search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
certtool is able to set certificate policies via a template
[gnutls.git] / lib / gnutls_privkey.c
blobf718b7cf691f827726fd1c817af20b61a16c1bfa
1 /*
2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 */
20
21 #include <gnutls_int.h>
22 #include <gnutls/pkcs11.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <gnutls_errors.h>
26 #include <gnutls_datum.h>
27 #include <pkcs11_int.h>
28 #include <gnutls/abstract.h>
29 #include <gnutls_pk.h>
30 #include <x509_int.h>
31 #include <openpgp/openpgp_int.h>
32 #include <openpgp/gnutls_openpgp.h>
33 #include <gnutls_sig.h>
34 #include <abstract_int.h>
35
36 /**
37 * gnutls_privkey_get_type:
38 * @key: should contain a #gnutls_privkey_t structure
39 *
40 * This function will return the type of the private key. This is
41 * actually the type of the subsystem used to set this private key.
42 *
43 * Returns: a member of the #gnutls_privkey_type_t enumeration on
44 * success, or a negative error code on error.
45 *
46 * Since: 2.12.0
47 **/
48 gnutls_privkey_type_t
49 gnutls_privkey_get_type (gnutls_privkey_t key)
50 {
51 return key->type;
52 }
53
54 /**
55 * gnutls_privkey_get_pk_algorithm:
56 * @key: should contain a #gnutls_privkey_t structure
57 * @bits: If set will return the number of bits of the parameters (may be NULL)
58 *
59 * This function will return the public key algorithm of a private
60 * key and if possible will return a number of bits that indicates
61 * the security parameter of the key.
62 *
63 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
64 * success, or a negative error code on error.
65 *
66 * Since: 2.12.0
67 **/
68 int
69 gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int *bits)
70 {
71 switch (key->type)
72 {
73 #ifdef ENABLE_OPENPGP
74 case GNUTLS_PRIVKEY_OPENPGP:
75 return gnutls_openpgp_privkey_get_pk_algorithm (key->key.openpgp, bits);
76 #endif
77 #ifdef ENABLE_PKCS11
78 case GNUTLS_PRIVKEY_PKCS11:
79 return gnutls_pkcs11_privkey_get_pk_algorithm (key->key.pkcs11, bits);
80 #endif
81 case GNUTLS_PRIVKEY_X509:
82 if (bits)
83 *bits = _gnutls_mpi_get_nbits (key->key.x509->params.params[0]);
84 return gnutls_x509_privkey_get_pk_algorithm (key->key.x509);
85 case GNUTLS_PRIVKEY_EXT:
86 if (bits)
87 *bits = 0;
88 return key->pk_algorithm;
89 default:
90 gnutls_assert ();
91 return GNUTLS_E_INVALID_REQUEST;
92 }
93
94 }
95
96 static int
97 privkey_to_pubkey (gnutls_pk_algorithm_t pk,
98 const gnutls_pk_params_st* priv,
99 gnutls_pk_params_st* pub)
100 {
101 int ret;
102
103 switch (pk)
104 {
105 case GNUTLS_PK_RSA:
106 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
107 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
108
109 pub->params_nr = RSA_PUBLIC_PARAMS;
110
111 if (pub->params[0] == NULL || pub->params[1] == NULL)
112 {
113 gnutls_assert ();
114 ret = GNUTLS_E_MEMORY_ERROR;
115 goto cleanup;
116 }
117
118 break;
119 case GNUTLS_PK_DSA:
120 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
121 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
122 pub->params[2] = _gnutls_mpi_copy (priv->params[2]);
123 pub->params[3] = _gnutls_mpi_copy (priv->params[3]);
124
125 pub->params_nr = DSA_PUBLIC_PARAMS;
126
127 if (pub->params[0] == NULL || pub->params[1] == NULL ||
128 pub->params[2] == NULL || pub->params[3] == NULL)
129 {
130 gnutls_assert ();
131 ret = GNUTLS_E_MEMORY_ERROR;
132 goto cleanup;
133 }
134
135 break;
136 case GNUTLS_PK_EC:
137 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
138 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
139 pub->params[2] = _gnutls_mpi_copy (priv->params[2]);
