search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
more doc fixes
[gnutls.git] / lib / gnutls_privkey.c
blob816e941a7d7fdec0b1fecb113501424462364edf
1 /*
2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 */
20
21 #include <gnutls_int.h>
22 #include <gnutls/pkcs11.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <gnutls_errors.h>
26 #include <gnutls_datum.h>
27 #include <pkcs11_int.h>
28 #include <gnutls/abstract.h>
29 #include <gnutls_pk.h>
30 #include <x509_int.h>
31 #include <openpgp/openpgp_int.h>
32 #include <openpgp/gnutls_openpgp.h>
33 #include <gnutls_sig.h>
34 #include <abstract_int.h>
35
36 /**
37 * gnutls_privkey_get_type:
38 * @key: should contain a #gnutls_privkey_t structure
39 *
40 * This function will return the type of the private key. This is
41 * actually the type of the subsystem used to set this private key.
42 *
43 * Returns: a member of the #gnutls_privkey_type_t enumeration on
44 * success, or a negative error code on error.
45 *
46 * Since: 2.12.0
47 **/
48 gnutls_privkey_type_t
49 gnutls_privkey_get_type (gnutls_privkey_t key)
50 {
51 return key->type;
52 }
53
54 /**
55 * gnutls_privkey_get_pk_algorithm:
56 * @key: should contain a #gnutls_privkey_t structure
57 * @bits: If set will return the number of bits of the parameters (may be NULL)
58 *
59 * This function will return the public key algorithm of a private
60 * key and if possible will return a number of bits that indicates
61 * the security parameter of the key.
62 *
63 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
64 * success, or a negative error code on error.
65 *
66 * Since: 2.12.0
67 **/
68 int
69 gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int *bits)
70 {
71 switch (key->type)
72 {
73 #ifdef ENABLE_OPENPGP
74 case GNUTLS_PRIVKEY_OPENPGP:
75 return gnutls_openpgp_privkey_get_pk_algorithm (key->key.openpgp, bits);
76 #endif
77 #ifdef ENABLE_PKCS11
78 case GNUTLS_PRIVKEY_PKCS11:
79 return gnutls_pkcs11_privkey_get_pk_algorithm (key->key.pkcs11, bits);
80 #endif
81 case GNUTLS_PRIVKEY_X509:
82 if (bits)
83 *bits = _gnutls_mpi_get_nbits (key->key.x509->params.params[0]);
84 return gnutls_x509_privkey_get_pk_algorithm (key->key.x509);
85 case GNUTLS_PRIVKEY_EXT:
86 if (bits)
87 *bits = 0;
88 return key->pk_algorithm;
89 default:
90 gnutls_assert ();
91 return GNUTLS_E_INVALID_REQUEST;
92 }
93
94 }
95
96 static int
97 privkey_to_pubkey (gnutls_pk_algorithm_t pk,
98 const gnutls_pk_params_st* priv,
99 gnutls_pk_params_st* pub)
100 {
101 int ret;
102
103 switch (pk)
104 {
105 case GNUTLS_PK_RSA:
106 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
107 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
108
109 pub->params_nr = RSA_PUBLIC_PARAMS;
110
111 if (pub->params[0] == NULL || pub->params[1] == NULL)
112 {
113 gnutls_assert ();
114 ret = GNUTLS_E_MEMORY_ERROR;
115 goto cleanup;
116 }
117
118 break;
119 case GNUTLS_PK_DSA:
120 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
121 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
122 pub->params[2] = _gnutls_mpi_copy (priv->params[2]);
123 pub->params[3] = _gnutls_mpi_copy (priv->params[3]);
124
125 pub->params_nr = DSA_PUBLIC_PARAMS;
126
127 if (pub->params[0] == NULL || pub->params[1] == NULL ||
128 pub->params[2] == NULL || pub->params[3] == NULL)
129 {
130 gnutls_assert ();
131 ret = GNUTLS_E_MEMORY_ERROR;
132 goto cleanup;
133 }
134
135 break;
136 case GNUTLS_PK_EC:
137 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
138 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
139 pub->params[2] = _gnutls_mpi_copy (priv->params[2]);
140 pub->params[3] = _gnutls_mpi_copy (priv->params[3]);
