Top |
int (*gnutls_pkcs11_token_callback_t) (void *const userdata
,const char *const label
,unsigned retry
);
Token callback function. The callback will be used to ask the user to re-insert the token with given (null terminated) label. The callback should return zero if token has been inserted by user and a negative error code otherwise. It might be called multiple times if the token is not detected and the retry counter will be increased.
userdata |
user-controlled data from |
|
label |
token label. |
|
retry |
retry counter, initially 0. |
Since: 2.12.0
int gnutls_pkcs11_init (unsigned int flags
,const char *deprecated_config_file
);
This function will initialize the PKCS 11 subsystem in gnutls. It will
read configuration files if GNUTLS_PKCS11_FLAG_AUTO
is used or allow
you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
if GNUTLS_PKCS11_FLAG_MANUAL
is specified.
You don't need to call this function since GnuTLS 3.3.0 because it is being called
during the first request PKCS 11 operation. That call will assume the GNUTLS_PKCS11_FLAG_AUTO
flag. If another flags are required then it must be called independently
prior to any PKCS 11 operation.
flags |
An ORed sequence of |
|
deprecated_config_file |
either NULL or the location of a deprecated configuration file |
Since: 2.12.0
int
gnutls_pkcs11_reinit (void
);
This function will reinitialize the PKCS 11 subsystem in gnutls.
This is required by PKCS 11 when an application uses fork()
. The
reinitialization function must be called on the child.
Note that since GnuTLS 3.3.0, the reinitialization of the PKCS 11 subsystem occurs automatically after fork.
Since: 3.0
void
gnutls_pkcs11_deinit (void
);
This function will deinitialize the PKCS 11 subsystem in gnutls.
This function is only needed if you need to deinitialize the
subsystem without calling gnutls_global_deinit()
.
Since: 2.12.0
void gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn
,void *userdata
);
This function will set a callback function to be used when a token needs to be inserted to continue PKCS 11 operations.
Since: 2.12.0
void gnutls_pkcs11_set_pin_function (gnutls_pin_callback_t fn
,void *userdata
);
This function will set a callback function to be used when a PIN is
required for PKCS 11 operations. See
gnutls_pin_callback_t()
on how the callback should behave.
fn |
The PIN callback, a |
|
userdata |
data to be supplied to callback |
Since: 2.12.0
gnutls_pin_callback_t
gnutls_pkcs11_get_pin_function (void **userdata
);
This function will return the callback function set using
gnutls_pkcs11_set_pin_function()
.
Since: 3.1.0
int gnutls_pkcs11_add_provider (const char *name
,const char *params
);
This function will load and add a PKCS 11 module to the module list used in gnutls. After this function is called the module will be used for PKCS 11 operations.
When loading a module to be used for certificate verification,
use the string 'trusted' as params
.
Note that this function is not thread safe.
name |
The filename of the module |
|
params |
should be NULL or a known string (see description) |
Since: 2.12.0
int
gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t *obj
);
This function will initialize a pkcs11 certificate structure.
Since: 2.12.0
void gnutls_pkcs11_obj_set_pin_function (gnutls_pkcs11_obj_t obj
,gnutls_pin_callback_t fn
,void *userdata
);
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using gnutls_pkcs11_set_pin_function()
.
Since: 3.1.0
int gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t obj
,const char *url
,unsigned int flags
);
This function will "import" a PKCS 11 URL identifying an object (e.g. certificate) to the gnutls_pkcs11_obj_t type. This does not involve any parsing (such as X.509 or OpenPGP) since the gnutls_pkcs11_obj_t is format agnostic. Only data are transferred.
If the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT
is specified
any certificate read, will have its extensions overwritten by any
stapled extensions in the trust module.
obj |
The structure to store the object |
|
url |
a PKCS 11 url identifying the key |
|
flags |
Or sequence of GNUTLS_PKCS11_OBJ_* flags |
Since: 2.12.0
int gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj
,gnutls_pkcs11_url_type_t detailed
,char **url
);
This function will export a URL identifying the given object.
obj |
Holds the PKCS 11 certificate |
|
detailed |
non zero if a detailed URL is required |
|
url |
will contain an allocated url |
Since: 2.12.0
void
gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj
);
This function will deinitialize a certificate structure.
Since: 2.12.0
int gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj
,void *output_data
,size_t *output_data_size
);
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case GNUTLS_E_INVALID_REQUEST
will be returned.
