@subheading gnutls_pkcs11_add_provider
@anchor{gnutls_pkcs11_add_provider}
@deftypefun {int} {gnutls_pkcs11_add_provider} (const char * @var{name}, const char * @var{params})
@var{name}: The filename of the module
@var{params}: should be NULL or a known string (see description)
This function will load and add a PKCS 11 module to the module
list used in gnutls. After this function is called the module will
be used for PKCS 11 operations.
When loading a module to be used for certificate verification,
use the string 'trusted' as @code{params} .
Note that this function is not thread safe.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_copy_attached_extension
@anchor{gnutls_pkcs11_copy_attached_extension}
@deftypefun {int} {gnutls_pkcs11_copy_attached_extension} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{data}, const char * @var{label}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{crt}: An X.509 certificate object
@var{data}: the attached extension
@var{label}: A name to be used for the attached extension (may be @code{NULL} )
@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy an the attached extension in @code{data} for
the certificate provided in @code{crt} in the PKCS @code{11} token specified
by the URL (typically a trust module). The extension must be in
RFC5280 Extension format.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.3.8
@end deftypefun
@subheading gnutls_pkcs11_copy_pubkey
@anchor{gnutls_pkcs11_copy_pubkey}
@deftypefun {int} {gnutls_pkcs11_copy_pubkey} (const char * @var{token_url}, gnutls_pubkey_t @var{pubkey}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{key_usage}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{pubkey}: The public key to copy
@var{label}: The name to be used for the stored data
@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
@var{key_usage}: One of GNUTLS_KEY_*
@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a public key object into a PKCS @code{11} token specified by
a URL. Valid flags to mark the key: @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH} .
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.6
@end deftypefun
@subheading gnutls_pkcs11_copy_secret_key
@anchor{gnutls_pkcs11_copy_secret_key}
@deftypefun {int} {gnutls_pkcs11_copy_secret_key} (const char * @var{token_url}, gnutls_datum_t * @var{key}, const char * @var{label}, unsigned int @var{key_usage}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{key}: The raw key
@var{label}: A name to be used for the stored data
@var{key_usage}: One of GNUTLS_KEY_*
@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a raw secret (symmetric) key into a PKCS @code{11}
token specified by a URL. The key can be marked as sensitive or not.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_copy_x509_crt
@anchor{gnutls_pkcs11_copy_x509_crt}
@deftypefun {int} {gnutls_pkcs11_copy_x509_crt} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{crt}: A certificate
@var{label}: A name to be used for the stored data
@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a certificate into a PKCS @code{11} token specified by
a URL. The certificate can be marked as trusted or not.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_copy_x509_crt2
@anchor{gnutls_pkcs11_copy_x509_crt2}
@deftypefun {int} {gnutls_pkcs11_copy_x509_crt2} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{crt}: The certificate to copy
@var{label}: The name to be used for the stored data
@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a certificate into a PKCS @code{11} token specified by
a URL. Valid flags to mark the certificate: @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH} .
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_copy_x509_privkey
@anchor{gnutls_pkcs11_copy_x509_privkey}
@deftypefun {int} {gnutls_pkcs11_copy_x509_privkey} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, unsigned int @var{key_usage}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{key}: A private key
@var{label}: A name to be used for the stored data
@var{key_usage}: One of GNUTLS_KEY_*
@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags
This function will copy a private key into a PKCS @code{11} token specified by
a URL.
Since 3.6.3 the objects are marked as sensitive by default unless
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE} is specified.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_copy_x509_privkey2
@anchor{gnutls_pkcs11_copy_x509_privkey2}
@deftypefun {int} {gnutls_pkcs11_copy_x509_privkey2} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{key_usage}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{key}: A private key
@var{label}: A name to be used for the stored data
@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
@var{key_usage}: One of GNUTLS_KEY_*
@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags
This function will copy a private key into a PKCS @code{11} token specified by
a URL.
Since 3.6.3 the objects are marked as sensitive by default unless
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE} is specified.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_crt_is_known
@anchor{gnutls_pkcs11_crt_is_known}
@deftypefun {unsigned} {gnutls_pkcs11_crt_is_known} (const char * @var{url}, gnutls_x509_crt_t @var{cert}, unsigned int @var{flags})
@var{url}: A PKCS 11 url identifying a token
@var{cert}: is the certificate to find issuer for
@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} .
This function will check whether the provided certificate is stored
in the specified token. This is useful in combination with
@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED} or
@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED} ,
to check whether a CA is present or a certificate is blacklisted in
a trust PKCS @code{11} module.
This function can be used with a @code{url} of "pkcs11:", and in that case all modules
will be searched. To restrict the modules to the marked as trusted in p11-kit
use the @code{GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE} flag.
Note that the flag @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED} is
specific to p11-kit trust modules.
