search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
corrected copyright notices
[gnutls.git] / lib / gnutls_privkey.c
blob0af61afadfd96432aa77a159d38a22ba00779430
1 /*
2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
4 * Copyright (C) 2012 Nikos Mavrogiannopoulos
5 *
6 * Author: Nikos Mavrogiannopoulos
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 */
21
22 #include <gnutls_int.h>
23 #include <gnutls/pkcs11.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <gnutls_errors.h>
27 #include <gnutls_datum.h>
28 #include <pkcs11_int.h>
29 #include <gnutls/abstract.h>
30 #include <gnutls_pk.h>
31 #include <x509_int.h>
32 #include <openpgp/openpgp_int.h>
33 #include <openpgp/gnutls_openpgp.h>
34 #include <gnutls_sig.h>
35 #include <abstract_int.h>
36
37 /**
38 * gnutls_privkey_get_type:
39 * @key: should contain a #gnutls_privkey_t structure
40 *
41 * This function will return the type of the private key. This is
42 * actually the type of the subsystem used to set this private key.
43 *
44 * Returns: a member of the #gnutls_privkey_type_t enumeration on
45 * success, or a negative error code on error.
46 *
47 * Since: 2.12.0
48 **/
49 gnutls_privkey_type_t
50 gnutls_privkey_get_type (gnutls_privkey_t key)
51 {
52 return key->type;
53 }
54
55 /**
56 * gnutls_privkey_get_pk_algorithm:
57 * @key: should contain a #gnutls_privkey_t structure
58 * @bits: If set will return the number of bits of the parameters (may be NULL)
59 *
60 * This function will return the public key algorithm of a private
61 * key and if possible will return a number of bits that indicates
62 * the security parameter of the key.
63 *
64 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
65 * success, or a negative error code on error.
66 *
67 * Since: 2.12.0
68 **/
69 int
70 gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int *bits)
71 {
72 switch (key->type)
73 {
74 #ifdef ENABLE_OPENPGP
75 case GNUTLS_PRIVKEY_OPENPGP:
76 return gnutls_openpgp_privkey_get_pk_algorithm (key->key.openpgp, bits);
77 #endif
78 #ifdef ENABLE_PKCS11
79 case GNUTLS_PRIVKEY_PKCS11:
80 return gnutls_pkcs11_privkey_get_pk_algorithm (key->key.pkcs11, bits);
81 #endif
82 case GNUTLS_PRIVKEY_X509:
83 if (bits)
84 *bits = _gnutls_mpi_get_nbits (key->key.x509->params.params[0]);
85 return gnutls_x509_privkey_get_pk_algorithm (key->key.x509);
86 case GNUTLS_PRIVKEY_EXT:
87 if (bits)
88 *bits = 0;
89 return key->pk_algorithm;
90 default:
91 gnutls_assert ();
92 return GNUTLS_E_INVALID_REQUEST;
93 }
94
95 }
96
97 static int
98 privkey_to_pubkey (gnutls_pk_algorithm_t pk,
99 const gnutls_pk_params_st* priv,
100 gnutls_pk_params_st* pub)
101 {
102 int ret;
103
104 switch (pk)
105 {
106 case GNUTLS_PK_RSA:
107 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
108 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
109
110 pub->params_nr = RSA_PUBLIC_PARAMS;
111
112 if (pub->params[0] == NULL || pub->params[1] == NULL)
113 {
114 gnutls_assert ();
115 ret = GNUTLS_E_MEMORY_ERROR;
116 goto cleanup;
117 }
118
119 break;
120 case GNUTLS_PK_DSA:
121 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
122 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
123 pub->params[2] = _gnutls_mpi_copy (priv->params[2]);
124 pub->params[3] = _gnutls_mpi_copy (priv->params[3]);
125
126 pub->params_nr = DSA_PUBLIC_PARAMS;
127
128 if (pub->params[0] == NULL || pub->params[1] == NULL ||
129 pub->params[2] == NULL || pub->params[3] == NULL)
130 {
131 gnutls_assert ();
132 ret = GNUTLS_E_MEMORY_ERROR;
133 goto cleanup;
134 }
135
136 break;
137 case GNUTLS_PK_EC:
138 pub->params[0] = _gnutls_mpi_copy (priv->params[0]);
139 pub->params[1] = _gnutls_mpi_copy (priv->params[1]);
