2 * GnuTLS public key support
3 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
21 #include <gnutls_int.h>
22 #include <gnutls/pkcs11.h>
25 #include <gnutls_errors.h>
26 #include <gnutls_datum.h>
27 #include <pkcs11_int.h>
28 #include <gnutls/abstract.h>
29 #include <gnutls_sig.h>
30 #include <gnutls_pk.h>
32 #include <openpgp/openpgp_int.h>
33 #include <gnutls_num.h>
34 #include <x509/common.h>
36 #include <abstract_int.h>
37 #include <gnutls_ecc.h>
39 #define PK_PEM_HEADER "PUBLIC KEY"
41 #define OPENPGP_KEY_PRIMARY 2
42 #define OPENPGP_KEY_SUBKEY 1
45 int pubkey_to_bits(gnutls_pk_algorithm_t pk
, gnutls_pk_params_st
* params
)
50 return _gnutls_mpi_get_nbits(params
->params
[0]);
52 return _gnutls_mpi_get_nbits(params
->params
[3]);
54 return gnutls_ecc_curve_get_size(params
->flags
)*8;
61 * gnutls_pubkey_get_pk_algorithm:
62 * @key: should contain a #gnutls_pubkey_t structure
63 * @bits: If set will return the number of bits of the parameters (may be NULL)
65 * This function will return the public key algorithm of a public
66 * key and if possible will return a number of bits that indicates
67 * the security parameter of the key.
69 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
70 * success, or a negative error code on error.
75 gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key
, unsigned int *bits
)
80 return key
->pk_algorithm
;
84 * gnutls_pubkey_get_key_usage:
85 * @key: should contain a #gnutls_pubkey_t structure
86 * @usage: If set will return the number of bits of the parameters (may be NULL)
88 * This function will return the key usage of the public key.
90 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
91 * negative error value.
96 gnutls_pubkey_get_key_usage (gnutls_pubkey_t key
, unsigned int *usage
)
99 *usage
= key
->key_usage
;
105 * gnutls_pubkey_init:
106 * @key: The structure to be initialized
108 * This function will initialize an public key structure.
110 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
111 * negative error value.
116 gnutls_pubkey_init (gnutls_pubkey_t
* key
)
118 *key
= gnutls_calloc (1, sizeof (struct gnutls_pubkey_st
));
122 return GNUTLS_E_MEMORY_ERROR
;
129 * gnutls_pubkey_deinit:
130 * @key: The structure to be deinitialized
132 * This function will deinitialize a public key structure.
137 gnutls_pubkey_deinit (gnutls_pubkey_t key
)
141 gnutls_pk_params_release (&key
->params
);
146 * gnutls_pubkey_import_x509:
147 * @key: The public key
148 * @crt: The certificate to be imported
149 * @flags: should be zero
151 * This function will import the given public key to the abstract
152 * #gnutls_pubkey_t structure.
154 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
155 * negative error value.
160 gnutls_pubkey_import_x509 (gnutls_pubkey_t key
, gnutls_x509_crt_t crt
,
165 key
->pk_algorithm
= gnutls_x509_crt_get_pk_algorithm (crt
, &key
->bits
);
167 ret
= gnutls_x509_crt_get_key_usage (crt
, &key
->key_usage
, NULL
);
171 ret
= _gnutls_x509_crt_get_mpis (crt
, &key
->params
);
182 * gnutls_pubkey_import_privkey:
183 * @key: The public key
184 * @pkey: The private key
185 * @usage: GNUTLS_KEY_* key usage flags.
186 * @flags: should be zero
188 * Imports the public key from a private. This function will import
189 * the given public key to the abstract #gnutls_pubkey_t structure.
191 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
192 * negative error value.
197 gnutls_pubkey_import_privkey (gnutls_pubkey_t key
, gnutls_privkey_t pkey
,
198 unsigned int usage
, unsigned int flags
)
200 key
->pk_algorithm
= gnutls_privkey_get_pk_algorithm (pkey
, &key
->bits
);
202 key
->key_usage
= usage
;
204 return _gnutls_privkey_get_public_mpis (pkey
, &key
->params
);
208 * gnutls_pubkey_get_preferred_hash_algorithm:
209 * @key: Holds the certificate
210 * @hash: The result of the call with the hash algorithm used for signature
211 * @mand: If non zero it means that the algorithm MUST use this hash. May be NULL.
213 * This function will read the certifcate and return the appropriate digest
214 * algorithm to use for signing with this certificate. Some certificates (i.e.
215 * DSA might not be able to sign without the preferred algorithm).
217 * Returns: the 0 if the hash algorithm is found. A negative error code is
223 gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key
,
224 gnutls_digest_algorithm_t
*
225 hash
, unsigned int *mand
)
232 return GNUTLS_E_INVALID_REQUEST
;
235 ret
= _gnutls_pk_get_hash_algorithm (key
->pk_algorithm
,
245 * gnutls_pubkey_import_pkcs11:
246 * @key: The public key
247 * @obj: The parameters to be imported
248 * @flags: should be zero
250 * Imports a public key from a pkcs11 key. This function will import
251 * the given public key to the abstract #gnutls_pubkey_t structure.
253 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
254 * negative error value.
