2 @subheading gnutls_pkcs11_add_provider
3 @anchor{gnutls_pkcs11_add_provider}
4 @deftypefun {int} {gnutls_pkcs11_add_provider} (const char * @var{name}, const char * @var{params})
5 @var{name}: The filename of the module
7 @var{params}: should be NULL
9 This function will load and add a PKCS 11 module to the module
10 list used in gnutls. After this function is called the module will
11 be used for PKCS 11 operations.
13 When loading a module to be used for certificate verification,
14 use the string 'trusted' as @code{params} .
16 Note that this function is not thread safe.
18 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
21 @strong{Since:} 2.12.0
24 @subheading gnutls_pkcs11_copy_secret_key
25 @anchor{gnutls_pkcs11_copy_secret_key}
26 @deftypefun {int} {gnutls_pkcs11_copy_secret_key} (const char * @var{token_url}, gnutls_datum_t * @var{key}, const char * @var{label}, unsigned int @var{key_usage}, unsigned int @var{flags})
27 @var{token_url}: A PKCS @code{11} URL specifying a token
29 @var{key}: The raw key
31 @var{label}: A name to be used for the stored data
33 @var{key_usage}: One of GNUTLS_KEY_*
35 @var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
37 This function will copy a raw secret (symmetric) key into a PKCS @code{11}
38 token specified by a URL. The key can be marked as sensitive or not.
40 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
43 @strong{Since:} 2.12.0
46 @subheading gnutls_pkcs11_copy_x509_crt
47 @anchor{gnutls_pkcs11_copy_x509_crt}
48 @deftypefun {int} {gnutls_pkcs11_copy_x509_crt} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, unsigned int @var{flags})
49 @var{token_url}: A PKCS @code{11} URL specifying a token
51 @var{crt}: The certificate to copy
53 @var{label}: The name to be used for the stored data
55 @var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
57 This function will copy a certificate into a PKCS @code{11} token specified by
58 a URL. The certificate can be marked as trusted or not.
60 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
63 @strong{Since:} 2.12.0
66 @subheading gnutls_pkcs11_copy_x509_crt2
67 @anchor{gnutls_pkcs11_copy_x509_crt2}
68 @deftypefun {int} {gnutls_pkcs11_copy_x509_crt2} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{flags})
69 @var{token_url}: A PKCS @code{11} URL specifying a token
71 @var{crt}: The certificate to copy
73 @var{label}: The name to be used for the stored data
75 @var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
77 @var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
79 This function will copy a certificate into a PKCS @code{11} token specified by
80 a URL. The certificate can be marked as trusted or not.
82 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
85 @strong{Since:} 3.3.26
88 @subheading gnutls_pkcs11_copy_x509_privkey
89 @anchor{gnutls_pkcs11_copy_x509_privkey}
90 @deftypefun {int} {gnutls_pkcs11_copy_x509_privkey} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, unsigned int @var{key_usage}, unsigned int @var{flags})
91 @var{token_url}: A PKCS @code{11} URL specifying a token
93 @var{key}: A private key
95 @var{label}: A name to be used for the stored data
97 @var{key_usage}: One of GNUTLS_KEY_*
99 @var{flags}: One of GNUTLS_PKCS11_OBJ_* flags
101 This function will copy a private key into a PKCS @code{11} token specified by
102 a URL. It is highly recommended flags to contain @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE}
103 unless there is a strong reason not to.
105 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
106 negative error value.
108 @strong{Since:} 2.12.0
111 @subheading gnutls_pkcs11_copy_x509_privkey2
112 @anchor{gnutls_pkcs11_copy_x509_privkey2}
113 @deftypefun {int} {gnutls_pkcs11_copy_x509_privkey2} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{key_usage}, unsigned int @var{flags})
114 @var{token_url}: A PKCS @code{11} URL specifying a token
116 @var{key}: A private key
118 @var{label}: A name to be used for the stored data
120 @var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
122 @var{key_usage}: One of GNUTLS_KEY_*
124 @var{flags}: One of GNUTLS_PKCS11_OBJ_* flags
126 This function will copy a private key into a PKCS @code{11} token specified by
127 a URL. It is highly recommended flags to contain @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE}
128 unless there is a strong reason not to.
130 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
131 negative error value.
133 @strong{Since:} 3.3.26
136 @subheading gnutls_pkcs11_crt_is_known
137 @anchor{gnutls_pkcs11_crt_is_known}
138 @deftypefun {int} {gnutls_pkcs11_crt_is_known} (const char * @var{url}, gnutls_x509_crt_t @var{cert}, unsigned int @var{flags})
139 @var{url}: A PKCS 11 url identifying a token
141 @var{cert}: is the certificate to find issuer for
143 @var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} .
