diff options
Diffstat (limited to 'doc/pkcs11-api.texi')
-rw-r--r-- | doc/pkcs11-api.texi | 1247 |
1 files changed, 1247 insertions, 0 deletions
diff --git a/doc/pkcs11-api.texi b/doc/pkcs11-api.texi new file mode 100644 index 0000000..d40c615 --- /dev/null +++ b/doc/pkcs11-api.texi @@ -0,0 +1,1247 @@ + +@subheading gnutls_pkcs11_add_provider +@anchor{gnutls_pkcs11_add_provider} +@deftypefun {int} {gnutls_pkcs11_add_provider} (const char * @var{name}, const char * @var{params}) +@var{name}: The filename of the module + +@var{params}: should be NULL or a known string (see description) + +This function will load and add a PKCS 11 module to the module +list used in gnutls. After this function is called the module will +be used for PKCS 11 operations. + +When loading a module to be used for certificate verification, +use the string 'trusted' as @code{params} . + +Note that this function is not thread safe. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_copy_attached_extension +@anchor{gnutls_pkcs11_copy_attached_extension} +@deftypefun {int} {gnutls_pkcs11_copy_attached_extension} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{data}, const char * @var{label}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{crt}: An X.509 certificate object + +@var{data}: the attached extension + +@var{label}: A name to be used for the attached extension (may be @code{NULL} ) + +@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_* + +This function will copy an the attached extension in @code{data} for +the certificate provided in @code{crt} in the PKCS @code{11} token specified +by the URL (typically a trust module). The extension must be in +RFC5280 Extension format. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.8 +@end deftypefun + +@subheading gnutls_pkcs11_copy_pubkey +@anchor{gnutls_pkcs11_copy_pubkey} +@deftypefun {int} {gnutls_pkcs11_copy_pubkey} (const char * @var{token_url}, gnutls_pubkey_t @var{pubkey}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{key_usage}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{pubkey}: The public key to copy + +@var{label}: The name to be used for the stored data + +@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key + +@var{key_usage}: One of GNUTLS_KEY_* + +@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_* + +This function will copy a public key object into a PKCS @code{11} token specified by +a URL. Valid flags to mark the key: @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} , +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} , +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.6 +@end deftypefun + +@subheading gnutls_pkcs11_copy_secret_key +@anchor{gnutls_pkcs11_copy_secret_key} +@deftypefun {int} {gnutls_pkcs11_copy_secret_key} (const char * @var{token_url}, gnutls_datum_t * @var{key}, const char * @var{label}, unsigned int @var{key_usage}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{key}: The raw key + +@var{label}: A name to be used for the stored data + +@var{key_usage}: One of GNUTLS_KEY_* + +@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_* + +This function will copy a raw secret (symmetric) key into a PKCS @code{11} +token specified by a URL. The key can be marked as sensitive or not. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_copy_x509_crt +@anchor{gnutls_pkcs11_copy_x509_crt} +@deftypefun {int} {gnutls_pkcs11_copy_x509_crt} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{crt}: A certificate + +@var{label}: A name to be used for the stored data + +@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_* + +This function will copy a certificate into a PKCS @code{11} token specified by +a URL. The certificate can be marked as trusted or not. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_copy_x509_crt2 +@anchor{gnutls_pkcs11_copy_x509_crt2} +@deftypefun {int} {gnutls_pkcs11_copy_x509_crt2} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{crt}: The certificate to copy + +@var{label}: The name to be used for the stored data + +@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key + +@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_* + +This function will copy a certificate into a PKCS @code{11} token specified by +a URL. Valid flags to mark the certificate: @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} , +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} , +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_copy_x509_privkey +@anchor{gnutls_pkcs11_copy_x509_privkey} +@deftypefun {int} {gnutls_pkcs11_copy_x509_privkey} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, unsigned int @var{key_usage}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{key}: A private key + +@var{label}: A name to be used for the stored data + +@var{key_usage}: One of GNUTLS_KEY_* + +@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags + +This function will copy a private key into a PKCS @code{11} token specified by +a URL. + +Since 3.6.3 the objects are marked as sensitive by default unless +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE} is specified. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_copy_x509_privkey2 +@anchor{gnutls_pkcs11_copy_x509_privkey2} +@deftypefun {int} {gnutls_pkcs11_copy_x509_privkey2} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{key_usage}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{key}: A private key + +@var{label}: A name to be used for the stored data + +@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key + +@var{key_usage}: One of GNUTLS_KEY_* + +@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags + +This function will copy a private key into a PKCS @code{11} token specified by +a URL. + +Since 3.6.3 the objects are marked as sensitive by default unless +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE} is specified. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_crt_is_known +@anchor{gnutls_pkcs11_crt_is_known} +@deftypefun {unsigned} {gnutls_pkcs11_crt_is_known} (const char * @var{url}, gnutls_x509_crt_t @var{cert}, unsigned int @var{flags}) +@var{url}: A PKCS 11 url identifying a token + +@var{cert}: is the certificate to find issuer for + +@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} . + +This function will check whether the provided certificate is stored +in the specified token. This is useful in combination with +@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED} or +@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED} , +to check whether a CA is present or a certificate is blacklisted in +a trust PKCS @code{11} module. + +This function can be used with a @code{url} of "pkcs11:", and in that case all modules +will be searched. To restrict the modules to the marked as trusted in p11-kit +use the @code{GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE} flag. + +Note that the flag @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED} is +specific to p11-kit trust modules. + +@strong{Returns:} If the certificate exists non-zero is returned, otherwise zero. + +@strong{Since:} 3.3.0 +@end deftypefun + +@subheading gnutls_pkcs11_deinit +@anchor{gnutls_pkcs11_deinit} +@deftypefun {void} {gnutls_pkcs11_deinit} ( @var{void}) + +This function will deinitialize the PKCS 11 subsystem in gnutls. +This function is only needed if you need to deinitialize the +subsystem without calling @code{gnutls_global_deinit()} . + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_delete_url +@anchor{gnutls_pkcs11_delete_url} +@deftypefun {int} {gnutls_pkcs11_delete_url} (const char * @var{object_url}, unsigned int @var{flags}) +@var{object_url}: The URL of the object to delete. + +@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags + +This function will delete objects matching the given URL. +Note that not all tokens support the delete operation. + +@strong{Returns:} On success, the number of objects deleted is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_get_pin_function +@anchor{gnutls_pkcs11_get_pin_function} +@deftypefun {gnutls_pin_callback_t} {gnutls_pkcs11_get_pin_function} (void ** @var{userdata}) +@var{userdata}: data to be supplied to callback + +This function will return the callback function set using +@code{gnutls_pkcs11_set_pin_function()} . + +@strong{Returns:} The function set or NULL otherwise. + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_pkcs11_get_raw_issuer +@anchor{gnutls_pkcs11_get_raw_issuer} +@deftypefun {int} {gnutls_pkcs11_get_raw_issuer} (const char * @var{url}, gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{issuer}, gnutls_x509_crt_fmt_t @var{fmt}, unsigned int @var{flags}) +@var{url}: A PKCS 11 url identifying a token + +@var{cert}: is the certificate to find issuer for + +@var{issuer}: Will hold the issuer if any in an allocated buffer. + +@var{fmt}: The format of the exported issuer. + +@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} . + +This function will return the issuer of a given certificate, if it +is stored in the token. By default only marked as trusted issuers +are returned. If any issuer should be returned specify +@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY} in @code{flags} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.2.7 +@end deftypefun + +@subheading gnutls_pkcs11_get_raw_issuer_by_dn +@anchor{gnutls_pkcs11_get_raw_issuer_by_dn} +@deftypefun {int} {gnutls_pkcs11_get_raw_issuer_by_dn} (const char * @var{url}, const gnutls_datum_t * @var{dn}, gnutls_datum_t * @var{issuer}, gnutls_x509_crt_fmt_t @var{fmt}, unsigned int @var{flags}) +@var{url}: A PKCS 11 url identifying a token + +@var{dn}: is the DN to search for + +@var{issuer}: Will hold the issuer if any in an allocated buffer. + +@var{fmt}: The format of the exported issuer. + +@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} . + +This function will return the certificate with the given DN, if it +is stored in the token. By default only marked as trusted issuers +are returned. If any issuer should be returned specify +@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY} in @code{flags} . + +The name of the function includes issuer because it can +be used to discover issuers of certificates. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_get_raw_issuer_by_subject_key_id +@anchor{gnutls_pkcs11_get_raw_issuer_by_subject_key_id} +@deftypefun {int} {gnutls_pkcs11_get_raw_issuer_by_subject_key_id} (const char * @var{url}, const gnutls_datum_t * @var{dn}, const gnutls_datum_t * @var{spki}, gnutls_datum_t * @var{issuer}, gnutls_x509_crt_fmt_t @var{fmt}, unsigned int @var{flags}) +@var{url}: A PKCS 11 url identifying a token + +@var{dn}: is the DN to search for (may be @code{NULL} ) + +@var{spki}: is the subject key ID to search for + +@var{issuer}: Will hold the issuer if any in an allocated buffer. + +@var{fmt}: The format of the exported issuer. + +@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} . + +This function will return the certificate with the given DN and @code{spki} , if it +is stored in the token. By default only marked as trusted issuers +are returned. If any issuer should be returned specify +@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY} in @code{flags} . + +The name of the function includes issuer because it can +be used to discover issuers of certificates. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.2 +@end deftypefun + +@subheading gnutls_pkcs11_init +@anchor{gnutls_pkcs11_init} +@deftypefun {int} {gnutls_pkcs11_init} (unsigned int @var{flags}, const char * @var{deprecated_config_file}) +@var{flags}: An ORed sequence of @code{GNUTLS_PKCS11_FLAG_} * + +@var{deprecated_config_file}: either NULL or the location of a deprecated +configuration file + +This function will initialize the PKCS 11 subsystem in gnutls. It will +read configuration files if @code{GNUTLS_PKCS11_FLAG_AUTO} is used or allow +you to independently load PKCS 11 modules using @code{gnutls_pkcs11_add_provider()} +if @code{GNUTLS_PKCS11_FLAG_MANUAL} is specified. + +You don't need to call this function since GnuTLS 3.3.0 because it is being called +during the first request PKCS 11 operation. That call will assume the @code{GNUTLS_PKCS11_FLAG_AUTO} +flag. If another flags are required then it must be called independently +prior to any PKCS 11 operation. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_deinit +@anchor{gnutls_pkcs11_obj_deinit} +@deftypefun {void} {gnutls_pkcs11_obj_deinit} (gnutls_pkcs11_obj_t @var{obj}) +@var{obj}: The type to be deinitialized + +This function will deinitialize a certificate structure. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_export +@anchor{gnutls_pkcs11_obj_export} +@deftypefun {int} {gnutls_pkcs11_obj_export} (gnutls_pkcs11_obj_t @var{obj}, void * @var{output_data}, size_t * @var{output_data_size}) +@var{obj}: Holds the object + +@var{output_data}: will contain the object data + +@var{output_data_size}: holds the size of output_data (and will be +replaced by the actual size of parameters) + +This function will export the PKCS11 object data. It is normal for +data to be inaccessible and in that case @code{GNUTLS_E_INVALID_REQUEST} +will be returned. + +If the buffer provided is not long enough to hold the output, then +*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will +be returned. + +@strong{Returns:} In case of failure a negative error code will be +returned, and @code{GNUTLS_E_SUCCESS} (0) on success. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_export2 +@anchor{gnutls_pkcs11_obj_export2} +@deftypefun {int} {gnutls_pkcs11_obj_export2} (gnutls_pkcs11_obj_t @var{obj}, gnutls_datum_t * @var{out}) +@var{obj}: Holds the object + +@var{out}: will contain the object data + +This function will export the PKCS11 object data. It is normal for +data to be inaccessible and in that case @code{GNUTLS_E_INVALID_REQUEST} +will be returned. + +The output buffer is allocated using @code{gnutls_malloc()} . + +@strong{Returns:} In case of failure a negative error code will be +returned, and @code{GNUTLS_E_SUCCESS} (0) on success. + +@strong{Since:} 3.1.3 +@end deftypefun + +@subheading gnutls_pkcs11_obj_export3 +@anchor{gnutls_pkcs11_obj_export3} +@deftypefun {int} {gnutls_pkcs11_obj_export3} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{out}) +@var{obj}: Holds the object + +@var{fmt}: The format of the exported data + +@var{out}: will contain the object data + +This function will export the PKCS11 object data. It is normal for +data to be inaccessible and in that case @code{GNUTLS_E_INVALID_REQUEST} +will be returned. + +The output buffer is allocated using @code{gnutls_malloc()} . + +@strong{Returns:} In case of failure a negative error code will be +returned, and @code{GNUTLS_E_SUCCESS} (0) on success. + +@strong{Since:} 3.2.7 +@end deftypefun + +@subheading gnutls_pkcs11_obj_export_url +@anchor{gnutls_pkcs11_obj_export_url} +@deftypefun {int} {gnutls_pkcs11_obj_export_url} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url}) +@var{obj}: Holds the PKCS 11 certificate + +@var{detailed}: non zero if a detailed URL is required + +@var{url}: will contain an allocated url + +This function will export a URL identifying the given object. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_flags_get_str +@anchor{gnutls_pkcs11_obj_flags_get_str} +@deftypefun {char *} {gnutls_pkcs11_obj_flags_get_str} (unsigned int @var{flags}) +@var{flags}: holds the flags + +This function given an or-sequence of @code{GNUTLS_PKCS11_OBJ_FLAG_MARK} , +will return an allocated string with its description. The string +needs to be deallocated using @code{gnutls_free()} . + +@strong{Returns:} If flags is zero @code{NULL} is returned, otherwise an allocated string. + +@strong{Since:} 3.3.7 +@end deftypefun + +@subheading gnutls_pkcs11_obj_get_exts +@anchor{gnutls_pkcs11_obj_get_exts} +@deftypefun {int} {gnutls_pkcs11_obj_get_exts} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_ext_st ** @var{exts}, unsigned int * @var{exts_size}, unsigned int @var{flags}) +@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type + +@var{exts}: a pointer to a @code{gnutls_x509_ext_st} pointer + +@var{exts_size}: will be updated with the number of @code{exts} + +@var{flags}: Or sequence of @code{GNUTLS_PKCS11_OBJ_} * flags + +This function will return information about attached extensions +that associate to the provided object (which should be a certificate). +The extensions are the attached p11-kit trust module extensions. + +Each element of @code{exts} must be deinitialized using @code{gnutls_x509_ext_deinit()} +while @code{exts} should be deallocated using @code{gnutls_free()} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. + +@strong{Since:} 3.3.8 +@end deftypefun + +@subheading gnutls_pkcs11_obj_get_flags +@anchor{gnutls_pkcs11_obj_get_flags} +@deftypefun {int} {gnutls_pkcs11_obj_get_flags} (gnutls_pkcs11_obj_t @var{obj}, unsigned int * @var{oflags}) +@var{obj}: The pkcs11 object + +@var{oflags}: Will hold the output flags + +This function will return the flags of the object. +The @code{oflags} will be flags from @code{gnutls_pkcs11_obj_flags} . That is, +the @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_} * flags. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.7 +@end deftypefun + +@subheading gnutls_pkcs11_obj_get_info +@anchor{gnutls_pkcs11_obj_get_info} +@deftypefun {int} {gnutls_pkcs11_obj_get_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size}) +@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type + +@var{itype}: Denotes the type of information requested + +@var{output}: where output will be stored + +@var{output_size}: contains the maximum size of the output buffer and will be +overwritten with the actual size. + +This function will return information about the PKCS11 certificate +such as the label, id as well as token information where the key is +stored. + +When output is text, a null terminated string is written to @code{output} and its +string length is written to @code{output_size} (without null terminator). If the +buffer is too small, @code{output_size} will contain the expected buffer size +(with null terminator for text) and return @code{GNUTLS_E_SHORT_MEMORY_BUFFER} . + +In versions previously to 3.6.0 this function included the null terminator +to @code{output_size} . After 3.6.0 the output size doesn't include the terminator character. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_get_ptr +@anchor{gnutls_pkcs11_obj_get_ptr} +@deftypefun {int} {gnutls_pkcs11_obj_get_ptr} (gnutls_pkcs11_obj_t @var{obj}, void ** @var{ptr}, void ** @var{session}, void ** @var{ohandle}, unsigned long * @var{slot_id}, unsigned int @var{flags}) +@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type + +@var{ptr}: will contain the CK_FUNCTION_LIST_PTR pointer (may be @code{NULL} ) + +@var{session}: will contain the CK_SESSION_HANDLE of the object + +@var{ohandle}: will contain the CK_OBJECT_HANDLE of the object + +@var{slot_id}: the identifier of the slot (may be @code{NULL} ) + +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags + +Obtains the PKCS@code{11} session handles of an object. @code{session} and @code{ohandle} must be deinitialized by the caller. The returned pointers are +independent of the @code{obj} lifetime. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code +on error. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_pkcs11_obj_get_type +@anchor{gnutls_pkcs11_obj_get_type} +@deftypefun {gnutls_pkcs11_obj_type_t} {gnutls_pkcs11_obj_get_type} (gnutls_pkcs11_obj_t @var{obj}) +@var{obj}: Holds the PKCS 11 object + +This function will return the type of the object being +stored in the structure. + +@strong{Returns:} The type of the object + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_import_url +@anchor{gnutls_pkcs11_obj_import_url} +@deftypefun {int} {gnutls_pkcs11_obj_import_url} (gnutls_pkcs11_obj_t @var{obj}, const char * @var{url}, unsigned int @var{flags}) +@var{obj}: The structure to store the object + +@var{url}: a PKCS 11 url identifying the key + +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags + +This function will "import" a PKCS 11 URL identifying an object (e.g. certificate) +to the @code{gnutls_pkcs11_obj_t} type. This does not involve any +parsing (such as X.509 or OpenPGP) since the @code{gnutls_pkcs11_obj_t} is +format agnostic. Only data are transferred. + +If the flag @code{GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT} is specified +any certificate read, will have its extensions overwritten by any +stapled extensions in the trust module. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_init +@anchor{gnutls_pkcs11_obj_init} +@deftypefun {int} {gnutls_pkcs11_obj_init} (gnutls_pkcs11_obj_t * @var{obj}) +@var{obj}: A pointer to the type to be initialized + +This function will initialize a pkcs11 certificate structure. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_list_import_url3 +@anchor{gnutls_pkcs11_obj_list_import_url3} +@deftypefun {int} {gnutls_pkcs11_obj_list_import_url3} (gnutls_pkcs11_obj_t * @var{p_list}, unsigned int * @var{n_list}, const char * @var{url}, unsigned int @var{flags}) +@var{p_list}: An uninitialized object list (may be @code{NULL} ) + +@var{n_list}: Initially should hold the maximum size of the list. Will contain the actual size. + +@var{url}: A PKCS 11 url identifying a set of objects + +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags + +This function will initialize and set values to an object list +by using all objects identified by a PKCS 11 URL. + +This function will enumerate all the objects specified by the PKCS@code{11} URL +provided. It expects an already allocated @code{p_list} which has * @code{n_list} elements, +and that value will be updated to the actual number of present objects. The + @code{p_list} objects will be initialized and set by this function. +To