140 pub->params[2] = _gnutls_mpi_copy (priv->params[2]);
141 pub->params[3] = _gnutls_mpi_copy (priv->params[3]);
142 pub->params[4] = _gnutls_mpi_copy (priv->params[4]);
143 pub->params[5] = _gnutls_mpi_copy (priv->params[5]);
144 pub->params[6] = _gnutls_mpi_copy (priv->params[6]);
145 pub->params[7] = _gnutls_mpi_copy (priv->params[7]);
146
147 pub->params_nr = ECC_PUBLIC_PARAMS;
148 pub->flags = priv->flags;
149
150 if (pub->params[0] == NULL || pub->params[1] == NULL ||
151 pub->params[2] == NULL || pub->params[3] == NULL ||
152 pub->params[4] == NULL || pub->params[5] == NULL ||
153 pub->params[6] == NULL || pub->params[7] == NULL)
154 {
155 gnutls_assert ();
156 ret = GNUTLS_E_MEMORY_ERROR;
157 goto cleanup;
158 }
159
160 break;
161 default:
162 gnutls_assert ();
163 return GNUTLS_E_INVALID_REQUEST;
164 }
165
166 return 0;
167 cleanup:
168 gnutls_pk_params_release(pub);
169 return ret;
170 }
171
172
173 /* Returns the public key of the private key (if possible)
174 */
175 int
176 _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
177 gnutls_pk_params_st * params)
178 {
179 int ret;
180 gnutls_pk_algorithm_t pk = gnutls_privkey_get_pk_algorithm (key, NULL);
181
182 switch (key->type)
183 {
184 #ifdef ENABLE_OPENPGP
185 case GNUTLS_PRIVKEY_OPENPGP:
186 {
187 gnutls_pk_params_st tmp_params;
188 uint32_t kid[2];
189 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
190
191 ret =
192 gnutls_openpgp_privkey_get_preferred_key_id (key->key.openpgp,
193 keyid);
194 if (ret == 0)
195 {
196 KEYID_IMPORT (kid, keyid);
197 ret = _gnutls_openpgp_privkey_get_mpis (key->key.openpgp, kid,
198 &tmp_params);
199 }
200 else
201 ret = _gnutls_openpgp_privkey_get_mpis (key->key.openpgp, NULL,
202 &tmp_params);
203
204 if (ret < 0)
205 {
206 gnutls_assert ();
207 return ret;
208 }
209
210 ret = privkey_to_pubkey (pk,
211 &tmp_params,
212 params);
213
214 gnutls_pk_params_release(&tmp_params);
215 }
216
217 break;
218 #endif
219 case GNUTLS_PRIVKEY_X509:
220 ret = privkey_to_pubkey (pk,
221 &key->key.x509->params,
222 params);
223 break;
224 default:
225 gnutls_assert ();
226 return GNUTLS_E_INVALID_REQUEST;
227 }
228
229 return ret;
230 }
231
232 /**
233 * gnutls_privkey_init:
234 * @key: The structure to be initialized
235 *
236 * This function will initialize an private key structure.
237 *
238 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
239 * negative error value.
240 *
241 * Since: 2.12.0
242 **/
243 int
244 gnutls_privkey_init (gnutls_privkey_t * key)
245 {
246 *key = gnutls_calloc (1, sizeof (struct gnutls_privkey_st));
247 if (*key == NULL)
248 {
249 gnutls_assert ();
250 return GNUTLS_E_MEMORY_ERROR;
251 }
252
253 return 0;
254 }
255
256 /**
257 * gnutls_privkey_deinit:
258 * @key: The structure to be deinitialized
259 *
260 * This function will deinitialize a private key structure.
261 *
262 * Since: 2.12.0
263 **/
264 void
265 gnutls_privkey_deinit (gnutls_privkey_t key)
266 {
267 if (key == NULL) return;
268
269 if (key->flags & GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE || key->flags & GNUTLS_PRIVKEY_IMPORT_COPY)
270 switch (key->type)
271 {
272 #ifdef ENABLE_OPENPGP
273 case GNUTLS_PRIVKEY_OPENPGP:
274 gnutls_openpgp_privkey_deinit (key->key.openpgp);
275 break;
276 #endif
277 #ifdef ENABLE_PKCS11
278 case GNUTLS_PRIVKEY_PKCS11:
279 gnutls_pkcs11_privkey_deinit (key->key.pkcs11);
280 break;
281 #endif
282 case GNUTLS_PRIVKEY_X509:
283 gnutls_x509_privkey_deinit (key->key.x509);
284 break;
285 case GNUTLS_PRIVKEY_EXT:
286 if (key->key.ext.deinit_func != NULL)
287 key->key.ext.deinit_func(key, key->key.ext.userdata);
288 break;
289 default:
290 break;
291 }
292 gnutls_free (key);
293 }
294
295 /* will fail if the private key contains an actual key.