145 This function will check whether the provided certificate is stored
146 in the specified token. This is useful in combination with
147 @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED} or
148 @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED} ,
149 to check whether a CA is present or a certificate is blacklisted in
150 a trust PKCS @code{11} module.
152 This function can be used with a @code{url} of "pkcs11:", and in that case all modules
153 will be searched. To restrict the modules to the marked as trusted in p11-kit
154 use the @code{GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE} flag.
156 Note that the flag @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED} is
157 specific to p11-kit trust modules.
159 @strong{Returns:} If the certificate exists non-zero is returned, otherwise zero.
161 @strong{Since:} 3.3.0
164 @subheading gnutls_pkcs11_deinit
165 @anchor{gnutls_pkcs11_deinit}
166 @deftypefun {void} {gnutls_pkcs11_deinit} ( @var{void})
168 This function will deinitialize the PKCS 11 subsystem in gnutls.
169 This function is only needed if you need to deinitialize the
170 subsystem without calling @code{gnutls_global_deinit()} .
172 @strong{Since:} 2.12.0
175 @subheading gnutls_pkcs11_delete_url
176 @anchor{gnutls_pkcs11_delete_url}
177 @deftypefun {int} {gnutls_pkcs11_delete_url} (const char * @var{object_url}, unsigned int @var{flags})
178 @var{object_url}: The URL of the object to delete.
180 @var{flags}: One of GNUTLS_PKCS11_OBJ_* flags
182 This function will delete objects matching the given URL.
183 Note that not all tokens support the delete operation.
185 @strong{Returns:} On success, the number of objects deleted is returned, otherwise a
186 negative error value.
188 @strong{Since:} 2.12.0
191 @subheading gnutls_pkcs11_get_pin_function
192 @anchor{gnutls_pkcs11_get_pin_function}
193 @deftypefun {gnutls_pin_callback_t} {gnutls_pkcs11_get_pin_function} (void ** @var{userdata})
194 @var{userdata}: data to be supplied to callback
196 This function will return the callback function set using
197 @code{gnutls_pkcs11_set_pin_function()} .
199 @strong{Returns:} The function set or NULL otherwise.
201 @strong{Since:} 3.1.0
204 @subheading gnutls_pkcs11_get_raw_issuer
205 @anchor{gnutls_pkcs11_get_raw_issuer}
206 @deftypefun {int} {gnutls_pkcs11_get_raw_issuer} (const char * @var{url}, gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{issuer}, gnutls_x509_crt_fmt_t @var{fmt}, unsigned int @var{flags})
207 @var{url}: A PKCS 11 url identifying a token
209 @var{cert}: is the certificate to find issuer for
211 @var{issuer}: Will hold the issuer if any in an allocated buffer.
213 @var{fmt}: The format of the exported issuer.
215 @var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} .
217 This function will return the issuer of a given certificate, if it
218 is stored in the token. By default only marked as trusted issuers
219 are retuned. If any issuer should be returned specify
220 @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY} in @code{flags} .
222 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
223 negative error value.
225 @strong{Since:} 3.2.7
228 @subheading gnutls_pkcs11_init
229 @anchor{gnutls_pkcs11_init}
230 @deftypefun {int} {gnutls_pkcs11_init} (unsigned int @var{flags}, const char * @var{deprecated_config_file})
231 @var{flags}: An ORed sequence of @code{GNUTLS_PKCS11_FLAG_} *
233 @var{deprecated_config_file}: either NULL or the location of a deprecated
236 This function will initialize the PKCS 11 subsystem in gnutls. It will
237 read configuration files if @code{GNUTLS_PKCS11_FLAG_AUTO} is used or allow
238 you to independently load PKCS 11 modules using @code{gnutls_pkcs11_add_provider()}
239 if @code{GNUTLS_PKCS11_FLAG_MANUAL} is specified.
241 Normally you don't need to call this function since it is being called
242 when the first PKCS 11 operation is requested using the @code{GNUTLS_PKCS11_FLAG_AUTO}
243 flag. If another flags are required then it must be called independently
244 prior to any PKCS 11 operation.
246 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
247 negative error value.