@strong{Returns:} If the certificate exists non-zero is returned, otherwise zero.
@strong{Since:} 3.3.0
@end deftypefun
@subheading gnutls_pkcs11_deinit
@anchor{gnutls_pkcs11_deinit}
@deftypefun {void} {gnutls_pkcs11_deinit} ( @var{void})
This function will deinitialize the PKCS 11 subsystem in gnutls.
This function is only needed if you need to deinitialize the
subsystem without calling @code{gnutls_global_deinit()} .
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_delete_url
@anchor{gnutls_pkcs11_delete_url}
@deftypefun {int} {gnutls_pkcs11_delete_url} (const char * @var{object_url}, unsigned int @var{flags})
@var{object_url}: The URL of the object to delete.
@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags
This function will delete objects matching the given URL.
Note that not all tokens support the delete operation.
@strong{Returns:} On success, the number of objects deleted is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_get_pin_function
@anchor{gnutls_pkcs11_get_pin_function}
@deftypefun {gnutls_pin_callback_t} {gnutls_pkcs11_get_pin_function} (void ** @var{userdata})
@var{userdata}: data to be supplied to callback
This function will return the callback function set using
@code{gnutls_pkcs11_set_pin_function()} .
@strong{Returns:} The function set or NULL otherwise.
@strong{Since:} 3.1.0
@end deftypefun
@subheading gnutls_pkcs11_get_raw_issuer
@anchor{gnutls_pkcs11_get_raw_issuer}
@deftypefun {int} {gnutls_pkcs11_get_raw_issuer} (const char * @var{url}, gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{issuer}, gnutls_x509_crt_fmt_t @var{fmt}, unsigned int @var{flags})
@var{url}: A PKCS 11 url identifying a token
@var{cert}: is the certificate to find issuer for
@var{issuer}: Will hold the issuer if any in an allocated buffer.
@var{fmt}: The format of the exported issuer.
@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} .
This function will return the issuer of a given certificate, if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY} in @code{flags} .
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.2.7
@end deftypefun
@subheading gnutls_pkcs11_get_raw_issuer_by_dn
@anchor{gnutls_pkcs11_get_raw_issuer_by_dn}
@deftypefun {int} {gnutls_pkcs11_get_raw_issuer_by_dn} (const char * @var{url}, const gnutls_datum_t * @var{dn}, gnutls_datum_t * @var{issuer}, gnutls_x509_crt_fmt_t @var{fmt}, unsigned int @var{flags})
@var{url}: A PKCS 11 url identifying a token
@var{dn}: is the DN to search for
@var{issuer}: Will hold the issuer if any in an allocated buffer.
@var{fmt}: The format of the exported issuer.
@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} .
This function will return the certificate with the given DN, if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY} in @code{flags} .
The name of the function includes issuer because it can
be used to discover issuers of certificates.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_get_raw_issuer_by_subject_key_id
@anchor{gnutls_pkcs11_get_raw_issuer_by_subject_key_id}
@deftypefun {int} {gnutls_pkcs11_get_raw_issuer_by_subject_key_id} (const char * @var{url}, const gnutls_datum_t * @var{dn}, const gnutls_datum_t * @var{spki}, gnutls_datum_t * @var{issuer}, gnutls_x509_crt_fmt_t @var{fmt}, unsigned int @var{flags})
@var{url}: A PKCS 11 url identifying a token
@var{dn}: is the DN to search for (may be @code{NULL} )
@var{spki}: is the subject key ID to search for
@var{issuer}: Will hold the issuer if any in an allocated buffer.
@var{fmt}: The format of the exported issuer.
@var{flags}: Use zero or flags from @code{GNUTLS_PKCS11_OBJ_FLAG} .
This function will return the certificate with the given DN and @code{spki} , if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY} in @code{flags} .
The name of the function includes issuer because it can
be used to discover issuers of certificates.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.2
@end deftypefun
@subheading gnutls_pkcs11_init
@anchor{gnutls_pkcs11_init}
@deftypefun {int} {gnutls_pkcs11_init} (unsigned int @var{flags}, const char * @var{deprecated_config_file})
@var{flags}: An ORed sequence of @code{GNUTLS_PKCS11_FLAG_} *
@var{deprecated_config_file}: either NULL or the location of a deprecated
configuration file
This function will initialize the PKCS 11 subsystem in gnutls. It will
read configuration files if @code{GNUTLS_PKCS11_FLAG_AUTO} is used or allow
you to independently load PKCS 11 modules using @code{gnutls_pkcs11_add_provider()}
if @code{GNUTLS_PKCS11_FLAG_MANUAL} is specified.