141 pub->params[4] = _gnutls_mpi_copy (priv->params[4]);
142 pub->params[5] = _gnutls_mpi_copy (priv->params[5]);
143 pub->params[6] = _gnutls_mpi_copy (priv->params[6]);
144 pub->params[7] = _gnutls_mpi_copy (priv->params[7]);
145
146 pub->params_nr = ECC_PUBLIC_PARAMS;
147 pub->flags = priv->flags;
148
149 if (pub->params[0] == NULL || pub->params[1] == NULL ||
150 pub->params[2] == NULL || pub->params[3] == NULL ||
151 pub->params[4] == NULL || pub->params[5] == NULL ||
152 pub->params[6] == NULL || pub->params[7] == NULL)
153 {
154 gnutls_assert ();
155 ret = GNUTLS_E_MEMORY_ERROR;
156 goto cleanup;
157 }
158
159 break;
160 default:
161 gnutls_assert ();
162 return GNUTLS_E_INVALID_REQUEST;
163 }
164
165 return 0;
166 cleanup:
167 gnutls_pk_params_release(pub);
168 return ret;
169 }
170
171
172 /* Returns the public key of the private key (if possible)
173 */
174 int
175 _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
176 gnutls_pk_params_st * params)
177 {
178 int ret;
179 gnutls_pk_algorithm_t pk = gnutls_privkey_get_pk_algorithm (key, NULL);
180
181 switch (key->type)
182 {
183 #ifdef ENABLE_OPENPGP
184 case GNUTLS_PRIVKEY_OPENPGP:
185 {
186 gnutls_pk_params_st tmp_params;
187 uint32_t kid[2];
188 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
189
190 ret =
191 gnutls_openpgp_privkey_get_preferred_key_id (key->key.openpgp,
192 keyid);
193 if (ret == 0)
194 {
195 KEYID_IMPORT (kid, keyid);
196 ret = _gnutls_openpgp_privkey_get_mpis (key->key.openpgp, kid,
197 &tmp_params);
198 }
199 else
200 ret = _gnutls_openpgp_privkey_get_mpis (key->key.openpgp, NULL,
201 &tmp_params);
202
203 if (ret < 0)
204 {
205 gnutls_assert ();
206 return ret;
207 }
208
209 ret = privkey_to_pubkey (pk,
210 &tmp_params,
211 params);
212
213 gnutls_pk_params_release(&tmp_params);
214 }
215
216 break;
217 #endif
218 case GNUTLS_PRIVKEY_X509:
219 ret = privkey_to_pubkey (pk,
220 &key->key.x509->params,
221 params);
222 break;
223 default:
224 gnutls_assert ();
225 return GNUTLS_E_INVALID_REQUEST;
226 }
227
228 return ret;
229 }
230
231 /**
232 * gnutls_privkey_init:
233 * @key: The structure to be initialized
234 *
235 * This function will initialize an private key structure.
236 *
237 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
238 * negative error value.
239 *
240 * Since: 2.12.0
241 **/
242 int
243 gnutls_privkey_init (gnutls_privkey_t * key)
244 {
245 *key = gnutls_calloc (1, sizeof (struct gnutls_privkey_st));
246 if (*key == NULL)
247 {
248 gnutls_assert ();
249 return GNUTLS_E_MEMORY_ERROR;
250 }
251
252 return 0;
253 }
254
255 /**
256 * gnutls_privkey_deinit:
257 * @key: The structure to be deinitialized
258 *
259 * This function will deinitialize a private key structure.
260 *
261 * Since: 2.12.0
262 **/
263 void
264 gnutls_privkey_deinit (gnutls_privkey_t key)
265 {
266 if (key == NULL) return;
267
268 if (key->flags & GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE || key->flags & GNUTLS_PRIVKEY_IMPORT_COPY)
269 switch (key->type)
270 {
271 #ifdef ENABLE_OPENPGP
272 case GNUTLS_PRIVKEY_OPENPGP:
273 gnutls_openpgp_privkey_deinit (key->key.openpgp);
274 break;
275 #endif
276 #ifdef ENABLE_PKCS11
277 case GNUTLS_PRIVKEY_PKCS11:
278 gnutls_pkcs11_privkey_deinit (key->key.pkcs11);
279 break;
280 #endif
281 case GNUTLS_PRIVKEY_X509:
282 gnutls_x509_privkey_deinit (key->key.x509);
283 break;
284 case GNUTLS_PRIVKEY_EXT:
285 if (key->key.ext.deinit_func != NULL)
286 key->key.ext.deinit_func(key, key->key.ext.userdata);
287 break;
288 default:
289 break;
290 }
291 gnutls_free (key);
292 }
293
294 /* will fail if the private key contains an actual key.