140 pub->params[3] = _gnutls_mpi_copy (priv->params[3]);
141 pub->params[4] = _gnutls_mpi_copy (priv->params[4]);
142 pub->params[5] = _gnutls_mpi_copy (priv->params[5]);
143 pub->params[6] = _gnutls_mpi_copy (priv->params[6]);
144 pub->params[7] = _gnutls_mpi_copy (priv->params[7]);
145
146 pub->params_nr = ECC_PUBLIC_PARAMS;
147 pub->flags = priv->flags;
148
149 if (pub->params[0] == NULL || pub->params[1] == NULL ||
150 pub->params[2] == NULL || pub->params[3] == NULL ||
151 pub->params[4] == NULL || pub->params[5] == NULL ||
152 pub->params[6] == NULL || pub->params[7] == NULL)
153 {
154 gnutls_assert ();
155 ret = GNUTLS_E_MEMORY_ERROR;
156 goto cleanup;
157 }
158
159 break;
160 default:
161 gnutls_assert ();
162 return GNUTLS_E_INVALID_REQUEST;
163 }
164
165 return 0;
166 cleanup:
167 gnutls_pk_params_release(pub);
168 return ret;
169 }
170
171
172 /* Returns the public key of the private key (if possible)
173 */
174 int
175 _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
176 gnutls_pk_params_st * params)
177 {
178 int ret;
179 gnutls_pk_algorithm_t pk = gnutls_privkey_get_pk_algorithm (key, NULL);
180
181 switch (key->type)
182 {
183 #ifdef ENABLE_OPENPGP
184 case GNUTLS_PRIVKEY_OPENPGP:
185 {
186 gnutls_pk_params_st tmp_params;
187 uint32_t kid[2];
188 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
189
190 ret =
191 gnutls_openpgp_privkey_get_preferred_key_id (key->key.openpgp,
192 keyid);
193 if (ret == 0)
194 {
195 KEYID_IMPORT (kid, keyid);
196 ret = _gnutls_openpgp_privkey_get_mpis (key->key.openpgp, kid,
197 &tmp_params);
198 }
199 else
200 ret = _gnutls_openpgp_privkey_get_mpis (key->key.openpgp, NULL,
201 &tmp_params);
202
203 if (ret < 0)
204 {
205 gnutls_assert ();
206 return ret;
207 }
208
209 ret = privkey_to_pubkey (pk,
210 &tmp_params,
211 params);
212
213 gnutls_pk_params_release(&tmp_params);
214 }
215
216 break;
217 #endif
218 case GNUTLS_PRIVKEY_X509:
219 ret = privkey_to_pubkey (pk,
220 &key->key.x509->params,
221 params);
222 break;
223 default:
224 gnutls_assert ();
225 return GNUTLS_E_INVALID_REQUEST;
226 }
227
228 return ret;
229 }
230
231 /**
232 * gnutls_privkey_init:
233 * @key: The structure to be initialized
234 *
235 * This function will initialize an private key structure.
236 *
237 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
238 * negative error value.
239 *
240 * Since: 2.12.0
241 **/
242 int
243 gnutls_privkey_init (gnutls_privkey_t * key)
244 {
245 *key = gnutls_calloc (1, sizeof (struct gnutls_privkey_st));
246 if (*key == NULL)
247 {
248 gnutls_assert ();
249 return GNUTLS_E_MEMORY_ERROR;
250 }
251
252 return 0;
253 }
254
255 /**
256 * gnutls_privkey_deinit:
257 * @key: The structure to be deinitialized
258 *
259 * This function will deinitialize a private key structure.
260 *
261 * Since: 2.12.0
262 **/
263 void
264 gnutls_privkey_deinit (gnutls_privkey_t key)
265 {
266 if (key == NULL) return;
267
268 if (key->flags & GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE || key->flags & GNUTLS_PRIVKEY_IMPORT_COPY)
269 switch (key->type)
270 {
271 #ifdef ENABLE_OPENPGP
272 case GNUTLS_PRIVKEY_OPENPGP:
273 gnutls_openpgp_privkey_deinit (key->key.openpgp);
274 break;
275 #endif
276 #ifdef ENABLE_PKCS11
277 case GNUTLS_PRIVKEY_PKCS11:
278 gnutls_pkcs11_privkey_deinit (key->key.pkcs11);
279 break;
280 #endif
281 case GNUTLS_PRIVKEY_X509:
282 gnutls_x509_privkey_deinit (key->key.x509);
283 break;
284 case GNUTLS_PRIVKEY_EXT:
285 if (key->key.ext.deinit_func != NULL)
286 key->key.ext.deinit_func(key, key->key.ext.userdata);
287 break;
288 default:
289 break;
290 }
291 gnutls_free (key);
292 }
293
294 /* will fail if the private key contains an actual key.