If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
obj |
Holds the object |
|
output_data |
will contain the object data |
|
output_data_size |
holds the size of output_data (and will be replaced by the actual size of parameters) |
In case of failure a negative error code will be
returned, and GNUTLS_E_SUCCESS
(0) on success.
Since: 2.12.0
int gnutls_pkcs11_obj_export2 (gnutls_pkcs11_obj_t obj
,gnutls_datum_t *out
);
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case GNUTLS_E_INVALID_REQUEST
will be returned.
The output buffer is allocated using gnutls_malloc()
.
In case of failure a negative error code will be
returned, and GNUTLS_E_SUCCESS
(0) on success.
Since: 3.1.3
int gnutls_pkcs11_obj_export3 (gnutls_pkcs11_obj_t obj
,gnutls_x509_crt_fmt_t fmt
,gnutls_datum_t *out
);
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case GNUTLS_E_INVALID_REQUEST
will be returned.
The output buffer is allocated using gnutls_malloc()
.
obj |
Holds the object |
|
out |
will contain the object data |
|
fmt |
The format of the exported data |
In case of failure a negative error code will be
returned, and GNUTLS_E_SUCCESS
(0) on success.
Since: 3.2.7
int gnutls_pkcs11_get_raw_issuer (const char *url
,gnutls_x509_crt_t cert
,gnutls_datum_t *issuer
,gnutls_x509_crt_fmt_t fmt
,unsigned int flags
);
This function will return the issuer of a given certificate, if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY
in flags
.
url |
A PKCS 11 url identifying a token |
|
cert |
is the certificate to find issuer for |
|
issuer |
Will hold the issuer if any in an allocated buffer. |
|
fmt |
The format of the exported issuer. |
|
flags |
Use zero or flags from |
Since: 3.2.7
int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url
,const gnutls_datum_t *dn
,gnutls_datum_t *issuer
,gnutls_x509_crt_fmt_t fmt
,unsigned int flags
);
This function will return the certificate with the given DN, if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY
in flags
.
The name of the function includes issuer because it can be used to discover issuers of certificates.
url |
A PKCS 11 url identifying a token |
|
dn |
is the DN to search for |
|
issuer |
Will hold the issuer if any in an allocated buffer. |
|
fmt |
The format of the exported issuer. |
|
flags |
Use zero or flags from |
Since: 3.4.0
int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url
,const gnutls_datum_t *dn
,const gnutls_datum_t *spki
,gnutls_datum_t *issuer
,gnutls_x509_crt_fmt_t fmt
,unsigned int flags
);
This function will return the certificate with the given DN and spki
, if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY
in flags
.
The name of the function includes issuer because it can be used to discover issuers of certificates.
url |
A PKCS 11 url identifying a token |
|
dn |
is the DN to search for (may be |
|
spki |
is the subject key ID to search for |
|
issuer |
Will hold the issuer if any in an allocated buffer. |
|
fmt |
The format of the exported issuer. |
|
flags |
Use zero or flags from |
Since: 3.4.2
unsigned gnutls_pkcs11_crt_is_known (const char *url
,gnutls_x509_crt_t cert
,unsigned int flags
);
This function will check whether the provided certificate is stored
in the specified token. This is useful in combination with
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED
or
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED
,
to check whether a CA is present or a certificate is blacklisted in
a trust PKCS 11 module.
This function can be used with a url
of "pkcs11:", and in that case all modules
will be searched. To restrict the modules to the marked as trusted in p11-kit
use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE
flag.
Note that the flag GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED
is
specific to p11-kit trust modules.
url |
A PKCS 11 url identifying a token |
|
cert |
is the certificate to find issuer for |
|
flags |
Use zero or flags from |
Since: 3.3.0
int gnutls_pkcs11_copy_x509_crt (const char *token_url
,gnutls_x509_crt_t crt
,const char *label
,unsigned int flags
);
This function will copy a certificate into a PKCS 11 token specified by a URL. The certificate can be marked as trusted or not.
token_url |
A PKCS 11 URL specifying a token |
|
crt |
A certificate |
|
label |
A name to be used for the stored data |
|
flags |
One of GNUTLS_PKCS11_OBJ_FLAG_* |
Since: 2.12.0
int gnutls_pkcs11_copy_x509_privkey (const char *token_url
,gnutls_x509_privkey_t key
,const char *label
,unsigned int key_usage
,unsigned int flags
);
This function will copy a private key into a PKCS 11 token specified by a URL.