296 */
297 static int check_if_clean(gnutls_privkey_t key)
298 {
299 if (key->type != 0)
300 return GNUTLS_E_INVALID_REQUEST;
301
302 return 0;
303 }
304
305 #ifdef ENABLE_PKCS11
306
307 /**
308 * gnutls_privkey_import_pkcs11:
309 * @pkey: The private key
310 * @key: The private key to be imported
311 * @flags: Flags for the import
312 *
313 * This function will import the given private key to the abstract
314 * #gnutls_privkey_t structure.
315 *
316 * The #gnutls_pkcs11_privkey_t object must not be deallocated
317 * during the lifetime of this structure.
318 *
319 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
320 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
321 *
322 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
323 * negative error value.
324 *
325 * Since: 2.12.0
326 **/
327 int
328 gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey,
329 gnutls_pkcs11_privkey_t key, unsigned int flags)
330 {
331 int ret;
332
333 ret = check_if_clean(pkey);
334 if (ret < 0)
335 {
336 gnutls_assert();
337 return ret;
338 }
339
340 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
341 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
342
343 pkey->key.pkcs11 = key;
344 pkey->type = GNUTLS_PRIVKEY_PKCS11;
345 pkey->pk_algorithm = gnutls_pkcs11_privkey_get_pk_algorithm (key, NULL);
346 pkey->flags = flags;
347
348 if (pkey->pin.data)
349 gnutls_pkcs11_privkey_set_pin_function(key, pkey->pin.cb, pkey->pin.data);
350
351 return 0;
352 }
353
354 /**
355 * gnutls_privkey_import_pkcs11_url:
356 * @key: A key of type #gnutls_pubkey_t
357 * @url: A PKCS 11 url
358 *
359 * This function will import a PKCS 11 private key to a #gnutls_private_key_t
360 * structure.
361 *
362 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
363 * negative error value.
364 *
365 * Since: 3.1.0
366 **/
367 int
368 gnutls_privkey_import_pkcs11_url (gnutls_privkey_t key, const char *url)
369 {
370 gnutls_pkcs11_privkey_t pkey;
371 int ret;
372
373 ret = gnutls_pkcs11_privkey_init (&pkey);
374 if (ret < 0)
375 {
376 gnutls_assert ();
377 return ret;
378 }
379
380 if (key->pin.cb)
381 gnutls_pkcs11_privkey_set_pin_function(pkey, key->pin.cb, key->pin.data);
382
383 ret = gnutls_pkcs11_privkey_import_url (pkey, url, 0);
384 if (ret < 0)
385 {
386 gnutls_assert ();
387 goto cleanup;
388 }
389
390 ret = gnutls_privkey_import_pkcs11 (key, pkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
391 if (ret < 0)
392 {
393 gnutls_assert ();
394 goto cleanup;
395 }
396
397 return 0;
398
399 cleanup:
400 gnutls_pkcs11_privkey_deinit (pkey);
401
402 return ret;
403 }
404
405 #endif /* ENABLE_PKCS11 */
406
407 /**
408 * gnutls_privkey_import_ext:
409 * @pkey: The private key
410 * @pk: The public key algorithm
411 * @userdata: private data to be provided to the callbacks
412 * @sign_func: callback for signature operations
413 * @decrypt_func: callback for decryption operations
414 * @flags: Flags for the import
415 *
416 * This function will associate the given callbacks with the
417 * #gnutls_privkey_t structure. At least one of the two callbacks
418 * must be non-null.
419 *
420 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
421 * negative error value.