295 */
296 static int check_if_clean(gnutls_privkey_t key)
297 {
298 if (key->type != 0)
299 return GNUTLS_E_INVALID_REQUEST;
300
301 return 0;
302 }
303
304 #ifdef ENABLE_PKCS11
305
306 /**
307 * gnutls_privkey_import_pkcs11:
308 * @pkey: The private key
309 * @key: The private key to be imported
310 * @flags: Flags for the import
311 *
312 * This function will import the given private key to the abstract
313 * #gnutls_privkey_t structure.
314 *
315 * The #gnutls_pkcs11_privkey_t object must not be deallocated
316 * during the lifetime of this structure.
317 *
318 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
319 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
320 *
321 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
322 * negative error value.
323 *
324 * Since: 2.12.0
325 **/
326 int
327 gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey,
328 gnutls_pkcs11_privkey_t key, unsigned int flags)
329 {
330 int ret;
331
332 ret = check_if_clean(pkey);
333 if (ret < 0)
334 {
335 gnutls_assert();
336 return ret;
337 }
338
339 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
340 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
341
342 pkey->key.pkcs11 = key;
343 pkey->type = GNUTLS_PRIVKEY_PKCS11;
344 pkey->pk_algorithm = gnutls_pkcs11_privkey_get_pk_algorithm (key, NULL);
345 pkey->flags = flags;
346
347 if (pkey->pin.data)
348 gnutls_pkcs11_privkey_set_pin_function(key, pkey->pin.cb, pkey->pin.data);
349
350 return 0;
351 }
352
353 /**
354 * gnutls_privkey_import_pkcs11_url:
355 * @key: A key of type #gnutls_pubkey_t
356 * @url: A PKCS 11 url
357 *
358 * This function will import a PKCS 11 private key to a #gnutls_private_key_t
359 * structure.
360 *
361 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
362 * negative error value.
363 *
364 * Since: 3.1.0
365 **/
366 int
367 gnutls_privkey_import_pkcs11_url (gnutls_privkey_t key, const char *url)
368 {
369 gnutls_pkcs11_privkey_t pkey;
370 int ret;
371
372 ret = gnutls_pkcs11_privkey_init (&pkey);
373 if (ret < 0)
374 {
375 gnutls_assert ();
376 return ret;
377 }
378
379 if (key->pin.cb)
380 gnutls_pkcs11_privkey_set_pin_function(pkey, key->pin.cb, key->pin.data);
381
382 ret = gnutls_pkcs11_privkey_import_url (pkey, url, 0);
383 if (ret < 0)
384 {
385 gnutls_assert ();
386 goto cleanup;
387 }
388
389 ret = gnutls_privkey_import_pkcs11 (key, pkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
390 if (ret < 0)
391 {
392 gnutls_assert ();
393 goto cleanup;
394 }
395
396 return 0;
397
398 cleanup:
399 gnutls_pkcs11_privkey_deinit (pkey);
400
401 return ret;
402 }
403
404 #endif /* ENABLE_PKCS11 */
405
406 /**
407 * gnutls_privkey_import_ext:
408 * @pkey: The private key
409 * @pk: The public key algorithm
410 * @userdata: private data to be provided to the callbacks
411 * @sign_func: callback for signature operations
412 * @decrypt_func: callback for decryption operations
413 * @flags: Flags for the import
414 *
415 * This function will associate the given callbacks with the
416 * #gnutls_privkey_t structure. At least one of the two callbacks
417 * must be non-null.
418 *
419 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
420 * negative error value.