249 @strong{Since:} 2.12.0
252 @subheading gnutls_pkcs11_obj_deinit
253 @anchor{gnutls_pkcs11_obj_deinit}
254 @deftypefun {void} {gnutls_pkcs11_obj_deinit} (gnutls_pkcs11_obj_t @var{obj})
255 @var{obj}: The structure to be initialized
257 This function will deinitialize a certificate structure.
259 @strong{Since:} 2.12.0
262 @subheading gnutls_pkcs11_obj_export
263 @anchor{gnutls_pkcs11_obj_export}
264 @deftypefun {int} {gnutls_pkcs11_obj_export} (gnutls_pkcs11_obj_t @var{obj}, void * @var{output_data}, size_t * @var{output_data_size})
265 @var{obj}: Holds the object
267 @var{output_data}: will contain the object data
269 @var{output_data_size}: holds the size of output_data (and will be
270 replaced by the actual size of parameters)
272 This function will export the PKCS11 object data. It is normal for
273 data to be inaccesible and in that case @code{GNUTLS_E_INVALID_REQUEST}
276 If the buffer provided is not long enough to hold the output, then
277 *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
280 @strong{Returns:} In case of failure a negative error code will be
281 returned, and @code{GNUTLS_E_SUCCESS} (0) on success.
283 @strong{Since:} 2.12.0
286 @subheading gnutls_pkcs11_obj_export2
287 @anchor{gnutls_pkcs11_obj_export2}
288 @deftypefun {int} {gnutls_pkcs11_obj_export2} (gnutls_pkcs11_obj_t @var{obj}, gnutls_datum_t * @var{out})
289 @var{obj}: Holds the object
291 @var{out}: will contain the object data
293 This function will export the PKCS11 object data. It is normal for
294 data to be inaccesible and in that case @code{GNUTLS_E_INVALID_REQUEST}
297 The output buffer is allocated using @code{gnutls_malloc()} .
299 @strong{Returns:} In case of failure a negative error code will be
300 returned, and @code{GNUTLS_E_SUCCESS} (0) on success.
302 @strong{Since:} 3.1.3
305 @subheading gnutls_pkcs11_obj_export3
306 @anchor{gnutls_pkcs11_obj_export3}
307 @deftypefun {int} {gnutls_pkcs11_obj_export3} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{out})
308 @var{obj}: Holds the object
310 @var{fmt}: The format of the exported data
312 @var{out}: will contain the object data
314 This function will export the PKCS11 object data. It is normal for
315 data to be inaccesible and in that case @code{GNUTLS_E_INVALID_REQUEST}
318 The output buffer is allocated using @code{gnutls_malloc()} .
320 @strong{Returns:} In case of failure a negative error code will be
321 returned, and @code{GNUTLS_E_SUCCESS} (0) on success.
323 @strong{Since:} 3.2.7
326 @subheading gnutls_pkcs11_obj_export_url
327 @anchor{gnutls_pkcs11_obj_export_url}
328 @deftypefun {int} {gnutls_pkcs11_obj_export_url} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url})
329 @var{obj}: Holds the PKCS 11 certificate
331 @var{detailed}: non zero if a detailed URL is required
333 @var{url}: will contain an allocated url
335 This function will export a URL identifying the given certificate.
337 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
338 negative error value.
340 @strong{Since:} 2.12.0
343 @subheading gnutls_pkcs11_obj_flags_get_str
344 @anchor{gnutls_pkcs11_obj_flags_get_str}
345 @deftypefun {char *} {gnutls_pkcs11_obj_flags_get_str} (unsigned int @var{flags})
346 @var{flags}: holds the flags
348 This function given an or-sequence of @code{GNUTLS_PKCS11_OBJ_FLAG_MARK} ,
349 will return an allocated string with its description. The string
350 needs to be deallocated using @code{gnutls_free()} .
352 @strong{Returns:} If flags is zero @code{NULL} is returned, otherwise an allocated string.
354 @strong{Since:} 3.3.7
357 @subheading gnutls_pkcs11_obj_get_exts
358 @anchor{gnutls_pkcs11_obj_get_exts}
359 @deftypefun {int} {gnutls_pkcs11_obj_get_exts} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_ext_st ** @var{exts}, unsigned int * @var{exts_size}, unsigned int @var{flags})
360 @var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type
362 @var{exts}: a pointer to a @code{gnutls_x509_ext_st} pointer
364 @var{exts_size}: will be updated with the number of @code{exts}
366 @var{flags}: Or sequence of @code{GNUTLS_PKCS11_OBJ_} * flags
368 This function will return information about attached extensions
369 that associate to the provided object (which should be a certificate).
370 The extensions are the attached p11-kit trust module extensions.
372 Each element of @code{exts} must be deinitialized using @code{gnutls_x509_ext_deinit()}
373 while @code{exts} should be deallocated using @code{gnutls_free()} .