295 */
296 static int check_if_clean(gnutls_privkey_t key)
297 {
298 if (key->type != 0)
299 return GNUTLS_E_INVALID_REQUEST;
300
301 return 0;
302 }
303
304 #ifdef ENABLE_PKCS11
305
306 /**
307 * gnutls_privkey_import_pkcs11:
308 * @pkey: The private key
309 * @key: The private key to be imported
310 * @flags: Flags for the import
311 *
312 * This function will import the given private key to the abstract
313 * #gnutls_privkey_t structure.
314 *
315 * The #gnutls_pkcs11_privkey_t object must not be deallocated
316 * during the lifetime of this structure.
317 *
318 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
319 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
320 *
321 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
322 * negative error value.
323 *
324 * Since: 2.12.0
325 **/
326 int
327 gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey,
328 gnutls_pkcs11_privkey_t key, unsigned int flags)
329 {
330 int ret;
331
332 ret = check_if_clean(pkey);
333 if (ret < 0)
334 {
335 gnutls_assert();
336 return ret;
337 }
338
339 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
340 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
341
342 pkey->key.pkcs11 = key;
343 pkey->type = GNUTLS_PRIVKEY_PKCS11;
344 pkey->pk_algorithm = gnutls_pkcs11_privkey_get_pk_algorithm (key, NULL);
345 pkey->flags = flags;
346
347 if (pkey->pin.data)
348 gnutls_pkcs11_privkey_set_pin_function(key, pkey->pin.cb, pkey->pin.data);
349
350 return 0;
351 }
352
353 /**
354 * gnutls_privkey_import_pkcs11_url:
355 * @key: A key of type #gnutls_pubkey_t
356 * @url: A PKCS 11 url
357 *
358 * This function will import a PKCS 11 private key to a #gnutls_private_key_t
359 * structure.
360 *
361 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
362 * negative error value.
363 *
364 * Since: 3.1.0
365 **/
366 int
367 gnutls_privkey_import_pkcs11_url (gnutls_privkey_t key, const char *url)
368 {
369 gnutls_pkcs11_privkey_t pkey;
370 int ret;
371
372 ret = gnutls_pkcs11_privkey_init (&pkey);
373 if (ret < 0)
374 {
375 gnutls_assert ();
376 return ret;
377 }
378
379 if (key->pin.cb)
380 gnutls_pkcs11_privkey_set_pin_function(pkey, key->pin.cb, key->pin.data);
381
382 ret = gnutls_pkcs11_privkey_import_url (pkey, url, 0);
383 if (ret < 0)
384 {
385 gnutls_assert ();
386 goto cleanup;
387 }
388
389 ret = gnutls_privkey_import_pkcs11 (key, pkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
390 if (ret < 0)
391 {
392 gnutls_assert ();
393 goto cleanup;
394 }
395
396 return 0;
397
398 cleanup:
399 gnutls_pkcs11_privkey_deinit (pkey);
400
401 return ret;
402 }
403
404 #endif /* ENABLE_PKCS11 */
405
406 /**
407 * gnutls_privkey_import_ext:
408 * @pkey: The private key
409 * @pk: The public key algorithm
410 * @userdata: private data to be provided to the callbacks
411 * @sign_func: callback for signature operations
412 * @decrypt_func: callback for decryption operations
413 * @flags: Flags for the import
414 *
415 * This function will associate the given callbacks with the
416 * #gnutls_privkey_t structure. At least one of the two callbacks
417 * must be non-null.
418 *
419 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
420 * negative error value.