Since 3.6.3 the objects are marked as sensitive by default unless
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE
is specified.
token_url |
A PKCS 11 URL specifying a token |
|
key |
A private key |
|
label |
A name to be used for the stored data |
|
key_usage |
One of GNUTLS_KEY_* |
|
flags |
One of GNUTLS_PKCS11_OBJ_* flags |
Since: 2.12.0
int gnutls_pkcs11_privkey_generate2 (const char *url
,gnutls_pk_algorithm_t pk
,unsigned int bits
,const char *label
,gnutls_x509_crt_fmt_t fmt
,gnutls_datum_t *pubkey
,unsigned int flags
);
This function will generate a private key in the specified
by the url
token. The private key will be generate within
the token and will not be exportable. This function will
store the DER-encoded public key in the SubjectPublicKeyInfo format
in pubkey
. The pubkey
should be deinitialized using gnutls_free()
.
Note that when generating an elliptic curve key, the curve
can be substituted in the place of the bits parameter using the
GNUTLS_CURVE_TO_BITS()
macro.
url |
a token URL |
|
pk |
the public key algorithm |
|
bits |
the security bits |
|
label |
a label |
|
fmt |
the format of output params. PEM or DER |
|
pubkey |
will hold the public key (may be |
|
flags |
zero or an OR'ed sequence of |
Since: 3.1.5
int gnutls_pkcs11_privkey_generate (const char *url
,gnutls_pk_algorithm_t pk
,unsigned int bits
,const char *label
,unsigned int flags
);
This function will generate a private key in the specified
by the url
token. The private key will be generate within
the token and will not be exportable.
url |
a token URL |
|
pk |
the public key algorithm |
|
bits |
the security bits |
|
label |
a label |
|
flags |
should be zero |
Since: 3.0
int gnutls_pkcs11_copy_pubkey (const char *token_url
,gnutls_pubkey_t crt
,const char *label
,const gnutls_datum_t *cid
,unsigned int key_usage
,unsigned int flags
);
This function will copy a public key object into a PKCS 11 token specified by
a URL. Valid flags to mark the key: GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED
,
GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE
, GNUTLS_PKCS11_OBJ_FLAG_MARK_CA
,
GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
.
token_url |
A PKCS 11 URL specifying a token |
|
pubkey |
The public key to copy |
|
label |
The name to be used for the stored data |
|
cid |
The CKA_ID to set for the object -if NULL, the ID will be derived from the public key |
|
key_usage |
One of GNUTLS_KEY_* |
|
flags |
One of GNUTLS_PKCS11_OBJ_FLAG_* |
Since: 3.4.6
int gnutls_pkcs11_copy_x509_crt2 (const char *token_url
,gnutls_x509_crt_t crt
,const char *label
,const gnutls_datum_t *id
,unsigned int flags
);
This function will copy a certificate into a PKCS 11 token specified by
a URL. Valid flags to mark the certificate: GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED
,
GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE
, GNUTLS_PKCS11_OBJ_FLAG_MARK_CA
,
GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
.
token_url |
A PKCS 11 URL specifying a token |
|
crt |
The certificate to copy |
|
label |
The name to be used for the stored data |
|
cid |
The CKA_ID to set for the object -if NULL, the ID will be derived from the public key |
|
flags |
One of GNUTLS_PKCS11_OBJ_FLAG_* |
Since: 3.4.0
int gnutls_pkcs11_copy_x509_privkey2 (const char *token_url
,gnutls_x509_privkey_t key
,const char *label
,const gnutls_datum_t *cid
,unsigned int key_usage
,unsigned int flags
);
This function will copy a private key into a PKCS 11 token specified by a URL.
Since 3.6.3 the objects are marked as sensitive by default unless
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE
is specified.
token_url |
A PKCS 11 URL specifying a token |
|
key |
A private key |
|
label |
A name to be used for the stored data |
|
cid |
The CKA_ID to set for the object -if NULL, the ID will be derived from the public key |
|
key_usage |
One of GNUTLS_KEY_* |
|
flags |
One of GNUTLS_PKCS11_OBJ_* flags |
Since: 3.4.0
int gnutls_pkcs11_delete_url (const char *object_url
,unsigned int flags
);
This function will delete objects matching the given URL. Note that not all tokens support the delete operation.