259 gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key
,
260 gnutls_pkcs11_obj_t obj
, unsigned int flags
)
264 type
= gnutls_pkcs11_obj_get_type (obj
);
265 if (type
!= GNUTLS_PKCS11_OBJ_PUBKEY
&& type
!= GNUTLS_PKCS11_OBJ_X509_CRT
)
268 return GNUTLS_E_INVALID_REQUEST
;
271 if (type
== GNUTLS_PKCS11_OBJ_X509_CRT
)
273 gnutls_x509_crt_t xcrt
;
275 ret
= gnutls_x509_crt_init (&xcrt
);
282 ret
= gnutls_x509_crt_import_pkcs11 (xcrt
, obj
);
289 ret
= gnutls_pubkey_import_x509 (key
, xcrt
, 0);
296 gnutls_x509_crt_get_key_usage(xcrt
, &key
->key_usage
, NULL
);
300 gnutls_x509_crt_deinit(xcrt
);
304 key
->key_usage
= obj
->key_usage
;
306 switch (obj
->pk_algorithm
)
309 ret
= gnutls_pubkey_import_rsa_raw (key
, &obj
->pubkey
[0],
313 ret
= gnutls_pubkey_import_dsa_raw (key
, &obj
->pubkey
[0],
315 &obj
->pubkey
[2], &obj
->pubkey
[3]);
318 ret
= gnutls_pubkey_import_ecc_x962 (key
, &obj
->pubkey
[0],
323 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
335 #endif /* ENABLE_PKCS11 */
337 #ifdef ENABLE_OPENPGP
340 * gnutls_pubkey_import_openpgp:
341 * @key: The public key
342 * @crt: The certificate to be imported
343 * @flags: should be zero
345 * Imports a public key from an openpgp key. This function will import
346 * the given public key to the abstract #gnutls_pubkey_t
347 * structure. The subkey set as preferred will be imported or the
348 * master key otherwise.
350 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
351 * negative error value.
356 gnutls_pubkey_import_openpgp (gnutls_pubkey_t key
,
357 gnutls_openpgp_crt_t crt
,
363 uint8_t keyid
[GNUTLS_OPENPGP_KEYID_SIZE
];
365 ret
= gnutls_openpgp_crt_get_preferred_key_id (crt
, keyid
);
366 if (ret
== GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR
)
368 key
->pk_algorithm
= gnutls_openpgp_crt_get_pk_algorithm (crt
, &key
->bits
);
369 key
->openpgp_key_id_set
= OPENPGP_KEY_PRIMARY
;
371 ret
= gnutls_openpgp_crt_get_key_id(crt
, key
->openpgp_key_id
);
373 return gnutls_assert_val(ret
);
375 ret
= gnutls_openpgp_crt_get_key_usage (crt
, &key
->key_usage
);
388 key
->openpgp_key_id_set
= OPENPGP_KEY_SUBKEY
;
390 KEYID_IMPORT (kid32
, keyid
);
393 idx
= gnutls_openpgp_crt_get_subkey_idx (crt
, keyid
);
395 ret
= gnutls_openpgp_crt_get_subkey_id(crt
, idx
, key
->openpgp_key_id
);
397 return gnutls_assert_val(ret
);
399 ret
= gnutls_openpgp_crt_get_subkey_usage (crt
, idx
, &key
->key_usage
);
403 key
->pk_algorithm
= gnutls_openpgp_crt_get_subkey_pk_algorithm (crt
, idx
, NULL
);
407 _gnutls_openpgp_crt_get_mpis (crt
, k
, &key
->params
);
409 return gnutls_assert_val(ret
);
415 * gnutls_pubkey_get_openpgp_key_id:
416 * @key: Holds the public key
417 * @flags: should be 0 for now
418 * @output_data: will contain the key ID
419 * @output_data_size: holds the size of output_data (and will be
420 * replaced by the actual size of parameters)
421 * @subkey: Will be non zero if the key ID corresponds to a subkey
423 * This function will return a unique ID the depends on the public
424 * key parameters. This ID can be used in checking whether a
425 * certificate corresponds to the given public key.
427 * If the buffer provided is not long enough to hold the output, then
428 * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
429 * be returned. The output will normally be a SHA-1 hash output,
432 * Returns: In case of failure a negative error code will be
433 * returned, and 0 on success.
438 gnutls_pubkey_get_openpgp_key_id (gnutls_pubkey_t key
, unsigned int flags
,
439 unsigned char *output_data
,
440 size_t * output_data_size
,
441 unsigned int *subkey
)
446 return GNUTLS_E_INVALID_REQUEST
;
449 if (*output_data_size
< sizeof(key
->openpgp_key_id
))
451 *output_data_size
= sizeof(key
->openpgp_key_id
);
452 return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER
);
455 if (key
->openpgp_key_id_set
== 0)
456 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
458 if (key
->openpgp_key_id_set
== OPENPGP_KEY_SUBKEY
)
459 if (subkey
) *subkey
= 1;
463 memcpy(output_data
, key
->openpgp_key_id
, sizeof(key
->openpgp_key_id
));
465 *output_data_size
= sizeof(key
->openpgp_key_id
);
471 * gnutls_pubkey_import_openpgp_raw:
472 * @pkey: The public key
473 * @data: The public key data to be imported
474 * @format: The format of the public key
475 * @keyid: The key id to use (optional)
476 * @flags: Should be zero
478 * This function will import the given public key to the abstract
479 * #gnutls_pubkey_t structure.
481 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
482 * negative error value.
486 int gnutls_pubkey_import_openpgp_raw (gnutls_pubkey_t pkey
,
487 const gnutls_datum_t
* data
,
488 gnutls_openpgp_crt_fmt_t format
,
489 const gnutls_openpgp_keyid_t keyid
,
492 gnutls_openpgp_crt_t xpriv
;
495 ret
= gnutls_openpgp_crt_init(&xpriv
);
497 return gnutls_assert_val(ret
);
499 ret
= gnutls_openpgp_crt_import(xpriv
, data
, format
);
508 ret
= gnutls_openpgp_crt_set_preferred_key_id(xpriv
, keyid
);
516 ret
= gnutls_pubkey_import_openpgp(pkey
, xpriv
, flags
);
526 gnutls_openpgp_crt_deinit(xpriv
);
534 * gnutls_pubkey_export:
535 * @key: Holds the certificate
536 * @format: the format of output params. One of PEM or DER.