375 @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
377 @strong{Since:} 3.3.8
380 @subheading gnutls_pkcs11_obj_get_flags
381 @anchor{gnutls_pkcs11_obj_get_flags}
382 @deftypefun {int} {gnutls_pkcs11_obj_get_flags} (gnutls_pkcs11_obj_t @var{obj}, unsigned int * @var{oflags})
383 @var{obj}: The structure that holds the object
385 @var{oflags}: Will hold the output flags
387 This function will return the flags of the object being
388 stored in the structure. The @code{oflags} are the @code{GNUTLS_PKCS11_OBJ_FLAG_MARK}
391 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
392 negative error value.
394 @strong{Since:} 3.3.7
397 @subheading gnutls_pkcs11_obj_get_info
398 @anchor{gnutls_pkcs11_obj_get_info}
399 @deftypefun {int} {gnutls_pkcs11_obj_get_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size})
400 @var{obj}: should contain a @code{gnutls_pkcs11_obj_t} structure
402 @var{itype}: Denotes the type of information requested
404 @var{output}: where output will be stored
406 @var{output_size}: contains the maximum size of the output and will be overwritten with actual
408 This function will return information about the PKCS11 certificate
409 such as the label, id as well as token information where the key is
410 stored. When output is text it returns null terminated string
411 although @code{output_size} contains the size of the actual data only.
413 @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
415 @strong{Since:} 2.12.0
418 @subheading gnutls_pkcs11_obj_get_type
419 @anchor{gnutls_pkcs11_obj_get_type}
420 @deftypefun {gnutls_pkcs11_obj_type_t} {gnutls_pkcs11_obj_get_type} (gnutls_pkcs11_obj_t @var{obj})
421 @var{obj}: Holds the PKCS 11 object
423 This function will return the type of the object being
424 stored in the structure.
426 @strong{Returns:} The type of the object
428 @strong{Since:} 2.12.0
431 @subheading gnutls_pkcs11_obj_import_url
432 @anchor{gnutls_pkcs11_obj_import_url}
433 @deftypefun {int} {gnutls_pkcs11_obj_import_url} (gnutls_pkcs11_obj_t @var{obj}, const char * @var{url}, unsigned int @var{flags})
434 @var{obj}: The structure to store the object
436 @var{url}: a PKCS 11 url identifying the key
438 @var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
440 This function will "import" a PKCS 11 URL identifying an object (e.g. certificate)
441 to the @code{gnutls_pkcs11_obj_t} structure. This does not involve any
442 parsing (such as X.509 or OpenPGP) since the @code{gnutls_pkcs11_obj_t} is
443 format agnostic. Only data are transferred.
445 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
446 negative error value.
448 @strong{Since:} 2.12.0
451 @subheading gnutls_pkcs11_obj_init
452 @anchor{gnutls_pkcs11_obj_init}
453 @deftypefun {int} {gnutls_pkcs11_obj_init} (gnutls_pkcs11_obj_t * @var{obj})
454 @var{obj}: The structure to be initialized
456 This function will initialize a pkcs11 certificate structure.
458 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
459 negative error value.
461 @strong{Since:} 2.12.0
464 @subheading gnutls_pkcs11_obj_list_import_url
465 @anchor{gnutls_pkcs11_obj_list_import_url}
466 @deftypefun {int} {gnutls_pkcs11_obj_list_import_url} (gnutls_pkcs11_obj_t * @var{p_list}, unsigned int * @var{n_list}, const char * @var{url}, gnutls_pkcs11_obj_attr_t @var{attrs}, unsigned int @var{flags})
467 @var{p_list}: An uninitialized object list (may be NULL)
469 @var{n_list}: initially should hold the maximum size of the list. Will contain the actual size.
471 @var{url}: A PKCS 11 url identifying a set of objects
473 @var{attrs}: Attributes of type @code{gnutls_pkcs11_obj_attr_t} that can be used to limit output
475 @var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
477 This function will initialize and set values to an object list
478 by using all objects identified by a PKCS 11 URL.
480 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
481 negative error value.
483 @strong{Since:} 2.12.0
486 @subheading gnutls_pkcs11_obj_list_import_url2
487 @anchor{gnutls_pkcs11_obj_list_import_url2}
488 @deftypefun {int} {gnutls_pkcs11_obj_list_import_url2} (gnutls_pkcs11_obj_t ** @var{p_list}, unsigned int * @var{n_list}, const char * @var{url}, gnutls_pkcs11_obj_attr_t @var{attrs}, unsigned int @var{flags})
489 @var{p_list}: An uninitialized object list (may be NULL)
491 @var{n_list}: It will contain the size of the list.
493 @var{url}: A PKCS 11 url identifying a set of objects
495 @var{attrs}: Attributes of type @code{gnutls_pkcs11_obj_attr_t} that can be used to limit output
497 @var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
499 This function will initialize and set values to an object list
500 by using all objects identified by the PKCS 11 URL. The output
501 is stored in @code{p_list} , which will be initialized.