421 *
422 * Since: 3.0
423 **/
424 int
425 gnutls_privkey_import_ext (gnutls_privkey_t pkey,
426 gnutls_pk_algorithm_t pk,
427 void* userdata,
428 gnutls_privkey_sign_func sign_func,
429 gnutls_privkey_decrypt_func decrypt_func,
430 unsigned int flags)
431 {
432 return gnutls_privkey_import_ext2( pkey, pk, userdata, sign_func, decrypt_func,
433 NULL, flags);
434 }
435
436 /**
437 * gnutls_privkey_import_ext2:
438 * @pkey: The private key
439 * @pk: The public key algorithm
440 * @userdata: private data to be provided to the callbacks
441 * @sign_func: callback for signature operations
442 * @decrypt_func: callback for decryption operations
443 * @deinit_func: a deinitialization function
444 * @flags: Flags for the import
445 *
446 * This function will associate the given callbacks with the
447 * #gnutls_privkey_t structure. At least one of the two callbacks
448 * must be non-null. If a deinitialization function is provided
449 * then flags is assumed to contain %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE.
450 *
451 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
452 * negative error value.
453 *
454 * Since: 3.1
455 **/
456 int
457 gnutls_privkey_import_ext2 (gnutls_privkey_t pkey,
458 gnutls_pk_algorithm_t pk,
459 void* userdata,
460 gnutls_privkey_sign_func sign_func,
461 gnutls_privkey_decrypt_func decrypt_func,
462 gnutls_privkey_deinit_func deinit_func,
463 unsigned int flags)
464 {
465 int ret;
466
467 ret = check_if_clean(pkey);
468 if (ret < 0)
469 {
470 gnutls_assert();
471 return ret;
472 }
473
474 if (sign_func == NULL && decrypt_func == NULL)
475 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
476
477 pkey->key.ext.sign_func = sign_func;
478 pkey->key.ext.decrypt_func = decrypt_func;
479 pkey->key.ext.deinit_func = deinit_func;
480 pkey->key.ext.userdata = userdata;
481 pkey->type = GNUTLS_PRIVKEY_EXT;
482 pkey->pk_algorithm = pk;
483 pkey->flags = flags;
484
485 /* Ensure gnutls_privkey_deinit() calls the deinit_func */
486 if (deinit_func)
487 pkey->flags |= GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE;
488
489 return 0;
490 }
491
492 /**
493 * gnutls_privkey_import_x509:
494 * @pkey: The private key
495 * @key: The private key to be imported
496 * @flags: Flags for the import
497 *
498 * This function will import the given private key to the abstract
499 * #gnutls_privkey_t structure.
500 *
501 * The #gnutls_x509_privkey_t object must not be deallocated
502 * during the lifetime of this structure.
503 *
504 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
505 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
506 *
507 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
508 * negative error value.
509 *
510 * Since: 2.12.0
511 **/
512 int
513 gnutls_privkey_import_x509 (gnutls_privkey_t pkey,
514 gnutls_x509_privkey_t key, unsigned int flags)
515 {
516 int ret;
517
518 ret = check_if_clean(pkey);
519 if (ret < 0)
520 {
521 gnutls_assert();
522 return ret;
523 }
524
525 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
526 {
527 ret = gnutls_x509_privkey_init(&pkey->key.x509);
528 if (ret < 0)
529 return gnutls_assert_val(ret);
530
531 ret = gnutls_x509_privkey_cpy(pkey->key.x509, key);
532 if (ret < 0)
533 {
534 gnutls_x509_privkey_deinit(pkey->key.x509);
535 return gnutls_assert_val(ret);
536 }
537 }
538 else
539 pkey->key.x509 = key;
540
541 pkey->type = GNUTLS_PRIVKEY_X509;
542 pkey->pk_algorithm = gnutls_x509_privkey_get_pk_algorithm (key);
543 pkey->flags = flags;
544
545 return 0;
546 }
547
548 #ifdef ENABLE_OPENPGP
549 /**
550 * gnutls_privkey_import_openpgp:
551 * @pkey: The private key
552 * @key: The private key to be imported
553 * @flags: Flags for the import
554 *
555 * This function will import the given private key to the abstract
556 * #gnutls_privkey_t structure.
557 *
558 * The #gnutls_openpgp_privkey_t object must not be deallocated
559 * during the lifetime of this structure. The subkey set as
560 * preferred will be used, or the master key otherwise.
561 *
562 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
563 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
564 *
565 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
566 * negative error value.