537 * @output_data: will contain a certificate PEM or DER encoded
538 * @output_data_size: holds the size of output_data (and will be
539 * replaced by the actual size of parameters)
541 * This function will export the public key to DER or PEM format.
542 * The contents of the exported data is the SubjectPublicKeyInfo
545 * If the buffer provided is not long enough to hold the output, then
546 * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
549 * If the structure is PEM encoded, it will have a header
550 * of "BEGIN CERTIFICATE".
552 * Returns: In case of failure a negative error code will be
553 * returned, and 0 on success.
558 gnutls_pubkey_export (gnutls_pubkey_t key
,
559 gnutls_x509_crt_fmt_t format
, void *output_data
,
560 size_t * output_data_size
)
563 ASN1_TYPE spk
= ASN1_TYPE_EMPTY
;
568 return GNUTLS_E_INVALID_REQUEST
;
571 if ((result
= asn1_create_element
572 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk
))
576 return _gnutls_asn2err (result
);
580 _gnutls_x509_encode_and_copy_PKI_params (spk
, "",
589 result
= _gnutls_x509_export_int_named (spk
, "",
590 format
, PK_PEM_HEADER
,
591 output_data
, output_data_size
);
601 asn1_delete_structure (&spk
);
607 * gnutls_pubkey_export2:
608 * @key: Holds the certificate
609 * @format: the format of output params. One of PEM or DER.
610 * @out: will contain a certificate PEM or DER encoded
612 * This function will export the public key to DER or PEM format.
613 * The contents of the exported data is the SubjectPublicKeyInfo
616 * The output buffer will be allocated using gnutls_malloc().
618 * If the structure is PEM encoded, it will have a header
619 * of "BEGIN CERTIFICATE".
621 * Returns: In case of failure a negative error code will be
622 * returned, and 0 on success.
627 gnutls_pubkey_export2 (gnutls_pubkey_t key
,
628 gnutls_x509_crt_fmt_t format
,
629 gnutls_datum_t
* out
)
632 ASN1_TYPE spk
= ASN1_TYPE_EMPTY
;
637 return GNUTLS_E_INVALID_REQUEST
;
640 if ((result
= asn1_create_element
641 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk
))
645 return _gnutls_asn2err (result
);
649 _gnutls_x509_encode_and_copy_PKI_params (spk
, "",
658 result
= _gnutls_x509_export_int_named2 (spk
, "",
659 format
, PK_PEM_HEADER
, out
);
669 asn1_delete_structure (&spk
);
675 * gnutls_pubkey_get_key_id:
676 * @key: Holds the public key
677 * @flags: should be 0 for now
678 * @output_data: will contain the key ID
679 * @output_data_size: holds the size of output_data (and will be
680 * replaced by the actual size of parameters)
682 * This function will return a unique ID the depends on the public
683 * key parameters. This ID can be used in checking whether a
684 * certificate corresponds to the given public key.
686 * If the buffer provided is not long enough to hold the output, then
687 * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
688 * be returned. The output will normally be a SHA-1 hash output,
691 * Returns: In case of failure a negative error code will be
692 * returned, and 0 on success.
697 gnutls_pubkey_get_key_id (gnutls_pubkey_t key
, unsigned int flags
,
698 unsigned char *output_data
,
699 size_t * output_data_size
)
706 return GNUTLS_E_INVALID_REQUEST
;
710 _gnutls_get_key_id (key
->pk_algorithm
, &key
->params
,
711 output_data
, output_data_size
);
722 * gnutls_pubkey_get_pk_rsa_raw:
723 * @key: Holds the certificate
724 * @m: will hold the modulus
725 * @e: will hold the public exponent
727 * This function will export the RSA public key's parameters found in
728 * the given structure. The new parameters will be allocated using
729 * gnutls_malloc() and will be stored in the appropriate datum.
731 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
736 gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key
,
737 gnutls_datum_t
* m
, gnutls_datum_t
* e
)
744 return GNUTLS_E_INVALID_REQUEST
;
747 if (key
->pk_algorithm
!= GNUTLS_PK_RSA
)
750 return GNUTLS_E_INVALID_REQUEST
;
753 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[0], m
);
760 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[1], e
);
764 _gnutls_free_datum (m
);
772 * gnutls_pubkey_get_pk_dsa_raw:
773 * @key: Holds the public key
774 * @p: will hold the p
775 * @q: will hold the q
776 * @g: will hold the g
777 * @y: will hold the y
779 * This function will export the DSA public key's parameters found in
780 * the given certificate. The new parameters will be allocated using
781 * gnutls_malloc() and will be stored in the appropriate datum.
783 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
788 gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key
,
789 gnutls_datum_t
* p
, gnutls_datum_t
* q
,
790 gnutls_datum_t
* g
, gnutls_datum_t
* y
)
797 return GNUTLS_E_INVALID_REQUEST
;
800 if (key
->pk_algorithm
!= GNUTLS_PK_DSA
)
803 return GNUTLS_E_INVALID_REQUEST
;
807 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[0], p
);
815 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[1], q
);
819 _gnutls_free_datum (p
);
825 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[2], g
);
829 _gnutls_free_datum (p
);
830 _gnutls_free_datum (q
);
836 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[3], y
);
840 _gnutls_free_datum (p
);
841 _gnutls_free_datum (g
);
842 _gnutls_free_datum (q
);
850 * gnutls_pubkey_get_pk_ecc_raw:
851 * @key: Holds the public key
852 * @curve: will hold the curve
856 * This function will export the ECC public key's parameters found in
857 * the given certificate. The new parameters will be allocated using
858 * gnutls_malloc() and will be stored in the appropriate datum.
