obj_get_type
3036 --------------------------
3038 -- Function: gnutls_pkcs11_obj_type_t gnutls_pkcs11_obj_get_type
3039 (gnutls_pkcs11_obj_t OBJ)
3040 OBJ: Holds the PKCS 11 object
3042 This function will return the type of the object being stored in
3045 *Returns:* The type of the object
3049 gnutls_pkcs11_obj_import_url
3050 ----------------------------
3052 -- Function: int gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t OBJ,
3053 const char * URL, unsigned int FLAGS)
3054 OBJ: The structure to store the object
3056 URL: a PKCS 11 url identifying the key
3058 FLAGS: Or sequence of GNUTLS_PKCS11_OBJ_* flags
3060 This function will "import" a PKCS 11 URL identifying an object
3061 (e.g. certificate) to the 'gnutls_pkcs11_obj_t' structure. This
3062 does not involve any parsing (such as X.509 or OpenPGP) since the
3063 'gnutls_pkcs11_obj_t' is format agnostic. Only data are
3066 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3067 otherwise a negative error value.
3071 gnutls_pkcs11_obj_init
3072 ----------------------
3074 -- Function: int gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * OBJ)
3075 OBJ: The structure to be initialized
3077 This function will initialize a pkcs11 certificate structure.
3079 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3080 otherwise a negative error value.
3084 gnutls_pkcs11_obj_list_import_url
3085 ---------------------------------
3087 -- Function: int gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t
3088 * P_LIST, unsigned int * N_LIST, const char * URL,
3089 gnutls_pkcs11_obj_attr_t ATTRS, unsigned int FLAGS)
3090 P_LIST: An uninitialized object list (may be NULL)
3092 N_LIST: initially should hold the maximum size of the list. Will
3093 contain the actual size.
3095 URL: A PKCS 11 url identifying a set of objects
3097 ATTRS: Attributes of type 'gnutls_pkcs11_obj_attr_t' that can be
3098 used to limit output
3100 FLAGS: Or sequence of GNUTLS_PKCS11_OBJ_* flags
3102 This function will initialize and set values to an object list by
3103 using all objects identified by a PKCS 11 URL.
3105 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3106 otherwise a negative error value.
3110 gnutls_pkcs11_obj_list_import_url2
3111 ----------------------------------
3113 -- Function: int gnutls_pkcs11_obj_list_import_url2
3114 (gnutls_pkcs11_obj_t ** P_LIST, unsigned int * N_LIST, const
3115 char * URL, gnutls_pkcs11_obj_attr_t ATTRS, unsigned int
3117 P_LIST: An uninitialized object list (may be NULL)
3119 N_LIST: It will contain the size of the list.
3121 URL: A PKCS 11 url identifying a set of objects
3123 ATTRS: Attributes of type 'gnutls_pkcs11_obj_attr_t' that can be
3124 used to limit output
3126 FLAGS: Or sequence of GNUTLS_PKCS11_OBJ_* flags
3128 This function will initialize and set values to an object list by
3129 using all objects identified by the PKCS 11 URL. The output is
3130 stored in 'p_list' , which will be initialized.
3132 All returned objects must be deinitialized using
3133 'gnutls_pkcs11_obj_deinit()' , and 'p_list' must be free'd using
3136 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3137 otherwise a negative error value.
3141 gnutls_pkcs11_obj_set_info
3142 --------------------------
3144 -- Function: int gnutls_pkcs11_obj_set_info (gnutls_pkcs11_obj_t OBJ,
3145 gnutls_pkcs11_obj_info_t ITYPE, const void * DATA, size_t
3146 DATA_SIZE, unsigned FLAGS)
3147 OBJ: should contain a 'gnutls_pkcs11_obj_t' structure
3149 ITYPE: Denotes the type of information to be set
3151 DATA: the data to set
3153 DATA_SIZE: the size of data
3155 FLAGS: Or sequence of GNUTLS_PKCS11_OBJ_* flags
3157 This function will set attributes on the provided object.
3158 Available options for 'itype' are 'GNUTLS_PKCS11_OBJ_LABEL' ,
3159 'GNUTLS_PKCS11_OBJ_ID_HEX' , and 'GNUTLS_PKCS11_OBJ_ID' .