503 All returned objects must be deinitialized using @code{gnutls_pkcs11_obj_deinit()} ,
504 and @code{p_list} must be free'd using @code{gnutls_free()} .
506 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
507 negative error value.
509 @strong{Since:} 3.1.0
512 @subheading gnutls_pkcs11_obj_set_info
513 @anchor{gnutls_pkcs11_obj_set_info}
514 @deftypefun {int} {gnutls_pkcs11_obj_set_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, const void * @var{data}, size_t @var{data_size}, unsigned @var{flags})
515 @var{obj}: should contain a @code{gnutls_pkcs11_obj_t} structure
517 @var{itype}: Denotes the type of information to be set
519 @var{data}: the data to set
521 @var{data_size}: the size of data
523 @var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
525 This function will set attributes on the provided object.
526 Available options for @code{itype} are @code{GNUTLS_PKCS11_OBJ_LABEL} ,
527 @code{GNUTLS_PKCS11_OBJ_ID_HEX} , and @code{GNUTLS_PKCS11_OBJ_ID} .
529 @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
531 @strong{Since:} 3.3.26
534 @subheading gnutls_pkcs11_obj_set_pin_function
535 @anchor{gnutls_pkcs11_obj_set_pin_function}
536 @deftypefun {void} {gnutls_pkcs11_obj_set_pin_function} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pin_callback_t @var{fn}, void * @var{userdata})
537 @var{obj}: The object structure
539 @var{fn}: the callback
541 @var{userdata}: data associated with the callback
543 This function will set a callback function to be used when
544 required to access the object. This function overrides the global
545 set using @code{gnutls_pkcs11_set_pin_function()} .
547 @strong{Since:} 3.1.0
550 @subheading gnutls_pkcs11_privkey_deinit
551 @anchor{gnutls_pkcs11_privkey_deinit}
552 @deftypefun {void} {gnutls_pkcs11_privkey_deinit} (gnutls_pkcs11_privkey_t @var{key})
553 @var{key}: The structure to be initialized
555 This function will deinitialize a private key structure.
558 @subheading gnutls_pkcs11_privkey_export_pubkey
559 @anchor{gnutls_pkcs11_privkey_export_pubkey}
560 @deftypefun {int} {gnutls_pkcs11_privkey_export_pubkey} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{data}, unsigned int @var{flags})
561 @var{pkey}: The private key
563 @var{fmt}: the format of output params. PEM or DER.
565 @var{data}: will hold the public key
567 @var{flags}: should be zero
569 This function will extract the public key (modulus and public
570 exponent) from the private key specified by the @code{url} private key.
571 This public key will be stored in @code{pubkey} in the format specified
572 by @code{fmt} . @code{pubkey} should be deinitialized using @code{gnutls_free()} .
574 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
575 negative error value.
577 @strong{Since:} 3.3.7
580 @subheading gnutls_pkcs11_privkey_export_url
581 @anchor{gnutls_pkcs11_privkey_export_url}
582 @deftypefun {int} {gnutls_pkcs11_privkey_export_url} (gnutls_pkcs11_privkey_t @var{key}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url})
583 @var{key}: Holds the PKCS 11 key
585 @var{detailed}: non zero if a detailed URL is required
587 @var{url}: will contain an allocated url
589 This function will export a URL identifying the given key.
591 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
592 negative error value.
595 @subheading gnutls_pkcs11_privkey_generate
596 @anchor{gnutls_pkcs11_privkey_generate}
597 @deftypefun {int} {gnutls_pkcs11_privkey_generate} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, unsigned int @var{flags})
598 @var{url}: a token URL
600 @var{pk}: the public key algorithm
602 @var{bits}: the security bits
606 @var{flags}: should be zero
608 This function will generate a private key in the specified
609 by the @code{url} token. The private key will be generate within
610 the token and will not be exportable.
612 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
613 negative error value.
618 @subheading gnutls_pkcs11_privkey_generate2
619 @anchor{gnutls_pkcs11_privkey_generate2}
620 @deftypefun {int} {gnutls_pkcs11_privkey_generate2} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{flags})
621 @var{url}: a token URL
623 @var{pk}: the public key algorithm
625 @var{bits}: the security bits
629 @var{fmt}: the format of output params. PEM or DER
631 @var{pubkey}: will hold the public key (may be @code{NULL} )
633 @var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs}
635 This function will generate a private key in the specified
636 by the @code{url} token. The private key will be generate within
637 the token and will not be exportable. This function will
638 store the DER-encoded public key in the SubjectPublicKeyInfo format
639 in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} .