860 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
865 gnutls_pubkey_get_pk_ecc_raw (gnutls_pubkey_t key
, gnutls_ecc_curve_t
*curve
,
866 gnutls_datum_t
* x
, gnutls_datum_t
* y
)
873 return GNUTLS_E_INVALID_REQUEST
;
876 if (key
->pk_algorithm
!= GNUTLS_PK_EC
)
879 return GNUTLS_E_INVALID_REQUEST
;
882 *curve
= key
->params
.flags
;
885 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[ECC_X
], x
);
893 ret
= _gnutls_mpi_dprint_lz (key
->params
.params
[ECC_Y
], y
);
897 _gnutls_free_datum (x
);
905 * gnutls_pubkey_get_pk_ecc_x962:
906 * @key: Holds the public key
907 * @parameters: DER encoding of an ANSI X9.62 parameters
908 * @ecpoint: DER encoding of ANSI X9.62 ECPoint
910 * This function will export the ECC public key's parameters found in
911 * the given certificate. The new parameters will be allocated using
912 * gnutls_malloc() and will be stored in the appropriate datum.
914 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
918 int gnutls_pubkey_get_pk_ecc_x962 (gnutls_pubkey_t key
, gnutls_datum_t
* parameters
,
919 gnutls_datum_t
* ecpoint
)
923 if (key
== NULL
|| key
->pk_algorithm
!= GNUTLS_PK_EC
)
924 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
926 ret
= _gnutls_x509_write_ecc_pubkey(&key
->params
, ecpoint
);
928 return gnutls_assert_val(ret
);
930 ret
= _gnutls_x509_write_ecc_params(&key
->params
, parameters
);
933 _gnutls_free_datum(ecpoint
);
934 return gnutls_assert_val(ret
);
941 * gnutls_pubkey_import:
942 * @key: The structure to store the parsed public key.
943 * @data: The DER or PEM encoded certificate.
944 * @format: One of DER or PEM
946 * This function will import the provided public key in
947 * a SubjectPublicKeyInfo X.509 structure to a native
948 * %gnutls_pubkey_t structure. The output will be stored
949 * in @key. If the public key is PEM encoded it should have a header
952 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
953 * negative error value.
958 gnutls_pubkey_import (gnutls_pubkey_t key
,
959 const gnutls_datum_t
* data
,
960 gnutls_x509_crt_fmt_t format
)
962 int result
= 0, need_free
= 0;
963 gnutls_datum_t _data
;
969 return GNUTLS_E_INVALID_REQUEST
;
972 _data
.data
= data
->data
;
973 _data
.size
= data
->size
;
975 /* If the Certificate is in PEM format then decode it
977 if (format
== GNUTLS_X509_FMT_PEM
)
979 /* Try the first header */
981 _gnutls_fbase64_decode (PK_PEM_HEADER
, data
->data
, data
->size
, &_data
);
992 if ((result
= asn1_create_element
993 (_gnutls_get_pkix (), "PKIX1.SubjectPublicKeyInfo", &spk
))
997 result
= _gnutls_asn2err (result
);
1001 result
= asn1_der_decoding (&spk
, _data
.data
, _data
.size
, NULL
);
1002 if (result
!= ASN1_SUCCESS
)
1005 result
= _gnutls_asn2err (result
);
1009 result
= _gnutls_get_asn_mpis (spk
, "", &key
->params
);
1016 /* this has already been called by get_asn_mpis() thus it cannot
1019 key
->pk_algorithm
= _gnutls_x509_get_pk_algorithm (spk
, "", NULL
);
1020 key
->bits
= pubkey_to_bits(key
->pk_algorithm
, &key
->params
);
1025 asn1_delete_structure (&spk
);
1028 _gnutls_free_datum (&_data
);
1033 * gnutls_x509_crt_set_pubkey:
1034 * @crt: should contain a #gnutls_x509_crt_t structure
1035 * @key: holds a public key
1037 * This function will set the public parameters from the given public
1038 * key to the request.
1040 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1041 * negative error value.
1046 gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt
, gnutls_pubkey_t key
)
1053 return GNUTLS_E_INVALID_REQUEST
;
1056 result
= _gnutls_x509_encode_and_copy_PKI_params (crt
->cert
,
1057 "tbsCertificate.subjectPublicKeyInfo",
1068 gnutls_x509_crt_set_key_usage (crt
, key
->key_usage
);
1074 * gnutls_x509_crq_set_pubkey:
1075 * @crq: should contain a #gnutls_x509_crq_t structure
1076 * @key: holds a public key
1078 * This function will set the public parameters from the given public
1079 * key to the request.
1081 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1082 * negative error value.
1087 gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq
, gnutls_pubkey_t key
)
1094 return GNUTLS_E_INVALID_REQUEST
;
1097 result
= _gnutls_x509_encode_and_copy_PKI_params
1099 "certificationRequestInfo.subjectPKInfo",
1100 key
->pk_algorithm
, &key
->params
);
1109 gnutls_x509_crq_set_key_usage (crq
, key
->key_usage
);
1115 * gnutls_pubkey_set_key_usage:
1116 * @key: a certificate of type #gnutls_x509_crt_t
1117 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
1119 * This function will set the key usage flags of the public key. This
1120 * is only useful if the key is to be exported to a certificate or
1121 * certificate request.
1123 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1124 * negative error value.
1129 gnutls_pubkey_set_key_usage (gnutls_pubkey_t key
, unsigned int usage
)
1131 key
->key_usage
= usage
;
1136 #ifdef ENABLE_PKCS11
1139 * gnutls_pubkey_import_pkcs11_url:
1140 * @key: A key of type #gnutls_pubkey_t
1141 * @url: A PKCS 11 url
1142 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
1144 * This function will import a PKCS 11 certificate to a #gnutls_pubkey_t
1147 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1148 * negative error value.
