diff options
Diffstat (limited to '')
-rw-r--r-- | doc/abstract-api.texi | 2675 |
1 files changed, 2675 insertions, 0 deletions
diff --git a/doc/abstract-api.texi b/doc/abstract-api.texi new file mode 100644 index 0000000..9e25304 --- /dev/null +++ b/doc/abstract-api.texi @@ -0,0 +1,2675 @@ + +@subheading gnutls_certificate_set_key +@anchor{gnutls_certificate_set_key} +@deftypefun {int} {gnutls_certificate_set_key} (gnutls_certificate_credentials_t @var{res}, const char ** @var{names}, int @var{names_size}, gnutls_pcert_st * @var{pcert_list}, int @var{pcert_list_size}, gnutls_privkey_t @var{key}) +@var{res}: is a @code{gnutls_certificate_credentials_t} type. + +@var{names}: is an array of DNS names belonging to the public-key (NULL if none) + +@var{names_size}: holds the size of the names list + +@var{pcert_list}: contains a certificate list (chain) or raw public-key + +@var{pcert_list_size}: holds the size of the certificate list + +@var{key}: is a @code{gnutls_privkey_t} key corresponding to the first public-key in pcert_list + +This function sets a public/private key pair in the +gnutls_certificate_credentials_t type. The given public key may be encapsulated +in a certificate or can be given as a raw key. This function may be +called more than once, in case multiple key pairs exist for +the server. For clients that want to send more than their own end- +entity certificate (e.g., also an intermediate CA cert), the full +certificate chain must be provided in @code{pcert_list} . + +Note that the @code{key} will become part of the credentials structure and must +not be deallocated. It will be automatically deallocated when the @code{res} structure +is deinitialized. + +If this function fails, the @code{res} structure is at an undefined state and it must +not be reused to load other keys or certificates. + +Note that, this function by default returns zero on success and a negative value on error. +Since 3.5.6, when the flag @code{GNUTLS_CERTIFICATE_API_V2} is set using @code{gnutls_certificate_set_flags()} +it returns an index (greater or equal to zero). That index can be used for other functions to refer to the added key-pair. + +Since GnuTLS 3.6.6 this function also handles raw public keys. + +@strong{Returns:} On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_certificate_set_retrieve_function2 +@anchor{gnutls_certificate_set_retrieve_function2} +@deftypefun {void} {gnutls_certificate_set_retrieve_function2} (gnutls_certificate_credentials_t @var{cred}, gnutls_certificate_retrieve_function2 * @var{func}) +@var{cred}: is a @code{gnutls_certificate_credentials_t} type. + +@var{func}: is the callback function + +This function sets a callback to be called in order to retrieve the +certificate to be used in the handshake. The callback will take control +only if a certificate is requested by the peer. + +The callback's function prototype is: +int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs, +const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert, +unsigned int *pcert_length, gnutls_privkey_t * pkey); + + @code{req_ca_dn} is only used in X.509 certificates. +Contains a list with the CA names that the server considers trusted. +This is a hint and typically the client should send a certificate that is signed +by one of these CAs. These names, when available, are DER encoded. To get a more +meaningful value use the function @code{gnutls_x509_rdn_get()} . + + @code{pk_algos} contains a list with server's acceptable public key algorithms. +The certificate returned should support the server's given algorithms. + + @code{pcert} should contain a single certificate and public key or a list of them. + + @code{pcert_length} is the size of the previous list. + + @code{pkey} is the private key. + +If the callback function is provided then gnutls will call it, in the +handshake, after the certificate request message has been received. +All the provided by the callback values will not be released or +modified by gnutls. + +In server side pk_algos and req_ca_dn are NULL. + +The callback function should set the certificate list to be sent, +and return 0 on success. If no certificate was selected then the +number of certificates should be set to zero. The value (-1) +indicates error and the handshake will be terminated. If both certificates +are set in the credentials and a callback is available, the callback +takes predence. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_certificate_set_retrieve_function3 +@anchor{gnutls_certificate_set_retrieve_function3} +@deftypefun {void} {gnutls_certificate_set_retrieve_function3} (gnutls_certificate_credentials_t @var{cred}, gnutls_certificate_retrieve_function3 * @var{func}) +@var{cred}: is a @code{gnutls_certificate_credentials_t} type. + +@var{func}: is the callback function + +This function sets a callback to be called in order to retrieve the +certificate and OCSP responses to be used in the handshake. @code{func} will +be called only if the peer requests a certificate either during handshake +or during post-handshake authentication. + +The callback's function prototype is defined in `abstract.h': + +int gnutls_certificate_retrieve_function3( +gnutls_session_t, +const struct gnutls_cert_retr_st *info, +gnutls_pcert_st **certs, +unsigned int *certs_length, +gnutls_ocsp_data_st **ocsp, +unsigned int *ocsp_length, +gnutls_privkey_t *privkey, +unsigned int *flags); + +The info field of the callback contains: + @code{req_ca_dn} which is a list with the CA names that the server considers trusted. +This is a hint and typically the client should send a certificate that is signed +by one of these CAs. These names, when available, are DER encoded. To get a more +meaningful value use the function @code{gnutls_x509_rdn_get()} . + @code{pk_algos} contains a list with server's acceptable public key algorithms. +The certificate returned should support the server's given algorithms. + +The callback should fill-in the following values: + + @code{certs} should contain an allocated list of certificates and public keys. + @code{certs_length} is the size of the previous list. + @code{ocsp} should contain an allocated list of OCSP responses. + @code{ocsp_length} is the size of the previous list. + @code{privkey} is the private key. + +If flags in the callback are set to @code{GNUTLS_CERT_RETR_DEINIT_ALL} then +all provided values must be allocated using @code{gnutls_malloc()} , and will +be released by gnutls; otherwise they will not be touched by gnutls. + +The callback function should set the certificate and OCSP response +list to be sent, and return 0 on success. If no certificates are available, +the @code{certs_length} and @code{ocsp_length} should be set to zero. The return +value (-1) indicates error and the handshake will be terminated. If both +certificates are set in the credentials and a callback is available, the +callback takes predence. + +Raw public-keys: +In case raw public-keys are negotiated as certificate type, certificates +that would normally hold the public-key material are not available. In that case, + @code{certs} contains an allocated list with only the public key. Since there is no +certificate, there is also no certificate status. Therefore, OCSP information +should not be set. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_pcert_deinit +@anchor{gnutls_pcert_deinit} +@deftypefun {void} {gnutls_pcert_deinit} (gnutls_pcert_st * @var{pcert}) +@var{pcert}: The structure to be deinitialized + +This function will deinitialize a pcert structure. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pcert_export_openpgp +@anchor{gnutls_pcert_export_openpgp} +@deftypefun {int} {gnutls_pcert_export_openpgp} (gnutls_pcert_st * @var{pcert}, gnutls_openpgp_crt_t * @var{crt}) +@var{pcert}: The pcert structure. + +@var{crt}: An initialized @code{gnutls_openpgp_crt_t} . + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pcert_export_x509 +@anchor{gnutls_pcert_export_x509} +@deftypefun {int} {gnutls_pcert_export_x509} (gnutls_pcert_st * @var{pcert}, gnutls_x509_crt_t * @var{crt}) +@var{pcert}: The pcert structure. + +@var{crt}: An initialized @code{gnutls_x509_crt_t} . + +Converts the given @code{gnutls_pcert_t} type into a @code{gnutls_x509_crt_t} . +This function only works if the type of @code{pcert} is @code{GNUTLS_CRT_X509} . +When successful, the value written to @code{crt} must be freed with +@code{gnutls_x509_crt_deinit()} when no longer needed. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pcert_import_openpgp +@anchor{gnutls_pcert_import_openpgp} +@deftypefun {int} {gnutls_pcert_import_openpgp} (gnutls_pcert_st * @var{pcert}, gnutls_openpgp_crt_t @var{crt}, unsigned int @var{flags}) +@var{pcert}: The pcert structure + +@var{crt}: The raw certificate to be imported + +@var{flags}: zero for now + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pcert_import_openpgp_raw +@anchor{gnutls_pcert_import_openpgp_raw} +@deftypefun {int} {gnutls_pcert_import_openpgp_raw} (gnutls_pcert_st * @var{pcert}, const gnutls_datum_t * @var{cert}, gnutls_openpgp_crt_fmt_t @var{format}, gnutls_openpgp_keyid_t @var{keyid}, unsigned int @var{flags}) +@var{pcert}: The pcert structure + +@var{cert}: The raw certificate to be imported + +@var{format}: The format of the certificate + +@var{keyid}: The key ID to use (NULL for the master key) + +@var{flags}: zero for now + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pcert_import_rawpk +@anchor{gnutls_pcert_import_rawpk} +@deftypefun {int} {gnutls_pcert_import_rawpk} (gnutls_pcert_st* @var{pcert}, gnutls_pubkey_t @var{pubkey}, unsigned int @var{flags}) +@var{pcert}: The pcert structure to import the data into. + +@var{pubkey}: The raw public-key in @code{gnutls_pubkey_t} format to be imported + +@var{flags}: zero for now + +This convenience function will import (i.e. convert) the given raw +public key @code{pubkey} into a @code{gnutls_pcert_st} structure. The structure +must be deinitialized afterwards using @code{gnutls_pcert_deinit()} . The +given @code{pubkey} must not be deinitialized because it will be associated +with the given @code{pcert} structure and will be deinitialized with it. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.6 +@end deftypefun + +@subheading gnutls_pcert_import_rawpk_raw +@anchor{gnutls_pcert_import_rawpk_raw} +@deftypefun {int} {gnutls_pcert_import_rawpk_raw} (gnutls_pcert_st* @var{pcert}, const gnutls_datum_t* @var{rawpubkey}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{key_usage}, unsigned int @var{flags}) +@var{pcert}: The pcert structure to import the data into. + +@var{rawpubkey}: The raw public-key in @code{gnutls_datum_t} format to be imported. + +@var{format}: The format of the raw public-key. DER or PEM. + +@var{key_usage}: An ORed sequence of @code{GNUTLS_KEY_} * flags. + +@var{flags}: zero for now + +This convenience function will import (i.e. convert) the given raw +public key @code{rawpubkey} into a @code{gnutls_pcert_st} structure. The structure +must be deinitialized afterwards using @code{gnutls_pcert_deinit()} . +Note that the caller is responsible for freeing @code{rawpubkey} . All necessary +values will be copied into @code{pcert} . + +Key usage (as defined by X.509 extension (2.5.29.15)) can be explicitly +set because there is no certificate structure around the key to define +this value. See for more info @code{gnutls_x509_crt_get_key_usage()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.6 +@end deftypefun + +@subheading gnutls_pcert_import_x509 +@anchor{gnutls_pcert_import_x509} +@deftypefun {int} {gnutls_pcert_import_x509} (gnutls_pcert_st * @var{pcert}, gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}) +@var{pcert}: The pcert structure + +@var{crt}: The certificate to be imported + +@var{flags}: zero for now + +This convenience function will import the given certificate to a +@code{gnutls_pcert_st} structure. The structure must be deinitialized +afterwards using @code{gnutls_pcert_deinit()} ; + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pcert_import_x509_list +@anchor{gnutls_pcert_import_x509_list} +@deftypefun {int} {gnutls_pcert_import_x509_list} (gnutls_pcert_st * @var{pcert_list}, gnutls_x509_crt_t * @var{crt}, unsigned * @var{ncrt}, unsigned int @var{flags}) +@var{pcert_list}: The structures to store the certificates; must not contain initialized @code{gnutls_pcert_st} structures. + +@var{crt}: The certificates to be imported + +@var{ncrt}: The number of certificates in @code{crt} ; will be updated if necessary + +@var{flags}: zero or @code{GNUTLS_X509_CRT_LIST_SORT} + +This convenience function will import the given certificates to an +already allocated set of @code{gnutls_pcert_st} structures. The structures must +be deinitialized afterwards using @code{gnutls_pcert_deinit()} . @code{pcert_list} should contain space for at least @code{ncrt} elements. + +In the case @code{GNUTLS_X509_CRT_LIST_SORT} is specified and that +function cannot sort the list, @code{GNUTLS_E_CERTIFICATE_LIST_UNSORTED} +will be returned. Currently sorting can fail if the list size +exceeds an internal constraint (16). + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pcert_import_x509_raw +@anchor{gnutls_pcert_import_x509_raw} +@deftypefun {int} {gnutls_pcert_import_x509_raw} (gnutls_pcert_st * @var{pcert}, const gnutls_datum_t * @var{cert}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags}) +@var{pcert}: The pcert structure + +@var{cert}: The raw certificate to be imported + +@var{format}: The format of the certificate + +@var{flags}: zero for now + +This convenience function will import the given certificate to a +@code{gnutls_pcert_st} structure. The structure must be deinitialized +afterwards using @code{gnutls_pcert_deinit()} ; + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pcert_list_import_x509_file +@anchor{gnutls_pcert_list_import_x509_file} +@deftypefun {int} {gnutls_pcert_list_import_x509_file} (gnutls_pcert_st * @var{pcert_list}, unsigned * @var{pcert_list_size}, const char * @var{file}, gnutls_x509_crt_fmt_t @var{format}, gnutls_pin_callback_t @var{pin_fn}, void * @var{pin_fn_userdata}, unsigned int @var{flags}) +@var{pcert_list}: The structures to store the certificates; must not contain initialized @code{gnutls_pcert_st} structures. + +@var{pcert_list_size}: Initially must hold the maximum number of certs. It will be updated with the number of certs available. + +@var{file}: A file or supported URI with the certificates to load + +@var{format}: @code{GNUTLS_X509_FMT_DER} or @code{GNUTLS_X509_FMT_PEM} if a file is given + +@var{pin_fn}: a PIN callback if not globally set + +@var{pin_fn_userdata}: parameter for the PIN callback + +@var{flags}: zero or flags from @code{gnutls_certificate_import_flags} + +This convenience function will import a certificate chain from the given +file or supported URI to @code{gnutls_pcert_st} structures. The structures +must be deinitialized afterwards using @code{gnutls_pcert_deinit()} . + +This function will always return a sorted certificate chain. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value; if the @code{pcert} list doesn't have enough space +@code{GNUTLS_E_SHORT_MEMORY_BUFFER} will be returned. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_pcert_list_import_x509_raw +@anchor{gnutls_pcert_list_import_x509_raw} +@deftypefun {int} {gnutls_pcert_list_import_x509_raw} (gnutls_pcert_st * @var{pcert_list}, unsigned int * @var{pcert_list_size}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags}) +@var{pcert_list}: The structures to store the certificates; must not contain initialized @code{gnutls_pcert_st} structures. + +@var{pcert_list_size}: Initially must hold the maximum number of certs. It will be updated with the number of certs available. + +@var{data}: The certificates. + +@var{format}: One of DER or PEM. + +@var{flags}: must be (0) or an OR'd sequence of gnutls_certificate_import_flags. + +This function will import the provided DER or PEM encoded certificates to an +already allocated set of @code{gnutls_pcert_st} structures. The structures must +be deinitialized afterwards using @code{gnutls_pcert_deinit()} . @code{pcert_list} should contain space for at least @code{pcert_list_size} elements. + +If the Certificate is PEM encoded it should have a header of "X509 +CERTIFICATE", or "CERTIFICATE". + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value; if the @code{pcert} list doesn't have enough space +@code{GNUTLS_E_SHORT_MEMORY_BUFFER} will be returned. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_privkey_decrypt_data +@anchor{gnutls_privkey_decrypt_data} +@deftypefun {int} {gnutls_privkey_decrypt_data} (gnutls_privkey_t @var{key}, unsigned int @var{flags}, const gnutls_datum_t * @var{ciphertext}, gnutls_datum_t * @var{plaintext}) +@var{key}: Holds the key + +@var{flags}: zero for now + +@var{ciphertext}: holds the data to be decrypted + +@var{plaintext}: will contain the decrypted data, allocated with @code{gnutls_malloc()} + +This function will decrypt the given data using the algorithm +supported by the private key. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_decrypt_data2 +@anchor{gnutls_privkey_decrypt_data2} +@deftypefun {int} {gnutls_privkey_decrypt_data2} (gnutls_privkey_t @var{key}, unsigned int @var{flags}, const gnutls_datum_t * @var{ciphertext}, unsigned char * @var{plaintext}, size_t @var{plaintext_size}) +@var{key}: Holds the key + +@var{flags}: zero for now + +@var{ciphertext}: holds the data to be decrypted + +@var{plaintext}: a preallocated buffer that will be filled with the plaintext + +@var{plaintext_size}: in/out size of the plaintext + +This function will decrypt the given data using the algorithm +supported by the private key. Unlike with @code{gnutls_privkey_decrypt_data()} +this function operates in constant time and constant memory access. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.5 +@end deftypefun + +@subheading gnutls_privkey_deinit +@anchor{gnutls_privkey_deinit} +@deftypefun {void} {gnutls_privkey_deinit} (gnutls_privkey_t @var{key}) +@var{key}: The key to be deinitialized + +This function will deinitialize a private key structure. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_export_dsa_raw +@anchor{gnutls_privkey_export_dsa_raw} +@deftypefun {int} {gnutls_privkey_export_dsa_raw} (gnutls_privkey_t @var{key}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{x}) +@var{key}: Holds the public key + +@var{p}: will hold the p + +@var{q}: will hold the q + +@var{g}: will hold the g + +@var{y}: will hold the y + +@var{x}: will hold the x + +This function will export the DSA private key's parameters found +in the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_privkey_export_dsa_raw2 +@anchor{gnutls_privkey_export_dsa_raw2} +@deftypefun {int} {gnutls_privkey_export_dsa_raw2} (gnutls_privkey_t @var{key}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{x}, unsigned int @var{flags}) +@var{key}: Holds the public key + +@var{p}: will hold the p + +@var{q}: will hold the q + +@var{g}: will hold the g + +@var{y}: will hold the y + +@var{x}: will hold the x + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the DSA private key's parameters found +in the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_export_ecc_raw +@anchor{gnutls_privkey_export_ecc_raw} +@deftypefun {int} {gnutls_privkey_export_ecc_raw} (gnutls_privkey_t @var{key}, gnutls_ecc_curve_t * @var{curve}, gnutls_datum_t * @var{x}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{k}) +@var{key}: Holds the public key + +@var{curve}: will hold the curve + +@var{x}: will hold the x-coordinate + +@var{y}: will hold the y-coordinate + +@var{k}: will hold the private key + +This function will export the ECC private key's parameters found +in the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +In EdDSA curves the @code{y} parameter will be @code{NULL} and the other parameters +will be in the native format for the curve. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_privkey_export_ecc_raw2 +@anchor{gnutls_privkey_export_ecc_raw2} +@deftypefun {int} {gnutls_privkey_export_ecc_raw2} (gnutls_privkey_t @var{key}, gnutls_ecc_curve_t * @var{curve}, gnutls_datum_t * @var{x}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{k}, unsigned int @var{flags}) +@var{key}: Holds the public key + +@var{curve}: will hold the curve + +@var{x}: will hold the x-coordinate + +@var{y}: will hold the y-coordinate + +@var{k}: will hold the private key + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the ECC private key's parameters found +in the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +In EdDSA curves the @code{y} parameter will be @code{NULL} and the other parameters +will be in the native format for the curve. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_export_gost_raw2 +@anchor{gnutls_privkey_export_gost_raw2} +@deftypefun {int} {gnutls_privkey_export_gost_raw2} (gnutls_privkey_t @var{key}, gnutls_ecc_curve_t * @var{curve}, gnutls_digest_algorithm_t * @var{digest}, gnutls_gost_paramset_t * @var{paramset}, gnutls_datum_t * @var{x}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{k}, unsigned int @var{flags}) +@var{key}: Holds the public key + +@var{curve}: will hold the curve + +@var{digest}: will hold the digest + +@var{paramset}: will hold the GOST parameter set ID + +@var{x}: will hold the x-coordinate + +@var{y}: will hold the y-coordinate + +@var{k}: will hold the private key + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the GOST private key's parameters found +in the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +@strong{Note:} parameters will be stored with least significant byte first. On +version 3.6.3 this was incorrectly returned in big-endian format. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_privkey_export_openpgp +@anchor{gnutls_privkey_export_openpgp} +@deftypefun {int} {gnutls_privkey_export_openpgp} (gnutls_privkey_t @var{pkey}, gnutls_openpgp_privkey_t * @var{key}) +@var{pkey}: The private key + +@var{key}: Location for the key to be exported. + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_privkey_export_pkcs11 +@anchor{gnutls_privkey_export_pkcs11} +@deftypefun {int} {gnutls_privkey_export_pkcs11} (gnutls_privkey_t @var{pkey}, gnutls_pkcs11_privkey_t * @var{key}) +@var{pkey}: The private key + +@var{key}: Location for the key to be exported. + +Converts the given abstract private key to a @code{gnutls_pkcs11_privkey_t} +type. The key must be of type @code{GNUTLS_PRIVKEY_PKCS11} . The key +returned in @code{key} must be deinitialized with +@code{gnutls_pkcs11_privkey_deinit()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_privkey_export_rsa_raw +@anchor{gnutls_privkey_export_rsa_raw} +@deftypefun {int} {gnutls_privkey_export_rsa_raw} (gnutls_privkey_t @var{key}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}, gnutls_datum_t * @var{d}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{u}, gnutls_datum_t * @var{e1}, gnutls_datum_t * @var{e2}) +@var{key}: Holds the certificate + +@var{m}: will hold the modulus + +@var{e}: will hold the public exponent + +@var{d}: will hold the private exponent + +@var{p}: will hold the first prime (p) + +@var{q}: will hold the second prime (q) + +@var{u}: will hold the coefficient + +@var{e1}: will hold e1 = d mod (p-1) + +@var{e2}: will hold e2 = d mod (q-1) + +This function will export the RSA private key's parameters found +in the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. For +EdDSA keys, the @code{y} value should be @code{NULL} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_privkey_export_rsa_raw2 +@anchor{gnutls_privkey_export_rsa_raw2} +@deftypefun {int} {gnutls_privkey_export_rsa_raw2} (gnutls_privkey_t @var{key}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}, gnutls_datum_t * @var{d}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{u}, gnutls_datum_t * @var{e1}, gnutls_datum_t * @var{e2}, unsigned int @var{flags}) +@var{key}: Holds the certificate + +@var{m}: will hold the modulus + +@var{e}: will hold the public exponent + +@var{d}: will hold the private exponent + +@var{p}: will hold the first prime (p) + +@var{q}: will hold the second prime (q) + +@var{u}: will hold the coefficient + +@var{e1}: will hold e1 = d mod (p-1) + +@var{e2}: will hold e2 = d mod (q-1) + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the RSA private key's parameters found +in the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_export_x509 +@anchor{gnutls_privkey_export_x509} +@deftypefun {int} {gnutls_privkey_export_x509} (gnutls_privkey_t @var{pkey}, gnutls_x509_privkey_t * @var{key}) +@var{pkey}: The private key + +@var{key}: Location for the key to be exported. + +Converts the given abstract private key to a @code{gnutls_x509_privkey_t} +type. The abstract key must be of type @code{GNUTLS_PRIVKEY_X509} . The input + @code{key} must not be initialized. The key returned in @code{key} should be deinitialized +using @code{gnutls_x509_privkey_deinit()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_privkey_generate +@anchor{gnutls_privkey_generate} +@deftypefun {int} {gnutls_privkey_generate} (gnutls_privkey_t @var{pkey}, gnutls_pk_algorithm_t @var{algo}, unsigned int @var{bits}, unsigned int @var{flags}) +@var{pkey}: An initialized private key + +@var{algo}: is one of the algorithms in @code{gnutls_pk_algorithm_t} . + +@var{bits}: the size of the parameters to generate + +@var{flags}: Must be zero or flags from @code{gnutls_privkey_flags_t} . + +This function will generate a random private key. Note that this +function must be called on an initialized private key. + +The flag @code{GNUTLS_PRIVKEY_FLAG_PROVABLE} +instructs the key generation process to use algorithms like Shawe-Taylor +(from FIPS PUB186-4) which generate provable parameters out of a seed +for RSA and DSA keys. See @code{gnutls_privkey_generate2()} for more +information. + +Note that when generating an elliptic curve key, the curve +can be substituted in the place of the bits parameter using the +@code{GNUTLS_CURVE_TO_BITS()} macro. The input to the macro is any curve from +@code{gnutls_ecc_curve_t} . + +For DSA keys, if the subgroup size needs to be specified check +the @code{GNUTLS_SUBGROUP_TO_BITS()} macro. + +It is recommended to do not set the number of @code{bits} directly, use @code{gnutls_sec_param_to_pk_bits()} instead . + +See also @code{gnutls_privkey_generate2()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_privkey_generate2 +@anchor{gnutls_privkey_generate2} +@deftypefun {int} {gnutls_privkey_generate2} (gnutls_privkey_t @var{pkey}, gnutls_pk_algorithm_t @var{algo}, unsigned int @var{bits}, unsigned int @var{flags}, const gnutls_keygen_data_st * @var{data}, unsigned @var{data_size}) +@var{pkey}: The private key + +@var{algo}: is one of the algorithms in @code{gnutls_pk_algorithm_t} . + +@var{bits}: the size of the modulus + +@var{flags}: Must be zero or flags from @code{gnutls_privkey_flags_t} . + +@var{data}: Allow specifying @code{gnutls_keygen_data_st} types such as the seed to be used. + +@var{data_size}: The number of @code{data} available. + +This function will generate a random private key. Note that this +function must be called on an initialized private key. + +The flag @code{GNUTLS_PRIVKEY_FLAG_PROVABLE} +instructs the key generation process to use algorithms like Shawe-Taylor +(from FIPS PUB186-4) which generate provable parameters out of a seed +for RSA and DSA keys. On DSA keys the PQG parameters are generated using the +seed, while on RSA the two primes. To specify an explicit seed +(by default a random seed is used), use the @code{data} with a @code{GNUTLS_KEYGEN_SEED} +type. + +Note that when generating an elliptic curve key, the curve +can be substituted in the place of the bits parameter using the +@code{GNUTLS_CURVE_TO_BITS()} macro. + +To export the generated keys in memory or in files it is recommended to use the +PKCS@code{8} form as it can handle all key types, and can store additional parameters +such as the seed, in case of provable RSA or DSA keys. +Generated keys can be exported in memory using @code{gnutls_privkey_export_x509()} , +and then with @code{gnutls_x509_privkey_export2_pkcs8()} . + +If key generation is part of your application, avoid setting the number +of bits directly, and instead use @code{gnutls_sec_param_to_pk_bits()} . +That way the generated keys will adapt to the security levels +of the underlying GnuTLS library. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.5.0 +@end deftypefun + +@subheading gnutls_privkey_get_pk_algorithm +@anchor{gnutls_privkey_get_pk_algorithm} +@deftypefun {int} {gnutls_privkey_get_pk_algorithm} (gnutls_privkey_t @var{key}, unsigned int * @var{bits}) +@var{key}: should contain a @code{gnutls_privkey_t} type + +@var{bits}: If set will return the number of bits of the parameters (may be NULL) + +This function will return the public key algorithm of a private +key and if possible will return a number of bits that indicates +the security parameter of the key. + +@strong{Returns:} a member of the @code{gnutls_pk_algorithm_t} enumeration on +success, or a negative error code on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_get_seed +@anchor{gnutls_privkey_get_seed} +@deftypefun {int} {gnutls_privkey_get_seed} (gnutls_privkey_t @var{key}, gnutls_digest_algorithm_t * @var{digest}, void * @var{seed}, size_t * @var{seed_size}) +@var{key}: should contain a @code{gnutls_privkey_t} type + +@var{digest}: if non-NULL it will contain the digest algorithm used for key generation (if applicable) + +@var{seed}: where seed will be copied to + +@var{seed_size}: originally holds the size of @code{seed} , will be updated with actual size + +This function will return the seed that was used to generate the +given private key. That function will succeed only if the key was generated +as a provable key. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.5.0 +@end deftypefun + +@subheading gnutls_privkey_get_spki +@anchor{gnutls_privkey_get_spki} +@deftypefun {int} {gnutls_privkey_get_spki} (gnutls_privkey_t @var{privkey}, gnutls_x509_spki_t @var{spki}, unsigned int @var{flags}) +@var{privkey}: a public key of type @code{gnutls_privkey_t} + +@var{spki}: a SubjectPublicKeyInfo structure of type @code{gnutls_privkey_spki_t} + +@var{flags}: must be zero + +This function will return the public key information if available. +The provided @code{spki} must be initialized. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_get_type +@anchor{gnutls_privkey_get_type} +@deftypefun {gnutls_privkey_type_t} {gnutls_privkey_get_type} (gnutls_privkey_t @var{key}) +@var{key}: should contain a @code{gnutls_privkey_t} type + +This function will return the type of the private key. This is +actually the type of the subsystem used to set this private key. + +@strong{Returns:} a member of the @code{gnutls_privkey_type_t} enumeration on +success, or a negative error code on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_import_dsa_raw +@anchor{gnutls_privkey_import_dsa_raw} +@deftypefun {int} {gnutls_privkey_import_dsa_raw} (gnutls_privkey_t @var{key}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{g}, const gnutls_datum_t * @var{y}, const gnutls_datum_t * @var{x}) +@var{key}: The structure to store the parsed key + +@var{p}: holds the p + +@var{q}: holds the q + +@var{g}: holds the g + +@var{y}: holds the y (optional) + +@var{x}: holds the x + +This function will convert the given DSA raw parameters to the +native @code{gnutls_privkey_t} format. The output will be stored +in @code{key} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_privkey_import_ecc_raw +@anchor{gnutls_privkey_import_ecc_raw} +@deftypefun {int} {gnutls_privkey_import_ecc_raw} (gnutls_privkey_t @var{key}, gnutls_ecc_curve_t @var{curve}, const gnutls_datum_t * @var{x}, const gnutls_datum_t * @var{y}, const gnutls_datum_t * @var{k}) +@var{key}: The key + +@var{curve}: holds the curve + +@var{x}: holds the x-coordinate + +@var{y}: holds the y-coordinate + +@var{k}: holds the k (private key) + +This function will convert the given elliptic curve parameters to the +native @code{gnutls_privkey_t} format. The output will be stored +in @code{key} . + +In EdDSA curves the @code{y} parameter should be @code{NULL} and the @code{x} and @code{k} parameters +must be in the native format for the curve. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_privkey_import_ext +@anchor{gnutls_privkey_import_ext} +@deftypefun {int} {gnutls_privkey_import_ext} (gnutls_privkey_t @var{pkey}, gnutls_pk_algorithm_t @var{pk}, void * @var{userdata}, gnutls_privkey_sign_func @var{sign_func}, gnutls_privkey_decrypt_func @var{decrypt_func}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{pk}: The public key algorithm + +@var{userdata}: private data to be provided to the callbacks + +@var{sign_func}: callback for signature operations + +@var{decrypt_func}: callback for decryption operations + +@var{flags}: Flags for the import + +This function will associate the given callbacks with the +@code{gnutls_privkey_t} type. At least one of the two callbacks +must be non-null. + +Note that the signing function is supposed to "raw" sign data, i.e., +without any hashing or preprocessing. In case of RSA the DigestInfo +will be provided, and the signing function is expected to do the PKCS @code{1} +1.5 padding and the exponentiation. + +See also @code{gnutls_privkey_import_ext3()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_privkey_import_ext2 +@anchor{gnutls_privkey_import_ext2} +@deftypefun {int} {gnutls_privkey_import_ext2} (gnutls_privkey_t @var{pkey}, gnutls_pk_algorithm_t @var{pk}, void * @var{userdata}, gnutls_privkey_sign_func @var{sign_fn}, gnutls_privkey_decrypt_func @var{decrypt_fn}, gnutls_privkey_deinit_func @var{deinit_fn}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{pk}: The public key algorithm + +@var{userdata}: private data to be provided to the callbacks + +@var{sign_fn}: callback for signature operations + +@var{decrypt_fn}: callback for decryption operations + +@var{deinit_fn}: a deinitialization function + +@var{flags}: Flags