3161 *Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
3166 gnutls_pkcs11_obj_set_pin_function
3167 ----------------------------------
3169 -- Function: void gnutls_pkcs11_obj_set_pin_function
3170 (gnutls_pkcs11_obj_t OBJ, gnutls_pin_callback_t FN, void *
3172 OBJ: The object structure
3176 USERDATA: data associated with the callback
3178 This function will set a callback function to be used when required
3179 to access the object. This function overrides the global set using
3180 'gnutls_pkcs11_set_pin_function()' .
3184 gnutls_pkcs11_privkey_deinit
3185 ----------------------------
3187 -- Function: void gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t
3189 KEY: The structure to be initialized
3191 This function will deinitialize a private key structure.
3193 gnutls_pkcs11_privkey_export_pubkey
3194 -----------------------------------
3196 -- Function: int gnutls_pkcs11_privkey_export_pubkey
3197 (gnutls_pkcs11_privkey_t PKEY, gnutls_x509_crt_fmt_t FMT,
3198 gnutls_datum_t * DATA, unsigned int FLAGS)
3199 PKEY: The private key
3201 FMT: the format of output params. PEM or DER.
3203 DATA: will hold the public key
3205 FLAGS: should be zero
3207 This function will extract the public key (modulus and public
3208 exponent) from the private key specified by the 'url' private key.
3209 This public key will be stored in 'pubkey' in the format specified
3210 by 'fmt' . 'pubkey' should be deinitialized using 'gnutls_free()'
3213 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3214 otherwise a negative error value.
3218 gnutls_pkcs11_privkey_export_url
3219 --------------------------------
3221 -- Function: int gnutls_pkcs11_privkey_export_url
3222 (gnutls_pkcs11_privkey_t KEY, gnutls_pkcs11_url_type_t
3223 DETAILED, char ** URL)
3224 KEY: Holds the PKCS 11 key
3226 DETAILED: non zero if a detailed URL is required
3228 URL: will contain an allocated url
3230 This function will export a URL identifying the given key.
3232 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3233 otherwise a negative error value.
3235 gnutls_pkcs11_privkey_generate
3236 ------------------------------
3238 -- Function: int gnutls_pkcs11_privkey_generate (const char * URL,
3239 gnutls_pk_algorithm_t PK, unsigned int BITS, const char *
3240 LABEL, unsigned int FLAGS)
3243 PK: the public key algorithm
3245 BITS: the security bits
3249 FLAGS: should be zero
3251 This function will generate a private key in the specified by the
3252 'url' token. The private key will be generate within the token and
3253 will not be exportable.
3255 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3256 otherwise a negative error value.
3260 gnutls_pkcs11_privkey_generate2
3261 -------------------------------
3263 -- Function: int gnutls_pkcs11_privkey_generate2 (const char * URL,
3264 gnutls_pk_algorithm_t PK, unsigned int BITS, const char *
3265 LABEL, gnutls_x509_crt_fmt_t FMT, gnutls_datum_t * PUBKEY,
3269 PK: the public key algorithm
3271 BITS: the security bits
3275 FMT: the format of output params. PEM or DER
3277 PUBKEY: will hold the public key (may be 'NULL' )
3279 FLAGS: zero or an OR'ed sequence of 'GNUTLS_PKCS11_OBJ_FLAGs'
3281 This function will generate a private key in the specified by the
3282 'url' token. The private key will be generate within the token and
3283 will not be exportable. This function will store the DER-encoded
3284 public key in the SubjectPublicKeyInfo format in 'pubkey' . The
3285 'pubkey' should be deinitialized using 'gnutls_free()' .
3287 Note that when generating an elliptic curve key, the curve can be
3288 substituted in the place of the bits parameter using the
3289 'GNUTLS_CURVE_TO_BITS()' macro.
3291 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3292 otherwise a negative error value.