1153 gnutls_pubkey_import_pkcs11_url (gnutls_pubkey_t key
, const char *url
,
1156 gnutls_pkcs11_obj_t pcrt
;
1159 ret
= gnutls_pkcs11_obj_init (&pcrt
);
1167 gnutls_pkcs11_obj_set_pin_function(pcrt
, key
->pin
.cb
, key
->pin
.data
);
1169 ret
= gnutls_pkcs11_obj_import_url (pcrt
, url
, flags
);
1176 ret
= gnutls_pubkey_import_pkcs11 (key
, pcrt
, 0);
1186 gnutls_pkcs11_obj_deinit (pcrt
);
1191 #endif /* ENABLE_PKCS11 */
1194 * gnutls_pubkey_import_url:
1195 * @key: A key of type #gnutls_pubkey_t
1196 * @url: A PKCS 11 url
1197 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
1199 * This function will import a PKCS11 certificate or a TPM key
1202 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1203 * negative error value.
1208 gnutls_pubkey_import_url (gnutls_pubkey_t key
, const char *url
,
1211 #ifdef ENABLE_PKCS11
1212 if (strstr(url
, "pkcs11:") != NULL
)
1213 return gnutls_pubkey_import_pkcs11_url(key
, url
, flags
);
1215 #ifdef HAVE_TROUSERS
1216 if (strstr(url
, "tpmkey:") != NULL
)
1217 return gnutls_pubkey_import_tpm_url(key
, url
, NULL
, 0);
1219 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
1223 * gnutls_pubkey_import_rsa_raw:
1224 * @key: Is a structure will hold the parameters
1225 * @m: holds the modulus
1226 * @e: holds the public exponent
1228 * This function will replace the parameters in the given structure.
1229 * The new parameters should be stored in the appropriate
1232 * Returns: %GNUTLS_E_SUCCESS on success, or an negative error code.
1237 gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key
,
1238 const gnutls_datum_t
* m
,
1239 const gnutls_datum_t
* e
)
1246 return GNUTLS_E_INVALID_REQUEST
;
1249 gnutls_pk_params_init(&key
->params
);
1252 if (_gnutls_mpi_scan_nz (&key
->params
.params
[0], m
->data
, siz
))
1255 return GNUTLS_E_MPI_SCAN_FAILED
;
1259 if (_gnutls_mpi_scan_nz (&key
->params
.params
[1], e
->data
, siz
))
1262 _gnutls_mpi_release (&key
->params
.params
[0]);
1263 return GNUTLS_E_MPI_SCAN_FAILED
;
1266 key
->params
.params_nr
= RSA_PUBLIC_PARAMS
;
1267 key
->pk_algorithm
= GNUTLS_PK_RSA
;
1268 key
->bits
= pubkey_to_bits(GNUTLS_PK_RSA
, &key
->params
);
1274 * gnutls_pubkey_import_ecc_raw:
1275 * @key: The structure to store the parsed key
1276 * @curve: holds the curve
1280 * This function will convert the given elliptic curve parameters to a
1281 * #gnutls_pubkey_t. The output will be stored in @key.
1283 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1284 * negative error value.
1289 gnutls_pubkey_import_ecc_raw (gnutls_pubkey_t key
,
1290 gnutls_ecc_curve_t curve
,
1291 const gnutls_datum_t
* x
,
1292 const gnutls_datum_t
* y
)
1299 return GNUTLS_E_INVALID_REQUEST
;
1302 key
->params
.flags
= curve
;
1304 ret
= _gnutls_ecc_curve_fill_params(curve
, &key
->params
);
1306 return gnutls_assert_val(ret
);
1308 if (_gnutls_mpi_scan_nz (&key
->params
.params
[ECC_X
], x
->data
, x
->size
))
1311 ret
= GNUTLS_E_MPI_SCAN_FAILED
;
1314 key
->params
.params_nr
++;
1316 if (_gnutls_mpi_scan_nz (&key
->params
.params
[ECC_Y
], y
->data
, y
->size
))
1319 ret
= GNUTLS_E_MPI_SCAN_FAILED
;
1322 key
->params
.params_nr
++;
1323 key
->pk_algorithm
= GNUTLS_PK_EC
;
1328 gnutls_pk_params_release(&key
->params
);
1333 * gnutls_pubkey_import_ecc_x962:
1334 * @key: The structure to store the parsed key
1335 * @parameters: DER encoding of an ANSI X9.62 parameters
1336 * @ecpoint: DER encoding of ANSI X9.62 ECPoint
1338 * This function will convert the given elliptic curve parameters to a
1339 * #gnutls_pubkey_t. The output will be stored in @key.
1341 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1342 * negative error value.
1347 gnutls_pubkey_import_ecc_x962 (gnutls_pubkey_t key
,
1348 const gnutls_datum_t
* parameters
,
1349 const gnutls_datum_t
* ecpoint
)
1356 return GNUTLS_E_INVALID_REQUEST
;
1359 key
->params
.params_nr
= 0;
1361 ret
= _gnutls_x509_read_ecc_params(parameters
->data
, parameters
->size
,
1369 ret
= _gnutls_ecc_ansi_x963_import(ecpoint
->data
, ecpoint
->size
,
1370 &key
->params
.params
[ECC_X
], &key
->params
.params
[ECC_Y
]);
1376 key
->params
.params_nr
+=2;
1377 key
->pk_algorithm
= GNUTLS_PK_EC
;
1382 gnutls_pk_params_release(&key
->params
);
1387 * gnutls_pubkey_import_dsa_raw:
1388 * @key: The structure to store the parsed key
1394 * This function will convert the given DSA raw parameters to the
1395 * native #gnutls_pubkey_t format. The output will be stored
1398 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1399 * negative error value.