Since: 2.12.0
int gnutls_pkcs11_copy_secret_key (const char *token_url
,gnutls_datum_t *key
,const char *label
,unsigned int key_usage
,unsigned int flags
);
This function will copy a raw secret (symmetric) key into a PKCS 11 token specified by a URL. The key can be marked as sensitive or not.
token_url |
A PKCS 11 URL specifying a token |
|
key |
The raw key |
|
label |
A name to be used for the stored data |
|
key_usage |
One of GNUTLS_KEY_* |
|
flags |
One of GNUTLS_PKCS11_OBJ_FLAG_* |
Since: 2.12.0
int gnutls_pkcs11_obj_get_ptr (gnutls_pkcs11_obj_t obj
,void **ptr
,void **session
,void **ohandle
,unsigned long *slot_id
,unsigned int flags
);
Obtains the PKCS11 session handles of an object. session
and ohandle
must be deinitialized by the caller. The returned pointers are
independent of the obj
lifetime.
obj |
should contain a gnutls_pkcs11_obj_t type |
|
ptr |
will contain the CK_FUNCTION_LIST_PTR pointer (may be |
|
session |
will contain the CK_SESSION_HANDLE of the object |
|
ohandle |
will contain the CK_OBJECT_HANDLE of the object |
|
slot_id |
the identifier of the slot (may be |
|
flags |
Or sequence of GNUTLS_PKCS11_OBJ_* flags |
Since: 3.6.3
int gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t obj
,gnutls_pkcs11_obj_info_t itype
,void *output
,size_t *output_size
);
This function will return information about the PKCS11 certificate such as the label, id as well as token information where the key is stored.
When output is text, a null terminated string is written to output
and its
string length is written to output_size
(without null terminator). If the
buffer is too small, output_size
will contain the expected buffer size
(with null terminator for text) and return GNUTLS_E_SHORT_MEMORY_BUFFER
.
In versions previously to 3.6.0 this function included the null terminator
to output_size
. After 3.6.0 the output size doesn't include the terminator character.
obj |
should contain a gnutls_pkcs11_obj_t type |
|
itype |
Denotes the type of information requested |
|
output |
where output will be stored |
|
output_size |
contains the maximum size of the output buffer and will be overwritten with the actual size. |
Since: 2.12.0
int gnutls_pkcs11_obj_set_info (gnutls_pkcs11_obj_t obj
,gnutls_pkcs11_obj_info_t itype
,const void *data
,size_t data_size
,unsigned flags
);
This function will set attributes on the provided object.
Available options for itype
are GNUTLS_PKCS11_OBJ_LABEL
,
GNUTLS_PKCS11_OBJ_ID_HEX
, and GNUTLS_PKCS11_OBJ_ID
.
obj |
should contain a gnutls_pkcs11_obj_t type |
|
itype |
Denotes the type of information to be set |
|
data |
the data to set |
|
data_size |
the size of data |
|
flags |
Or sequence of GNUTLS_PKCS11_OBJ_* flags |
Since: 3.4.0
int gnutls_pkcs11_token_init (const char *token_url
,const char *so_pin
,const char *label
);
This function will initialize (format) a token. If the token is at a factory defaults state the security officer's PIN given will be set to be the default. Otherwise it should match the officer's PIN.
int gnutls_pkcs11_token_get_ptr (const char *url
,void **ptr
,unsigned long *slot_id
,unsigned int flags
);
This function will return the function pointer of the specified
token by the URL. The returned pointers are valid until
gnutls is deinitialized, c.f. _global_deinit()
.
url |
should contain a PKCS11 URL identifying a token |
|
ptr |
will contain the CK_FUNCTION_LIST_PTR pointer |
|
slot_id |
will contain the slot_id (may be |
|
flags |
should be zero |
Since: 3.6.3
int gnutls_pkcs11_token_get_mechanism (const char *url
,unsigned int idx
,unsigned long *mechanism
);
This function will return the names of the supported mechanisms by the token. It should be called with an increasing index until it return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
url |
should contain a PKCS 11 URL |
|
idx |
The index of the mechanism |
|
mechanism |
The PKCS 11 mechanism ID |
Since: 2.12.0
unsigned gnutls_pkcs11_token_check_mechanism (const char *url
,unsigned long mechanism
,void *ptr
,unsigned psize
,unsigned flags
);
This function will return whether a mechanism is supported
by the given token. If the mechanism is supported and
ptr
is set, it will be updated with the token information.