3296 gnutls_pkcs11_privkey_generate3
3297 -------------------------------
3299 -- Function: int gnutls_pkcs11_privkey_generate3 (const char * URL,
3300 gnutls_pk_algorithm_t PK, unsigned int BITS, const char *
3301 LABEL, const gnutls_datum_t * CID, gnutls_x509_crt_fmt_t FMT,
3302 gnutls_datum_t * PUBKEY, unsigned int FLAGS)
3305 PK: the public key algorithm
3307 BITS: the security bits
3311 CID: The CKA_ID to use for the new object
3313 FMT: the format of output params. PEM or DER
3315 PUBKEY: will hold the public key (may be 'NULL' )
3317 FLAGS: zero or an OR'ed sequence of 'GNUTLS_PKCS11_OBJ_FLAGs'
3319 This function will generate a private key in the specified by the
3320 'url' token. The private key will be generate within the token and
3321 will not be exportable. This function will store the DER-encoded
3322 public key in the SubjectPublicKeyInfo format in 'pubkey' . The
3323 'pubkey' should be deinitialized using 'gnutls_free()' .
3325 Note that when generating an elliptic curve key, the curve can be
3326 substituted in the place of the bits parameter using the
3327 'GNUTLS_CURVE_TO_BITS()' macro.
3329 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3330 otherwise a negative error value.
3334 gnutls_pkcs11_privkey_get_info
3335 ------------------------------
3337 -- Function: int gnutls_pkcs11_privkey_get_info
3338 (gnutls_pkcs11_privkey_t PKEY, gnutls_pkcs11_obj_info_t ITYPE,
3339 void * OUTPUT, size_t * OUTPUT_SIZE)
3340 PKEY: should contain a 'gnutls_pkcs11_privkey_t' structure
3342 ITYPE: Denotes the type of information requested
3344 OUTPUT: where output will be stored
3346 OUTPUT_SIZE: contains the maximum size of the output and will be
3347 overwritten with actual
3349 This function will return information about the PKCS 11 private key
3350 such as the label, id as well as token information where the key is
3351 stored. When output is text it returns null terminated string
3352 although 'output_size' contains the size of the actual data only.
3354 *Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
3357 gnutls_pkcs11_privkey_get_pk_algorithm
3358 --------------------------------------
3360 -- Function: int gnutls_pkcs11_privkey_get_pk_algorithm
3361 (gnutls_pkcs11_privkey_t KEY, unsigned int * BITS)
3362 KEY: should contain a 'gnutls_pkcs11_privkey_t' structure
3364 BITS: if bits is non null it will hold the size of the parameters'
3367 This function will return the public key algorithm of a private
3370 *Returns:* a member of the 'gnutls_pk_algorithm_t' enumeration on
3371 success, or a negative error code on error.
3373 gnutls_pkcs11_privkey_import_url
3374 --------------------------------
3376 -- Function: int gnutls_pkcs11_privkey_import_url
3377 (gnutls_pkcs11_privkey_t PKEY, const char * URL, unsigned int
3379 PKEY: The structure to store the parsed key
3381 URL: a PKCS 11 url identifying the key
3383 FLAGS: Or sequence of GNUTLS_PKCS11_OBJ_* flags
3385 This function will "import" a PKCS 11 URL identifying a private key
3386 to the 'gnutls_pkcs11_privkey_t' structure. In reality since in
3387 most cases keys cannot be exported, the private key structure is
3388 being associated with the available operations on the token.
3390 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3391 otherwise a negative error value.
3393 gnutls_pkcs11_privkey_init
3394 --------------------------
3396 -- Function: int gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t *
3398 KEY: The structure to be initialized
3400 This function will initialize an private key structure.
3402 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3403 otherwise a negative error value.
3405 gnutls_pkcs11_privkey_set_pin_function
3406 --------------------------------------
3408 -- Function: void gnutls_pkcs11_privkey_set_pin_function
3409 (gnutls_pkcs11_privkey_t KEY, gnutls_pin_callback_t FN, void *
3411 KEY: The private key
3415 USERDATA: data associated with the callback
3417 This function will set a callback function to be used when required
3418 to access the object. This function overrides the global set using
3419 'gnutls_pkcs11_set_pin_function()' .