567 *
568 * Since: 2.12.0
569 **/
570 int
571 gnutls_privkey_import_openpgp (gnutls_privkey_t pkey,
572 gnutls_openpgp_privkey_t key,
573 unsigned int flags)
574 {
575 int ret, idx;
576 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
577
578 ret = check_if_clean(pkey);
579 if (ret < 0)
580 {
581 gnutls_assert();
582 return ret;
583 }
584
585 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
586 {
587 ret = gnutls_openpgp_privkey_init(&pkey->key.openpgp);
588 if (ret < 0)
589 return gnutls_assert_val(ret);
590
591 ret = _gnutls_openpgp_privkey_cpy(pkey->key.openpgp, key);
592 if (ret < 0)
593 {
594 gnutls_openpgp_privkey_deinit(pkey->key.openpgp);
595 return gnutls_assert_val(ret);
596 }
597 }
598 else
599 pkey->key.openpgp = key;
600
601 pkey->type = GNUTLS_PRIVKEY_OPENPGP;
602
603 ret = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
604 if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR)
605 {
606 pkey->pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm(key, NULL);
607 }
608 else
609 {
610 if (ret < 0)
611 return gnutls_assert_val(ret);
612
613 idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
614
615 pkey->pk_algorithm = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, NULL);
616 }
617
618 pkey->flags = flags;
619
620 return 0;
621 }
622
623 /**
624 * gnutls_privkey_import_openpgp_raw:
625 * @pkey: The private key
626 * @data: The private key data to be imported
627 * @format: The format of the private key
628 * @keyid: The key id to use (optional)
629 * @password: A password (optional)
630 *
631 * This function will import the given private key to the abstract
632 * #gnutls_privkey_t structure.
633 *
634 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
635 * negative error value.
636 *
637 * Since: 3.1.0
638 **/
639 int gnutls_privkey_import_openpgp_raw (gnutls_privkey_t pkey,
640 const gnutls_datum_t * data,
641 gnutls_openpgp_crt_fmt_t format,
642 const gnutls_openpgp_keyid_t keyid,
643 const char* password)
644 {
645 gnutls_openpgp_privkey_t xpriv;
646 int ret;
647
648 ret = gnutls_openpgp_privkey_init(&xpriv);
649 if (ret < 0)
650 return gnutls_assert_val(ret);
651
652 ret = gnutls_openpgp_privkey_import(xpriv, data, format, password, 0);
653 if (ret < 0)
654 {
655 gnutls_assert();
656 goto cleanup;
657 }
658
659 if(keyid)
660 {
661 ret = gnutls_openpgp_privkey_set_preferred_key_id(xpriv, keyid);
662 if (ret < 0)
663 {
664 gnutls_assert();
665 goto cleanup;
666 }
667 }
668
669 ret = gnutls_privkey_import_openpgp(pkey, xpriv, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
670 if (ret < 0)
671 {
672 gnutls_assert();
673 goto cleanup;
674 }
675
676 ret = 0;
677
678 cleanup:
679 gnutls_openpgp_privkey_deinit(xpriv);
680
681 return ret;
682 }
683 #endif
684
685 /**
686 * gnutls_privkey_sign_data:
687 * @signer: Holds the key
688 * @hash: should be a digest algorithm
689 * @flags: should be 0 for now
690 * @data: holds the data to be signed
691 * @signature: will contain the signature allocate with gnutls_malloc()
692 *
693 * This function will sign the given data using a signature algorithm
694 * supported by the private key. Signature algorithms are always used
695 * together with a hash functions. Different hash functions may be
696 * used for the RSA algorithm, but only the SHA family for the DSA keys.
697 *
698 * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
699 * the hash algorithm.
700 *
701 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
702 * negative error value.