url |
should contain a PKCS 11 URL |
|
mechanism |
The PKCS 11 mechanism ID |
|
ptr |
if set it should point to a CK_MECHANISM_INFO struct |
|
psize |
the size of CK_MECHANISM_INFO struct (for safety) |
|
flags |
must be zero |
Since: 3.6.0
int gnutls_pkcs11_token_set_pin (const char *token_url
,const char *oldpin
,const char *newpin
,unsigned int flags
);
This function will modify or set a user or administrator's PIN for
the given token. If it is called to set a PIN for first time
the oldpin must be NULL
. When setting the admin's PIN with the
GNUTLS_PIN_SO
flag, the oldpin
value must be provided (this requirement
is relaxed after GnuTLS 3.6.5 since which the PIN will be requested if missing).
token_url |
A PKCS 11 URL specifying a token |
|
oldpin |
old user's PIN |
|
newpin |
new user's PIN |
|
flags |
one of gnutls_pin_flag_t. |
int gnutls_pkcs11_token_get_url (unsigned int seq
,gnutls_pkcs11_url_type_t detailed
,char **url
);
This function will return the URL for each token available
in system. The url has to be released using gnutls_free()
seq |
sequence number starting from 0 |
|
detailed |
non zero if a detailed URL is required |
|
url |
will contain an allocated url |
On success, GNUTLS_E_SUCCESS
(0) is returned,
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
if the sequence number
exceeds the available tokens, otherwise a negative error value.
Since: 2.12.0
int gnutls_pkcs11_token_get_info (const char *url
,gnutls_pkcs11_token_info_t ttype
,void *output
,size_t *output_size
);
This function will return information about the PKCS 11 token such as the label, id, etc.
When output is text, a null terminated string is written to output
and its
string length is written to output_size
(without null terminator). If the
buffer is too small, output_size
will contain the expected buffer size
(with null terminator for text) and return GNUTLS_E_SHORT_MEMORY_BUFFER
.
url |
should contain a PKCS 11 URL |
|
ttype |
Denotes the type of information requested |
|
output |
where output will be stored |
|
output_size |
contains the maximum size of the output buffer and will be overwritten with the actual size. |
Since: 2.12.0
int gnutls_pkcs11_token_get_flags (const char *url
,unsigned int *flags
);
This function will return information about the PKCS 11 token flags.
The supported flags are: GNUTLS_PKCS11_TOKEN_HW
and GNUTLS_PKCS11_TOKEN_TRUSTED
.
Since: 2.12.0
#define gnutls_pkcs11_obj_list_import_url(p_list, n_list, url, attrs, flags) gnutls_pkcs11_obj_list_import_url3(p_list, n_list, url, attrs|flags)
#define gnutls_pkcs11_obj_list_import_url2(p_list, n_list, url, attrs, flags) gnutls_pkcs11_obj_list_import_url4(p_list, n_list, url, attrs|flags)
int gnutls_pkcs11_obj_list_import_url3 (gnutls_pkcs11_obj_t *p_list
,unsigned int *const n_list
,const char *url
,unsigned int flags
);
This function will initialize and set values to an object list by using all objects identified by a PKCS 11 URL.
This function will enumerate all the objects specified by the PKCS11 URL
provided. It expects an already allocated p_list
which has *n_list
elements,
and that value will be updated to the actual number of present objects. The
p_list
objects will be initialized and set by this function.
To obtain a list of all available objects use a url
of 'pkcs11:'.
All returned objects must be deinitialized using gnutls_pkcs11_obj_deinit()
.
The supported in this function flags
are GNUTLS_PKCS11_OBJ_FLAG_LOGIN
,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO
, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE
,
GNUTLS_PKCS11_OBJ_FLAG_CRT
, GNUTLS_PKCS11_OBJ_FLAG_PUBKEY
, GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY
,
GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY
, GNUTLS_PKCS11_OBJ_FLAG_MARK_CA
,
GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED
, and since 3.5.1 the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT
.
On versions of GnuTLS prior to 3.4.0 the equivalent function was
gnutls_pkcs11_obj_list_import_url()
. That is also available on this version
as a macro which maps to this function.
p_list |
An uninitialized object list (may be |
|
n_list |
Initially should hold the maximum size of the list. Will contain the actual size. |
|
url |
A PKCS 11 url identifying a set of objects |
|
flags |
Or sequence of GNUTLS_PKCS11_OBJ_* flags |
Since: 3.4.0
int gnutls_pkcs11_obj_list_import_url4 (gnutls_pkcs11_obj_t **p_list
,unsigned int *n_list
,const char *url
,unsigned int flags
);
This function will enumerate all the objects specified by the PKCS11 URL
provided. It will initialize and set values to the object pointer list (p_list
)
provided. To obtain a list of all available objects use a url
of 'pkcs11:'.