3423 gnutls_pkcs11_privkey_status
3424 ----------------------------
3426 -- Function: int gnutls_pkcs11_privkey_status (gnutls_pkcs11_privkey_t
3430 Checks the status of the private key token.
3432 *Returns:* this function will return non-zero if the token holding
3433 the private key is still available (inserted), and zero otherwise.
3437 gnutls_pkcs11_reinit
3438 --------------------
3440 -- Function: int gnutls_pkcs11_reinit ( VOID)
3442 This function will reinitialize the PKCS 11 subsystem in gnutls.
3443 This is required by PKCS 11 when an application uses 'fork()' .
3444 The reinitialization function must be called on the child.
3446 Note that since GnuTLS 3.3.0, the reinitialization of the PKCS '11'
3447 subsystem occurs automatically after fork.
3449 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3450 otherwise a negative error value.
3454 gnutls_pkcs11_set_pin_function
3455 ------------------------------
3457 -- Function: void gnutls_pkcs11_set_pin_function (gnutls_pin_callback_t
3458 FN, void * USERDATA)
3459 FN: The PIN callback, a 'gnutls_pin_callback_t()' function.
3461 USERDATA: data to be supplied to callback
3463 This function will set a callback function to be used when a PIN is
3464 required for PKCS 11 operations. See 'gnutls_pin_callback_t()' on
3465 how the callback should behave.
3469 gnutls_pkcs11_set_token_function
3470 --------------------------------
3472 -- Function: void gnutls_pkcs11_set_token_function
3473 (gnutls_pkcs11_token_callback_t FN, void * USERDATA)
3474 FN: The token callback
3476 USERDATA: data to be supplied to callback
3478 This function will set a callback function to be used when a token
3479 needs to be inserted to continue PKCS 11 operations.
3483 gnutls_pkcs11_token_get_flags
3484 -----------------------------
3486 -- Function: int gnutls_pkcs11_token_get_flags (const char * URL,
3487 unsigned int * FLAGS)
3488 URL: should contain a PKCS 11 URL
3490 FLAGS: The output flags (GNUTLS_PKCS11_TOKEN_*)
3492 This function will return information about the PKCS 11 token
3495 The supported flags are: 'GNUTLS_PKCS11_TOKEN_HW' and
3496 'GNUTLS_PKCS11_TOKEN_TRUSTED' .
3498 *Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
3503 gnutls_pkcs11_token_get_info
3504 ----------------------------
3506 -- Function: int gnutls_pkcs11_token_get_info (const char * URL,
3507 gnutls_pkcs11_token_info_t TTYPE, void * OUTPUT, size_t *
3509 URL: should contain a PKCS 11 URL
3511 TTYPE: Denotes the type of information requested
3513 OUTPUT: where output will be stored
3515 OUTPUT_SIZE: contains the maximum size of the output and will be
3516 overwritten with actual
3518 This function will return information about the PKCS 11 token such
3519 as the label, id, etc.
3521 *Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
3526 gnutls_pkcs11_token_get_mechanism
3527 ---------------------------------
3529 -- Function: int gnutls_pkcs11_token_get_mechanism (const char * URL,
3530 unsigned int IDX, unsigned long * MECHANISM)
3531 URL: should contain a PKCS 11 URL
3533 IDX: The index of the mechanism
3535 MECHANISM: The PKCS '11' mechanism ID
3537 This function will return the names of the supported mechanisms by
3538 the token. It should be called with an increasing index until it
3539 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
3541 *Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
3546 gnutls_pkcs11_token_get_random
3547 ------------------------------
3549 -- Function: int gnutls_pkcs11_token_get_random (const char *
3550 TOKEN_URL, void * RNDDATA, size_t LEN)
3551 TOKEN_URL: A PKCS '11' URL specifying a token
3553 RNDDATA: A pointer to the memory area to be filled with random data
3555 LEN: The number of bytes of randomness to request
3557 This function will get random data from the given token. It will
3558 store rnddata and fill the memory pointed to by rnddata with len
3559 random bytes from the token.
3561 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3562 otherwise a negative error value.