422 *
423 * Since: 3.0
424 **/
425 int
426 gnutls_privkey_import_ext (gnutls_privkey_t pkey,
427 gnutls_pk_algorithm_t pk,
428 void* userdata,
429 gnutls_privkey_sign_func sign_func,
430 gnutls_privkey_decrypt_func decrypt_func,
431 unsigned int flags)
432 {
433 return gnutls_privkey_import_ext2( pkey, pk, userdata, sign_func, decrypt_func,
434 NULL, flags);
435 }
436
437 /**
438 * gnutls_privkey_import_ext2:
439 * @pkey: The private key
440 * @pk: The public key algorithm
441 * @userdata: private data to be provided to the callbacks
442 * @sign_func: callback for signature operations
443 * @decrypt_func: callback for decryption operations
444 * @deinit_func: a deinitialization function
445 * @flags: Flags for the import
446 *
447 * This function will associate the given callbacks with the
448 * #gnutls_privkey_t structure. At least one of the two callbacks
449 * must be non-null. If a deinitialization function is provided
450 * then flags is assumed to contain %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE.
451 *
452 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
453 * negative error value.
454 *
455 * Since: 3.1
456 **/
457 int
458 gnutls_privkey_import_ext2 (gnutls_privkey_t pkey,
459 gnutls_pk_algorithm_t pk,
460 void* userdata,
461 gnutls_privkey_sign_func sign_func,
462 gnutls_privkey_decrypt_func decrypt_func,
463 gnutls_privkey_deinit_func deinit_func,
464 unsigned int flags)
465 {
466 int ret;
467
468 ret = check_if_clean(pkey);
469 if (ret < 0)
470 {
471 gnutls_assert();
472 return ret;
473 }
474
475 if (sign_func == NULL && decrypt_func == NULL)
476 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
477
478 pkey->key.ext.sign_func = sign_func;
479 pkey->key.ext.decrypt_func = decrypt_func;
480 pkey->key.ext.deinit_func = deinit_func;
481 pkey->key.ext.userdata = userdata;
482 pkey->type = GNUTLS_PRIVKEY_EXT;
483 pkey->pk_algorithm = pk;
484 pkey->flags = flags;
485
486 /* Ensure gnutls_privkey_deinit() calls the deinit_func */
487 if (deinit_func)
488 pkey->flags |= GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE;
489
490 return 0;
491 }
492
493 /**
494 * gnutls_privkey_import_x509:
495 * @pkey: The private key
496 * @key: The private key to be imported
497 * @flags: Flags for the import
498 *
499 * This function will import the given private key to the abstract
500 * #gnutls_privkey_t structure.
501 *
502 * The #gnutls_x509_privkey_t object must not be deallocated
503 * during the lifetime of this structure.
504 *
505 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
506 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
507 *
508 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
509 * negative error value.
510 *
511 * Since: 2.12.0
512 **/
513 int
514 gnutls_privkey_import_x509 (gnutls_privkey_t pkey,
515 gnutls_x509_privkey_t key, unsigned int flags)
516 {
517 int ret;
518
519 ret = check_if_clean(pkey);
520 if (ret < 0)
521 {
522 gnutls_assert();
523 return ret;
524 }
525
526 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
527 {
528 ret = gnutls_x509_privkey_init(&pkey->key.x509);
529 if (ret < 0)
530 return gnutls_assert_val(ret);
531
532 ret = gnutls_x509_privkey_cpy(pkey->key.x509, key);
533 if (ret < 0)
534 {
535 gnutls_x509_privkey_deinit(pkey->key.x509);
536 return gnutls_assert_val(ret);
537 }
538 }
539 else
540 pkey->key.x509 = key;
541
542 pkey->type = GNUTLS_PRIVKEY_X509;
543 pkey->pk_algorithm = gnutls_x509_privkey_get_pk_algorithm (key);
544 pkey->flags = flags;
545
546 return 0;
547 }
548
549 #ifdef ENABLE_OPENPGP
550 /**
551 * gnutls_privkey_import_openpgp:
552 * @pkey: The private key
553 * @key: The private key to be imported
554 * @flags: Flags for the import
555 *
556 * This function will import the given private key to the abstract
557 * #gnutls_privkey_t structure.
558 *
559 * The #gnutls_openpgp_privkey_t object must not be deallocated
560 * during the lifetime of this structure. The subkey set as
561 * preferred will be used, or the master key otherwise.
562 *
563 * @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
564 * and %GNUTLS_PRIVKEY_IMPORT_COPY.
565 *
566 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
567 * negative error value.