1404 gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key
,
1405 const gnutls_datum_t
* p
,
1406 const gnutls_datum_t
* q
,
1407 const gnutls_datum_t
* g
,
1408 const gnutls_datum_t
* y
)
1415 return GNUTLS_E_INVALID_REQUEST
;
1418 gnutls_pk_params_init(&key
->params
);
1421 if (_gnutls_mpi_scan_nz (&key
->params
.params
[0], p
->data
, siz
))
1424 return GNUTLS_E_MPI_SCAN_FAILED
;
1428 if (_gnutls_mpi_scan_nz (&key
->params
.params
[1], q
->data
, siz
))
1431 _gnutls_mpi_release (&key
->params
.params
[0]);
1432 return GNUTLS_E_MPI_SCAN_FAILED
;
1436 if (_gnutls_mpi_scan_nz (&key
->params
.params
[2], g
->data
, siz
))
1439 _gnutls_mpi_release (&key
->params
.params
[1]);
1440 _gnutls_mpi_release (&key
->params
.params
[0]);
1441 return GNUTLS_E_MPI_SCAN_FAILED
;
1445 if (_gnutls_mpi_scan_nz (&key
->params
.params
[3], y
->data
, siz
))
1448 _gnutls_mpi_release (&key
->params
.params
[2]);
1449 _gnutls_mpi_release (&key
->params
.params
[1]);
1450 _gnutls_mpi_release (&key
->params
.params
[0]);
1451 return GNUTLS_E_MPI_SCAN_FAILED
;
1454 key
->params
.params_nr
= DSA_PUBLIC_PARAMS
;
1455 key
->pk_algorithm
= GNUTLS_PK_DSA
;
1456 key
->bits
= pubkey_to_bits(GNUTLS_PK_DSA
, &key
->params
);
1463 * gnutls_pubkey_verify_data:
1464 * @pubkey: Holds the public key
1465 * @flags: should be 0 for now
1466 * @data: holds the signed data
1467 * @signature: contains the signature
1469 * This function will verify the given signed data, using the
1470 * parameters from the certificate.
1472 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
1473 * is returned, and zero or positive code on success.
1475 * Deprecated. Use gnutls_pubkey_verify_data2() instead of this function.
1480 gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey
, unsigned int flags
,
1481 const gnutls_datum_t
* data
,
1482 const gnutls_datum_t
* signature
)
1489 return GNUTLS_E_INVALID_REQUEST
;
1492 ret
= pubkey_verify_data( pubkey
->pk_algorithm
, GNUTLS_DIG_UNKNOWN
, data
, signature
,
1503 * gnutls_pubkey_verify_data2:
1504 * @pubkey: Holds the public key
1505 * @algo: The signature algorithm used
1506 * @flags: should be 0 for now
1507 * @data: holds the signed data
1508 * @signature: contains the signature
1510 * This function will verify the given signed data, using the
1511 * parameters from the certificate.
1513 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
1514 * is returned, and zero or positive code on success.
1519 gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey
,
1520 gnutls_sign_algorithm_t algo
,
1522 const gnutls_datum_t
* data
,
1523 const gnutls_datum_t
* signature
)
1530 return GNUTLS_E_INVALID_REQUEST
;
1533 ret
= pubkey_verify_data( pubkey
->pk_algorithm
, gnutls_sign_get_hash_algorithm(algo
),
1534 data
, signature
, &pubkey
->params
);
1545 * gnutls_pubkey_verify_hash:
1546 * @key: Holds the public key
1547 * @flags: should be 0 for now
1548 * @hash: holds the hash digest to be verified
1549 * @signature: contains the signature
1551 * This function will verify the given signed digest, using the
1552 * parameters from the public key.
1554 * Deprecated. Use gnutls_pubkey_verify_hash2() instead of this function.
1556 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
1557 * is returned, and zero or positive code on success.
1562 gnutls_pubkey_verify_hash (gnutls_pubkey_t key
, unsigned int flags
,
1563 const gnutls_datum_t
* hash
,
1564 const gnutls_datum_t
* signature
)
1566 gnutls_digest_algorithm_t algo
;
1569 ret
= gnutls_pubkey_get_verify_algorithm (key
, signature
, &algo
);
1571 return gnutls_assert_val(ret
);
1573 return gnutls_pubkey_verify_hash2(key
, gnutls_pk_to_sign(key
->pk_algorithm
, algo
),
1574 flags
, hash
, signature
);
1578 * gnutls_pubkey_verify_hash2:
1579 * @key: Holds the public key
1580 * @algo: The signature algorithm used
1581 * @flags: should be 0 for now
1582 * @hash: holds the hash digest to be verified
1583 * @signature: contains the signature
1585 * This function will verify the given signed digest, using the
1586 * parameters from the public key.
1588 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
1589 * is returned, and zero or positive code on success.
1594 gnutls_pubkey_verify_hash2 (gnutls_pubkey_t key
,
1595 gnutls_sign_algorithm_t algo
,
1597 const gnutls_datum_t
* hash
,
1598 const gnutls_datum_t
* signature
)
1603 return GNUTLS_E_INVALID_REQUEST
;
1606 if (flags
& GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA
)
1607 return _gnutls_pk_verify (GNUTLS_PK_RSA
, hash
, signature
, &key
->params
);
1610 return pubkey_verify_hashed_data (key
->pk_algorithm
, gnutls_sign_get_hash_algorithm(algo
),
1611 hash
, signature
, &key
->params
);
1616 * gnutls_pubkey_encrypt_data:
1617 * @key: Holds the public key
1618 * @flags: should be 0 for now
1619 * @plaintext: The data to be encrypted
1620 * @ciphertext: contains the encrypted data
1622 * This function will encrypt the given data, using the public
1625 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1626 * negative error value.
1631 gnutls_pubkey_encrypt_data (gnutls_pubkey_t key
, unsigned int flags
,
1632 const gnutls_datum_t
* plaintext
,
1633 gnutls_datum_t
* ciphertext
)
1638 return GNUTLS_E_INVALID_REQUEST
;
1641 return _gnutls_pk_encrypt (key
->pk_algorithm
, ciphertext
,
1642 plaintext
, &key
->params
);
1646 * gnutls_pubkey_get_verify_algorithm:
1647 * @key: Holds the certificate
1648 * @signature: contains the signature
1649 * @hash: The result of the call with the hash algorithm used for signature
1651 * This function will read the certifcate and the signed data to
1652 * determine the hash algorithm used to generate the signature.