All returned objects must be deinitialized using gnutls_pkcs11_obj_deinit()
,
and p_list
must be deinitialized using gnutls_free()
.
The supported in this function flags
are GNUTLS_PKCS11_OBJ_FLAG_LOGIN
,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO
, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE
,
GNUTLS_PKCS11_OBJ_FLAG_CRT
, GNUTLS_PKCS11_OBJ_FLAG_PUBKEY
, GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY
,
GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY
, GNUTLS_PKCS11_OBJ_FLAG_MARK_CA
,
GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED
, and since 3.5.1 the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT
.
On versions of GnuTLS prior to 3.4.0 the equivalent function was
gnutls_pkcs11_obj_list_import_url2()
. That is also available on this version
as a macro which maps to this function.
p_list |
An uninitialized object list (may be NULL) |
|
n_list |
It will contain the size of the list. |
|
url |
A PKCS 11 url identifying a set of objects |
|
flags |
Or sequence of GNUTLS_PKCS11_OBJ_* flags |
Since: 3.4.0
int gnutls_x509_crt_import_pkcs11 (gnutls_x509_crt_t crt
,gnutls_pkcs11_obj_t pkcs11_crt
);
This function will import a PKCS 11 certificate to a gnutls_x509_crt_t structure.
crt |
A certificate of type gnutls_x509_crt_t |
|
pkcs11_crt |
A PKCS 11 object that contains a certificate |
Since: 2.12.0
const char *
gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t type
);
This function will return a human readable description of the
PKCS11 object type obj
. It will return "Unknown" for unknown
types.
Since: 2.12.0
int gnutls_pkcs11_obj_get_exts (gnutls_pkcs11_obj_t obj
,struct gnutls_x509_ext_st **exts
,unsigned int *exts_size
,unsigned int flags
);
This function will return information about attached extensions that associate to the provided object (which should be a certificate). The extensions are the attached p11-kit trust module extensions.
Each element of exts
must be deinitialized using gnutls_x509_ext_deinit()
while exts
should be deallocated using gnutls_free()
.
obj |
should contain a gnutls_pkcs11_obj_t type |
|
exts |
a pointer to a |
|
exts_size |
will be updated with the number of |
|
flags |
Or sequence of |
Since: 3.3.8
int gnutls_pkcs11_obj_get_flags (gnutls_pkcs11_obj_t obj
,unsigned int *oflags
);
This function will return the flags of the object.
The oflags
will be flags from gnutls_pkcs11_obj_flags
. That is,
the GNUTLS_PKCS11_OBJ_FLAG_MARK_
* flags.
Since: 3.3.7
char *
gnutls_pkcs11_obj_flags_get_str (unsigned int flags
);
This function given an or-sequence of GNUTLS_PKCS11_OBJ_FLAG_MARK
,
will return an allocated string with its description. The string
needs to be deallocated using gnutls_free()
.
Since: 3.3.7
int gnutls_x509_crt_list_import_pkcs11 (gnutls_x509_crt_t *certs
,unsigned int cert_max
,gnutls_pkcs11_obj_t * const objs
,unsigned int flags
);
This function will import a PKCS 11 certificate list to a list of gnutls_x509_crt_t type. These must not be initialized.
certs |
A list of certificates of type gnutls_x509_crt_t |
|
cert_max |
The maximum size of the list |
|
objs |
A list of PKCS 11 objects |
|
flags |
0 for now |
Since: 2.12.0
int
gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t *key
);
This function will initialize an private key structure. This structure can be used for accessing an underlying PKCS11 object.
In versions of GnuTLS later than 3.5.11 the object is protected
using locks and a single gnutls_pkcs11_privkey_t
can be re-used
by many threads. However, for performance it is recommended to utilize
one object per key per thread.
int gnutls_pkcs11_privkey_cpy (gnutls_pkcs11_privkey_t dst
,gnutls_pkcs11_privkey_t src
);
This function will copy a private key from source to destination key. Destination has to be initialized.
Since: 3.4.0
void gnutls_pkcs11_privkey_set_pin_function (gnutls_pkcs11_privkey_t key
,gnutls_pin_callback_t fn
,void *userdata
);
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using gnutls_pkcs11_set_pin_function()
.
Since: 3.1.0
void
gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key
);
This function will deinitialize a private key structure.
int gnutls_pkcs11_privkey_get_pk_algorithm (gnutls_pkcs11_privkey_t key
,unsigned int *bits
);
This function will return the public key algorithm of a private key.
key |
should contain a gnutls_pkcs11_privkey_t type |
|
bits |
if bits is non null it will hold the size of the parameters' in bits |
a member of the gnutls_pk_algorithm_t enumeration on success, or a negative error code on error.
int gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t pkey
,gnutls_pkcs11_obj_info_t itype
,void *output
,size_t *output_size
);
This function will return information about the PKCS 11 private key such as the label, id as well as token information where the key is stored. When output is text it returns null terminated string although output_size contains the size of the actual data only.
pkey |
should contain a gnutls_pkcs11_privkey_t type |
|
itype |
Denotes the type of information requested |
|
output |
where output will be stored |
|
output_size |
contains the maximum size of the output and will be overwritten with actual |
int gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey
,const char *url
,unsigned int flags
);
This function will "import" a PKCS 11 URL identifying a private key to the gnutls_pkcs11_privkey_t type. In reality since in most cases keys cannot be exported, the private key structure is being associated with the available operations on the token.
int gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key
,gnutls_pkcs11_url_type_t detailed
,char **url
);
This function will export a URL identifying the given key.
unsigned
gnutls_pkcs11_privkey_status (gnutls_pkcs11_privkey_t key
);
Checks the status of the private key token.
this function will return non-zero if the token holding the private key is still available (inserted), and zero otherwise.
Since: 3.1.9
int gnutls_pkcs11_privkey_generate3 (const char *url
,gnutls_pk_algorithm_t pk
,unsigned int bits
,const char *label
,const gnutls_datum_t *cid
,gnutls_x509_crt_fmt_t fmt
,gnutls_datum_t *pubkey
,unsigned int key_usage
,unsigned int flags
);
This function will generate a private key in the specified
by the url
token. The private key will be generate within
the token and will not be exportable. This function will
store the DER-encoded public key in the SubjectPublicKeyInfo format
in pubkey
. The pubkey
should be deinitialized using gnutls_free()
.
Note that when generating an elliptic curve key, the curve
can be substituted in the place of the bits parameter using the
GNUTLS_CURVE_TO_BITS()
macro.
Since 3.6.3 the objects are marked as sensitive by default unless
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE
is specified.
url |
a token URL |
|
pk |
the public key algorithm |
|
bits |
the security bits |
|
label |
a label |
|
cid |
The CKA_ID to use for the new object |
|
fmt |
the format of output params. PEM or DER |
|
pubkey |
will hold the public key (may be |
|
key_usage |
One of GNUTLS_KEY_* |
|
flags |
zero or an OR'ed sequence of |
Since: 3.4.0
int gnutls_pkcs11_privkey_export_pubkey (gnutls_pkcs11_privkey_t pkey
,gnutls_x509_crt_fmt_t fmt
,gnutls_datum_t *pubkey
,unsigned int flags
);
This function will extract the public key (modulus and public
exponent) from the private key specified by the url
private key.
This public key will be stored in pubkey
in the format specified
by fmt
. pubkey
should be deinitialized using gnutls_free()
.
pkey |
The private key |
|
fmt |
the format of output params. PEM or DER. |
|
data |
will hold the public key |
|
flags |
should be zero |
Since: 3.3.7
int gnutls_pkcs11_token_get_random (const char *token_url
,void *data
,size_t len
);
This function will get random data from the given token. It will store rnddata and fill the memory pointed to by rnddata with len random bytes from the token.
int gnutls_pkcs11_copy_attached_extension (const char *token_url
,gnutls_x509_crt_t crt
,gnutls_datum_t *data
,const char *label
,unsigned int flags
);
This function will copy an the attached extension in data
for
the certificate provided in crt
in the PKCS 11 token specified
by the URL (typically a trust module). The extension must be in
RFC5280 Extension format.
token_url |
A PKCS 11 URL specifying a token |
|
crt |
An X.509 certificate object |
|
data |
the attached extension |
|
label |
A name to be used for the attached extension (may be |
|
flags |
One of GNUTLS_PKCS11_OBJ_FLAG_* |
Since: 3.3.8
#define GNUTLS_PKCS11_FLAG_AUTO 1 /* Automatically load libraries by reading /etc/gnutls/pkcs11.conf */
#define GNUTLS_PKCS11_FLAG_AUTO_TRUSTED (1<<1) /* Automatically load trusted libraries by reading /etc/gnutls/pkcs11.conf */
Enumeration of different PKCS 11 object flags. Some flags are used to mark objects when storing, while others are also used while seeking or retrieving objects.