421 *
422 * Since: 3.0
423 **/
424 int
425 gnutls_privkey_import_ext (gnutls_privkey_t pkey,
426 gnutls_pk_algorithm_t pk,
427 void* userdata,
428 gnutls_privkey_sign_func sign_func,
429 gnutls_privkey_decrypt_func decrypt_func,
430 unsigned int flags)
431 {
432 return gnutls_privkey_import_ext2( pkey, pk, userdata, sign_func, decrypt_func,
433 NULL, flags);
434 }
435
436 /**
437 * gnutls_privkey_import_ext2:
438 * @pkey: The private key
439 * @pk: The public key algorithm
440 * @userdata: private data to be provided to the callbacks
441 * @sign_func: callback for signature operations
442 * @decrypt_func: callback for decryption operations
443 * @deinit_func: a deinitialization function
444 * @flags: Flags for the import
445 *
446 * This function will associate the given callbacks with the
447 * #gnutls_privkey_t structure. At least one of the two callbacks
448 * must be non-null. If a deinitialization function is provided
449 * then flags is assumed to contain %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE.
450 *
451 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
452 * negative error value.
453 *
454 * Since: 3.1
455 **/
456 int
457 gnutls_privkey_import_ext2 (gnutls_privkey_t pkey,
458 gnutls_pk_algorithm_t pk,
459 void* userdata,
460 gnutls_privkey_sign_func sign_func,
461 gnutls_privkey_decrypt_func decrypt_func,
462 gnutls_privkey_deinit_func deinit_func,
463 unsigned int flags)
464 {
465 int ret;
466
467 ret = check_if_clean(pkey);
468 if (ret < 0)
469 {
470 gnutls_assert();
471 return ret;
472 }
473
474 if (sign_func == NULL && decrypt_func == NULL)
475 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
476
477 pkey->key.ext.sign_func = sign_func;
478 pkey->key.ext.decrypt_func = decrypt_func;
479 pkey->key.ext.deinit_func = deinit_func;
480 pkey->key.ext.userdata = userdata;
481 pkey->type = GNUTLS_PRIVKEY_EXT;
482 pkey->pk_algorithm = pk;
483 pkey->flags = flags;
484
485 /* Ensure gnutls_privkey_deinit() calls the deinit_func */
486 if (deinit_func)
487 pkey->flags |= GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE;
488
489 return 0;
490 }
491
492 /**
493 * gnutls_privkey_import_x509:
494 * @pkey: The private key
495 * @key: The private key to be imported
496 * @flags: Flags for the import
497 *
498 * This function will import the given private key to the abstract
499 * #gnutls_privkey_t structure.
500 *
501 * The #gnutls_x509_privkey_t object must not be deallocated
502 * during the lifetime of this structure.
503 *
504 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
505 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
506 *
507 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
508 * negative error value.
509 *
510 * Since: 2.12.0
511 **/
512 int
513 gnutls_privkey_import_x509 (gnutls_privkey_t pkey,
514 gnutls_x509_privkey_t key, unsigned int flags)
515 {
516 int ret;
517
518 ret = check_if_clean(pkey);
519 if (ret < 0)
520 {
521 gnutls_assert();
522 return ret;
523 }
524
525 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
526 {
527 ret = gnutls_x509_privkey_init(&pkey->key.x509);
528 if (ret < 0)
529 return gnutls_assert_val(ret);
530
531 ret = gnutls_x509_privkey_cpy(pkey->key.x509, key);
532 if (ret < 0)
533 {
534 gnutls_x509_privkey_deinit(pkey->key.x509);
535 return gnutls_assert_val(ret);
536 }
537 }
538 else
539 pkey->key.x509 = key;
540
541 pkey->type = GNUTLS_PRIVKEY_X509;
542 pkey->pk_algorithm = gnutls_x509_privkey_get_pk_algorithm (key);
543 pkey->flags = flags;
544
545 return 0;
546 }
547
548 #ifdef ENABLE_OPENPGP
549 /**
550 * gnutls_privkey_import_openpgp:
551 * @pkey: The private key
552 * @key: The private key to be imported
553 * @flags: Flags for the import
554 *
555 * This function will import the given private key to the abstract
556 * #gnutls_privkey_t structure.
557 *
558 * The #gnutls_openpgp_privkey_t object must not be deallocated
559 * during the lifetime of this structure. The subkey set as
560 * preferred will be used, or the master key otherwise.
561 *
562 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
563 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
564 *
565 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
566 * negative error value.