1654 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1655 * negative error value.
1660 gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key
,
1661 const gnutls_datum_t
* signature
,
1662 gnutls_digest_algorithm_t
* hash
)
1667 return GNUTLS_E_INVALID_REQUEST
;
1670 return _gnutls_x509_verify_algorithm (hash
, signature
,
1676 /* Checks whether the public key given is compatible with the
1677 * signature algorithm used. The session is only used for audit logging, and
1680 int _gnutls_pubkey_compatible_with_sig(gnutls_session_t session
,
1681 gnutls_pubkey_t pubkey
,
1682 gnutls_protocol_t ver
,
1683 gnutls_sign_algorithm_t sign
)
1685 unsigned int hash_size
;
1686 unsigned int hash_algo
;
1687 unsigned int sig_hash_size
;
1689 if (pubkey
->pk_algorithm
== GNUTLS_PK_DSA
)
1691 hash_algo
= _gnutls_dsa_q_to_hash (pubkey
->pk_algorithm
, &pubkey
->params
, &hash_size
);
1693 /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
1694 if (!_gnutls_version_has_selectable_sighash (ver
))
1696 if (hash_algo
!= GNUTLS_DIG_SHA1
)
1697 return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL
);
1699 else if (sign
!= GNUTLS_SIGN_UNKNOWN
)
1701 sig_hash_size
= _gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign
));
1702 if (sig_hash_size
< hash_size
)
1703 _gnutls_audit_log(session
, "The hash size used in signature (%u) is less than the expected (%u)\n", sig_hash_size
, hash_size
);
1707 else if (pubkey
->pk_algorithm
== GNUTLS_PK_EC
)
1709 if (_gnutls_version_has_selectable_sighash (ver
) && sign
!= GNUTLS_SIGN_UNKNOWN
)
1711 _gnutls_dsa_q_to_hash (pubkey
->pk_algorithm
, &pubkey
->params
, &hash_size
);
1712 sig_hash_size
= _gnutls_hash_get_algo_len(gnutls_sign_get_hash_algorithm(sign
));
1714 if (sig_hash_size
< hash_size
)
1715 _gnutls_audit_log(session
, "The hash size used in signature (%u) is less than the expected (%u)\n", sig_hash_size
, hash_size
);
1723 /* Returns zero if the public key has more than 512 bits */
1724 int _gnutls_pubkey_is_over_rsa_512(gnutls_pubkey_t pubkey
)
1726 if (pubkey
->pk_algorithm
== GNUTLS_PK_RSA
&& _gnutls_mpi_get_nbits (pubkey
->params
.params
[0]) > 512)
1729 return GNUTLS_E_INVALID_REQUEST
; /* doesn't matter */
1733 /* Returns the public key.
1736 _gnutls_pubkey_get_mpis (gnutls_pubkey_t key
,
1737 gnutls_pk_params_st
* params
)
1739 return _gnutls_pk_params_copy(params
, &key
->params
);
1742 /* if hash==MD5 then we do RSA-MD5
1743 * if hash==SHA then we do RSA-SHA
1744 * params[0] is modulus
1745 * params[1] is public key
1748 _pkcs1_rsa_verify_sig (gnutls_digest_algorithm_t hash
,
1749 const gnutls_datum_t
* text
,
1750 const gnutls_datum_t
* prehash
,
1751 const gnutls_datum_t
* signature
,
1752 gnutls_pk_params_st
* params
)
1755 uint8_t md
[MAX_HASH_SIZE
], *cmp
;
1756 unsigned int digest_size
;
1757 gnutls_datum_t d
, di
;
1760 digest_size
= _gnutls_hash_get_algo_len (hash
);
1763 if (prehash
->data
== NULL
|| prehash
->size
!= digest_size
)
1764 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST
);
1766 cmp
= prehash
->data
;
1773 return GNUTLS_E_INVALID_REQUEST
;
1776 ret
= _gnutls_hash_init (&hd
, hash
);
1783 _gnutls_hash (&hd
, text
->data
, text
->size
);
1784 _gnutls_hash_deinit (&hd
, md
);
1790 d
.size
= digest_size
;
1792 /* decrypted is a BER encoded data of type DigestInfo
1795 ret
= encode_ber_digest_info (hash
, &d
, &di
);
1797 return gnutls_assert_val(ret
);
1799 ret
= _gnutls_pk_verify (GNUTLS_PK_RSA
, &di
, signature
, params
);
1801 _gnutls_free_datum (&di
);
1806 /* Hashes input data and verifies a signature.