3564 gnutls_pkcs11_token_get_url
3565 ---------------------------
3567 -- Function: int gnutls_pkcs11_token_get_url (unsigned int SEQ,
3568 gnutls_pkcs11_url_type_t DETAILED, char ** URL)
3569 SEQ: sequence number starting from 0
3571 DETAILED: non zero if a detailed URL is required
3573 URL: will contain an allocated url
3575 This function will return the URL for each token available in
3576 system. The url has to be released using 'gnutls_free()'
3578 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3579 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the sequence number
3580 exceeds the available tokens, otherwise a negative error value.
3584 gnutls_pkcs11_token_init
3585 ------------------------
3587 -- Function: int gnutls_pkcs11_token_init (const char * TOKEN_URL,
3588 const char * SO_PIN, const char * LABEL)
3589 TOKEN_URL: A PKCS '11' URL specifying a token
3591 SO_PIN: Security Officer's PIN
3593 LABEL: A name to be used for the token
3595 This function will initialize (format) a token. If the token is at
3596 a factory defaults state the security officer's PIN given will be
3597 set to be the default. Otherwise it should match the officer's
3600 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3601 otherwise a negative error value.
3603 gnutls_pkcs11_token_set_pin
3604 ---------------------------
3606 -- Function: int gnutls_pkcs11_token_set_pin (const char * TOKEN_URL,
3607 const char * OLDPIN, const char * NEWPIN, unsigned int FLAGS)
3608 TOKEN_URL: A PKCS '11' URL specifying a token
3610 OLDPIN: old user's PIN
3612 NEWPIN: new user's PIN
3614 FLAGS: one of 'gnutls_pin_flag_t' .
3616 This function will modify or set a user's PIN for the given token.
3617 If it is called to set a user pin for first time the oldpin must be
3620 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3621 otherwise a negative error value.
3623 gnutls_pkcs11_type_get_name
3624 ---------------------------
3626 -- Function: const char * gnutls_pkcs11_type_get_name
3627 (gnutls_pkcs11_obj_type_t TYPE)
3628 TYPE: Holds the PKCS 11 object type, a 'gnutls_pkcs11_obj_type_t' .
3630 This function will return a human readable description of the
3631 PKCS11 object type 'obj' . It will return "Unknown" for unknown
3634 *Returns:* human readable string labeling the PKCS11 object type
3639 gnutls_x509_crt_import_pkcs11
3640 -----------------------------
3642 -- Function: int gnutls_x509_crt_import_pkcs11 (gnutls_x509_crt_t CRT,
3643 gnutls_pkcs11_obj_t PKCS11_CRT)
3644 CRT: A certificate of type 'gnutls_x509_crt_t'
3646 PKCS11_CRT: A PKCS 11 object that contains a certificate
3648 This function will import a PKCS 11 certificate to a
3649 'gnutls_x509_crt_t' structure.
3651 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3652 otherwise a negative error value.
3656 gnutls_x509_crt_import_pkcs11_url
3657 ---------------------------------
3659 -- Function: int gnutls_x509_crt_import_pkcs11_url (gnutls_x509_crt_t
3660 CRT, const char * URL, unsigned int FLAGS)
3661 CRT: A certificate of type 'gnutls_x509_crt_t'
3665 FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
3667 This function will import a PKCS 11 certificate directly from a
3668 token without involving the 'gnutls_pkcs11_obj_t' structure. This
3669 function will fail if the certificate stored is not of X.509 type.
3671 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3672 otherwise a negative error value.
3676 gnutls_x509_crt_list_import_pkcs11
3677 ----------------------------------
3679 -- Function: int gnutls_x509_crt_list_import_pkcs11 (gnutls_x509_crt_t
3680 * CERTS, unsigned int CERT_MAX, gnutls_pkcs11_obj_t * const
3681 OBJS, unsigned int FLAGS)
3682 CERTS: A list of certificates of type 'gnutls_x509_crt_t'
3684 CERT_MAX: The maximum size of the list
3686 OBJS: A list of PKCS 11 objects
3690 This function will import a PKCS 11 certificate list to a list of
3691 'gnutls_x509_crt_t' structure. These must not be initialized.
3693 *Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
3694 otherwise a negative error value.