703 *
704 * Since: 2.12.0
705 **/
706 int
707 gnutls_privkey_sign_data (gnutls_privkey_t signer,
708 gnutls_digest_algorithm_t hash,
709 unsigned int flags,
710 const gnutls_datum_t * data,
711 gnutls_datum_t * signature)
712 {
713 int ret;
714 gnutls_datum_t digest;
715
716 ret = pk_hash_data (signer->pk_algorithm, hash, NULL, data, &digest);
717 if (ret < 0)
718 {
719 gnutls_assert ();
720 return ret;
721 }
722
723 ret = pk_prepare_hash (signer->pk_algorithm, hash, &digest);
724 if (ret < 0)
725 {
726 gnutls_assert ();
727 goto cleanup;
728 }
729
730 ret = _gnutls_privkey_sign_hash (signer, &digest, signature);
731 _gnutls_free_datum (&digest);
732
733 if (ret < 0)
734 {
735 gnutls_assert ();
736 return ret;
737 }
738
739 return 0;
740
741 cleanup:
742 _gnutls_free_datum (&digest);
743 return ret;
744 }
745
746 /**
747 * gnutls_privkey_sign_hash:
748 * @signer: Holds the signer's key
749 * @hash_algo: The hash algorithm used
750 * @flags: zero for now
751 * @hash_data: holds the data to be signed
752 * @signature: will contain newly allocated signature
753 *
754 * This function will sign the given hashed data using a signature algorithm
755 * supported by the private key. Signature algorithms are always used
756 * together with a hash functions. Different hash functions may be
757 * used for the RSA algorithm, but only SHA-XXX for the DSA keys.
758 *
759 * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
760 * the hash algorithm.
761 *
762 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
763 * negative error value.
764 *
765 * Since: 2.12.0
766 **/
767 int
768 gnutls_privkey_sign_hash (gnutls_privkey_t signer,
769 gnutls_digest_algorithm_t hash_algo,
770 unsigned int flags,
771 const gnutls_datum_t * hash_data,
772 gnutls_datum_t * signature)
773 {
774 int ret;
775 gnutls_datum_t digest;
776
777 digest.data = gnutls_malloc (hash_data->size);
778 if (digest.data == NULL)
779 {
780 gnutls_assert ();
781 return GNUTLS_E_MEMORY_ERROR;
782 }
783 digest.size = hash_data->size;
784 memcpy (digest.data, hash_data->data, digest.size);
785
786 ret = pk_prepare_hash (signer->pk_algorithm, hash_algo, &digest);
787 if (ret < 0)
788 {
789 gnutls_assert ();
790 goto cleanup;
791 }
792
793 ret = _gnutls_privkey_sign_hash (signer, &digest, signature);
794 if (ret < 0)
795 {
796 gnutls_assert ();
797 goto cleanup;
798 }
799
800 ret = 0;
801
802 cleanup:
803 _gnutls_free_datum (&digest);
804 return ret;
805 }
806
807 /*-
808 * _gnutls_privkey_sign_hash:
809 * @key: Holds the key
810 * @data: holds the data to be signed
811 * @signature: will contain the signature allocate with gnutls_malloc()
812 *
813 * This function will sign the given data using a signature algorithm
814 * supported by the private key.
815 *
816 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
817 * negative error value.
818 -*/
819 int
820 _gnutls_privkey_sign_hash (gnutls_privkey_t key,
821 const gnutls_datum_t * hash,
822 gnutls_datum_t * signature)
823 {
824 switch (key->type)
825 {
826 #ifdef ENABLE_OPENPGP
827 case GNUTLS_PRIVKEY_OPENPGP:
828 return gnutls_openpgp_privkey_sign_hash (key->key.openpgp,
829 hash, signature);
830 #endif
831 #ifdef ENABLE_PKCS11
832 case GNUTLS_PRIVKEY_PKCS11:
833 return _gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11,
834 hash, signature);
835 #endif
836 case GNUTLS_PRIVKEY_X509:
837 return _gnutls_pk_sign (key->key.x509->pk_algorithm,
838 signature, hash, &key->key.x509->params);
839 case GNUTLS_PRIVKEY_EXT:
840 if (key->key.ext.sign_func == NULL)
841 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
842 return key->key.ext.sign_func(key, key->key.ext.userdata, hash, signature);
843 default:
844 gnutls_assert ();
845 return GNUTLS_E_INVALID_REQUEST;
846 }
847 }
848
849 /**
850 * gnutls_privkey_decrypt_data:
851 * @key: Holds the key
852 * @flags: zero for now
853 * @ciphertext: holds the data to be decrypted
854 * @plaintext: will contain the decrypted data, allocated with gnutls_malloc()
855 *
856 * This function will decrypt the given data using the algorithm
857 * supported by the private key.
858 *
859 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
860 * negative error value.