You don't need to call this function since GnuTLS 3.3.0 because it is being called
during the first request PKCS 11 operation. That call will assume the @code{GNUTLS_PKCS11_FLAG_AUTO}
flag. If another flags are required then it must be called independently
prior to any PKCS 11 operation.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_deinit
@anchor{gnutls_pkcs11_obj_deinit}
@deftypefun {void} {gnutls_pkcs11_obj_deinit} (gnutls_pkcs11_obj_t @var{obj})
@var{obj}: The type to be deinitialized
This function will deinitialize a certificate structure.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_export
@anchor{gnutls_pkcs11_obj_export}
@deftypefun {int} {gnutls_pkcs11_obj_export} (gnutls_pkcs11_obj_t @var{obj}, void * @var{output_data}, size_t * @var{output_data_size})
@var{obj}: Holds the object
@var{output_data}: will contain the object data
@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case @code{GNUTLS_E_INVALID_REQUEST}
will be returned.
If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.
@strong{Returns:} In case of failure a negative error code will be
returned, and @code{GNUTLS_E_SUCCESS} (0) on success.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_export2
@anchor{gnutls_pkcs11_obj_export2}
@deftypefun {int} {gnutls_pkcs11_obj_export2} (gnutls_pkcs11_obj_t @var{obj}, gnutls_datum_t * @var{out})
@var{obj}: Holds the object
@var{out}: will contain the object data
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case @code{GNUTLS_E_INVALID_REQUEST}
will be returned.
The output buffer is allocated using @code{gnutls_malloc()} .
@strong{Returns:} In case of failure a negative error code will be
returned, and @code{GNUTLS_E_SUCCESS} (0) on success.
@strong{Since:} 3.1.3
@end deftypefun
@subheading gnutls_pkcs11_obj_export3
@anchor{gnutls_pkcs11_obj_export3}
@deftypefun {int} {gnutls_pkcs11_obj_export3} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{out})
@var{obj}: Holds the object
@var{fmt}: The format of the exported data
@var{out}: will contain the object data
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case @code{GNUTLS_E_INVALID_REQUEST}
will be returned.
The output buffer is allocated using @code{gnutls_malloc()} .
@strong{Returns:} In case of failure a negative error code will be
returned, and @code{GNUTLS_E_SUCCESS} (0) on success.
@strong{Since:} 3.2.7
@end deftypefun
@subheading gnutls_pkcs11_obj_export_url
@anchor{gnutls_pkcs11_obj_export_url}
@deftypefun {int} {gnutls_pkcs11_obj_export_url} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url})
@var{obj}: Holds the PKCS 11 certificate
@var{detailed}: non zero if a detailed URL is required
@var{url}: will contain an allocated url
This function will export a URL identifying the given object.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_flags_get_str
@anchor{gnutls_pkcs11_obj_flags_get_str}
@deftypefun {char *} {gnutls_pkcs11_obj_flags_get_str} (unsigned int @var{flags})
@var{flags}: holds the flags
This function given an or-sequence of @code{GNUTLS_PKCS11_OBJ_FLAG_MARK} ,
will return an allocated string with its description. The string
needs to be deallocated using @code{gnutls_free()} .
@strong{Returns:} If flags is zero @code{NULL} is returned, otherwise an allocated string.
@strong{Since:} 3.3.7
@end deftypefun
@subheading gnutls_pkcs11_obj_get_exts
@anchor{gnutls_pkcs11_obj_get_exts}
@deftypefun {int} {gnutls_pkcs11_obj_get_exts} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_ext_st ** @var{exts}, unsigned int * @var{exts_size}, unsigned int @var{flags})
@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type
@var{exts}: a pointer to a @code{gnutls_x509_ext_st} pointer
@var{exts_size}: will be updated with the number of @code{exts}
@var{flags}: Or sequence of @code{GNUTLS_PKCS11_OBJ_} * flags
This function will return information about attached extensions
that associate to the provided object (which should be a certificate).
The extensions are the attached p11-kit trust module extensions.
Each element of @code{exts} must be deinitialized using @code{gnutls_x509_ext_deinit()}
while @code{exts} should be deallocated using @code{gnutls_free()} .
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
@strong{Since:} 3.3.8
@end deftypefun
@subheading gnutls_pkcs11_obj_get_flags
@anchor{gnutls_pkcs11_obj_get_flags}
@deftypefun {int} {gnutls_pkcs11_obj_get_flags} (gnutls_pkcs11_obj_t @var{obj}, unsigned int * @var{oflags})
@var{obj}: The pkcs11 object
@var{oflags}: Will hold the output flags
This function will return the flags of the object.
The @code{oflags} will be flags from @code{gnutls_pkcs11_obj_flags} . That is,
the @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_} * flags.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.3.7
@end deftypefun
@subheading gnutls_pkcs11_obj_get_info
@anchor{gnutls_pkcs11_obj_get_info}
@deftypefun {int} {gnutls_pkcs11_obj_get_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size})
@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type
@var{itype}: Denotes the type of information requested
@var{output}: where output will be stored
@var{output_size}: contains the maximum size of the output buffer and will be
overwritten with the actual size.