567 *
568 * Since: 2.12.0
569 **/
570 int
571 gnutls_privkey_import_openpgp (gnutls_privkey_t pkey,
572 gnutls_openpgp_privkey_t key,
573 unsigned int flags)
574 {
575 int ret, idx;
576 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
577
578 ret = check_if_clean(pkey);
579 if (ret < 0)
580 {
581 gnutls_assert();
582 return ret;
583 }
584
585 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
586 {
587 ret = gnutls_openpgp_privkey_init(&pkey->key.openpgp);
588 if (ret < 0)
589 return gnutls_assert_val(ret);
590
591 ret = _gnutls_openpgp_privkey_cpy(pkey->key.openpgp, key);
592 if (ret < 0)
593 {
594 gnutls_openpgp_privkey_deinit(pkey->key.openpgp);
595 return gnutls_assert_val(ret);
596 }
597 }
598 else
599 pkey->key.openpgp = key;
600
601 pkey->type = GNUTLS_PRIVKEY_OPENPGP;
602
603 ret = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
604 if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR)
605 {
606 pkey->pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm(key, NULL);
607 }
608 else
609 {
610 if (ret < 0)
611 return gnutls_assert_val(ret);
612
613 idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
614
615 pkey->pk_algorithm = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, NULL);
616 }
617
618 pkey->flags = flags;
619
620 return 0;
621 }
622 #endif
623
624 /**
625 * gnutls_privkey_sign_data:
626 * @signer: Holds the key
627 * @hash: should be a digest algorithm
628 * @flags: should be 0 for now
629 * @data: holds the data to be signed
630 * @signature: will contain the signature allocate with gnutls_malloc()
631 *
632 * This function will sign the given data using a signature algorithm
633 * supported by the private key. Signature algorithms are always used
634 * together with a hash functions. Different hash functions may be
635 * used for the RSA algorithm, but only the SHA family for the DSA keys.
636 *
637 * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
638 * the hash algorithm.
639 *
640 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
641 * negative error value.
642 *
643 * Since: 2.12.0
644 **/
645 int
646 gnutls_privkey_sign_data (gnutls_privkey_t signer,
647 gnutls_digest_algorithm_t hash,
648 unsigned int flags,
649 const gnutls_datum_t * data,
650 gnutls_datum_t * signature)
651 {
652 int ret;
653 gnutls_datum_t digest;
654
655 ret = pk_hash_data (signer->pk_algorithm, hash, NULL, data, &digest);
656 if (ret < 0)
657 {
658 gnutls_assert ();
659 return ret;
660 }
661
662 ret = pk_prepare_hash (signer->pk_algorithm, hash, &digest);
663 if (ret < 0)
664 {
665 gnutls_assert ();
666 goto cleanup;
667 }
668
669 ret = _gnutls_privkey_sign_hash (signer, &digest, signature);
670 _gnutls_free_datum (&digest);
671
672 if (ret < 0)
673 {
674 gnutls_assert ();
675 return ret;
676 }
677
678 return 0;
679
680 cleanup:
681 _gnutls_free_datum (&digest);
682 return ret;
683 }
684
685 /**
686 * gnutls_privkey_sign_hash:
687 * @signer: Holds the signer's key
688 * @hash_algo: The hash algorithm used
689 * @flags: zero for now
690 * @hash_data: holds the data to be signed
691 * @signature: will contain newly allocated signature
692 *
693 * This function will sign the given hashed data using a signature algorithm
694 * supported by the private key. Signature algorithms are always used
695 * together with a hash functions. Different hash functions may be
696 * used for the RSA algorithm, but only SHA-XXX for the DSA keys.
697 *
698 * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
699 * the hash algorithm.
700 *
701 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
702 * negative error value.