861 *
862 * Since: 2.12.0
863 **/
864 int
865 gnutls_privkey_decrypt_data (gnutls_privkey_t key,
866 unsigned int flags,
867 const gnutls_datum_t * ciphertext,
868 gnutls_datum_t * plaintext)
869 {
870 switch (key->type)
871 {
872 #ifdef ENABLE_OPENPGP
873 case GNUTLS_PRIVKEY_OPENPGP:
874 return _gnutls_openpgp_privkey_decrypt_data (key->key.openpgp, flags,
875 ciphertext, plaintext);
876 #endif
877 case GNUTLS_PRIVKEY_X509:
878 return _gnutls_pk_decrypt (key->pk_algorithm, plaintext, ciphertext,
879 &key->key.x509->params);
880 #ifdef ENABLE_PKCS11
881 case GNUTLS_PRIVKEY_PKCS11:
882 return _gnutls_pkcs11_privkey_decrypt_data (key->key.pkcs11,
883 flags,
884 ciphertext, plaintext);
885 #endif
886 case GNUTLS_PRIVKEY_EXT:
887 if (key->key.ext.decrypt_func == NULL)
888 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
889
890 return key->key.ext.decrypt_func(key, key->key.ext.userdata, ciphertext, plaintext);
891 default:
892 gnutls_assert ();
893 return GNUTLS_E_INVALID_REQUEST;
894 }
895 }
896
897 /**
898 * gnutls_privkey_import_x509_raw:
899 * @pkey: The private key
900 * @data: The private key data to be imported
901 * @format: The format of the private key
902 * @password: A password (optional)
903 * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t
904 *
905 * This function will import the given private key to the abstract
906 * #gnutls_privkey_t structure.
907 *
908 * The supported formats are typical X.509, PKCS #8 and the openssl
909 * format.
910 *
911 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
912 * negative error value.
913 *
914 * Since: 3.1.0
915 **/
916 int gnutls_privkey_import_x509_raw (gnutls_privkey_t pkey,
917 const gnutls_datum_t * data,
918 gnutls_x509_crt_fmt_t format,
919 const char* password, unsigned int flags)
920 {
921 gnutls_x509_privkey_t xpriv;
922 int ret;
923
924 ret = gnutls_x509_privkey_init(&xpriv);
925 if (ret < 0)
926 return gnutls_assert_val(ret);
927
928 ret = gnutls_x509_privkey_import2(xpriv, data, format, password, flags);
929 if (ret < 0)
930 {
931 gnutls_assert();
932 goto cleanup;
933 }
934
935 ret = gnutls_privkey_import_x509(pkey, xpriv, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
936 if (ret < 0)
937 {
938 gnutls_assert();
939 goto cleanup;
940 }
941
942 return 0;
943
944 cleanup:
945 gnutls_x509_privkey_deinit(xpriv);
946
947 return ret;
948 }
949
950 /**
951 * gnutls_privkey_import_url:
952 * @key: A key of type #gnutls_privkey_t
953 * @url: A PKCS 11 url
954 * @flags: should be zero
955 *
956 * This function will import a PKCS11 or TPM URL as a
957 * private key. The supported URL types can be checked
958 * using gnutls_url_is_supported().
959 *
960 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
961 * negative error value.
962 *
963 * Since: 3.1.0
964 **/
965 int
966 gnutls_privkey_import_url (gnutls_privkey_t key, const char *url, unsigned int flags)
967 {
968 #ifdef ENABLE_PKCS11
969 if (strstr(url, "pkcs11:") != NULL)
970 return gnutls_privkey_import_pkcs11_url(key, url);
971 #endif
972 #ifdef HAVE_TROUSERS
973 if (strstr(url, "tpmkey:") != NULL)
974 return gnutls_privkey_import_tpm_url(key, url, NULL, NULL, 0);
975 #endif
976 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
977 }
978
979 /**
980 * gnutls_privkey_set_pin_function:
981 * @key: A key of type #gnutls_privkey_t
982 * @fn: the callback
983 * @userdata: data associated with the callback
984 *
985 * This function will set a callback function to be used when
986 * required to access the object. This function overrides any other
987 * global PIN functions.
988 *
989 * Note that this function must be called right after initialization
990 * to have effect.
991 *
992 * Since: 3.1.0
993 *
994 **/
995 void gnutls_privkey_set_pin_function (gnutls_privkey_t key,
996 gnutls_pin_callback_t fn, void *userdata)
997 {
998 key->pin.cb = fn;
999 key->pin.data = userdata;
1000 }
Implementation of the SSL/TLS protocol