This function will return information about the PKCS11 certificate
such as the label, id as well as token information where the key is
stored.
When output is text, a null terminated string is written to @code{output} and its
string length is written to @code{output_size} (without null terminator). If the
buffer is too small, @code{output_size} will contain the expected buffer size
(with null terminator for text) and return @code{GNUTLS_E_SHORT_MEMORY_BUFFER} .
In versions previously to 3.6.0 this function included the null terminator
to @code{output_size} . After 3.6.0 the output size doesn't include the terminator character.
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_get_ptr
@anchor{gnutls_pkcs11_obj_get_ptr}
@deftypefun {int} {gnutls_pkcs11_obj_get_ptr} (gnutls_pkcs11_obj_t @var{obj}, void ** @var{ptr}, void ** @var{session}, void ** @var{ohandle}, unsigned long * @var{slot_id}, unsigned int @var{flags})
@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type
@var{ptr}: will contain the CK_FUNCTION_LIST_PTR pointer (may be @code{NULL} )
@var{session}: will contain the CK_SESSION_HANDLE of the object
@var{ohandle}: will contain the CK_OBJECT_HANDLE of the object
@var{slot_id}: the identifier of the slot (may be @code{NULL} )
@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
Obtains the PKCS@code{11} session handles of an object. @code{session} and @code{ohandle} must be deinitialized by the caller. The returned pointers are
independent of the @code{obj} lifetime.
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code
on error.
@strong{Since:} 3.6.3
@end deftypefun
@subheading gnutls_pkcs11_obj_get_type
@anchor{gnutls_pkcs11_obj_get_type}
@deftypefun {gnutls_pkcs11_obj_type_t} {gnutls_pkcs11_obj_get_type} (gnutls_pkcs11_obj_t @var{obj})
@var{obj}: Holds the PKCS 11 object
This function will return the type of the object being
stored in the structure.
@strong{Returns:} The type of the object
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_import_url
@anchor{gnutls_pkcs11_obj_import_url}
@deftypefun {int} {gnutls_pkcs11_obj_import_url} (gnutls_pkcs11_obj_t @var{obj}, const char * @var{url}, unsigned int @var{flags})
@var{obj}: The structure to store the object
@var{url}: a PKCS 11 url identifying the key
@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will "import" a PKCS 11 URL identifying an object (e.g. certificate)
to the @code{gnutls_pkcs11_obj_t} type. This does not involve any
parsing (such as X.509 or OpenPGP) since the @code{gnutls_pkcs11_obj_t} is
format agnostic. Only data are transferred.
If the flag @code{GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT} is specified
any certificate read, will have its extensions overwritten by any
stapled extensions in the trust module.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_init
@anchor{gnutls_pkcs11_obj_init}
@deftypefun {int} {gnutls_pkcs11_obj_init} (gnutls_pkcs11_obj_t * @var{obj})
@var{obj}: A pointer to the type to be initialized
This function will initialize a pkcs11 certificate structure.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_obj_list_import_url3
@anchor{gnutls_pkcs11_obj_list_import_url3}
@deftypefun {int} {gnutls_pkcs11_obj_list_import_url3} (gnutls_pkcs11_obj_t * @var{p_list}, unsigned int * @var{n_list}, const char * @var{url}, unsigned int @var{flags})
@var{p_list}: An uninitialized object list (may be @code{NULL} )
@var{n_list}: Initially should hold the maximum size of the list. Will contain the actual size.
@var{url}: A PKCS 11 url identifying a set of objects
@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will initialize and set values to an object list
by using all objects identified by a PKCS 11 URL.
This function will enumerate all the objects specified by the PKCS@code{11} URL
provided. It expects an already allocated @code{p_list} which has * @code{n_list} elements,
and that value will be updated to the actual number of present objects. The
@code{p_list} objects will be initialized and set by this function.
To obtain a list of all available objects use a @code{url} of 'pkcs11:'.
All returned objects must be deinitialized using @code{gnutls_pkcs11_obj_deinit()} .
The supported in this function @code{flags} are @code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_CRT} , @code{GNUTLS_PKCS11_OBJ_FLAG_PUBKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} , and since 3.5.1 the @code{GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT} .
On versions of GnuTLS prior to 3.4.0 the equivalent function was
@code{gnutls_pkcs11_obj_list_import_url()} . That is also available on this version
as a macro which maps to this function.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_obj_list_import_url4
@anchor{gnutls_pkcs11_obj_list_import_url4}
@deftypefun {int} {gnutls_pkcs11_obj_list_import_url4} (gnutls_pkcs11_obj_t ** @var{p_list}, unsigned int * @var{n_list}, const char * @var{url}, unsigned int @var{flags})
@var{p_list}: An uninitialized object list (may be NULL)
@var{n_list}: It will contain the size of the list.