703 *
704 * Since: 2.12.0
705 **/
706 int
707 gnutls_privkey_sign_hash (gnutls_privkey_t signer,
708 gnutls_digest_algorithm_t hash_algo,
709 unsigned int flags,
710 const gnutls_datum_t * hash_data,
711 gnutls_datum_t * signature)
712 {
713 int ret;
714 gnutls_datum_t digest;
715
716 digest.data = gnutls_malloc (hash_data->size);
717 if (digest.data == NULL)
718 {
719 gnutls_assert ();
720 return GNUTLS_E_MEMORY_ERROR;
721 }
722 digest.size = hash_data->size;
723 memcpy (digest.data, hash_data->data, digest.size);
724
725 ret = pk_prepare_hash (signer->pk_algorithm, hash_algo, &digest);
726 if (ret < 0)
727 {
728 gnutls_assert ();
729 goto cleanup;
730 }
731
732 ret = _gnutls_privkey_sign_hash (signer, &digest, signature);
733 if (ret < 0)
734 {
735 gnutls_assert ();
736 goto cleanup;
737 }
738
739 ret = 0;
740
741 cleanup:
742 _gnutls_free_datum (&digest);
743 return ret;
744 }
745
746 /*-
747 * _gnutls_privkey_sign_hash:
748 * @key: Holds the key
749 * @data: holds the data to be signed
750 * @signature: will contain the signature allocate with gnutls_malloc()
751 *
752 * This function will sign the given data using a signature algorithm
753 * supported by the private key.
754 *
755 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
756 * negative error value.
757 -*/
758 int
759 _gnutls_privkey_sign_hash (gnutls_privkey_t key,
760 const gnutls_datum_t * hash,
761 gnutls_datum_t * signature)
762 {
763 switch (key->type)
764 {
765 #ifdef ENABLE_OPENPGP
766 case GNUTLS_PRIVKEY_OPENPGP:
767 return gnutls_openpgp_privkey_sign_hash (key->key.openpgp,
768 hash, signature);
769 #endif
770 #ifdef ENABLE_PKCS11
771 case GNUTLS_PRIVKEY_PKCS11:
772 return _gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11,
773 hash, signature);
774 #endif
775 case GNUTLS_PRIVKEY_X509:
776 return _gnutls_pk_sign (key->key.x509->pk_algorithm,
777 signature, hash, &key->key.x509->params);
778 case GNUTLS_PRIVKEY_EXT:
779 if (key->key.ext.sign_func == NULL)
780 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
781 return key->key.ext.sign_func(key, key->key.ext.userdata, hash, signature);
782 default:
783 gnutls_assert ();
784 return GNUTLS_E_INVALID_REQUEST;
785 }
786 }
787
788 /**
789 * gnutls_privkey_decrypt_data:
790 * @key: Holds the key
791 * @flags: zero for now
792 * @ciphertext: holds the data to be decrypted
793 * @plaintext: will contain the decrypted data, allocated with gnutls_malloc()
794 *
795 * This function will decrypt the given data using the algorithm
796 * supported by the private key.
797 *
798 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
799 * negative error value.
800 *
801 * Since: 2.12.0
802 **/
803 int
804 gnutls_privkey_decrypt_data (gnutls_privkey_t key,
805 unsigned int flags,
806 const gnutls_datum_t * ciphertext,
807 gnutls_datum_t * plaintext)
808 {
809 switch (key->type)
810 {
811 #ifdef ENABLE_OPENPGP
812 case GNUTLS_PRIVKEY_OPENPGP:
813 return _gnutls_openpgp_privkey_decrypt_data (key->key.openpgp, flags,
814 ciphertext, plaintext);
815 #endif
816 case GNUTLS_PRIVKEY_X509:
817 return _gnutls_pk_decrypt (key->pk_algorithm, plaintext, ciphertext,
818 &key->key.x509->params);
819 #ifdef ENABLE_PKCS11
820 case GNUTLS_PRIVKEY_PKCS11:
821 return _gnutls_pkcs11_privkey_decrypt_data (key->key.pkcs11,
822 flags,
823 ciphertext, plaintext);
824 #endif
825 case GNUTLS_PRIVKEY_EXT:
826 if (key->key.ext.decrypt_func == NULL)
827 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
828
829 return key->key.ext.decrypt_func(key, key->key.ext.userdata, ciphertext, plaintext);
830 default:
831 gnutls_assert ();
832 return GNUTLS_E_INVALID_REQUEST;
833 }
834 }
835
836 /**
837 * gnutls_privkey_import_x509_raw:
838 * @pkey: The private key
839 * @data: The private key data to be imported
840 * @format: The format of the private key
841 * @password: A password (optional)
842 *
843 * This function will import the given private key to the abstract
844 * #gnutls_privkey_t structure.
845 *
846 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
847 * negative error value.