obtain a list of all available objects use a @code{url} of 'pkcs11:'. + +All returned objects must be deinitialized using @code{gnutls_pkcs11_obj_deinit()} . + +The supported in this function @code{flags} are @code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN} , +@code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE} , +@code{GNUTLS_PKCS11_OBJ_FLAG_CRT} , @code{GNUTLS_PKCS11_OBJ_FLAG_PUBKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY} , +@code{GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} , +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} , and since 3.5.1 the @code{GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT} . + +On versions of GnuTLS prior to 3.4.0 the equivalent function was +@code{gnutls_pkcs11_obj_list_import_url()} . That is also available on this version +as a macro which maps to this function. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_list_import_url4 +@anchor{gnutls_pkcs11_obj_list_import_url4} +@deftypefun {int} {gnutls_pkcs11_obj_list_import_url4} (gnutls_pkcs11_obj_t ** @var{p_list}, unsigned int * @var{n_list}, const char * @var{url}, unsigned int @var{flags}) +@var{p_list}: An uninitialized object list (may be NULL) + +@var{n_list}: It will contain the size of the list. + +@var{url}: A PKCS 11 url identifying a set of objects + +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags + +This function will enumerate all the objects specified by the PKCS@code{11} URL +provided. It will initialize and set values to the object pointer list ( @code{p_list} ) +provided. To obtain a list of all available objects use a @code{url} of 'pkcs11:'. + +All returned objects must be deinitialized using @code{gnutls_pkcs11_obj_deinit()} , +and @code{p_list} must be deinitialized using @code{gnutls_free()} . + +The supported in this function @code{flags} are @code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN} , +@code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE} , +@code{GNUTLS_PKCS11_OBJ_FLAG_CRT} , @code{GNUTLS_PKCS11_OBJ_FLAG_PUBKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY} , +@code{GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} , +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} , and since 3.5.1 the @code{GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT} . + +On versions of GnuTLS prior to 3.4.0 the equivalent function was +@code{gnutls_pkcs11_obj_list_import_url2()} . That is also available on this version +as a macro which maps to this function. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_set_info +@anchor{gnutls_pkcs11_obj_set_info} +@deftypefun {int} {gnutls_pkcs11_obj_set_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, const void * @var{data}, size_t @var{data_size}, unsigned @var{flags}) +@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type + +@var{itype}: Denotes the type of information to be set + +@var{data}: the data to set + +@var{data_size}: the size of data + +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags + +This function will set attributes on the provided object. +Available options for @code{itype} are @code{GNUTLS_PKCS11_OBJ_LABEL} , +@code{GNUTLS_PKCS11_OBJ_ID_HEX} , and @code{GNUTLS_PKCS11_OBJ_ID} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_obj_set_pin_function +@anchor{gnutls_pkcs11_obj_set_pin_function} +@deftypefun {void} {gnutls_pkcs11_obj_set_pin_function} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pin_callback_t @var{fn}, void * @var{userdata}) +@var{obj}: The object structure + +@var{fn}: the callback + +@var{userdata}: data associated with the callback + +This function will set a callback function to be used when +required to access the object. This function overrides the global +set using @code{gnutls_pkcs11_set_pin_function()} . + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_pkcs11_privkey_cpy +@anchor{gnutls_pkcs11_privkey_cpy} +@deftypefun {int} {gnutls_pkcs11_privkey_cpy} (gnutls_pkcs11_privkey_t @var{dst}, gnutls_pkcs11_privkey_t @var{src}) +@var{dst}: The destination key, which should be initialized. + +@var{src}: The source key + +This function will copy a private key from source to destination +key. Destination has to be initialized. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_privkey_deinit +@anchor{gnutls_pkcs11_privkey_deinit} +@deftypefun {void} {gnutls_pkcs11_privkey_deinit} (gnutls_pkcs11_privkey_t @var{key}) +@var{key}: the key to be deinitialized + +This function will deinitialize a private key structure. +@end deftypefun + +@subheading gnutls_pkcs11_privkey_export_pubkey +@anchor{gnutls_pkcs11_privkey_export_pubkey} +@deftypefun {int} {gnutls_pkcs11_privkey_export_pubkey} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{data}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{fmt}: the format of output params. PEM or DER. + +@var{data}: will hold the public key + +@var{flags}: should be zero + +This function will extract the public key (modulus and public +exponent) from the private key specified by the @code{url} private key. +This public key will be stored in @code{pubkey} in the format specified +by @code{fmt} . @code{pubkey} should be deinitialized using @code{gnutls_free()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.7 +@end deftypefun + +@subheading gnutls_pkcs11_privkey_export_url +@anchor{gnutls_pkcs11_privkey_export_url} +@deftypefun {int} {gnutls_pkcs11_privkey_export_url} (gnutls_pkcs11_privkey_t @var{key}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url}) +@var{key}: Holds the PKCS 11 key + +@var{detailed}: non zero if a detailed URL is required + +@var{url}: will contain an allocated url + +This function will export a URL identifying the given key. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_pkcs11_privkey_generate +@anchor{gnutls_pkcs11_privkey_generate} +@deftypefun {int} {gnutls_pkcs11_privkey_generate} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, unsigned int @var{flags}) +@var{url}: a token URL + +@var{pk}: the public key algorithm + +@var{bits}: the security bits + +@var{label}: a label + +@var{flags}: should be zero + +This function will generate a private key in the specified +by the @code{url} token. The private key will be generate within +the token and will not be exportable. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pkcs11_privkey_generate2 +@anchor{gnutls_pkcs11_privkey_generate2} +@deftypefun {int} {gnutls_pkcs11_privkey_generate2} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{flags}) +@var{url}: a token URL + +@var{pk}: the public key algorithm + +@var{bits}: the security bits + +@var{label}: a label + +@var{fmt}: the format of output params. PEM or DER + +@var{pubkey}: will hold the public key (may be @code{NULL} ) + +@var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs} + +This function will generate a private key in the specified +by the @code{url} token. The private key will be generate within +the token and will not be exportable. This function will +store the DER-encoded public key in the SubjectPublicKeyInfo format +in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} . + +Note that when generating an elliptic curve key, the curve +can be substituted in the place of the bits parameter using the +@code{GNUTLS_CURVE_TO_BITS()} macro. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.1.5 +@end deftypefun + +@subheading gnutls_pkcs11_privkey_generate3 +@anchor{gnutls_pkcs11_privkey_generate3} +@deftypefun {int} {gnutls_pkcs11_privkey_generate3} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, const gnutls_datum_t * @var{cid}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{key_usage}, unsigned int @var{flags}) +@var{url}: a token URL + +@var{pk}: the public key algorithm + +@var{bits}: the security bits + +@var{label}: a label + +@var{cid}: The CKA_ID to use for the new object + +@var{fmt}: the format of output params. PEM or DER + +@var{pubkey}: will hold the public key (may be @code{NULL} ) + +@var{key_usage}: One of GNUTLS_KEY_* + +@var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs} + +This function will generate a private key in the specified +by the @code{url} token. The private key will be generate within +the token and will not be exportable. This function will +store the DER-encoded public key in the SubjectPublicKeyInfo format +in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} . + +Note that when generating an elliptic curve key, the curve +can be substituted in the place of the bits parameter using the +@code{GNUTLS_CURVE_TO_BITS()} macro. + +Since 3.6.3 the objects are marked as sensitive by default unless +@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE} is specified. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.4.0 +@end deftypefun + +@subheading gnutls_pkcs11_privkey_get_info +@anchor{gnutls_pkcs11_privkey_get_info} +@deftypefun {int} {gnutls_pkcs11_privkey_get_info} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size}) +@var{pkey}: should contain a @code{gnutls_pkcs11_privkey_t} type + +@var{itype}: Denotes the type of information requested + +@var{output}: where output will be stored + +@var{output_size}: contains the maximum size of the output and will be overwritten with actual + +This function will return information about the PKCS 11 private key such +as the label, id as well as token information where the key is stored. When +output is text it returns null terminated string although @code{output_size} contains +the size of the actual data only. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. +@end deftypefun + +@subheading gnutls_pkcs11_privkey_get_pk_algorithm +@anchor{gnutls_pkcs11_privkey_get_pk_algorithm} +@deftypefun {int} {gnutls_pkcs11_privkey_get_pk_algorithm} (gnutls_pkcs11_privkey_t @var{key}, unsigned int * @var{bits}) +@var{key}: should contain a @code{gnutls_pkcs11_privkey_t} type + +@var{bits}: if bits is non null it will hold the size of the parameters' in bits + +This function will return the public key algorithm of a private +key. + +@strong{Returns:} a member of the @code{gnutls_pk_algorithm_t} enumeration on +success, or a negative error code on error. +@end deftypefun + +@subheading gnutls_pkcs11_privkey_import_url +@anchor{gnutls_pkcs11_privkey_import_url} +@deftypefun {int} {gnutls_pkcs11_privkey_import_url} (gnutls_pkcs11_privkey_t @var{pkey}, const char * @var{url}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{url}: a PKCS 11 url identifying the key + +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags + +This function will "import" a PKCS 11 URL identifying a private +key to the @code{gnutls_pkcs11_privkey_t} type. In reality since +in most cases keys cannot be exported, the private key structure +is being associated with the available operations on the token. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_pkcs11_privkey_init +@anchor{gnutls_pkcs11_privkey_init} +@deftypefun {int} {gnutls_pkcs11_privkey_init} (gnutls_pkcs11_privkey_t * @var{key}) +@var{key}: A pointer to the type to be initialized + +This function will initialize an private key structure. This +structure can be used for accessing an underlying PKCS@code{11} object. + +In versions of GnuTLS later than 3.5.11 the object is protected +using locks and a single @code{gnutls_pkcs11_privkey_t} can be re-used +by many threads. However, for performance it is recommended to utilize +one object per key per thread. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_pkcs11_privkey_set_pin_function +@anchor{gnutls_pkcs11_privkey_set_pin_function} +@deftypefun {void} {gnutls_pkcs11_privkey_set_pin_function} (gnutls_pkcs11_privkey_t @var{key}, gnutls_pin_callback_t @var{fn}, void * @var{userdata}) +@var{key}: The private key + +@var{fn}: the callback + +@var{userdata}: data associated with the callback + +This function will set a callback function to be used when +required to access the object. This function overrides the global +set using @code{gnutls_pkcs11_set_pin_function()} . + +@strong{Since:} 3.1.0 +@end deftypefun + +@subheading gnutls_pkcs11_privkey_status +@anchor{gnutls_pkcs11_privkey_status} +@deftypefun {unsigned} {gnutls_pkcs11_privkey_status} (gnutls_pkcs11_privkey_t @var{key}) +@var{key}: Holds the key + +Checks the status of the private key token. + +@strong{Returns:} this function will return non-zero if the token +holding the private key is still available (inserted), and zero otherwise. + +@strong{Since:} 3.1.9 +@end deftypefun + +@subheading gnutls_pkcs11_reinit +@anchor{gnutls_pkcs11_reinit} +@deftypefun {int} {gnutls_pkcs11_reinit} ( @var{void}) + +This function will reinitialize the PKCS 11 subsystem in gnutls. +This is required by PKCS 11 when an application uses @code{fork()} . The +reinitialization function must be called on the child. + +Note that since GnuTLS 3.3.0, the reinitialization of the PKCS @code{11} +subsystem occurs automatically after fork. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.0 +@end deftypefun + +@subheading gnutls_pkcs11_set_pin_function +@anchor{gnutls_pkcs11_set_pin_function} +@deftypefun {void} {gnutls_pkcs11_set_pin_function} (gnutls_pin_callback_t @var{fn}, void * @var{userdata}) +@var{fn}: The PIN callback, a @code{gnutls_pin_callback_t()} function. + +@var{userdata}: data to be supplied to callback + +This function will set a callback function to be used when a PIN is +required for PKCS 11 operations. See +@code{gnutls_pin_callback_t()} on how the callback should behave. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_set_token_function +@anchor{gnutls_pkcs11_set_token_function} +@deftypefun {void} {gnutls_pkcs11_set_token_function} (gnutls_pkcs11_token_callback_t @var{fn}, void * @var{userdata}) +@var{fn}: The token callback + +@var{userdata}: data to be supplied to callback + +This function will set a callback function to be used when a token +needs to be inserted to continue PKCS 11 operations. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_token_check_mechanism +@anchor{gnutls_pkcs11_token_check_mechanism} +@deftypefun {unsigned} {gnutls_pkcs11_token_check_mechanism} (const char * @var{url}, unsigned long @var{mechanism}, void * @var{ptr}, unsigned @var{psize}, unsigned @var{flags}) +@var{url}: should contain a PKCS 11 URL + +@var{mechanism}: The PKCS @code{11} mechanism ID + +@var{ptr}: if set it should point to a CK_MECHANISM_INFO struct + +@var{psize}: the size of CK_MECHANISM_INFO struct (for safety) + +@var{flags}: must be zero + +This function will return whether a mechanism is supported +by the given token. If the mechanism is supported and + @code{ptr} is set, it will be updated with the token information. + +@strong{Returns:} Non-zero if the mechanism is supported or zero otherwise. + +@strong{Since:} 3.6.0 +@end deftypefun + +@subheading gnutls_pkcs11_token_get_flags +@anchor{gnutls_pkcs11_token_get_flags} +@deftypefun {int} {gnutls_pkcs11_token_get_flags} (const char * @var{url}, unsigned int * @var{flags}) +@var{url}: should contain a PKCS 11 URL + +@var{flags}: The output flags (GNUTLS_PKCS11_TOKEN_*) + +This function will return information about the PKCS 11 token flags. + +The supported flags are: @code{GNUTLS_PKCS11_TOKEN_HW} and @code{GNUTLS_PKCS11_TOKEN_TRUSTED} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_token_get_info +@anchor{gnutls_pkcs11_token_get_info} +@deftypefun {int} {gnutls_pkcs11_token_get_info} (const char * @var{url}, gnutls_pkcs11_token_info_t @var{ttype}, void * @var{output}, size_t * @var{output_size}) +@var{url}: should contain a PKCS 11 URL + +@var{ttype}: Denotes the type of information requested + +@var{output}: where output will be stored + +@var{output_size}: contains the maximum size of the output buffer and will be +overwritten with the actual size. + +This function will return information about the PKCS 11 token such +as the label, id, etc. + +When output is text, a null terminated string is written to @code{output} and its +string length is written to @code{output_size} (without null terminator). If the +buffer is too small, @code{output_size} will contain the expected buffer size +(with null terminator for text) and return @code{GNUTLS_E_SHORT_MEMORY_BUFFER} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code +on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_token_get_mechanism +@anchor{gnutls_pkcs11_token_get_mechanism} +@deftypefun {int} {gnutls_pkcs11_token_get_mechanism} (const char * @var{url}, unsigned int @var{idx}, unsigned long * @var{mechanism}) +@var{url}: should contain a PKCS 11 URL + +@var{idx}: The index of the mechanism + +@var{mechanism}: The PKCS @code{11} mechanism ID + +This function will return the names of the supported mechanisms +by the token. It should be called with an increasing index until +it return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_token_get_ptr +@anchor{gnutls_pkcs11_token_get_ptr} +@deftypefun {int} {gnutls_pkcs11_token_get_ptr} (const char * @var{url}, void ** @var{ptr}, unsigned long * @var{slot_id}, unsigned int @var{flags}) +@var{url}: should contain a PKCS@code{11} URL identifying a token + +@var{ptr}: will contain the CK_FUNCTION_LIST_PTR pointer + +@var{slot_id}: will contain the slot_id (may be @code{NULL} ) + +@var{flags}: should be zero + +This function will return the function pointer of the specified +token by the URL. The returned pointers are valid until +gnutls is deinitialized, c.f. @code{_global_deinit()} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code +on error. + +@strong{Since:} 3.6.3 +@end deftypefun + +@subheading gnutls_pkcs11_token_get_random +@anchor{gnutls_pkcs11_token_get_random} +@deftypefun {int} {gnutls_pkcs11_token_get_random} (const char * @var{token_url}, void * @var{rnddata}, size_t @var{len}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{rnddata}: A pointer to the memory area to be filled with random data + +@var{len}: The number of bytes of randomness to request + +This function will get random data from the given token. +It will store rnddata and fill the memory pointed to by rnddata with +len random bytes from the token. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_pkcs11_token_get_url +@anchor{gnutls_pkcs11_token_get_url} +@deftypefun {int} {gnutls_pkcs11_token_get_url} (unsigned int @var{seq}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url}) +@var{seq}: sequence number starting from 0 + +@var{detailed}: non zero if a detailed URL is required + +@var{url}: will contain an allocated url + +This function will return the URL for each token available +in system. The url has to be released using @code{gnutls_free()} + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, +@code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} if the sequence number +exceeds the available tokens, otherwise a negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_pkcs11_token_init +@anchor{gnutls_pkcs11_token_init} +@deftypefun {int} {gnutls_pkcs11_token_init} (const char * @var{token_url}, const char * @var{so_pin}, const char * @var{label}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{so_pin}: Security Officer's PIN + +@var{label}: A name to be used for the token + +This function will initialize (format) a token. If the token is +at a factory defaults state the security officer's PIN given will be +set to be the default. Otherwise it should match the officer's PIN. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_pkcs11_token_set_pin +@anchor{gnutls_pkcs11_token_set_pin} +@deftypefun {int} {gnutls_pkcs11_token_set_pin} (const char * @var{token_url}, const char * @var{oldpin}, const char * @var{newpin}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{oldpin}: old user's PIN + +@var{newpin}: new user's PIN + +@var{flags}: one of @code{gnutls_pin_flag_t} . + +This function will modify or set a user or administrator's PIN for +the given token. If it is called to set a PIN for first time +the oldpin must be @code{NULL} . When setting the admin's PIN with the +@code{GNUTLS_PIN_SO} flag, the @code{oldpin} value must be provided (this requirement +is relaxed after GnuTLS 3.6.5 since which the PIN will be requested if missing). + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + +@subheading gnutls_pkcs11_type_get_name +@anchor{gnutls_pkcs11_type_get_name} +@deftypefun {const char *} {gnutls_pkcs11_type_get_name} (gnutls_pkcs11_obj_type_t @var{type}) +@var{type}: Holds the PKCS 11 object type, a @code{gnutls_pkcs11_obj_type_t} . + +This function will return a human readable description of the +PKCS11 object type @code{obj} . It will return "Unknown" for unknown +types. + +@strong{Returns:} human readable string labeling the PKCS11 object type + @code{type} . + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_x509_crt_import_pkcs11 +@anchor{gnutls_x509_crt_import_pkcs11} +@deftypefun {int} {gnutls_x509_crt_import_pkcs11} (gnutls_x509_crt_t @var{crt}, gnutls_pkcs11_obj_t @var{pkcs11_crt}) +@var{crt}: A certificate of type @code{gnutls_x509_crt_t} + +@var{pkcs11_crt}: A PKCS 11 object that contains a certificate + +This function will import a PKCS 11 certificate to a @code{gnutls_x509_crt_t} +structure. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + +@subheading gnutls_x509_crt_list_import_pkcs11 +@anchor{gnutls_x509_crt_list_import_pkcs11} +@deftypefun {int} {gnutls_x509_crt_list_import_pkcs11} (gnutls_x509_crt_t * @var{certs}, unsigned int @var{cert_max}, gnutls_pkcs11_obj_t * const @var{objs}, unsigned int @var{flags}) +@var{certs}: A list of certificates of type @code{gnutls_x509_crt_t} + +@var{cert_max}: The maximum size of the list + +@var{objs}: A list of PKCS 11 objects + +@var{flags}: 0 for now + +This function will import a PKCS 11 certificate list to a list of +@code{gnutls_x509_crt_t} type. These must not be initialized. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 2.12.0 +@end deftypefun + |