@var{url}: A PKCS 11 url identifying a set of objects
@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will enumerate all the objects specified by the PKCS@code{11} URL
provided. It will initialize and set values to the object pointer list ( @code{p_list} )
provided. To obtain a list of all available objects use a @code{url} of 'pkcs11:'.
All returned objects must be deinitialized using @code{gnutls_pkcs11_obj_deinit()} ,
and @code{p_list} must be deinitialized using @code{gnutls_free()} .
The supported in this function @code{flags} are @code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_CRT} , @code{GNUTLS_PKCS11_OBJ_FLAG_PUBKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY} , @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_CA} ,
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED} , and since 3.5.1 the @code{GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT} .
On versions of GnuTLS prior to 3.4.0 the equivalent function was
@code{gnutls_pkcs11_obj_list_import_url2()} . That is also available on this version
as a macro which maps to this function.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_obj_set_info
@anchor{gnutls_pkcs11_obj_set_info}
@deftypefun {int} {gnutls_pkcs11_obj_set_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, const void * @var{data}, size_t @var{data_size}, unsigned @var{flags})
@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type
@var{itype}: Denotes the type of information to be set
@var{data}: the data to set
@var{data_size}: the size of data
@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will set attributes on the provided object.
Available options for @code{itype} are @code{GNUTLS_PKCS11_OBJ_LABEL} ,
@code{GNUTLS_PKCS11_OBJ_ID_HEX} , and @code{GNUTLS_PKCS11_OBJ_ID} .
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_obj_set_pin_function
@anchor{gnutls_pkcs11_obj_set_pin_function}
@deftypefun {void} {gnutls_pkcs11_obj_set_pin_function} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pin_callback_t @var{fn}, void * @var{userdata})
@var{obj}: The object structure
@var{fn}: the callback
@var{userdata}: data associated with the callback
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using @code{gnutls_pkcs11_set_pin_function()} .
@strong{Since:} 3.1.0
@end deftypefun
@subheading gnutls_pkcs11_privkey_cpy
@anchor{gnutls_pkcs11_privkey_cpy}
@deftypefun {int} {gnutls_pkcs11_privkey_cpy} (gnutls_pkcs11_privkey_t @var{dst}, gnutls_pkcs11_privkey_t @var{src})
@var{dst}: The destination key, which should be initialized.
@var{src}: The source key
This function will copy a private key from source to destination
key. Destination has to be initialized.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_privkey_deinit
@anchor{gnutls_pkcs11_privkey_deinit}
@deftypefun {void} {gnutls_pkcs11_privkey_deinit} (gnutls_pkcs11_privkey_t @var{key})
@var{key}: the key to be deinitialized
This function will deinitialize a private key structure.
@end deftypefun
@subheading gnutls_pkcs11_privkey_export_pubkey
@anchor{gnutls_pkcs11_privkey_export_pubkey}
@deftypefun {int} {gnutls_pkcs11_privkey_export_pubkey} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{data}, unsigned int @var{flags})
@var{pkey}: The private key
@var{fmt}: the format of output params. PEM or DER.
@var{data}: will hold the public key
@var{flags}: should be zero
This function will extract the public key (modulus and public
exponent) from the private key specified by the @code{url} private key.
This public key will be stored in @code{pubkey} in the format specified
by @code{fmt} . @code{pubkey} should be deinitialized using @code{gnutls_free()} .
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.3.7
@end deftypefun
@subheading gnutls_pkcs11_privkey_export_url
@anchor{gnutls_pkcs11_privkey_export_url}
@deftypefun {int} {gnutls_pkcs11_privkey_export_url} (gnutls_pkcs11_privkey_t @var{key}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url})
@var{key}: Holds the PKCS 11 key
@var{detailed}: non zero if a detailed URL is required
@var{url}: will contain an allocated url
This function will export a URL identifying the given key.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading gnutls_pkcs11_privkey_generate
@anchor{gnutls_pkcs11_privkey_generate}
@deftypefun {int} {gnutls_pkcs11_privkey_generate} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, unsigned int @var{flags})
@var{url}: a token URL
@var{pk}: the public key algorithm
@var{bits}: the security bits
@var{label}: a label
@var{flags}: should be zero
This function will generate a private key in the specified
by the @code{url} token. The private key will be generate within
the token and will not be exportable.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.0
@end deftypefun
@subheading gnutls_pkcs11_privkey_generate2
@anchor{gnutls_pkcs11_privkey_generate2}
@deftypefun {int} {gnutls_pkcs11_privkey_generate2} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{flags})
@var{url}: a token URL
@var{pk}: the public key algorithm
@var{bits}: the security bits
@var{label}: a label
@var{fmt}: the format of output params. PEM or DER
@var{pubkey}: will hold the public key (may be @code{NULL} )
@var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs}
This function will generate a private key in the specified
by the @code{url} token. The private key will be generate within
the token and will not be exportable. This function will
store the DER-encoded public key in the SubjectPublicKeyInfo format
in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} .
Note that when generating an elliptic curve key, the curve
can be substituted in the place of the bits parameter using the
@code{GNUTLS_CURVE_TO_BITS()} macro.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.1.5
@end deftypefun
@subheading gnutls_pkcs11_privkey_generate3
@anchor{gnutls_pkcs11_privkey_generate3}
@deftypefun {int} {gnutls_pkcs11_privkey_generate3} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, const gnutls_datum_t * @var{cid}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{key_usage}, unsigned int @var{flags})
@var{url}: a token URL
@var{pk}: the public key algorithm
@var{bits}: the security bits
@var{label}: a label
@var{cid}: The CKA_ID to use for the new object
@var{fmt}: the format of output params. PEM or DER
@var{pubkey}: will hold the public key (may be @code{NULL} )
@var{key_usage}: One of GNUTLS_KEY_*
@var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs}
This function will generate a private key in the specified
by the @code{url} token. The private key will be generate within
the token and will not be exportable. This function will
store the DER-encoded public key in the SubjectPublicKeyInfo format
in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} .
Note that when generating an elliptic curve key, the curve
can be substituted in the place of the bits parameter using the
@code{GNUTLS_CURVE_TO_BITS()} macro.
Since 3.6.3 the objects are marked as sensitive by default unless
@code{GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE} is specified.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.4.0
@end deftypefun
@subheading gnutls_pkcs11_privkey_get_info
@anchor{gnutls_pkcs11_privkey_get_info}
@deftypefun {int} {gnutls_pkcs11_privkey_get_info} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size})
@var{pkey}: should contain a @code{gnutls_pkcs11_privkey_t} type
@var{itype}: Denotes the type of information requested
@var{output}: where output will be stored
@var{output_size}: contains the maximum size of the output and will be overwritten with actual
This function will return information about the PKCS 11 private key such
as the label, id as well as token information where the key is stored. When
output is text it returns null terminated string although @code{output_size} contains
the size of the actual data only.
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
@end deftypefun
@subheading gnutls_pkcs11_privkey_get_pk_algorithm
@anchor{gnutls_pkcs11_privkey_get_pk_algorithm}
@deftypefun {int} {gnutls_pkcs11_privkey_get_pk_algorithm} (gnutls_pkcs11_privkey_t @var{key}, unsigned int * @var{bits})
@var{key}: should contain a @code{gnutls_pkcs11_privkey_t} type
@var{bits}: if bits is non null it will hold the size of the parameters' in bits
This function will return the public key algorithm of a private
key.
@strong{Returns:} a member of the @code{gnutls_pk_algorithm_t} enumeration on
success, or a negative error code on error.
@end deftypefun
@subheading gnutls_pkcs11_privkey_import_url
@anchor{gnutls_pkcs11_privkey_import_url}
@deftypefun {int} {gnutls_pkcs11_privkey_import_url} (gnutls_pkcs11_privkey_t @var{pkey}, const char * @var{url}, unsigned int @var{flags})
@var{pkey}: The private key
@var{url}: a PKCS 11 url identifying the key
@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will "import" a PKCS 11 URL identifying a private
key to the @code{gnutls_pkcs11_privkey_t} type. In reality since
in most cases keys cannot be exported, the private key structure
is being associated with the available operations on the token.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading gnutls_pkcs11_privkey_init
@anchor{gnutls_pkcs11_privkey_init}
@deftypefun {int} {gnutls_pkcs11_privkey_init} (gnutls_pkcs11_privkey_t * @var{key})
@var{key}: A pointer to the type to be initialized
This function will initialize an private key structure. This
structure can be used for accessing an underlying PKCS@code{11} object.
In versions of GnuTLS later than 3.5.11 the object is protected
using locks and a single @code{gnutls_pkcs11_privkey_t} can be re-used
by many threads. However, for performance it is recommended to utilize
one object per key per thread.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading gnutls_pkcs11_privkey_set_pin_function
@anchor{gnutls_pkcs11_privkey_set_pin_function}
@deftypefun {void} {gnutls_pkcs11_privkey_set_pin_function} (gnutls_pkcs11_privkey_t @var{key}, gnutls_pin_callback_t @var{fn}, void * @var{userdata})
@var{key}: The private key
@var{fn}: the callback
@var{userdata}: data associated with the callback
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using @code{gnutls_pkcs11_set_pin_function()} .
@strong{Since:} 3.1.0
@end deftypefun
@subheading gnutls_pkcs11_privkey_status
@anchor{gnutls_pkcs11_privkey_status}
@deftypefun {unsigned} {gnutls_pkcs11_privkey_status} (gnutls_pkcs11_privkey_t @var{key})
@var{key}: Holds the key
Checks the status of the private key token.
@strong{Returns:} this function will return non-zero if the token
holding the private key is still available (inserted), and zero otherwise.
@strong{Since:} 3.1.9
@end deftypefun
@subheading gnutls_pkcs11_reinit
@anchor{gnutls_pkcs11_reinit}
@deftypefun {int} {gnutls_pkcs11_reinit} ( @var{void})
This function will reinitialize the PKCS 11 subsystem in gnutls.
This is required by PKCS 11 when an application uses @code{fork()} . The
reinitialization function must be called on the child.
Note that since GnuTLS 3.3.0, the reinitialization of the PKCS @code{11}
subsystem occurs automatically after fork.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 3.0
@end deftypefun
@subheading gnutls_pkcs11_set_pin_function
@anchor{gnutls_pkcs11_set_pin_function}
@deftypefun {void} {gnutls_pkcs11_set_pin_function} (gnutls_pin_callback_t @var{fn}, void * @var{userdata})
@var{fn}: The PIN callback, a @code{gnutls_pin_callback_t()} function.
@var{userdata}: data to be supplied to callback
This function will set a callback function to be used when a PIN is
required for PKCS 11 operations. See
@code{gnutls_pin_callback_t()} on how the callback should behave.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_set_token_function
@anchor{gnutls_pkcs11_set_token_function}
@deftypefun {void} {gnutls_pkcs11_set_token_function} (gnutls_pkcs11_token_callback_t @var{fn}, void * @var{userdata})
@var{fn}: The token callback
@var{userdata}: data to be supplied to callback
This function will set a callback function to be used when a token
needs to be inserted to continue PKCS 11 operations.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_token_check_mechanism
@anchor{gnutls_pkcs11_token_check_mechanism}
@deftypefun {unsigned} {gnutls_pkcs11_token_check_mechanism} (const char * @var{url}, unsigned long @var{mechanism}, void * @var{ptr}, unsigned @var{psize}, unsigned @var{flags})
@var{url}: should contain a PKCS 11 URL
@var{mechanism}: The PKCS @code{11} mechanism ID
@var{ptr}: if set it should point to a CK_MECHANISM_INFO struct
@var{psize}: the size of CK_MECHANISM_INFO struct (for safety)
@var{flags}: must be zero
This function will return whether a mechanism is supported
by the given token. If the mechanism is supported and
@code{ptr} is set, it will be updated with the token information.
@strong{Returns:} Non-zero if the mechanism is supported or zero otherwise.
@strong{Since:} 3.6.0
@end deftypefun
@subheading gnutls_pkcs11_token_get_flags
@anchor{gnutls_pkcs11_token_get_flags}
@deftypefun {int} {gnutls_pkcs11_token_get_flags} (const char * @var{url}, unsigned int * @var{flags})
@var{url}: should contain a PKCS 11 URL
@var{flags}: The output flags (GNUTLS_PKCS11_TOKEN_*)
This function will return information about the PKCS 11 token flags.
The supported flags are: @code{GNUTLS_PKCS11_TOKEN_HW} and @code{GNUTLS_PKCS11_TOKEN_TRUSTED} .
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_token_get_info
@anchor{gnutls_pkcs11_token_get_info}
@deftypefun {int} {gnutls_pkcs11_token_get_info} (const char * @var{url}, gnutls_pkcs11_token_info_t @var{ttype}, void * @var{output}, size_t * @var{output_size})
@var{url}: should contain a PKCS 11 URL
@var{ttype}: Denotes the type of information requested
@var{output}: where output will be stored
@var{output_size}: contains the maximum size of the output buffer and will be
overwritten with the actual size.
This function will return information about the PKCS 11 token such
as the label, id, etc.
When output is text, a null terminated string is written to @code{output} and its
string length is written to @code{output_size} (without null terminator). If the
buffer is too small, @code{output_size} will contain the expected buffer size
(with null terminator for text) and return @code{GNUTLS_E_SHORT_MEMORY_BUFFER} .
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code
on error.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_token_get_mechanism
@anchor{gnutls_pkcs11_token_get_mechanism}
@deftypefun {int} {gnutls_pkcs11_token_get_mechanism} (const char * @var{url}, unsigned int @var{idx}, unsigned long * @var{mechanism})
@var{url}: should contain a PKCS 11 URL
@var{idx}: The index of the mechanism
@var{mechanism}: The PKCS @code{11} mechanism ID
This function will return the names of the supported mechanisms
by the token. It should be called with an increasing index until
it return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_token_get_ptr
@anchor{gnutls_pkcs11_token_get_ptr}
@deftypefun {int} {gnutls_pkcs11_token_get_ptr} (const char * @var{url}, void ** @var{ptr}, unsigned long * @var{slot_id}, unsigned int @var{flags})
@var{url}: should contain a PKCS@code{11} URL identifying a token
@var{ptr}: will contain the CK_FUNCTION_LIST_PTR pointer
@var{slot_id}: will contain the slot_id (may be @code{NULL} )
@var{flags}: should be zero
This function will return the function pointer of the specified
token by the URL. The returned pointers are valid until
gnutls is deinitialized, c.f. @code{_global_deinit()} .
@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code
on error.
@strong{Since:} 3.6.3
@end deftypefun
@subheading gnutls_pkcs11_token_get_random
@anchor{gnutls_pkcs11_token_get_random}
@deftypefun {int} {gnutls_pkcs11_token_get_random} (const char * @var{token_url}, void * @var{rnddata}, size_t @var{len})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{rnddata}: A pointer to the memory area to be filled with random data
@var{len}: The number of bytes of randomness to request
This function will get random data from the given token.
It will store rnddata and fill the memory pointed to by rnddata with
len random bytes from the token.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading gnutls_pkcs11_token_get_url
@anchor{gnutls_pkcs11_token_get_url}
@deftypefun {int} {gnutls_pkcs11_token_get_url} (unsigned int @var{seq}, gnutls_pkcs11_url_type_t @var{detailed}, char ** @var{url})
@var{seq}: sequence number starting from 0
@var{detailed}: non zero if a detailed URL is required
@var{url}: will contain an allocated url
This function will return the URL for each token available
in system. The url has to be released using @code{gnutls_free()}
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned,
@code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} if the sequence number
exceeds the available tokens, otherwise a negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_pkcs11_token_init
@anchor{gnutls_pkcs11_token_init}
@deftypefun {int} {gnutls_pkcs11_token_init} (const char * @var{token_url}, const char * @var{so_pin}, const char * @var{label})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{so_pin}: Security Officer's PIN
@var{label}: A name to be used for the token
This function will initialize (format) a token. If the token is
at a factory defaults state the security officer's PIN given will be
set to be the default. Otherwise it should match the officer's PIN.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading gnutls_pkcs11_token_set_pin
@anchor{gnutls_pkcs11_token_set_pin}
@deftypefun {int} {gnutls_pkcs11_token_set_pin} (const char * @var{token_url}, const char * @var{oldpin}, const char * @var{newpin}, unsigned int @var{flags})
@var{token_url}: A PKCS @code{11} URL specifying a token
@var{oldpin}: old user's PIN
@var{newpin}: new user's PIN
@var{flags}: one of @code{gnutls_pin_flag_t} .
This function will modify or set a user or administrator's PIN for
the given token. If it is called to set a PIN for first time
the oldpin must be @code{NULL} . When setting the admin's PIN with the
@code{GNUTLS_PIN_SO} flag, the @code{oldpin} value must be provided (this requirement
is relaxed after GnuTLS 3.6.5 since which the PIN will be requested if missing).
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading gnutls_pkcs11_type_get_name
@anchor{gnutls_pkcs11_type_get_name}
@deftypefun {const char *} {gnutls_pkcs11_type_get_name} (gnutls_pkcs11_obj_type_t @var{type})
@var{type}: Holds the PKCS 11 object type, a @code{gnutls_pkcs11_obj_type_t} .
This function will return a human readable description of the
PKCS11 object type @code{obj} . It will return "Unknown" for unknown
types.
@strong{Returns:} human readable string labeling the PKCS11 object type
@code{type} .
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_x509_crt_import_pkcs11
@anchor{gnutls_x509_crt_import_pkcs11}
@deftypefun {int} {gnutls_x509_crt_import_pkcs11} (gnutls_x509_crt_t @var{crt}, gnutls_pkcs11_obj_t @var{pkcs11_crt})
@var{crt}: A certificate of type @code{gnutls_x509_crt_t}
@var{pkcs11_crt}: A PKCS 11 object that contains a certificate
This function will import a PKCS 11 certificate to a @code{gnutls_x509_crt_t}
structure.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun
@subheading gnutls_x509_crt_list_import_pkcs11
@anchor{gnutls_x509_crt_list_import_pkcs11}
@deftypefun {int} {gnutls_x509_crt_list_import_pkcs11} (gnutls_x509_crt_t * @var{certs}, unsigned int @var{cert_max}, gnutls_pkcs11_obj_t * const @var{objs}, unsigned int @var{flags})
@var{certs}: A list of certificates of type @code{gnutls_x509_crt_t}
@var{cert_max}: The maximum size of the list
@var{objs}: A list of PKCS 11 objects
@var{flags}: 0 for now
This function will import a PKCS 11 certificate list to a list of
@code{gnutls_x509_crt_t} type. These must not be initialized.
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@strong{Since:} 2.12.0
@end deftypefun