568 *
569 * Since: 2.12.0
570 **/
571 int
572 gnutls_privkey_import_openpgp (gnutls_privkey_t pkey,
573 gnutls_openpgp_privkey_t key,
574 unsigned int flags)
575 {
576 int ret, idx;
577 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
578
579 ret = check_if_clean(pkey);
580 if (ret < 0)
581 {
582 gnutls_assert();
583 return ret;
584 }
585
586 if (flags & GNUTLS_PRIVKEY_IMPORT_COPY)
587 {
588 ret = gnutls_openpgp_privkey_init(&pkey->key.openpgp);
589 if (ret < 0)
590 return gnutls_assert_val(ret);
591
592 ret = _gnutls_openpgp_privkey_cpy(pkey->key.openpgp, key);
593 if (ret < 0)
594 {
595 gnutls_openpgp_privkey_deinit(pkey->key.openpgp);
596 return gnutls_assert_val(ret);
597 }
598 }
599 else
600 pkey->key.openpgp = key;
601
602 pkey->type = GNUTLS_PRIVKEY_OPENPGP;
603
604 ret = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
605 if (ret == GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR)
606 {
607 pkey->pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm(key, NULL);
608 }
609 else
610 {
611 if (ret < 0)
612 return gnutls_assert_val(ret);
613
614 idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
615
616 pkey->pk_algorithm = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, NULL);
617 }
618
619 pkey->flags = flags;
620
621 return 0;
622 }
623
624 /**
625 * gnutls_privkey_import_openpgp_raw:
626 * @pkey: The private key
627 * @data: The private key data to be imported
628 * @format: The format of the private key
629 * @keyid: The key id to use (optional)
630 * @password: A password (optional)
631 *
632 * This function will import the given private key to the abstract
633 * #gnutls_privkey_t structure.
634 *
635 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
636 * negative error value.
637 *
638 * Since: 3.1.0
639 **/
640 int gnutls_privkey_import_openpgp_raw (gnutls_privkey_t pkey,
641 const gnutls_datum_t * data,
642 gnutls_openpgp_crt_fmt_t format,
643 const gnutls_openpgp_keyid_t keyid,
644 const char* password)
645 {
646 gnutls_openpgp_privkey_t xpriv;
647 int ret;
648
649 ret = gnutls_openpgp_privkey_init(&xpriv);
650 if (ret < 0)
651 return gnutls_assert_val(ret);
652
653 ret = gnutls_openpgp_privkey_import(xpriv, data, format, password, 0);
654 if (ret < 0)
655 {
656 gnutls_assert();
657 goto cleanup;
658 }
659
660 if(keyid)
661 {
662 ret = gnutls_openpgp_privkey_set_preferred_key_id(xpriv, keyid);
663 if (ret < 0)
664 {
665 gnutls_assert();
666 goto cleanup;
667 }
668 }
669
670 ret = gnutls_privkey_import_openpgp(pkey, xpriv, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
671 if (ret < 0)
672 {
673 gnutls_assert();
674 goto cleanup;
675 }
676
677 ret = 0;
678
679 cleanup:
680 gnutls_openpgp_privkey_deinit(xpriv);
681
682 return ret;
683 }
684 #endif
685
686 /**
687 * gnutls_privkey_sign_data:
688 * @signer: Holds the key
689 * @hash: should be a digest algorithm
690 * @flags: should be 0 for now
691 * @data: holds the data to be signed
692 * @signature: will contain the signature allocate with gnutls_malloc()
693 *
694 * This function will sign the given data using a signature algorithm
695 * supported by the private key. Signature algorithms are always used
696 * together with a hash functions. Different hash functions may be
697 * used for the RSA algorithm, but only the SHA family for the DSA keys.
698 *
699 * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
700 * the hash algorithm.
701 *
702 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
703 * negative error value.