for the import + +This function will associate the given callbacks with the +@code{gnutls_privkey_t} type. At least one of the two callbacks +must be non-null. If a deinitialization function is provided +then flags is assumed to contain @code{GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE} . + +Note that the signing function is supposed to "raw" sign data, i.e., +without any hashing or preprocessing. In case of RSA the DigestInfo +will be provided, and the signing function is expected to do the PKCS @code{1} +1.5 padding and the exponentiation. + +See also @code{gnutls_privkey_import_ext3()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1 +@end deftypefun + +@subheading gnutls_privkey_import_ext3 +@anchor{gnutls_privkey_import_ext3} +@deftypefun {int} {gnutls_privkey_import_ext3} (gnutls_privkey_t @var{pkey}, void * @var{userdata}, gnutls_privkey_sign_func @var{sign_fn}, gnutls_privkey_decrypt_func @var{decrypt_fn}, gnutls_privkey_deinit_func @var{deinit_fn}, gnutls_privkey_info_func @var{info_fn}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{userdata}: private data to be provided to the callbacks + +@var{sign_fn}: callback for signature operations + +@var{decrypt_fn}: callback for decryption operations + +@var{deinit_fn}: a deinitialization function + +@var{info_fn}: returns info about the public key algorithm (should not be @code{NULL} ) + +@var{flags}: Flags for the import + +This function will associate the given callbacks with the +@code{gnutls_privkey_t} type. At least one of the two callbacks +must be non-null. If a deinitialization function is provided +then flags is assumed to contain @code{GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE} . + +Note that the signing function is supposed to "raw" sign data, i.e., +without any hashing or preprocessing. In case of RSA the DigestInfo +will be provided, and the signing function is expected to do the PKCS @code{1} +1.5 padding and the exponentiation. + +The @code{info_fn} must provide information on the algorithms supported by +this private key, and should support the flags @code{GNUTLS_PRIVKEY_INFO_PK_ALGO} and +@code{GNUTLS_PRIVKEY_INFO_SIGN_ALGO} . It must return -1 on unknown flags. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_privkey_import_ext4 +@anchor{gnutls_privkey_import_ext4} +@deftypefun {int} {gnutls_privkey_import_ext4} (gnutls_privkey_t @var{pkey}, void * @var{userdata}, gnutls_privkey_sign_data_func @var{sign_data_fn}, gnutls_privkey_sign_hash_func @var{sign_hash_fn}, gnutls_privkey_decrypt_func @var{decrypt_fn}, gnutls_privkey_deinit_func @var{deinit_fn}, gnutls_privkey_info_func @var{info_fn}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{userdata}: private data to be provided to the callbacks + +@var{sign_data_fn}: callback for signature operations (may be @code{NULL} ) + +@var{sign_hash_fn}: callback for signature operations (may be @code{NULL} ) + +@var{decrypt_fn}: callback for decryption operations (may be @code{NULL} ) + +@var{deinit_fn}: a deinitialization function + +@var{info_fn}: returns info about the public key algorithm (should not be @code{NULL} ) + +@var{flags}: Flags for the import + +This function will associate the given callbacks with the +@code{gnutls_privkey_t} type. At least one of the callbacks +must be non-null. If a deinitialization function is provided +then flags is assumed to contain @code{GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE} . + +Note that in contrast with the signing function of +@code{gnutls_privkey_import_ext3()} , the signing functions provided to this +function take explicitly the signature algorithm as parameter and +different functions are provided to sign the data and hashes. + +The @code{sign_hash_fn} is to be called to sign pre-hashed data. The input +to the callback is the output of the hash (such as SHA256) corresponding +to the signature algorithm. For RSA PKCS@code{1} signatures, the signature +algorithm can be set to @code{GNUTLS_SIGN_RSA_RAW} , and in that case the data +should be handled as if they were an RSA PKCS@code{1} DigestInfo structure. + +The @code{sign_data_fn} is to be called to sign data. The input data will be +he data to be signed (and hashed), with the provided signature +algorithm. This function is to be used for signature algorithms like +Ed25519 which cannot take pre-hashed data as input. + +When both @code{sign_data_fn} and @code{sign_hash_fn} functions are provided they +must be able to operate on all the supported signature algorithms, +unless prohibited by the type of the algorithm (e.g., as with Ed25519). + +The @code{info_fn} must provide information on the signature algorithms supported by +this private key, and should support the flags @code{GNUTLS_PRIVKEY_INFO_PK_ALGO} , +@code{GNUTLS_PRIVKEY_INFO_HAVE_SIGN_ALGO} and @code{GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS} . +It must return -1 on unknown flags. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_import_gost_raw +@anchor{gnutls_privkey_import_gost_raw} +@deftypefun {int} {gnutls_privkey_import_gost_raw} (gnutls_privkey_t @var{key}, gnutls_ecc_curve_t @var{curve}, gnutls_digest_algorithm_t @var{digest}, gnutls_gost_paramset_t @var{paramset}, const gnutls_datum_t * @var{x}, const gnutls_datum_t * @var{y}, const gnutls_datum_t * @var{k}) +@var{key}: The key + +@var{curve}: holds the curve + +@var{digest}: holds the digest + +@var{paramset}: holds the GOST parameter set ID + +@var{x}: holds the x-coordinate + +@var{y}: holds the y-coordinate + +@var{k}: holds the k (private key) + +This function will convert the given GOST private key's parameters to the +native @code{gnutls_privkey_t} format. The output will be stored +in @code{key} . @code{digest} should be one of GNUTLS_DIG_GOSR_94, +GNUTLS_DIG_STREEBOG_256 or GNUTLS_DIG_STREEBOG_512. If @code{paramset} is set to +GNUTLS_GOST_PARAMSET_UNKNOWN default one will be selected depending on + @code{digest} . + +@strong{Note:} parameters should be stored with least significant byte first. On +version 3.6.3 big-endian format was used incorrectly. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_privkey_import_openpgp +@anchor{gnutls_privkey_import_openpgp} +@deftypefun {int} {gnutls_privkey_import_openpgp} (gnutls_privkey_t @var{pkey}, gnutls_openpgp_privkey_t @var{key}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{key}: The private key to be imported + +@var{flags}: Flags for the import + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_import_openpgp_raw +@anchor{gnutls_privkey_import_openpgp_raw} +@deftypefun {int} {gnutls_privkey_import_openpgp_raw} (gnutls_privkey_t @var{pkey}, const gnutls_datum_t * @var{data}, gnutls_openpgp_crt_fmt_t @var{format}, const gnutls_openpgp_keyid_t @var{keyid}, const char * @var{password}) +@var{pkey}: The private key + +@var{data}: The private key data to be imported + +@var{format}: The format of the private key + +@var{keyid}: The key id to use (optional) + +@var{password}: A password (optional) + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_privkey_import_pkcs11 +@anchor{gnutls_privkey_import_pkcs11} +@deftypefun {int} {gnutls_privkey_import_pkcs11} (gnutls_privkey_t @var{pkey}, gnutls_pkcs11_privkey_t @var{key}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{key}: The private key to be imported + +@var{flags}: Flags for the import + +This function will import the given private key to the abstract +@code{gnutls_privkey_t} type. + +The @code{gnutls_pkcs11_privkey_t} object must not be deallocated +during the lifetime of this structure. + + @code{flags} might be zero or one of @code{GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE} +and @code{GNUTLS_PRIVKEY_IMPORT_COPY} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_import_pkcs11_url +@anchor{gnutls_privkey_import_pkcs11_url} +@deftypefun {int} {gnutls_privkey_import_pkcs11_url} (gnutls_privkey_t @var{key}, const char * @var{url}) +@var{key}: A key of type @code{gnutls_pubkey_t} + +@var{url}: A PKCS 11 url + +This function will import a PKCS 11 private key to a @code{gnutls_private_key_t} +type. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_privkey_import_rsa_raw +@anchor{gnutls_privkey_import_rsa_raw} +@deftypefun {int} {gnutls_privkey_import_rsa_raw} (gnutls_privkey_t @var{key}, const gnutls_datum_t * @var{m}, const gnutls_datum_t * @var{e}, const gnutls_datum_t * @var{d}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{u}, const gnutls_datum_t * @var{e1}, const gnutls_datum_t * @var{e2}) +@var{key}: The structure to store the parsed key + +@var{m}: holds the modulus + +@var{e}: holds the public exponent + +@var{d}: holds the private exponent (optional) + +@var{p}: holds the first prime (p) + +@var{q}: holds the second prime (q) + +@var{u}: holds the coefficient (optional) + +@var{e1}: holds e1 = d mod (p-1) (optional) + +@var{e2}: holds e2 = d mod (q-1) (optional) + +This function will convert the given RSA raw parameters to the +native @code{gnutls_privkey_t} format. The output will be stored in + @code{key} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_privkey_import_tpm_raw +@anchor{gnutls_privkey_import_tpm_raw} +@deftypefun {int} {gnutls_privkey_import_tpm_raw} (gnutls_privkey_t @var{pkey}, const gnutls_datum_t * @var{fdata}, gnutls_tpmkey_fmt_t @var{format}, const char * @var{srk_password}, const char * @var{key_password}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{fdata}: The TPM key to be imported + +@var{format}: The format of the private key + +@var{srk_password}: The password for the SRK key (optional) + +@var{key_password}: A password for the key (optional) + +@var{flags}: should be zero + +This function will import the given private key to the abstract +@code{gnutls_privkey_t} type. + +With respect to passwords the same as in @code{gnutls_privkey_import_tpm_url()} apply. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_privkey_import_tpm_url +@anchor{gnutls_privkey_import_tpm_url} +@deftypefun {int} {gnutls_privkey_import_tpm_url} (gnutls_privkey_t @var{pkey}, const char * @var{url}, const char * @var{srk_password}, const char * @var{key_password}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{url}: The URL of the TPM key to be imported + +@var{srk_password}: The password for the SRK key (optional) + +@var{key_password}: A password for the key (optional) + +@var{flags}: One of the GNUTLS_PRIVKEY_* flags + +This function will import the given private key to the abstract +@code{gnutls_privkey_t} type. + +Note that unless @code{GNUTLS_PRIVKEY_DISABLE_CALLBACKS} +is specified, if incorrect (or NULL) passwords are given +the PKCS11 callback functions will be used to obtain the +correct passwords. Otherwise if the SRK password is wrong +@code{GNUTLS_E_TPM_SRK_PASSWORD_ERROR} is returned and if the key password +is wrong or not provided then @code{GNUTLS_E_TPM_KEY_PASSWORD_ERROR} +is returned. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_privkey_import_url +@anchor{gnutls_privkey_import_url} +@deftypefun {int} {gnutls_privkey_import_url} (gnutls_privkey_t @var{key}, const char * @var{url}, unsigned int @var{flags}) +@var{key}: A key of type @code{gnutls_privkey_t} + +@var{url}: A PKCS 11 url + +@var{flags}: should be zero + +This function will import a PKCS11 or TPM URL as a +private key. The supported URL types can be checked +using @code{gnutls_url_is_supported()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_privkey_import_x509 +@anchor{gnutls_privkey_import_x509} +@deftypefun {int} {gnutls_privkey_import_x509} (gnutls_privkey_t @var{pkey}, gnutls_x509_privkey_t @var{key}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{key}: The private key to be imported + +@var{flags}: Flags for the import + +This function will import the given private key to the abstract +@code{gnutls_privkey_t} type. + +The @code{gnutls_x509_privkey_t} object must not be deallocated +during the lifetime of this structure. + + @code{flags} might be zero or one of @code{GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE} +and @code{GNUTLS_PRIVKEY_IMPORT_COPY} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_import_x509_raw +@anchor{gnutls_privkey_import_x509_raw} +@deftypefun {int} {gnutls_privkey_import_x509_raw} (gnutls_privkey_t @var{pkey}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{password}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{data}: The private key data to be imported + +@var{format}: The format of the private key + +@var{password}: A password (optional) + +@var{flags}: an ORed sequence of gnutls_pkcs_encrypt_flags_t + +This function will import the given private key to the abstract +@code{gnutls_privkey_t} type. + +The supported formats are basic unencrypted key, PKCS8, PKCS12, +TSS2, and the openssl format. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_privkey_init +@anchor{gnutls_privkey_init} +@deftypefun {int} {gnutls_privkey_init} (gnutls_privkey_t * @var{key}) +@var{key}: A pointer to the type to be initialized + +This function will initialize a private key object. The object can +be used to generate, import, and perform cryptographic operations +on the associated private key. + +Note that when the underlying private key is a PKCS@code{11} key (i.e., +when imported with a PKCS@code{11} URI), the limitations of @code{gnutls_pkcs11_privkey_init()} +apply to this object as well. In versions of GnuTLS later than 3.5.11 the object +is protected using locks and a single @code{gnutls_privkey_t} can be re-used +by many threads. However, for performance it is recommended to utilize +one object per key per thread. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_set_flags +@anchor{gnutls_privkey_set_flags} +@deftypefun {void} {gnutls_privkey_set_flags} (gnutls_privkey_t @var{key}, unsigned int @var{flags}) +@var{key}: A key of type @code{gnutls_privkey_t} + +@var{flags}: flags from the @code{gnutls_privkey_flags} + +This function will set flags for the specified private key, after +it is generated. Currently this is useful for the @code{GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT} +to allow exporting a "provable" private key in backwards compatible way. + +@strong{Since:} 3.5.0 +@end deftypefun + +@subheading gnutls_privkey_set_pin_function +@anchor{gnutls_privkey_set_pin_function} +@deftypefun {void} {gnutls_privkey_set_pin_function} (gnutls_privkey_t @var{key}, gnutls_pin_callback_t @var{fn}, void * @var{userdata}) +@var{key}: A key of type @code{gnutls_privkey_t} + +@var{fn}: the callback + +@var{userdata}: data associated with the callback + +This function will set a callback function to be used when +required to access the object. This function overrides any other +global PIN functions. + +Note that this function must be called right after initialization +to have effect. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_privkey_set_spki +@anchor{gnutls_privkey_set_spki} +@deftypefun {int} {gnutls_privkey_set_spki} (gnutls_privkey_t @var{privkey}, const gnutls_x509_spki_t @var{spki}, unsigned int @var{flags}) +@var{privkey}: a public key of type @code{gnutls_privkey_t} + +@var{spki}: a SubjectPublicKeyInfo structure of type @code{gnutls_privkey_spki_t} + +@var{flags}: must be zero + +This function will set the public key information. +The provided @code{spki} must be initialized. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_sign_data +@anchor{gnutls_privkey_sign_data} +@deftypefun {int} {gnutls_privkey_sign_data} (gnutls_privkey_t @var{signer}, gnutls_digest_algorithm_t @var{hash}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, gnutls_datum_t * @var{signature}) +@var{signer}: Holds the key + +@var{hash}: should be a digest algorithm + +@var{flags}: Zero or one of @code{gnutls_privkey_flags_t} + +@var{data}: holds the data to be signed + +@var{signature}: will contain the signature allocated with @code{gnutls_malloc()} + +This function will sign the given data using a signature algorithm +supported by the private key. Signature algorithms are always used +together with a hash functions. Different hash functions may be +used for the RSA algorithm, but only the SHA family for the DSA keys. + +You may use @code{gnutls_pubkey_get_preferred_hash_algorithm()} to determine +the hash algorithm. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_sign_data2 +@anchor{gnutls_privkey_sign_data2} +@deftypefun {int} {gnutls_privkey_sign_data2} (gnutls_privkey_t @var{signer}, gnutls_sign_algorithm_t @var{algo}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, gnutls_datum_t * @var{signature}) +@var{signer}: Holds the key + +@var{algo}: The signature algorithm used + +@var{flags}: Zero or one of @code{gnutls_privkey_flags_t} + +@var{data}: holds the data to be signed + +@var{signature}: will contain the signature allocated with @code{gnutls_malloc()} + +This function will sign the given data using the specified signature +algorithm. This function is an enhancement of @code{gnutls_privkey_sign_data()} , +as it allows utilizing a alternative signature algorithm where possible +(e.g, use an RSA key with RSA-PSS). + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_sign_hash +@anchor{gnutls_privkey_sign_hash} +@deftypefun {int} {gnutls_privkey_sign_hash} (gnutls_privkey_t @var{signer}, gnutls_digest_algorithm_t @var{hash_algo}, unsigned int @var{flags}, const gnutls_datum_t * @var{hash_data}, gnutls_datum_t * @var{signature}) +@var{signer}: Holds the signer's key + +@var{hash_algo}: The hash algorithm used + +@var{flags}: Zero or one of @code{gnutls_privkey_flags_t} + +@var{hash_data}: holds the data to be signed + +@var{signature}: will contain newly allocated signature + +This function will sign the given hashed data using a signature algorithm +supported by the private key. Signature algorithms are always used +together with a hash functions. Different hash functions may be +used for the RSA algorithm, but only SHA-XXX for the DSA keys. + +You may use @code{gnutls_pubkey_get_preferred_hash_algorithm()} to determine +the hash algorithm. + +The flags may be @code{GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA} or @code{GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS} . +In the former case this function will ignore @code{hash_algo} and perform a raw PKCS1 signature, +and in the latter an RSA-PSS signature will be generated. + +Note that, not all algorithm support signing already hashed data. When +signing with Ed25519, @code{gnutls_privkey_sign_data()} should be used. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_privkey_sign_hash2 +@anchor{gnutls_privkey_sign_hash2} +@deftypefun {int} {gnutls_privkey_sign_hash2} (gnutls_privkey_t @var{signer}, gnutls_sign_algorithm_t @var{algo}, unsigned int @var{flags}, const gnutls_datum_t * @var{hash_data}, gnutls_datum_t * @var{signature}) +@var{signer}: Holds the signer's key + +@var{algo}: The signature algorithm used + +@var{flags}: Zero or one of @code{gnutls_privkey_flags_t} + +@var{hash_data}: holds the data to be signed + +@var{signature}: will contain newly allocated signature + +This function will sign the given hashed data using the specified signature +algorithm. This function is an enhancement of @code{gnutls_privkey_sign_hash()} , +as it allows utilizing a alternative signature algorithm where possible +(e.g, use an RSA key with RSA-PSS). + +The flags may be @code{GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA} . +In that case this function will ignore @code{hash_algo} and perform a raw PKCS1 signature. +Note that this flag is supported since 3.6.9. + +Note also that, not all algorithm support signing already hashed data. When +signing with Ed25519, @code{gnutls_privkey_sign_data2()} should be used instead. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_privkey_status +@anchor{gnutls_privkey_status} +@deftypefun {int} {gnutls_privkey_status} (gnutls_privkey_t @var{key}) +@var{key}: Holds the key + +Checks the status of the private key token. This function +is an actual wrapper over @code{gnutls_pkcs11_privkey_status()} , and +if the private key is a PKCS @code{11} token it will check whether +it is inserted or not. + +@strong{Returns:} this function will return non-zero if the token +holding the private key is still available (inserted), and zero otherwise. + +@strong{Since:} 3.1.10 +@end deftypefun + +@subheading gnutls_privkey_verify_params +@anchor{gnutls_privkey_verify_params} +@deftypefun {int} {gnutls_privkey_verify_params} (gnutls_privkey_t @var{key}) +@var{key}: should contain a @code{gnutls_privkey_t} type + +This function will verify the private key parameters. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_privkey_verify_seed +@anchor{gnutls_privkey_verify_seed} +@deftypefun {int} {gnutls_privkey_verify_seed} (gnutls_privkey_t @var{key}, gnutls_digest_algorithm_t @var{digest}, const void * @var{seed}, size_t @var{seed_size}) +@var{key}: should contain a @code{gnutls_privkey_t} type + +@var{digest}: it contains the digest algorithm used for key generation (if applicable) + +@var{seed}: the seed of the key to be checked with + +@var{seed_size}: holds the size of @code{seed} + +This function will verify that the given private key was generated from +the provided seed. + +@strong{Returns:} In case of a verification failure @code{GNUTLS_E_PRIVKEY_VERIFICATION_ERROR} +is returned, and zero or positive code on success. + +@strong{Since:} 3.5.0 +@end deftypefun + +@subheading gnutls_pubkey_deinit +@anchor{gnutls_pubkey_deinit} +@deftypefun {void} {gnutls_pubkey_deinit} (gnutls_pubkey_t @var{key}) +@var{key}: The key to be deinitialized + +This function will deinitialize a public key structure. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_encrypt_data +@anchor{gnutls_pubkey_encrypt_data} +@deftypefun {int} {gnutls_pubkey_encrypt_data} (gnutls_pubkey_t @var{key}, unsigned int @var{flags}, const gnutls_datum_t * @var{plaintext}, gnutls_datum_t * @var{ciphertext}) +@var{key}: Holds the public key + +@var{flags}: should be 0 for now + +@var{plaintext}: The data to be encrypted + +@var{ciphertext}: contains the encrypted data + +This function will encrypt the given data, using the public +key. On success the @code{ciphertext} will be allocated using @code{gnutls_malloc()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pubkey_export +@anchor{gnutls_pubkey_export} +@deftypefun {int} {gnutls_pubkey_export} (gnutls_pubkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size}) +@var{key}: Holds the certificate + +@var{format}: the format of output params. One of PEM or DER. + +@var{output_data}: will contain a certificate PEM or DER encoded + +@var{output_data_size}: holds the size of output_data (and will be +replaced by the actual size of parameters) + +This function will export the public key to DER or PEM format. +The contents of the exported data is the SubjectPublicKeyInfo +X.509 structure. + +If the buffer provided is not long enough to hold the output, then +*output_data_size is updated and @code{GNUTLS_E_SHORT_MEMORY_BUFFER} will +be returned. + +If the structure is PEM encoded, it will have a header +of "BEGIN CERTIFICATE". + +@strong{Returns:} In case of failure a negative error code will be +returned, and 0 on success. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_export2 +@anchor{gnutls_pubkey_export2} +@deftypefun {int} {gnutls_pubkey_export2} (gnutls_pubkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, gnutls_datum_t * @var{out}) +@var{key}: Holds the certificate + +@var{format}: the format of output params. One of PEM or DER. + +@var{out}: will contain a certificate PEM or DER encoded + +This function will export the public key to DER or PEM format. +The contents of the exported data is the SubjectPublicKeyInfo +X.509 structure. + +The output buffer will be allocated using @code{gnutls_malloc()} . + +If the structure is PEM encoded, it will have a header +of "BEGIN CERTIFICATE". + +@strong{Returns:} In case of failure a negative error code will be +returned, and 0 on success. + +@strong{Since:} 3.1.3 +@end deftypefun + +@subheading gnutls_pubkey_export_dsa_raw +@anchor{gnutls_pubkey_export_dsa_raw} +@deftypefun {int} {gnutls_pubkey_export_dsa_raw} (gnutls_pubkey_t @var{key}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}) +@var{key}: Holds the public key + +@var{p}: will hold the p (may be @code{NULL} ) + +@var{q}: will hold the q (may be @code{NULL} ) + +@var{g}: will hold the g (may be @code{NULL} ) + +@var{y}: will hold the y (may be @code{NULL} ) + +This function will export the DSA public key's parameters found in +the given certificate. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +This function allows for @code{NULL} parameters since 3.4.1. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_pubkey_export_dsa_raw2 +@anchor{gnutls_pubkey_export_dsa_raw2} +@deftypefun {int} {gnutls_pubkey_export_dsa_raw2} (gnutls_pubkey_t @var{key}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}, unsigned @var{flags}) +@var{key}: Holds the public key + +@var{p}: will hold the p (may be @code{NULL} ) + +@var{q}: will hold the q (may be @code{NULL} ) + +@var{g}: will hold the g (may be @code{NULL} ) + +@var{y}: will hold the y (may be @code{NULL} ) + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the DSA public key's parameters found in +the given certificate. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +This function allows for @code{NULL} parameters since 3.4.1. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_pubkey_export_ecc_raw +@anchor{gnutls_pubkey_export_ecc_raw} +@deftypefun {int} {gnutls_pubkey_export_ecc_raw} (gnutls_pubkey_t @var{key}, gnutls_ecc_curve_t * @var{curve}, gnutls_datum_t * @var{x}, gnutls_datum_t * @var{y}) +@var{key}: Holds the public key + +@var{curve}: will hold the curve (may be @code{NULL} ) + +@var{x}: will hold x-coordinate (may be @code{NULL} ) + +@var{y}: will hold y-coordinate (may be @code{NULL} ) + +This function will export the ECC public key's parameters found in +the given key. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +In EdDSA curves the @code{y} parameter will be @code{NULL} and the other parameters +will be in the native format for the curve. + +This function allows for @code{NULL} parameters since 3.4.1. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pubkey_export_ecc_raw2 +@anchor{gnutls_pubkey_export_ecc_raw2} +@deftypefun {int} {gnutls_pubkey_export_ecc_raw2} (gnutls_pubkey_t @var{key}, gnutls_ecc_curve_t * @var{curve}, gnutls_datum_t * @var{x}, gnutls_datum_t * @var{y}, unsigned int @var{flags}) +@var{key}: Holds the public key + +@var{curve}: will hold the curve (may be @code{NULL} ) + +@var{x}: will hold x-coordinate (may be @code{NULL} ) + +@var{y}: will hold y-coordinate (may be @code{NULL} ) + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the ECC public key's parameters found in +the given key. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +In EdDSA curves the @code{y} parameter will be @code{NULL} and the other parameters +will be in the native format for the curve. + +This function allows for @code{NULL} parameters since 3.4.1. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_pubkey_export_ecc_x962 +@anchor{gnutls_pubkey_export_ecc_x962} +@deftypefun {int} {gnutls_pubkey_export_ecc_x962} (gnutls_pubkey_t @var{key}, gnutls_datum_t * @var{parameters}, gnutls_datum_t * @var{ecpoint}) +@var{key}: Holds the public key + +@var{parameters}: DER encoding of an ANSI X9.62 parameters + +@var{ecpoint}: DER encoding of ANSI X9.62 ECPoint + +This function will export the ECC public key's parameters found in +the given certificate. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_pubkey_export_gost_raw2 +@anchor{gnutls_pubkey_export_gost_raw2} +@deftypefun {int} {gnutls_pubkey_export_gost_raw2} (gnutls_pubkey_t @var{key}, gnutls_ecc_curve_t * @var{curve}, gnutls_digest_algorithm_t * @var{digest}, gnutls_gost_paramset_t * @var{paramset}, gnutls_datum_t * @var{x}, gnutls_datum_t * @var{y}, unsigned int @var{flags}) +@var{key}: Holds the public key + +@var{curve}: will hold the curve (may be @code{NULL} ) + +@var{digest}: will hold the curve (may be @code{NULL} ) + +@var{paramset}: will hold the parameters id (may be @code{NULL} ) + +@var{x}: will hold the x-coordinate (may be @code{NULL} ) + +@var{y}: will hold the y-coordinate (may be @code{NULL} ) + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the GOST public key's parameters found in +the given key. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +@strong{Note:} parameters will be stored with least significant byte first. On +version 3.6.3 this was incorrectly returned in big-endian format. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_pubkey_export_rsa_raw +@anchor{gnutls_pubkey_export_rsa_raw} +@deftypefun {int} {gnutls_pubkey_export_rsa_raw} (gnutls_pubkey_t @var{key}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}) +@var{key}: Holds the certificate + +@var{m}: will hold the modulus (may be @code{NULL} ) + +@var{e}: will hold the public exponent (may be @code{NULL} ) + +This function will export the RSA public key's parameters found in +the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +This function allows for @code{NULL} parameters since 3.4.1. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_pubkey_export_rsa_raw2 +@anchor{gnutls_pubkey_export_rsa_raw2} +@deftypefun {int} {gnutls_pubkey_export_rsa_raw2} (gnutls_pubkey_t @var{key}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}, unsigned @var{flags}) +@var{key}: Holds the certificate + +@var{m}: will hold the modulus (may be @code{NULL} ) + +@var{e}: will hold the public exponent (may be @code{NULL} ) + +@var{flags}: flags from @code{gnutls_abstract_export_flags_t} + +This function will export the RSA public key's parameters found in +the given structure. The new parameters will be allocated using +@code{gnutls_malloc()} and will be stored in the appropriate datum. + +This function allows for @code{NULL} parameters since 3.4.1. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_pubkey_get_key_id +@anchor{gnutls_pubkey_get_key_id} +@deftypefun {int} {gnutls_pubkey_get_key_id} (gnutls_pubkey_t @var{key}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size}) +@var{key}: Holds the public key + +@var{flags}: should be one of the flags from @code{gnutls_keyid_flags_t} + +@var{output_data}: will contain the key ID + +@var{output_data_size}: holds the size of output_data (and will be +replaced by the actual size of parameters) + +This function will return a unique ID that depends on the public +key parameters. This ID can be used in checking whether a +certificate corresponds to the given public key. + +If the buffer provided is not long enough to hold the output, then +*output_data_size is updated and @code{GNUTLS_E_SHORT_MEMORY_BUFFER} will +be returned. The output will normally be a SHA-1 hash output, +which is 20 bytes. + +@strong{Returns:} In case of failure a negative error code will be +returned, and 0 on success. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_get_key_usage +@anchor{gnutls_pubkey_get_key_usage} +@deftypefun {int} {gnutls_pubkey_get_key_usage} (gnutls_pubkey_t @var{key}, unsigned int * @var{usage}) +@var{key}: should contain a @code{gnutls_pubkey_t} type + +@var{usage}: If set will return the number of bits of the parameters (may be NULL) + +This function will return the key usage of the public key. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_get_openpgp_key_id +@anchor{gnutls_pubkey_get_openpgp_key_id} +@deftypefun {int} {gnutls_pubkey_get_openpgp_key_id} (gnutls_pubkey_t @var{key}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size}, unsigned int * @var{subkey}) +@var{key}: Holds the public key + +@var{flags}: should be one of the flags from @code{gnutls_keyid_flags_t} + +@var{output_data}: will contain the key ID + +@var{output_data_size}: holds the size of output_data (and will be +replaced by the actual size of parameters) + +@var{subkey}: ignored + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_get_pk_algorithm +@anchor{gnutls_pubkey_get_pk_algorithm} +@deftypefun {int} {gnutls_pubkey_get_pk_algorithm} (gnutls_pubkey_t @var{key}, unsigned int * @var{bits}) +@var{key}: should contain a @code{gnutls_pubkey_t} type + +@var{bits}: If set will return the number of bits of the parameters (may be NULL) + +This function will return the public key algorithm of a public +key and if possible will return a number of bits that indicates +the security parameter of the key. + +@strong{Returns:} a member of the @code{gnutls_pk_algorithm_t} enumeration on +success, or a negative error code on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_get_preferred_hash_algorithm +@anchor{gnutls_pubkey_get_preferred_hash_algorithm} +@deftypefun {int} {gnutls_pubkey_get_preferred_hash_algorithm} (gnutls_pubkey_t @var{key}, gnutls_digest_algorithm_t * @var{hash}, unsigned int * @var{mand}) +@var{key}: Holds the certificate + +@var{hash}: The result of the call with the hash algorithm used for signature + +@var{mand}: If non zero it means that the algorithm MUST use this hash. May be NULL. + +This function will read the certificate and return the appropriate digest +algorithm to use for signing with this certificate. Some certificates (i.e. +DSA might not be able to sign without the preferred algorithm). + +To get the signature algorithm instead of just the hash use @code{gnutls_pk_to_sign()} +with the algorithm of the certificate/key and the provided @code{hash} . + +@strong{Returns:} the 0 if the hash algorithm is found. A negative error code is +returned on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_get_spki +@anchor{gnutls_pubkey_get_spki} +@deftypefun {int} {gnutls_pubkey_get_spki} (gnutls_pubkey_t @var{pubkey}, gnutls_x509_spki_t @var{spki}, unsigned int @var{flags}) +@var{pubkey}: a public key of type @code{gnutls_pubkey_t} + +@var{spki}: a SubjectPublicKeyInfo structure of type @code{gnutls_pubkey_spki_t} + +@var{flags}: must be zero + +This function will return the public key information if available. +The provided @code{spki} must be initialized. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_pubkey_import +@anchor{gnutls_pubkey_import} +@deftypefun {int} {gnutls_pubkey_import} (gnutls_pubkey_t @var{key}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}) +@var{key}: The public key. + +@var{data}: The DER or PEM encoded certificate. + +@var{format}: One of DER or PEM + +This function will import the provided public key in +a SubjectPublicKeyInfo X.509 structure to a native +@code{gnutls_pubkey_t} type. The output will be stored +in @code{key} . If the public key is PEM encoded it should have a header +of "PUBLIC KEY". + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_import_dsa_raw +@anchor{gnutls_pubkey_import_dsa_raw} +@deftypefun {int} {gnutls_pubkey_import_dsa_raw} (gnutls_pubkey_t @var{key}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{g}, const gnutls_datum_t * @var{y}) +@var{key}: The structure to store the parsed key + +@var{p}: holds the p + +@var{q}: holds the q + +@var{g}: holds the g + +@var{y}: holds the y + +This function will convert the given DSA raw parameters to the +native @code{gnutls_pubkey_t} format. The output will be stored +in @code{key} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_import_ecc_raw +@anchor{gnutls_pubkey_import_ecc_raw} +@deftypefun {int} {gnutls_pubkey_import_ecc_raw} (gnutls_pubkey_t @var{key}, gnutls_ecc_curve_t @var{curve}, const gnutls_datum_t * @var{x}, const gnutls_datum_t * @var{y}) +@var{key}: The structure to store the parsed key + +@var{curve}: holds the curve + +@var{x}: holds the x-coordinate + +@var{y}: holds the y-coordinate + +This function will convert the given elliptic curve parameters to a +@code{gnutls_pubkey_t} . The output will be stored in @code{key} . + +In EdDSA curves the @code{y} parameter should be @code{NULL} and the @code{x} parameter must +be the value in the native format for the curve. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pubkey_import_ecc_x962 +@anchor{gnutls_pubkey_import_ecc_x962} +@deftypefun {int} {gnutls_pubkey_import_ecc_x962} (gnutls_pubkey_t @var{key}, const gnutls_datum_t * @var{parameters}, const gnutls_datum_t * @var{ecpoint}) +@var{key}: The structure to store the parsed key + +@var{parameters}: DER encoding of an ANSI X9.62 parameters + +@var{ecpoint}: DER encoding of ANSI X9.62 ECPoint + +This function will convert the given elliptic curve parameters to a +@code{gnutls_pubkey_t} . The output will be stored in @code{key} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pubkey_import_gost_raw +@anchor{gnutls_pubkey_import_gost_raw} +@deftypefun {int} {gnutls_pubkey_import_gost_raw} (gnutls_pubkey_t @var{key}, gnutls_ecc_curve_t @var{curve}, gnutls_digest_algorithm_t @var{digest}, gnutls_gost_paramset_t @var{paramset}, const gnutls_datum_t * @var{x}, const gnutls_datum_t * @var{y}) +@var{key}: The structure to store the parsed key + +@var{curve}: holds the curve + +@var{digest}: holds the digest + +@var{paramset}: holds the parameters id + +@var{x}: holds the x-coordinate + +@var{y}: holds the y-coordinate + +This function will convert the given GOST public key's parameters to a +@code{gnutls_pubkey_t} . The output will be stored in @code{key} . @code{digest} should be +one of GNUTLS_DIG_GOSR_94, GNUTLS_DIG_STREEBOG_256 or +GNUTLS_DIG_STREEBOG_512. If @code{paramset} is set to GNUTLS_GOST_PARAMSET_UNKNOWN +default one will be selected depending on @code{digest} . + +@strong{Note:} parameters should be stored with least significant byte first. On +version 3.6.3 big-endian format was used incorrectly. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_pubkey_import_openpgp +@anchor{gnutls_pubkey_import_openpgp} +@deftypefun {int} {gnutls_pubkey_import_openpgp} (gnutls_pubkey_t @var{key}, gnutls_openpgp_crt_t @var{crt}, unsigned int @var{flags}) +@var{key}: The public key + +@var{crt}: The certificate to be imported + +@var{flags}: should be zero + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_import_openpgp_raw +@anchor{gnutls_pubkey_import_openpgp_raw} +@deftypefun {int} {gnutls_pubkey_import_openpgp_raw} (gnutls_pubkey_t @var{pkey}, const gnutls_datum_t * @var{data}, gnutls_openpgp_crt_fmt_t @var{format}, const gnutls_openpgp_keyid_t @var{keyid}, unsigned int @var{flags}) +@var{pkey}: The public key + +@var{data}: The public key data to be imported + +@var{format}: The format of the public key + +@var{keyid}: The key id to use (optional) + +@var{flags}: Should be zero + +This function is no-op. + +@strong{Returns:} @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . + +@strong{Since:} 3.1.3 +@end deftypefun + +@subheading gnutls_pubkey_import_pkcs11 +@anchor{gnutls_pubkey_import_pkcs11} +@deftypefun {int} {gnutls_pubkey_import_pkcs11} (gnutls_pubkey_t @var{key}, gnutls_pkcs11_obj_t @var{obj}, unsigned int @var{flags}) +@var{key}: The public key + +@var{obj}: The parameters to be imported + +@var{flags}: should be zero + +Imports a public key from a pkcs11 key. This function will import +the given public key to the abstract @code{gnutls_pubkey_t} type. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_import_privkey +@anchor{gnutls_pubkey_import_privkey} +@deftypefun {int} {gnutls_pubkey_import_privkey} (gnutls_pubkey_t @var{key}, gnutls_privkey_t @var{pkey}, unsigned int @var{usage}, unsigned int @var{flags}) +@var{key}: The public key + +@var{pkey}: The private key + +@var{usage}: GNUTLS_KEY_* key usage flags. + +@var{flags}: should be zero + +Imports the public key from a private. This function will import +the given public key to the abstract @code{gnutls_pubkey_t} type. + +Note that in certain keys this operation may not be possible, e.g., +in other than RSA PKCS@code{11} keys. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_import_rsa_raw +@anchor{gnutls_pubkey_import_rsa_raw} +@deftypefun {int} {gnutls_pubkey_import_rsa_raw} (gnutls_pubkey_t @var{key}, const gnutls_datum_t * @var{m}, const gnutls_datum_t * @var{e}) +@var{key}: The key + +@var{m}: holds the modulus + +@var{e}: holds the public exponent + +This function will replace the parameters in the given structure. +The new parameters should be stored in the appropriate +gnutls_datum. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_import_tpm_raw +@anchor{gnutls_pubkey_import_tpm_raw} +@deftypefun {int} {gnutls_pubkey_import_tpm_raw} (gnutls_pubkey_t @var{pkey}, const gnutls_datum_t * @var{fdata}, gnutls_tpmkey_fmt_t @var{format}, const char * @var{srk_password}, unsigned int @var{flags}) +@var{pkey}: The public key + +@var{fdata}: The TPM key to be imported + +@var{format}: The format of the private key + +@var{srk_password}: The password for the SRK key (optional) + +@var{flags}: One of the GNUTLS_PUBKEY_* flags + +This function will import the public key from the provided TPM key +structure. + +With respect to passwords the same as in +@code{gnutls_pubkey_import_tpm_url()} apply. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_pubkey_import_tpm_url +@anchor{gnutls_pubkey_import_tpm_url} +@deftypefun {int} {gnutls_pubkey_import_tpm_url} (gnutls_pubkey_t @var{pkey}, const char * @var{url}, const char * @var{srk_password}, unsigned int @var{flags}) +@var{pkey}: The public key + +@var{url}: The URL of the TPM key to be imported + +@var{srk_password}: The password for the SRK key (optional) + +@var{flags}: should be zero + +This function will import the given private key to the abstract +@code{gnutls_privkey_t} type. + +Note that unless @code{GNUTLS_PUBKEY_DISABLE_CALLBACKS} +is specified, if incorrect (or NULL) passwords are given +the PKCS11 callback functions will be used to obtain the +correct passwords. Otherwise if the SRK password is wrong +@code{GNUTLS_E_TPM_SRK_PASSWORD_ERROR} is returned. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_pubkey_import_url +@anchor{gnutls_pubkey_import_url} +@deftypefun {int} {gnutls_pubkey_import_url} (gnutls_pubkey_t @var{key}, const char * @var{url}, unsigned int @var{flags}) +@var{key}: A key of type @code{gnutls_pubkey_t} + +@var{url}: A PKCS 11 url + +@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags + +This function will import a public key from the provided URL. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_pubkey_import_x509 +@anchor{gnutls_pubkey_import_x509} +@deftypefun {int} {gnutls_pubkey_import_x509} (gnutls_pubkey_t @var{key}, gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}) +@var{key}: The public key + +@var{crt}: The certificate to be imported + +@var{flags}: should be zero + +This function will import the given public key to the abstract +@code{gnutls_pubkey_t} type. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_import_x509_crq +@anchor{gnutls_pubkey_import_x509_crq} +@deftypefun {int} {gnutls_pubkey_import_x509_crq} (gnutls_pubkey_t @var{key}, gnutls_x509_crq_t @var{crq}, unsigned int @var{flags}) +@var{key}: The public key + +@var{crq}: The certificate to be imported + +@var{flags}: should be zero + +This function will import the given public key to the abstract +@code{gnutls_pubkey_t} type. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.5 +@end deftypefun + +@subheading gnutls_pubkey_import_x509_raw +@anchor{gnutls_pubkey_import_x509_raw} +@deftypefun {int} {gnutls_pubkey_import_x509_raw} (gnutls_pubkey_t @var{pkey}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags}) +@var{pkey}: The public key + +@var{data}: The public key data to be imported + +@var{format}: The format of the public key + +@var{flags}: should be zero + +This function will import the given public key to the abstract +@code{gnutls_pubkey_t} type. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.3 +@end deftypefun + +@subheading gnutls_pubkey_init +@anchor{gnutls_pubkey_init} +@deftypefun {int} {gnutls_pubkey_init} (gnutls_pubkey_t * @var{key}) +@var{key}: A pointer to the type to be initialized + +This function will initialize a public key. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_print +@anchor{gnutls_pubkey_print} +@deftypefun {int} {gnutls_pubkey_print} (gnutls_pubkey_t @var{pubkey}, gnutls_certificate_print_formats_t @var{format}, gnutls_datum_t * @var{out}) +@var{pubkey}: The data to be printed + +@var{format}: Indicate the format to use + +@var{out}: Newly allocated datum with null terminated string. + +This function will pretty print public key information, suitable for +display to a human. + +Only @code{GNUTLS_CRT_PRINT_FULL} and @code{GNUTLS_CRT_PRINT_FULL_NUMBERS} +are implemented. + +The output @code{out} needs to be deallocated using @code{gnutls_free()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.5 +@end deftypefun + +@subheading gnutls_pubkey_set_key_usage +@anchor{gnutls_pubkey_set_key_usage} +@deftypefun {int} {gnutls_pubkey_set_key_usage} (gnutls_pubkey_t @var{key}, unsigned int @var{usage}) +@var{key}: a certificate of type @code{gnutls_x509_crt_t} + +@var{usage}: an ORed sequence of the GNUTLS_KEY_* elements. + +This function will set the key usage flags of the public key. This +is only useful if the key is to be exported to a certificate or +certificate request. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pubkey_set_pin_function +@anchor{gnutls_pubkey_set_pin_function} +@deftypefun {void} {gnutls_pubkey_set_pin_function} (gnutls_pubkey_t @var{key}, gnutls_pin_callback_t @var{fn}, void * @var{userdata}) +@var{key}: A key of type @code{gnutls_pubkey_t} + +@var{fn}: the callback + +@var{userdata}: data associated with the callback + +This function will set a callback function to be used when +required to access the object. This function overrides any other +global PIN functions. + +Note that this function must be called right after initialization +to have effect. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_pubkey_set_spki +@anchor{gnutls_pubkey_set_spki} +@deftypefun {int} {gnutls_pubkey_set_spki} (gnutls_pubkey_t @var{pubkey}, const gnutls_x509_spki_t @var{spki}, unsigned int @var{flags}) +@var{pubkey}: a public key of type @code{gnutls_pubkey_t} + +@var{spki}: a SubjectPublicKeyInfo structure of type @code{gnutls_pubkey_spki_t} + +@var{flags}: must be zero + +This function will set the public key information. +The provided @code{spki} must be initialized. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_pubkey_verify_data2 +@anchor{gnutls_pubkey_verify_data2} +@deftypefun {int} {gnutls_pubkey_verify_data2} (gnutls_pubkey_t @var{pubkey}, gnutls_sign_algorithm_t @var{algo}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, const gnutls_datum_t * @var{signature}) +@var{pubkey}: Holds the public key + +@var{algo}: The signature algorithm used + +@var{flags}: Zero or an OR list of @code{gnutls_certificate_verify_flags} + +@var{data}: holds the signed data + +@var{signature}: contains the signature + +This function will verify the given signed data, using the +parameters from the certificate. + +@strong{Returns:} In case of a verification failure @code{GNUTLS_E_PK_SIG_VERIFY_FAILED} +is returned, and zero or positive code on success. For known to be insecure +signatures this function will return @code{GNUTLS_E_INSUFFICIENT_SECURITY} unless +the flag @code{GNUTLS_VERIFY_ALLOW_BROKEN} is specified. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pubkey_verify_hash2 +@anchor{gnutls_pubkey_verify_hash2} +@deftypefun {int} {gnutls_pubkey_verify_hash2} (gnutls_pubkey_t @var{key}, gnutls_sign_algorithm_t @var{algo}, unsigned int @var{flags}, const gnutls_datum_t * @var{hash}, const gnutls_datum_t * @var{signature}) +@var{key}: Holds the public key + +@var{algo}: The signature algorithm used + +@var{flags}: Zero or an OR list of @code{gnutls_certificate_verify_flags} + +@var{hash}: holds the hash digest to be verified + +@var{signature}: contains the signature + +This function will verify the given signed digest, using the +parameters from the public key. Note that unlike @code{gnutls_privkey_sign_hash()} , +this function accepts a signature algorithm instead of a digest algorithm. +You can use @code{gnutls_pk_to_sign()} to get the appropriate value. + +@strong{Returns:} In case of a verification failure @code{GNUTLS_E_PK_SIG_VERIFY_FAILED} +is returned, and zero or positive code on success. For known to be insecure +signatures this function will return @code{GNUTLS_E_INSUFFICIENT_SECURITY} unless +the flag @code{GNUTLS_VERIFY_ALLOW_BROKEN} is specified. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pubkey_verify_params +@anchor{gnutls_pubkey_verify_params} +@deftypefun {int} {gnutls_pubkey_verify_params} (gnutls_pubkey_t @var{key}) +@var{key}: should contain a @code{gnutls_pubkey_t} type + +This function will verify the public key parameters. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_register_custom_url +@anchor{gnutls_register_custom_url} +@deftypefun {int} {gnutls_register_custom_url} (const gnutls_custom_url_st * @var{st}) +@var{st}: A @code{gnutls_custom_url_st} structure + +Register a custom URL. This will affect the following functions: +@code{gnutls_url_is_supported()} , @code{gnutls_privkey_import_url()} , +gnutls_pubkey_import_url, @code{gnutls_x509_crt_import_url()} +and all functions that depend on +them, e.g., @code{gnutls_certificate_set_x509_key_file2()} . + +The provided structure and callback functions must be valid throughout +the lifetime of the process. The registration of an existing URL type +will fail with @code{GNUTLS_E_INVALID_REQUEST} . Since GnuTLS 3.5.0 this function +can be used to override the builtin URLs. + +This function is not thread safe. + +@strong{Returns:} returns zero if the given structure was imported or a negative value otherwise. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_system_key_add_x509 +@anchor{gnutls_system_key_add_x509} +@deftypefun {int} {gnutls_system_key_add_x509} (gnutls_x509_crt_t @var{crt}, gnutls_x509_privkey_t @var{privkey}, const char * @var{label}, char ** @var{cert_url}, char ** @var{key_url}) +@var{crt}: the certificate to be added + +@var{privkey}: the key to be added + +@var{label}: the friendly name to describe the key + +@var{cert_url}: if non-NULL it will contain an allocated value with the certificate URL + +@var{key_url}: if non-NULL it will contain an allocated value with the key URL + +This function will added the given key and certificate pair, +to the system list. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_system_key_delete +@anchor{gnutls_system_key_delete} +@deftypefun {int} {gnutls_system_key_delete} (const char * @var{cert_url}, const char * @var{key_url}) +@var{cert_url}: the URL of the certificate + +@var{key_url}: the URL of the key + +This function will delete the key and certificate pair. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_system_key_iter_deinit +@anchor{gnutls_system_key_iter_deinit} +@deftypefun {void} {gnutls_system_key_iter_deinit} (gnutls_system_key_iter_t @var{iter}) +@var{iter}: an iterator of system keys + +This function will deinitialize the iterator. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_system_key_iter_get_info +@anchor{gnutls_system_key_iter_get_info} +@deftypefun {int} {gnutls_system_key_iter_get_info} (gnutls_system_key_iter_t * @var{iter}, unsigned @var{cert_type}, char ** @var{cert_url}, char ** @var{key_url}, char ** @var{label}, gnutls_datum_t * @var{der}, unsigned int @var{flags}) +@var{iter}: an iterator of the system keys (must be set to @code{NULL} initially) + +@var{cert_type}: A value of gnutls_certificate_type_t which indicates the type of certificate to look for + +@var{cert_url}: The certificate URL of the pair (may be @code{NULL} ) + +@var{key_url}: The key URL of the pair (may be @code{NULL} ) + +@var{label}: The friendly name (if any) of the pair (may be @code{NULL} ) + +@var{der}: if non-NULL the DER data of the certificate + +@var{flags}: should be zero + +This function will return on each call a certificate +and key pair URLs, as well as a label associated with them, +and the DER-encoded certificate. When the iteration is complete it will +return @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} . + +Typically @code{cert_type} should be @code{GNUTLS_CRT_X509} . + +All values set are allocated and must be cleared using @code{gnutls_free()} , + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_x509_crl_privkey_sign +@anchor{gnutls_x509_crl_privkey_sign} +@deftypefun {int} {gnutls_x509_crl_privkey_sign} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{issuer}, gnutls_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags}) +@var{crl}: should contain a gnutls_x509_crl_t type + +@var{issuer}: is the certificate of the certificate issuer + +@var{issuer_key}: holds the issuer's private key + +@var{dig}: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you're doing. + +@var{flags}: must be 0 + +This function will sign the CRL with the issuer's private key, and +will copy the issuer's information into the CRL. + +This must be the last step in a certificate CRL since all +the previously set parameters are now signed. + +A known limitation of this function is, that a newly-signed CRL will not +be fully functional (e.g., for signature verification), until it +is exported an re-imported. + +After GnuTLS 3.6.1 the value of @code{dig} may be @code{GNUTLS_DIG_UNKNOWN} , +and in that case, a suitable but reasonable for the key algorithm will be selected. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +Since 2.12.0 +@end deftypefun + +@subheading gnutls_x509_crq_privkey_sign +@anchor{gnutls_x509_crq_privkey_sign} +@deftypefun {int} {gnutls_x509_crq_privkey_sign} (gnutls_x509_crq_t @var{crq}, gnutls_privkey_t @var{key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags}) +@var{crq}: should contain a @code{gnutls_x509_crq_t} type + +@var{key}: holds a private key + +@var{dig}: The message digest to use, i.e., @code{GNUTLS_DIG_SHA1} + +@var{flags}: must be 0 + +This function will sign the certificate request with a private key. +This must be the same key as the one used in +@code{gnutls_x509_crt_set_key()} since a certificate request is self +signed. + +This must be the last step in a certificate request generation +since all the previously set parameters are now signed. + +A known limitation of this function is, that a newly-signed request will not +be fully functional (e.g., for signature verification), until it +is exported an re-imported. + +After GnuTLS 3.6.1 the value of @code{dig} may be @code{GNUTLS_DIG_UNKNOWN} , +and in that case, a suitable but reasonable for the key algorithm will be selected. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. +@code{GNUTLS_E_ASN1_VALUE_NOT_FOUND} is returned if you didn't set all +information in the certificate request (e.g., the version using +@code{gnutls_x509_crq_set_version()} ). + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_x509_crq_set_pubkey +@anchor{gnutls_x509_crq_set_pubkey} +@deftypefun {int} {gnutls_x509_crq_set_pubkey} (gnutls_x509_crq_t @var{crq}, gnutls_pubkey_t @var{key}) +@var{crq}: should contain a @code{gnutls_x509_crq_t} type + +@var{key}: holds a public key + +This function will set the public parameters from the given public +key to the request. The @code{key} can be deallocated after that. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_x509_crt_privkey_sign +@anchor{gnutls_x509_crt_privkey_sign} +@deftypefun {int} {gnutls_x509_crt_privkey_sign} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{issuer}, gnutls_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags}) +@var{crt}: a certificate of type @code{gnutls_x509_crt_t} + +@var{issuer}: is the certificate of the certificate issuer + +@var{issuer_key}: holds the issuer's private key + +@var{dig}: The message digest to use, @code{GNUTLS_DIG_SHA256} is a safe choice + +@var{flags}: must be 0 + +This function will sign the certificate with the issuer's private key, and +will copy the issuer's information into the certificate. + +This must be the last step in a certificate generation since all +the previously set parameters are now signed. + +A known limitation of this function is, that a newly-signed certificate will not +be fully functional (e.g., for signature verification), until it +is exported an re-imported. + +After GnuTLS 3.6.1 the value of @code{dig} may be @code{GNUTLS_DIG_UNKNOWN} , +and in that case, a suitable but reasonable for the key algorithm will be selected. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_x509_crt_set_pubkey +@anchor{gnutls_x509_crt_set_pubkey} +@deftypefun {int} {gnutls_x509_crt_set_pubkey} (gnutls_x509_crt_t @var{crt}, gnutls_pubkey_t @var{key}) +@var{crt}: should contain a @code{gnutls_x509_crt_t} type + +@var{key}: holds a public key + +This function will set the public parameters from the given public +key to the certificate. The @code{key} can be deallocated after that. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + |