Top | ![]() |
![]() |
![]() |
![]() |
#define | GNUTLS_PKCS11_MAX_PIN_LEN |
struct | gnutls_pkcs11_obj_st |
typedef | gnutls_pkcs11_obj_t |
#define | GNUTLS_PKCS11_FLAG_MANUAL |
#define | GNUTLS_PKCS11_FLAG_AUTO |
#define | GNUTLS_PKCS11_OBJ_FLAG_LOGIN |
#define | GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED |
#define | GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE |
enum | gnutls_pkcs11_obj_info_t |
enum | gnutls_pkcs11_obj_attr_t |
enum | gnutls_pkcs11_token_info_t |
enum | gnutls_pkcs11_obj_type_t |
#define | GNUTLS_PKCS11_TOKEN_HW |
int (*gnutls_pkcs11_token_callback_t) (void *const global_data
,const char *const label
,const unsigned retry Param3
);
int (*gnutls_pkcs11_pin_callback_t) (void *userdata
,int attempt
,const char *token_url
,const char *token_label
,unsigned int flags
);
Callback function type for PKCS11 PIN entry. It is set by
gnutls_pkcs11_set_pin_function()
.
The callback should provides the PIN code to unlock the token with
label token_label
, specified by the URL token_url
.
The PIN code, as a NUL-terminated ASCII string, should be copied
into the pin
buffer (of maximum size pin_max
), and return 0 to
indicate success. Alternatively, the callback may return a
negative gnutls error code to indicate failure and cancel PIN entry
(in which case, the contents of the pin
parameter are ignored).
When a PIN is required, the callback will be invoked repeatedly
(and indefinitely) until either the returned PIN code is correct,
the callback returns failure, or the token refuses login (e.g. when
the token is locked due to too many incorrect PINs!). For the
first such invocation, the attempt
counter will have value zero;
it will increase by one for each subsequent attempt.
userdata |
user-controlled data from |
|
attempt |
pin-attempt counter, initially 0. |
|
token_url |
PKCS11 URL. |
|
token_label |
label of PKCS11 token. |
|
flags |
a gnutls_pkcs11_pin_flag_t flag. |
Since: 2.12.0
int gnutls_pkcs11_init (unsigned int flags
,const char *deprecated_config_file
);
This function will initialize the PKCS 11 subsystem in gnutls. It will
read configuration files if GNUTLS_PKCS11_FLAG_AUTO
is used or allow
you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
if GNUTLS_PKCS11_FLAG_MANUAL
is specified.
Using a custom configfile is deprecated and will not be supported in future versions of gnutls.
Normally you don't need to call this function since it is being called
by gnutls_global_init()
using the GNUTLS_PKCS11_FLAG_AUTO
. If you need to
call this function, you must call it before gnutls_global_init()
.
void
gnutls_pkcs11_deinit (void
);
This function will deinitialize the PKCS 11 subsystem in gnutls.
void gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn
,void *userdata
);
This function will set a callback function to be used when a token needs to be inserted to continue PKCS 11 operations.
void gnutls_pkcs11_set_pin_function (gnutls_pkcs11_pin_callback_t fn
,void *userdata
);
This function will set a callback function to be used when a PIN is required for PKCS 11 operations.
Callback for PKCS11 PIN entry. The callback provides the PIN code to unlock the token with label 'token_label', specified by the URL 'token_url'.
The PIN code, as a NUL-terminated ASCII string, should be copied into the 'pin' buffer (of maximum size pin_max), and return 0 to indicate success. Alternatively, the callback may return a negative gnutls error code to indicate failure and cancel PIN entry (in which case, the contents of the 'pin' parameter are ignored).
When a PIN is required, the callback will be invoked repeatedly (and indefinitely) until either the returned PIN code is correct, the callback returns failure, or the token refuses login (e.g. when the token is locked due to too many incorrect PINs!). For the first such invocation, the 'attempt' counter will have value zero; it will increase by one for each subsequent attempt.
int gnutls_pkcs11_add_provider (const char *name
,const char *params
);
This function will load and add a PKCS 11 module to the module list used in gnutls. After this function is called the module will be used for PKCS 11 operations.
int
gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t *obj
);
This function will initialize a pkcs11 certificate structure.
int gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t Param1
,const char *url
,unsigned int flags
);
int gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj
,gnutls_pkcs11_url_type_t detailed
,char **url
);
This function will export a URL identifying the given certificate.
void
gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj
);
This function will deinitialize a certificate structure.
int gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj
,void *output_data
,size_t *output_data_size
);
This function will export the pkcs11 object data. It is normal
for PKCS 11 data to be inaccesible and in that case GNUTLS_E_INVALID_REQUEST
will be returned.
If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN CERTIFICATE".
int gnutls_pkcs11_copy_x509_crt (const char *token_url
,gnutls_x509_crt_t crt
,const char *label
,unsigned int flags
);
This function will copy a certificate into a PKCS 11 token specified by a URL. The certificate can be marked as trusted or not.
int gnutls_pkcs11_copy_x509_privkey (const char *token_url
,gnutls_x509_privkey_t key
,const char *label
,unsigned int key_usage
,unsigned int flags
);
This function will copy a private key into a PKCS 11 token specified by
a URL. It is highly recommended flags to contain GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE
unless there is a strong reason not to.
int gnutls_pkcs11_delete_url (const char *object_url
,unsigned int flags
);
This function will delete objects matching the given URL.
int gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t crt
,gnutls_pkcs11_obj_info_t itype
,void *output
,size_t *output_size
);
This function will return information about the PKCS 11 certificatesuch
as the label, id as well as token information where the key is stored. When
output is text it returns null terminated string although output_size
contains
the size of the actual data only.
crt |
should contain a gnutls_pkcs11_obj_t structure |
|
itype |
Denotes the type of information requested |
|
output |
where output will be stored |
|
output_size |
contains the maximum size of the output and will be overwritten with actual |
int gnutls_pkcs11_token_get_url (unsigned int seq
,gnutls_pkcs11_url_type_t detailed
,char **url
);
This function will return the URL for each token available
in system. The url has to be released using gnutls_free()
seq |
sequence number starting from 0 |
|
detailed |
non zero if a detailed URL is required |
|
url |
will contain an allocated url |
On success, GNUTLS_E_SUCCESS
is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
if the sequence number exceeds the available tokens, otherwise a negative error value.
int gnutls_pkcs11_token_get_info (const char *url
,gnutls_pkcs11_token_info_t ttype
,void *output
,size_t *output_size
);
This function will return information about the PKCS 11 token such as the label, id as well as token information where the key is stored.
int gnutls_pkcs11_token_get_flags (const char *url
,unsigned int *flags
);
This function will return information about the PKCS 11 token flags.
int gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t *p_list
,unsigned int *const n_list
,const char *url
,gnutls_pkcs11_obj_attr_t attrs
,unsigned int flags
);
This function will initialize and set values to an object list by using all objects identified by a PKCS 11 URL.
p_list |
An uninitialized object list (may be NULL) |
|
n_list |
initially should hold the maximum size of the list. Will contain the actual size. |
|
url |
A PKCS 11 url identifying a set of objects |
|
attrs |
Attributes of type gnutls_pkcs11_obj_attr_t that can be used to limit output |
|
flags |
One of GNUTLS_PKCS11_OBJ_* flags |
int gnutls_x509_crt_import_pkcs11 (gnutls_x509_crt_t crt
,gnutls_pkcs11_obj_t pkcs11_crt
);
This function will import a PKCS 11 certificate to a gnutls_x509_crt_t structure.
crt |
A certificate of type gnutls_x509_crt_t |
|
pkcs11_crt |
A PKCS 11 object that contains a certificate |
int gnutls_x509_crt_import_pkcs11_url (gnutls_x509_crt_t crt
,const char *url
,unsigned int flags
);
This function will import a PKCS 11 certificate directly from a token without involving the gnutls_pkcs11_obj_t structure. This function will fail if the certificate stored is not of X.509 type.
crt |
A certificate of type gnutls_x509_crt_t |
|
url |
A PKCS 11 url |
|
flags |
One of GNUTLS_PKCS11_OBJ_* flags |
gnutls_pkcs11_obj_type_t
gnutls_pkcs11_obj_get_type (gnutls_pkcs11_obj_t certificate
);
This function will return the type of the certificate being stored in the structure.
const char *
gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t Param1
);
int gnutls_x509_crt_list_import_pkcs11 (gnutls_x509_crt_t *certs
,unsigned int cert_max
,gnutls_pkcs11_obj_t * const objs
,unsigned int flags
);
This function will import a PKCS 11 certificate list to a list of gnutls_x509_crt_t structure. These must not be initialized.
certs |
A list of certificates of type gnutls_x509_crt_t |
|
cert_max |
The maximum size of the list |
|
objs |
A list of PKCS 11 objects |
|
flags |
0 for now |
int
gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t *key
);
This function will initialize an private key structure.
void
gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key
);
This function will deinitialize a private key structure.
int gnutls_pkcs11_privkey_get_pk_algorithm (gnutls_pkcs11_privkey_t key
,unsigned int *bits
);
This function will return the public key algorithm of a private key.
int gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t pkey
,gnutls_pkcs11_obj_info_t itype
,void *output
,size_t *output_size
);
This function will return information about the PKCS 11 private key such as the label, id as well as token information where the key is stored. When output is text it returns null terminated string although output_size contains the size of the actual data only.
pkey |
should contain a gnutls_pkcs11_privkey_t structure |
|
itype |
Denotes the type of information requested |
|
output |
where output will be stored |
|
output_size |
contains the maximum size of the output and will be overwritten with actual |
int gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey
,const char *url
,unsigned int flags
);
This function will "import" a PKCS 11 URL identifying a certificate key to the gnutls_pkcs11_obj_t structure. This does not involve any parsing (such as X.509 or OpenPGP) since the gnutls_pkcs11_obj_t is format agnostic. Only data are transferred.
int gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key
,gnutls_pkcs11_url_type_t detailed
,char **url
);
This function will export a URL identifying the given key.
struct gnutls_pkcs11_obj_st { gnutls_datum_t raw; gnutls_pkcs11_obj_type_t type; struct p11_kit_uri *info; /* only when pubkey */ gnutls_datum_t pubkey[MAX_PUBLIC_PARAMS_SIZE]; gnutls_pk_algorithm pk_algorithm; unsigned int key_usage; };
#define GNUTLS_PKCS11_FLAG_AUTO 1 /* Automatically load libraries by reading /etc/gnutls/pkcs11.conf */
#define GNUTLS_PKCS11_OBJ_FLAG_LOGIN (1<<0) /* force login in the token for the operation */
#define GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED (1<<1) /* object marked as trusted */
#define GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE (1<<2) /* object marked as sensitive (unexportable) */
Enumeration of several object information types.
The object ID in hex. |
||
The object label. |
||
The token's label. |
||
The token's serial number. |
||
The token's manufacturer. |
||
The token's model. |
||
The object ID. |
||
The library's used to access the object version. |
||
The library's used to access the object description (name). |
||
The library's used to access the object manufacturer name. |
Enumeration of several attributes for object enumeration.