641 Note that when generating an elliptic curve key, the curve
642 can be substituted in the place of the bits parameter using the
643 @code{GNUTLS_CURVE_TO_BITS()} macro.
645 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
646 negative error value.
648 @strong{Since:} 3.1.5
651 @subheading gnutls_pkcs11_privkey_generate3
652 @anchor{gnutls_pkcs11_privkey_generate3}
653 @deftypefun {int} {gnutls_pkcs11_privkey_generate3} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, const gnutls_datum_t * @var{cid}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{flags})
654 @var{url}: a token URL
656 @var{pk}: the public key algorithm
658 @var{bits}: the security bits
662 @var{cid}: The CKA_ID to use for the new object
664 @var{fmt}: the format of output params. PEM or DER
666 @var{pubkey}: will hold the public key (may be @code{NULL} )
668 @var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs}
670 This function will generate a private key in the specified
671 by the @code{url} token. The private key will be generate within
672 the token and will not be exportable. This function will
673 store the DER-encoded public key in the SubjectPublicKeyInfo format
674 in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} .
676 Note that when generating an elliptic curve key, the curve
677 can be substituted in the place of the bits parameter using the
678 @code{GNUTLS_CURVE_TO_BITS()} macro.
680 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
681 negative error value.
683 @strong{Since:} 3.3.26
686 @subheading gnutls_pkcs11_privkey_get_info
687 @anchor{gnutls_pkcs11_privkey_get_info}
688 @deftypefun {int} {gnutls_pkcs11_privkey_get_info} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size})
689 @var{pkey}: should contain a @code{gnutls_pkcs11_privkey_t} structure
691 @var{itype}: Denotes the type of information requested
693 @var{output}: where output will be stored
695 @var{output_size}: contains the maximum size of the output and will be overwritten with actual
697 This function will return information about the PKCS 11 private key such
698 as the label, id as well as token information where the key is stored. When
699 output is text it returns null terminated string although @code{output_size} contains
700 the size of the actual data only.
702 @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
705 @subheading gnutls_pkcs11_privkey_get_pk_algorithm
706 @anchor{gnutls_pkcs11_privkey_get_pk_algorithm}
707 @deftypefun {int} {gnutls_pkcs11_privkey_get_pk_algorithm} (gnutls_pkcs11_privkey_t @var{key}, unsigned int * @var{bits})
708 @var{key}: should contain a @code{gnutls_pkcs11_privkey_t} structure
710 @var{bits}: if bits is non null it will hold the size of the parameters' in bits
712 This function will return the public key algorithm of a private
715 @strong{Returns:} a member of the @code{gnutls_pk_algorithm_t} enumeration on
716 success, or a negative error code on error.
719 @subheading gnutls_pkcs11_privkey_import_url
720 @anchor{gnutls_pkcs11_privkey_import_url}
721 @deftypefun {int} {gnutls_pkcs11_privkey_import_url} (gnutls_pkcs11_privkey_t @var{pkey}, const char * @var{url}, unsigned int @var{flags})
722 @var{pkey}: The structure to store the parsed key
724 @var{url}: a PKCS 11 url identifying the key
726 @var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
728 This function will "import" a PKCS 11 URL identifying a private
729 key to the @code{gnutls_pkcs11_privkey_t} structure. In reality since
730 in most cases keys cannot be exported, the private key structure
731 is being associated with the available operations on the token.
733 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
734 negative error value.
737 @subheading gnutls_pkcs11_privkey_init
738 @anchor{gnutls_pkcs11_privkey_init}
739 @deftypefun {int} {gnutls_pkcs11_privkey_init} (gnutls_pkcs11_privkey_t * @var{key})
740 @var{key}: The structure to be initialized
742 This function will initialize an private key structure.
744 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
745 negative error value.
748 @subheading gnutls_pkcs11_privkey_set_pin_function
749 @anchor{gnutls_pkcs11_privkey_set_pin_function}
750 @deftypefun {void} {gnutls_pkcs11_privkey_set_pin_function} (gnutls_pkcs11_privkey_t @var{key}, gnutls_pin_callback_t @var{fn}, void * @var{userdata})
751 @var{key}: The private key
753 @var{fn}: the callback
755 @var{userdata}: data associated with the callback
757 This function will set a callback function to be used when
758 required to access the object. This function overrides the global
759 set using @code{gnutls_pkcs11_set_pin_function()} .
761 @strong{Since:} 3.1.0
764 @subheading gnutls_pkcs11_privkey_status
765 @anchor{gnutls_pkcs11_privkey_status}
766 @deftypefun {int} {gnutls_pkcs11_privkey_status} (gnutls_pkcs11_privkey_t @var{key})
767 @var{key}: Holds the key
769 Checks the status of the private key token.
771 @strong{Returns:} this function will return non-zero if the token
772 holding the private key is still available (inserted), and zero otherwise.