1809 dsa_verify_hashed_data (gnutls_pk_algorithm_t pk
,
1810 gnutls_digest_algorithm_t algo
,
1811 const gnutls_datum_t
* hash
,
1812 const gnutls_datum_t
* signature
,
1813 gnutls_pk_params_st
* params
)
1815 gnutls_datum_t digest
;
1816 unsigned int hash_len
;
1818 if (algo
== GNUTLS_DIG_UNKNOWN
)
1819 algo
= _gnutls_dsa_q_to_hash (pk
, params
, &hash_len
);
1820 else hash_len
= _gnutls_hash_get_algo_len(algo
);
1822 /* SHA1 or better allowed */
1823 if (!hash
->data
|| hash
->size
< hash_len
)
1826 _gnutls_debug_log("Hash size (%d) does not correspond to hash %s(%d) or better.\n", (int)hash
->size
, gnutls_mac_get_name(algo
), hash_len
);
1828 if (hash
->size
!= 20) /* SHA1 is allowed */
1829 return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED
);
1832 digest
.data
= hash
->data
;
1833 digest
.size
= hash
->size
;
1835 return _gnutls_pk_verify (pk
, &digest
, signature
, params
);
1839 dsa_verify_data (gnutls_pk_algorithm_t pk
,
1840 gnutls_digest_algorithm_t algo
,
1841 const gnutls_datum_t
* data
,
1842 const gnutls_datum_t
* signature
,
1843 gnutls_pk_params_st
* params
)
1846 uint8_t _digest
[MAX_HASH_SIZE
];
1847 gnutls_datum_t digest
;
1850 if (algo
== GNUTLS_DIG_UNKNOWN
)
1851 algo
= _gnutls_dsa_q_to_hash (pk
, params
, NULL
);
1853 ret
= _gnutls_hash_init (&hd
, algo
);
1855 return gnutls_assert_val(ret
);
1857 _gnutls_hash (&hd
, data
->data
, data
->size
);
1858 _gnutls_hash_deinit (&hd
, _digest
);
1860 digest
.data
= _digest
;
1861 digest
.size
= _gnutls_hash_get_algo_len(algo
);
1863 return _gnutls_pk_verify (pk
, &digest
, signature
, params
);
1866 /* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
1867 * not verified, or 1 otherwise.
1870 pubkey_verify_hashed_data (gnutls_pk_algorithm_t pk
,
1871 gnutls_digest_algorithm_t hash_algo
,
1872 const gnutls_datum_t
* hash
,
1873 const gnutls_datum_t
* signature
,
1874 gnutls_pk_params_st
* issuer_params
)
1881 if (_pkcs1_rsa_verify_sig
1882 (hash_algo
, NULL
, hash
, signature
, issuer_params
) != 0)
1885 return GNUTLS_E_PK_SIG_VERIFY_FAILED
;
1893 if (dsa_verify_hashed_data(pk
, hash_algo
, hash
, signature
, issuer_params
) != 0)
1896 return GNUTLS_E_PK_SIG_VERIFY_FAILED
;
1903 return GNUTLS_E_INTERNAL_ERROR
;
1908 /* Verifies the signature data, and returns GNUTLS_E_PK_SIG_VERIFY_FAILED if
1909 * not verified, or 1 otherwise.
1912 pubkey_verify_data (gnutls_pk_algorithm_t pk
,
1913 gnutls_digest_algorithm_t hash_algo
,
1914 const gnutls_datum_t
* data
,
1915 const gnutls_datum_t
* signature
,
1916 gnutls_pk_params_st
* issuer_params
)
1923 if (_pkcs1_rsa_verify_sig
1924 (hash_algo
, data
, NULL
, signature
, issuer_params
) != 0)
1927 return GNUTLS_E_PK_SIG_VERIFY_FAILED
;
1935 if (dsa_verify_data(pk
, hash_algo
, data
, signature
, issuer_params
) != 0)
1938 return GNUTLS_E_PK_SIG_VERIFY_FAILED
;
1945 return GNUTLS_E_INTERNAL_ERROR
;
1950 gnutls_digest_algorithm_t
1951 _gnutls_dsa_q_to_hash (gnutls_pk_algorithm_t algo
, const gnutls_pk_params_st
* params
,
1952 unsigned int* hash_len
)
1956 if (algo
== GNUTLS_PK_DSA
)
1957 bits
= _gnutls_mpi_get_nbits (params
->params
[1]);
1958 else if (algo
== GNUTLS_PK_EC
)
1959 bits
= gnutls_ecc_curve_get_size(params
->flags
)*8;
1963 if (hash_len
) *hash_len
= 20;
1964 return GNUTLS_DIG_SHA1
;
1966 else if (bits
<= 192)
1968 if (hash_len
) *hash_len
= 24;
1969 return GNUTLS_DIG_SHA256
;
1971 else if (bits
<= 224)
1973 if (hash_len
) *hash_len
= 28;
1974 return GNUTLS_DIG_SHA256
;
1976 else if (bits
<= 256)
1978 if (hash_len
) *hash_len
= 32;
1979 return GNUTLS_DIG_SHA256
;
1981 else if (bits
<= 384)
1983 if (hash_len
) *hash_len
= 48;
1984 return GNUTLS_DIG_SHA384
;
1988 if (hash_len
) *hash_len
= 64;
1989 return GNUTLS_DIG_SHA512
;
1994 * gnutls_pubkey_set_pin_function:
1995 * @key: A key of type #gnutls_pubkey_t
1997 * @userdata: data associated with the callback
1999 * This function will set a callback function to be used when
2000 * required to access the object. This function overrides any other
2001 * global PIN functions.
2003 * Note that this function must be called right after initialization
2009 void gnutls_pubkey_set_pin_function (gnutls_pubkey_t key
,
2010 gnutls_pin_callback_t fn
, void *userdata
)
2013 key
->pin
.data
= userdata
;
2017 * gnutls_pubkey_import_x509_raw:
2018 * @pkey: The public key
2019 * @data: The public key data to be imported
2020 * @format: The format of the public key
2021 * @flags: should be zero
2023 * This function will import the given public key to the abstract
2024 * #gnutls_pubkey_t structure.
2026 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2027 * negative error value.
2031 int gnutls_pubkey_import_x509_raw (gnutls_pubkey_t pkey
,
2032 const gnutls_datum_t
* data
,
2033 gnutls_x509_crt_fmt_t format
,
2036 gnutls_x509_crt_t xpriv
;
2039 ret
= gnutls_x509_crt_init(&xpriv
);
2041 return gnutls_assert_val(ret
);
2043 ret
= gnutls_x509_crt_import(xpriv
, data
, format
);
2050 ret
= gnutls_pubkey_import_x509(pkey
, xpriv
, flags
);
2060 gnutls_x509_crt_deinit(xpriv
);