704 *
705 * Since: 2.12.0
706 **/
707 int
708 gnutls_privkey_sign_data (gnutls_privkey_t signer,
709 gnutls_digest_algorithm_t hash,
710 unsigned int flags,
711 const gnutls_datum_t * data,
712 gnutls_datum_t * signature)
713 {
714 int ret;
715 gnutls_datum_t digest;
716
717 ret = pk_hash_data (signer->pk_algorithm, hash, NULL, data, &digest);
718 if (ret < 0)
719 {
720 gnutls_assert ();
721 return ret;
722 }
723
724 ret = pk_prepare_hash (signer->pk_algorithm, hash, &digest);
725 if (ret < 0)
726 {
727 gnutls_assert ();
728 goto cleanup;
729 }
730
731 ret = _gnutls_privkey_sign_hash (signer, &digest, signature);
732 _gnutls_free_datum (&digest);
733
734 if (ret < 0)
735 {
736 gnutls_assert ();
737 return ret;
738 }
739
740 return 0;
741
742 cleanup:
743 _gnutls_free_datum (&digest);
744 return ret;
745 }
746
747 /**
748 * gnutls_privkey_sign_hash:
749 * @signer: Holds the signer's key
750 * @hash_algo: The hash algorithm used
751 * @flags: zero for now
752 * @hash_data: holds the data to be signed
753 * @signature: will contain newly allocated signature
754 *
755 * This function will sign the given hashed data using a signature algorithm
756 * supported by the private key. Signature algorithms are always used
757 * together with a hash functions. Different hash functions may be
758 * used for the RSA algorithm, but only SHA-XXX for the DSA keys.
759 *
760 * You may use gnutls_pubkey_get_preferred_hash_algorithm() to determine
761 * the hash algorithm.
762 *
763 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
764 * negative error value.
765 *
766 * Since: 2.12.0
767 **/
768 int
769 gnutls_privkey_sign_hash (gnutls_privkey_t signer,
770 gnutls_digest_algorithm_t hash_algo,
771 unsigned int flags,
772 const gnutls_datum_t * hash_data,
773 gnutls_datum_t * signature)
774 {
775 int ret;
776 gnutls_datum_t digest;
777
778 digest.data = gnutls_malloc (hash_data->size);
779 if (digest.data == NULL)
780 {
781 gnutls_assert ();
782 return GNUTLS_E_MEMORY_ERROR;
783 }
784 digest.size = hash_data->size;
785 memcpy (digest.data, hash_data->data, digest.size);
786
787 ret = pk_prepare_hash (signer->pk_algorithm, hash_algo, &digest);
788 if (ret < 0)
789 {
790 gnutls_assert ();
791 goto cleanup;
792 }
793
794 ret = _gnutls_privkey_sign_hash (signer, &digest, signature);
795 if (ret < 0)
796 {
797 gnutls_assert ();
798 goto cleanup;
799 }
800
801 ret = 0;
802
803 cleanup:
804 _gnutls_free_datum (&digest);
805 return ret;
806 }
807
808 /*-
809 * _gnutls_privkey_sign_hash:
810 * @key: Holds the key
811 * @data: holds the data to be signed
812 * @signature: will contain the signature allocate with gnutls_malloc()
813 *
814 * This function will sign the given data using a signature algorithm
815 * supported by the private key.
816 *
817 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
818 * negative error value.
819 -*/
820 int
821 _gnutls_privkey_sign_hash (gnutls_privkey_t key,
822 const gnutls_datum_t * hash,
823 gnutls_datum_t * signature)
824 {
825 switch (key->type)
826 {
827 #ifdef ENABLE_OPENPGP
828 case GNUTLS_PRIVKEY_OPENPGP:
829 return gnutls_openpgp_privkey_sign_hash (key->key.openpgp,
830 hash, signature);
831 #endif
832 #ifdef ENABLE_PKCS11
833 case GNUTLS_PRIVKEY_PKCS11:
834 return _gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11,
835 hash, signature);
836 #endif
837 case GNUTLS_PRIVKEY_X509:
838 return _gnutls_pk_sign (key->key.x509->pk_algorithm,
839 signature, hash, &key->key.x509->params);
840 case GNUTLS_PRIVKEY_EXT:
841 if (key->key.ext.sign_func == NULL)
842 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
843 return key->key.ext.sign_func(key, key->key.ext.userdata, hash, signature);
844 default:
845 gnutls_assert ();
846 return GNUTLS_E_INVALID_REQUEST;
847 }
848 }
849
850 /**
851 * gnutls_privkey_decrypt_data:
852 * @key: Holds the key
853 * @flags: zero for now
854 * @ciphertext: holds the data to be decrypted
855 * @plaintext: will contain the decrypted data, allocated with gnutls_malloc()
856 *
857 * This function will decrypt the given data using the algorithm
858 * supported by the private key.
859 *
860 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
861 * negative error value.