848 *
849 * Since: 3.1.0
850 **/
851 int gnutls_privkey_import_x509_raw (gnutls_privkey_t pkey,
852 const gnutls_datum_t * data,
853 gnutls_x509_crt_fmt_t format,
854 const char* password)
855 {
856 gnutls_x509_privkey_t xpriv;
857 int ret;
858
859 ret = gnutls_x509_privkey_init(&xpriv);
860 if (ret < 0)
861 return gnutls_assert_val(ret);
862
863 ret = gnutls_x509_privkey_import2(xpriv, data, format, password);
864 if (ret < 0)
865 {
866 gnutls_assert();
867 goto cleanup;
868 }
869
870 ret = gnutls_privkey_import_x509(pkey, xpriv, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
871 if (ret < 0)
872 {
873 gnutls_assert();
874 goto cleanup;
875 }
876
877 return 0;
878
879 cleanup:
880 gnutls_x509_privkey_deinit(xpriv);
881
882 return ret;
883 }
884
885 /**
886 * gnutls_privkey_import_openpgp_raw:
887 * @pkey: The private key
888 * @data: The private key data to be imported
889 * @format: The format of the private key
890 * @keyid: The key id to use (optional)
891 * @password: A password (optional)
892 *
893 * This function will import the given private key to the abstract
894 * #gnutls_privkey_t structure.
895 *
896 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
897 * negative error value.
898 *
899 * Since: 3.1.0
900 **/
901 int gnutls_privkey_import_openpgp_raw (gnutls_privkey_t pkey,
902 const gnutls_datum_t * data,
903 gnutls_openpgp_crt_fmt_t format,
904 const gnutls_openpgp_keyid_t keyid,
905 const char* password)
906 {
907 gnutls_openpgp_privkey_t xpriv;
908 int ret;
909
910 ret = gnutls_openpgp_privkey_init(&xpriv);
911 if (ret < 0)
912 return gnutls_assert_val(ret);
913
914 ret = gnutls_openpgp_privkey_import(xpriv, data, format, password, 0);
915 if (ret < 0)
916 {
917 gnutls_assert();
918 goto cleanup;
919 }
920
921 if(keyid)
922 {
923 ret = gnutls_openpgp_privkey_set_preferred_key_id(xpriv, keyid);
924 if (ret < 0)
925 {
926 gnutls_assert();
927 goto cleanup;
928 }
929 }
930
931 ret = gnutls_privkey_import_openpgp(pkey, xpriv, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
932 if (ret < 0)
933 {
934 gnutls_assert();
935 goto cleanup;
936 }
937
938 ret = 0;
939
940 cleanup:
941 gnutls_openpgp_privkey_deinit(xpriv);
942
943 return ret;
944 }
945
946
947 /**
948 * gnutls_privkey_import_url:
949 * @key: A key of type #gnutls_privkey_t
950 * @url: A PKCS 11 url
951 * @flags: should be zero
952 *
953 * This function will import a PKCS11 or TPM URL as a
954 * private key. The supported URL types can be checked
955 * using gnutls_url_is_supported().
956 *
957 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
958 * negative error value.
959 *
960 * Since: 3.1.0
961 **/
962 int
963 gnutls_privkey_import_url (gnutls_privkey_t key, const char *url, unsigned int flags)
964 {
965 #ifdef ENABLE_PKCS11
966 if (strstr(url, "pkcs11:") != NULL)
967 return gnutls_privkey_import_pkcs11_url(key, url);
968 #endif
969 #ifdef HAVE_TROUSERS
970 if (strstr(url, "tpmkey:") != NULL)
971 return gnutls_privkey_import_tpm_url(key, url, NULL, NULL, 0);
972 #endif
973 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
974 }
975
976 /**
977 * gnutls_privkey_set_pin_function:
978 * @key: A key of type #gnutls_privkey_t
979 * @fn: the callback
980 * @userdata: data associated with the callback
981 *
982 * This function will set a callback function to be used when
983 * required to access the object. This function overrides any other
984 * global PIN functions.
985 *
986 * Note that this function must be called right after initialization
987 * to have effect.
988 *
989 * Since: 3.1.0
990 *
991 **/
992 void gnutls_privkey_set_pin_function (gnutls_privkey_t key,
993 gnutls_pin_callback_t fn, void *userdata)
994 {
995 key->pin.cb = fn;
996 key->pin.data = userdata;
997 }
Implementation of the SSL/TLS protocol