Next: , Previous: , Up: Abstract key types   [Contents][Index]

5.1.2 Private keys

An abstract gnutls_privkey_t can be initialized using the functions below. It can be imported through an existing structure like gnutls_x509_privkey_t, but unlike public keys it cannot be exported. That is to allow abstraction over keys stored in hardware that makes available only operations.

int gnutls_privkey_import_x509 (gnutls_privkey_t pkey, gnutls_x509_privkey_t key, unsigned int flags)
int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey, gnutls_pkcs11_privkey_t key, unsigned int flags)

Other helper functions that allow directly importing from raw X.509 or OpenPGP structures are shown below. Again, as with public keys, private keys can be imported from a hardware module using URLs.

Function: int gnutls_privkey_import_url (gnutls_privkey_t key, const char * url, unsigned int flags)

key: A key of type gnutls_privkey_t

url: A PKCS 11 url

flags: should be zero

This function will import a PKCS11 or TPM URL as a private key. The supported URL types can be checked using gnutls_url_is_supported() .

Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.1.0

int gnutls_privkey_import_x509_raw (gnutls_privkey_t pkey, const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format, const char * password, unsigned int flags)
int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int * bits)
gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key)
int gnutls_privkey_status (gnutls_privkey_t key)

In order to support cryptographic operations using an external API, the following function is provided. This allows for a simple extensibility API without resorting to PKCS #11.

Function: int gnutls_privkey_import_ext3 (gnutls_privkey_t pkey, void * userdata, gnutls_privkey_sign_func sign_fn, gnutls_privkey_decrypt_func decrypt_fn, gnutls_privkey_deinit_func deinit_fn, gnutls_privkey_info_func info_fn, unsigned int flags)

pkey: The private key

userdata: private data to be provided to the callbacks

sign_fn: callback for signature operations

decrypt_fn: callback for decryption operations

deinit_fn: a deinitialization function

info_fn: returns info about the public key algorithm (should not be NULL )

flags: Flags for the import

This function will associate the given callbacks with the gnutls_privkey_t type. At least one of the two callbacks must be non-null. If a deinitialization function is provided then flags is assumed to contain GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE .

Note that the signing function is supposed to "raw" sign data, i.e., without any hashing or preprocessing. In case of RSA the DigestInfo will be provided, and the signing function is expected to do the PKCS 1 1.5 padding and the exponentiation.

The info_fn must provide information on the algorithms supported by this private key, and should support the flags GNUTLS_PRIVKEY_INFO_PK_ALGO and GNUTLS_PRIVKEY_INFO_SIGN_ALGO . It must return -1 on unknown flags.

Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.0

Next: , Previous: , Up: Abstract key types   [Contents][Index]