862 *
863 * Since: 2.12.0
864 **/
865 int
866 gnutls_privkey_decrypt_data (gnutls_privkey_t key,
867 unsigned int flags,
868 const gnutls_datum_t * ciphertext,
869 gnutls_datum_t * plaintext)
870 {
871 switch (key->type)
872 {
873 #ifdef ENABLE_OPENPGP
874 case GNUTLS_PRIVKEY_OPENPGP:
875 return _gnutls_openpgp_privkey_decrypt_data (key->key.openpgp, flags,
876 ciphertext, plaintext);
877 #endif
878 case GNUTLS_PRIVKEY_X509:
879 return _gnutls_pk_decrypt (key->pk_algorithm, plaintext, ciphertext,
880 &key->key.x509->params);
881 #ifdef ENABLE_PKCS11
882 case GNUTLS_PRIVKEY_PKCS11:
883 return _gnutls_pkcs11_privkey_decrypt_data (key->key.pkcs11,
884 flags,
885 ciphertext, plaintext);
886 #endif
887 case GNUTLS_PRIVKEY_EXT:
888 if (key->key.ext.decrypt_func == NULL)
889 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
890
891 return key->key.ext.decrypt_func(key, key->key.ext.userdata, ciphertext, plaintext);
892 default:
893 gnutls_assert ();
894 return GNUTLS_E_INVALID_REQUEST;
895 }
896 }
897
898 /**
899 * gnutls_privkey_import_x509_raw:
900 * @pkey: The private key
901 * @data: The private key data to be imported
902 * @format: The format of the private key
903 * @password: A password (optional)
904 * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t
905 *
906 * This function will import the given private key to the abstract
907 * #gnutls_privkey_t structure.
908 *
909 * The supported formats are basic unencrypted key, PKCS #8, PKCS #12,
910 * and the openssl format.
911 *
912 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
913 * negative error value.
914 *
915 * Since: 3.1.0
916 **/
917 int gnutls_privkey_import_x509_raw (gnutls_privkey_t pkey,
918 const gnutls_datum_t * data,
919 gnutls_x509_crt_fmt_t format,
920 const char* password, unsigned int flags)
921 {
922 gnutls_x509_privkey_t xpriv;
923 int ret;
924
925 ret = gnutls_x509_privkey_init(&xpriv);
926 if (ret < 0)
927 return gnutls_assert_val(ret);
928
929 ret = gnutls_x509_privkey_import2(xpriv, data, format, password, flags);
930 if (ret < 0)
931 {
932 gnutls_assert();
933 goto cleanup;
934 }
935
936 ret = gnutls_privkey_import_x509(pkey, xpriv, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
937 if (ret < 0)
938 {
939 gnutls_assert();
940 goto cleanup;
941 }
942
943 return 0;
944
945 cleanup:
946 gnutls_x509_privkey_deinit(xpriv);
947
948 return ret;
949 }
950
951 /**
952 * gnutls_privkey_import_url:
953 * @key: A key of type #gnutls_privkey_t
954 * @url: A PKCS 11 url
955 * @flags: should be zero
956 *
957 * This function will import a PKCS11 or TPM URL as a
958 * private key. The supported URL types can be checked
959 * using gnutls_url_is_supported().
960 *
961 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
962 * negative error value.
963 *
964 * Since: 3.1.0
965 **/
966 int
967 gnutls_privkey_import_url (gnutls_privkey_t key, const char *url, unsigned int flags)
968 {
969 #ifdef ENABLE_PKCS11
970 if (strstr(url, "pkcs11:") != NULL)
971 return gnutls_privkey_import_pkcs11_url(key, url);
972 #endif
973 #ifdef HAVE_TROUSERS
974 if (strstr(url, "tpmkey:") != NULL)
975 return gnutls_privkey_import_tpm_url(key, url, NULL, NULL, 0);
976 #endif
977 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
978 }
979
980 /**
981 * gnutls_privkey_set_pin_function:
982 * @key: A key of type #gnutls_privkey_t
983 * @fn: the callback
984 * @userdata: data associated with the callback
985 *
986 * This function will set a callback function to be used when
987 * required to access the object. This function overrides any other
988 * global PIN functions.
989 *
990 * Note that this function must be called right after initialization
991 * to have effect.
992 *
993 * Since: 3.1.0
994 *
995 **/
996 void gnutls_privkey_set_pin_function (gnutls_privkey_t key,
997 gnutls_pin_callback_t fn, void *userdata)
998 {
999 key->pin.cb = fn;
1000 key->pin.data = userdata;
1001 }
Implementation of the SSL/TLS protocol