774 @strong{Since:} 3.1.9
777 @subheading gnutls_pkcs11_reinit
778 @anchor{gnutls_pkcs11_reinit}
779 @deftypefun {int} {gnutls_pkcs11_reinit} ( @var{void})
781 This function will reinitialize the PKCS 11 subsystem in gnutls.
782 This is required by PKCS 11 when an application uses @code{fork()} . The
783 reinitialization function must be called on the child.
785 Note that since GnuTLS 3.3.0, the reinitialization of the PKCS @code{11}
786 subsystem occurs automatically after fork.
788 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
789 negative error value.
794 @subheading gnutls_pkcs11_set_pin_function
795 @anchor{gnutls_pkcs11_set_pin_function}
796 @deftypefun {void} {gnutls_pkcs11_set_pin_function} (gnutls_pin_callback_t @var{fn}, void * @var{userdata})
797 @var{fn}: The PIN callback, a @code{gnutls_pin_callback_t()} function.
799 @var{userdata}: data to be supplied to callback
801 This function will set a callback function to be used when a PIN is
802 required for PKCS 11 operations. See
803 @code{gnutls_pin_callback_t()} on how the callback should behave.
805 @strong{Since:} 2.12.0
808 @subheading gnutls_pkcs11_set_token_function
809 @anchor{gnutls_pkcs11_set_token_function}
810 @deftypefun {void} {gnutls_pkcs11_set_token_function} (gnutls_pkcs11_token_callback_t @var{fn}, void * @var{userdata})
811 @var{fn}: The token callback
813 @var{userdata}: data to be supplied to callback
815 This function will set a callback function to be used when a token
816 needs to be inserted to continue PKCS 11 operations.
818 @strong{Since:} 2.12.0
821 @subheading gnutls_pkcs11_token_get_flags
822 @anchor{gnutls_pkcs11_token_get_flags}
823 @deftypefun {int} {gnutls_pkcs11_token_get_flags} (const char * @var{url}, unsigned int * @var{flags})
824 @var{url}: should contain a PKCS 11 URL
826 @var{flags}: The output flags (GNUTLS_PKCS11_TOKEN_*)
828 This function will return information about the PKCS 11 token flags.
830 The supported flags are: @code{GNUTLS_PKCS11_TOKEN_HW} and @code{GNUTLS_PKCS11_TOKEN_TRUSTED} .
832 @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
834 @strong{Since:} 2.12.0
837 @subheading gnutls_pkcs11_token_get_info
838 @anchor{gnutls_pkcs11_token_get_info}
839 @deftypefun {int} {gnutls_pkcs11_token_get_info} (const char * @var{url}, gnutls_pkcs11_token_info_t @var{ttype}, void * @var{output}, size_t * @var{output_size})
840 @var{url}: should contain a PKCS 11 URL
842 @var{ttype}: Denotes the type of information requested
844 @var{output}: where output will be stored
846 @var{output_size}: contains the maximum size of the output and will be overwritten with actual
848 This function will return information about the PKCS 11 token such
849 as the label, id, etc.
851 @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code
854 @strong{Since:} 2.12.0
857 @subheading gnutls_pkcs11_token_get_mechanism
858 @anchor{gnutls_pkcs11_token_get_mechanism}
859 @deftypefun {int} {gnutls_pkcs11_token_get_mechanism} (const char * @var{url}, unsigned int @var{idx}, unsigned long * @var{mechanism})
860 @var{url}: should contain a PKCS 11 URL
862 @var{idx}: The index of the mechanism
864 @var{mechanism}: The PKCS @code{11} mechanism ID
866 This function will return the names of the supported mechanisms
867 by the token. It should be called with an increasing index until
868 it return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
870 @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
872 @strong{Since:} 2.12.0
875 @subheading gnutls_pkcs11_token_get_random
876 @anchor{gnutls_pkcs11_token_get_random}
877 @deftypefun {int} {gnutls_pkcs11_token_get_random} (const char * @var{token_url}, void * @var{rnddata}, size_t @var{len})
878 @var{token_url}: A PKCS @code{11} URL specifying a token
880 @var{rnddata}: A pointer to the memory area to be filled with random data
882 @var{len}: The number of bytes of randomness to request
884 This function will get random data from the given token.
885 It will store rnddata and fill the memory pointed to by rnddata with
886 len random bytes from the token.
888 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
889 negative error value.
892 @subheading gnutls_pkcs11_token_get_url
893 @anchor{gnutls_pkcs11_token_get_url}
894 @deftypefun {int} {gnutls_pkcs11_token_get_url} (unsigned int @var{seq}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url})
895 @var{seq}: sequence number starting from 0
897 @var{detailed}: non zero if a detailed URL is required
899 @var{url}: will contain an allocated url
901 This function will return the URL for each token available
902 in system. The url has to be released using @code{gnutls_free()}
904 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned,
905 @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} if the sequence number
906 exceeds the available tokens, otherwise a negative error value.
908 @strong{Since:} 2.12.0
911 @subheading gnutls_pkcs11_token_init
912 @anchor{gnutls_pkcs11_token_init}
913 @deftypefun {int} {gnutls_pkcs11_token_init} (const char * @var{token_url}, const char * @var{so_pin}, const char * @var{label})
914 @var{token_url}: A PKCS @code{11} URL specifying a token
916 @var{so_pin}: Security Officer's PIN
918 @var{label}: A name to be used for the token
920 This function will initialize (format) a token. If the token is
921 at a factory defaults state the security officer's PIN given will be
922 set to be the default. Otherwise it should match the officer's PIN.
924 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
925 negative error value.
928 @subheading gnutls_pkcs11_token_set_pin
929 @anchor{gnutls_pkcs11_token_set_pin}
930 @deftypefun {int} {gnutls_pkcs11_token_set_pin} (const char * @var{token_url}, const char * @var{oldpin}, const char * @var{newpin}, unsigned int @var{flags})
931 @var{token_url}: A PKCS @code{11} URL specifying a token
933 @var{oldpin}: old user's PIN
935 @var{newpin}: new user's PIN
937 @var{flags}: one of @code{gnutls_pin_flag_t} .
939 This function will modify or set a user's PIN for the given token.
940 If it is called to set a user pin for first time the oldpin must
943 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
944 negative error value.
947 @subheading gnutls_pkcs11_type_get_name
948 @anchor{gnutls_pkcs11_type_get_name}
949 @deftypefun {const char *} {gnutls_pkcs11_type_get_name} (gnutls_pkcs11_obj_type_t @var{type})
950 @var{type}: Holds the PKCS 11 object type, a @code{gnutls_pkcs11_obj_type_t} .
952 This function will return a human readable description of the
953 PKCS11 object type @code{obj} . It will return "Unknown" for unknown
956 @strong{Returns:} human readable string labeling the PKCS11 object type
959 @strong{Since:} 2.12.0
962 @subheading gnutls_x509_crt_import_pkcs11
963 @anchor{gnutls_x509_crt_import_pkcs11}
964 @deftypefun {int} {gnutls_x509_crt_import_pkcs11} (gnutls_x509_crt_t @var{crt}, gnutls_pkcs11_obj_t @var{pkcs11_crt})
965 @var{crt}: A certificate of type @code{gnutls_x509_crt_t}
967 @var{pkcs11_crt}: A PKCS 11 object that contains a certificate
969 This function will import a PKCS 11 certificate to a @code{gnutls_x509_crt_t}
972 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
973 negative error value.
975 @strong{Since:} 2.12.0
978 @subheading gnutls_x509_crt_import_pkcs11_url
979 @anchor{gnutls_x509_crt_import_pkcs11_url}
980 @deftypefun {int} {gnutls_x509_crt_import_pkcs11_url} (gnutls_x509_crt_t @var{crt}, const char * @var{url}, unsigned int @var{flags})
981 @var{crt}: A certificate of type @code{gnutls_x509_crt_t}
983 @var{url}: A PKCS 11 url
985 @var{flags}: One of GNUTLS_PKCS11_OBJ_* flags
987 This function will import a PKCS 11 certificate directly from a token
988 without involving the @code{gnutls_pkcs11_obj_t} structure. This function will
989 fail if the certificate stored is not of X.509 type.
991 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
992 negative error value.
994 @strong{Since:} 2.12.0
997 @subheading gnutls_x509_crt_list_import_pkcs11
998 @anchor{gnutls_x509_crt_list_import_pkcs11}
999 @deftypefun {int} {gnutls_x509_crt_list_import_pkcs11} (gnutls_x509_crt_t * @var{certs}, unsigned int @var{cert_max}, gnutls_pkcs11_obj_t * const @var{objs}, unsigned int @var{flags})
1000 @var{certs}: A list of certificates of type @code{gnutls_x509_crt_t}
1002 @var{cert_max}: The maximum size of the list
1004 @var{objs}: A list of PKCS 11 objects
1006 @var{flags}: 0 for now
1008 This function will import a PKCS 11 certificate list to a list of
1009 @code{gnutls_x509_crt_t} structure. These must not be initialized.
1011 @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
1012 negative error value.
1014 @strong{Since:} 2.12.0