Force login in the token for the operation (seek+store). |
||
object marked as trusted (seek+store). |
||
object is explicitly marked as sensitive -unexportable (store). |
||
force login as a security officer in the token for the operation (seek+store). |
||
marked as private -requires PIN to access (store). |
||
marked as not private (store). |
||
When retrieving an object, do not set any requirements (store). |
||
When retrieving an object, only retrieve the marked as trusted (alias to |
||
When writing an object, mark it as distrusted (store). |
||
When retrieving an object, only retrieve the marked as distrusted (seek). |
||
When checking an object's presence, fully compare it before returning any result (seek). |
||
The object must be present in a marked as trusted module (seek). |
||
Mark the object as a CA (seek+store). |
||
Mark the generated key pair as wrapping and unwrapping keys (store). |
||
When checking an object's presence, compare the key before returning any result (seek). |
||
When an issuer is requested, override its extensions with the ones present in the trust module (seek). |
||
Mark the key pair as requiring authentication (pin entry) before every operation (seek+store). |
||
Mark the key pair as being extractable (store). |
||
If set, the object was never marked as extractable (store). |
||
When searching, restrict to certificates only (seek). |
||
When searching, restrict to public key objects only (seek). |
||
When generating a keypair don't store the public key (store). |
||
When searching, restrict to private key objects only (seek). |
||
object marked as not sensitive -exportable (store). |
Enumeration of several object information types.
The object ID in hex. Null-terminated text. |
||
The object label. Null-terminated text. |
||
The token's label. Null-terminated text. |
||
The token's serial number. Null-terminated text. |
||
The token's manufacturer. Null-terminated text. |
||
The token's model. Null-terminated text. |
||
The object ID. Raw bytes. |
||
The library's version. Null-terminated text. |
||
The library's description. Null-terminated text. |
||
The library's manufacturer name. Null-terminated text. |
#define GNUTLS_PKCS11_OBJ_ATTR_MATCH 0 /* always match the given URL */
#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
#define GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY)
#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
#define GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY
Enumeration of types for retrieving token information.
Enumeration of object types.
#define GNUTLS_PKCS11_TOKEN_LOGIN_REQUIRED (1<<3) /* CKF_LOGIN_REQUIRED */
#define GNUTLS_PKCS11_TOKEN_PROTECTED_AUTHENTICATION_PATH (1<<4) /* CKF_PROTECTED_AUTHENTICATION_PATH */
#define GNUTLS_PKCS11_TOKEN_INITIALIZED (1<<5) /* CKF_TOKEN_INITIALIZED */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_COUNT_LOW (1<<6) /* CKF_USER_PIN_COUNT_LOW */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_FINAL_TRY (1<<7) /* CKF_USER_PIN_FINAL_TRY */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_LOCKED (1<<8) /* CKF_USER_PIN_LOCKED */
#define GNUTLS_PKCS11_TOKEN_SO_PIN_COUNT_LOW (1<<9) /* CKF_SO_PIN_COUNT_LOW */
#define GNUTLS_PKCS11_TOKEN_SO_PIN_FINAL_TRY (1<<10) /* CKF_SO_PIN_FINAL_TRY */
#define GNUTLS_PKCS11_TOKEN_SO_PIN_LOCKED (1<<11) /* CKF_SO_PIN_LOCKED */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_INITIALIZED (1<<12) /* CKF_USER_PIN_INITIALIZED */
#define GNUTLS_PKCS11_TOKEN_ERROR_STATE (1<<13) /* CKF_ERROR_STATE */
#define gnutls_x509_crt_import_pkcs11_url gnutls_x509_crt_import_url
struct gnutls_pkcs11_obj_st { gnutls_datum_t raw; gnutls_pkcs11_obj_type_t type; ck_object_class_t class; unsigned int flags; struct p11_kit_uri *info; /* only when pubkey */ gnutls_datum_t pubkey[MAX_PUBLIC_PARAMS_SIZE]; unsigned pubkey_size; gnutls_pk_algorithm_t pk_algorithm; unsigned int key_usage; struct pin_info_st pin; };