Next: Cryptographic Message Syntax / PKCS7, Previous: Symmetric algorithms, Up: Using GnuTLS as a cryptographic library [Contents][Index]

Public key cryptography algorithms such as RSA, DSA and ECDSA, are accessed using the abstract key API in Abstract key types. This is a high level API with the advantage of transparently handling keys stored in memory and keys present in smart cards.

`int`gnutls_privkey_init (gnutls_privkey_t *`key`)`int`gnutls_privkey_import_url (gnutls_privkey_t`key`, const char *`url`, unsigned int`flags`)`int`gnutls_privkey_import_x509_raw (gnutls_privkey_t`pkey`, const gnutls_datum_t *`data`, gnutls_x509_crt_fmt_t`format`, const char *`password`, unsigned int`flags`)`int`gnutls_privkey_sign_data (gnutls_privkey_t`signer`, gnutls_digest_algorithm_t`hash`, unsigned int`flags`, const gnutls_datum_t *`data`, gnutls_datum_t *`signature`)`int`gnutls_privkey_sign_hash (gnutls_privkey_t`signer`, gnutls_digest_algorithm_t`hash_algo`, unsigned int`flags`, const gnutls_datum_t *`hash_data`, gnutls_datum_t *`signature`)`void`gnutls_privkey_deinit (gnutls_privkey_t`key`)

`int`gnutls_pubkey_init (gnutls_pubkey_t *`key`)`int`gnutls_pubkey_import_url (gnutls_pubkey_t`key`, const char *`url`, unsigned int`flags`)`int`gnutls_pubkey_import_x509 (gnutls_pubkey_t`key`, gnutls_x509_crt_t`crt`, unsigned int`flags`)`int`gnutls_pubkey_verify_data2 (gnutls_pubkey_t`pubkey`, gnutls_sign_algorithm_t`algo`, unsigned int`flags`, const gnutls_datum_t *`data`, const gnutls_datum_t *`signature`)`int`gnutls_pubkey_verify_hash2 (gnutls_pubkey_t`key`, gnutls_sign_algorithm_t`algo`, unsigned int`flags`, const gnutls_datum_t *`hash`, const gnutls_datum_t *`signature`)`void`gnutls_pubkey_deinit (gnutls_pubkey_t`key`)

Keys stored in memory can be imported using functions like gnutls_privkey_import_x509_raw, while keys on smart cards or HSMs should be imported using their PKCS#11 URL with gnutls_privkey_import_url.

If any of the smart card operations require PIN, that should be provided either by setting the global PIN function (gnutls_pkcs11_set_pin_function), or better with the targeted to structures functions such as gnutls_privkey_set_pin_function.

All supported key types (including RSA, DSA, ECDSA, Ed25519) can be generated with GnuTLS. They can be generated with the simpler gnutls_privkey_generate or with the more advanced gnutls_privkey_generate2.

- Function:
*int***gnutls_privkey_generate2***(gnutls_privkey_t*`pkey`, gnutls_pk_algorithm_t`algo`, unsigned int`bits`, unsigned int`flags`, const gnutls_keygen_data_st *`data`, unsigned`data_size`) `pkey`: The private key`algo`: is one of the algorithms in`gnutls_pk_algorithm_t`

.`bits`: the size of the modulus`flags`: Must be zero or flags from`gnutls_privkey_flags_t`

.`data`: Allow specifying`gnutls_keygen_data_st`

types such as the seed to be used.`data_size`: The number of`data`

available.This function will generate a random private key. Note that this function must be called on an initialized private key.

The flag

`GNUTLS_PRIVKEY_FLAG_PROVABLE`

instructs the key generation process to use algorithms like Shawe-Taylor (from FIPS PUB186-4) which generate provable parameters out of a seed for RSA and DSA keys. On DSA keys the PQG parameters are generated using the seed, while on RSA the two primes. To specify an explicit seed (by default a random seed is used), use the`data`

with a`GNUTLS_KEYGEN_SEED`

type.Note that when generating an elliptic curve key, the curve can be substituted in the place of the bits parameter using the

`GNUTLS_CURVE_TO_BITS()`

macro.To export the generated keys in memory or in files it is recommended to use the PKCS

`8`

form as it can handle all key types, and can store additional parameters such as the seed, in case of provable RSA or DSA keys. Generated keys can be exported in memory using`gnutls_privkey_export_x509()`

, and then with`gnutls_x509_privkey_export2_pkcs8()`

.If key generation is part of your application, avoid setting the number of bits directly, and instead use

`gnutls_sec_param_to_pk_bits()`

. That way the generated keys will adapt to the security levels of the underlying GnuTLS library.**Returns:**On success,`GNUTLS_E_SUCCESS`

(0) is returned, otherwise a negative error value.**Since:**3.5.0