Next: TPM API, Previous: PKCS 12 API, Up: API reference [Contents][Index]
The following functions are to be used for PKCS 11 handling. Their prototypes lie in gnutls/pkcs11.h.
name: The filename of the module
params: should be NULL or a known string (see description)
This function will load and add a PKCS 11 module to the module list used in gnutls. After this function is called the module will be used for PKCS 11 operations.
When loading a module to be used for certificate verification,
use the string ’trusted’ as params .
Note that this function is not thread safe.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
token_url: A PKCS 11 URL specifying a token
crt: An X.509 certificate object
data: the attached extension
label: A name to be used for the attached extension (may be NULL )
flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy an the attached extension in data for
the certificate provided in crt in the PKCS 11 token specified
by the URL (typically a trust module). The extension must be in
RFC5280 Extension format.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.3.8
token_url: A PKCS 11 URL specifying a token
pubkey: The public key to copy
label: The name to be used for the stored data
cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
key_usage: One of GNUTLS_KEY_*
flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a public key object into a PKCS 11 token specified by
a URL. Valid flags to mark the key: GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED ,
GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE , GNUTLS_PKCS11_OBJ_FLAG_MARK_CA ,
GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.6
token_url: A PKCS 11 URL specifying a token
key: The raw key
label: A name to be used for the stored data
key_usage: One of GNUTLS_KEY_*
flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a raw secret (symmetric) key into a PKCS 11
token specified by a URL. The key can be marked as sensitive or not.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
token_url: A PKCS 11 URL specifying a token
crt: A certificate
label: A name to be used for the stored data
flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a certificate into a PKCS 11 token specified by
a URL. The certificate can be marked as trusted or not.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
token_url: A PKCS 11 URL specifying a token
crt: The certificate to copy
label: The name to be used for the stored data
cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a certificate into a PKCS 11 token specified by
a URL. Valid flags to mark the certificate: GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED ,
GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE , GNUTLS_PKCS11_OBJ_FLAG_MARK_CA ,
GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.0
token_url: A PKCS 11 URL specifying a token
key: A private key
label: A name to be used for the stored data
key_usage: One of GNUTLS_KEY_*
flags: One of GNUTLS_PKCS11_OBJ_* flags
This function will copy a private key into a PKCS 11 token specified by
a URL.
Since 3.6.3 the objects are marked as sensitive by default unless
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
token_url: A PKCS 11 URL specifying a token
key: A private key
label: A name to be used for the stored data
cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
key_usage: One of GNUTLS_KEY_*
flags: One of GNUTLS_PKCS11_OBJ_* flags
This function will copy a private key into a PKCS 11 token specified by
a URL.
Since 3.6.3 the objects are marked as sensitive by default unless
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.0
url: A PKCS 11 url identifying a token
cert: is the certificate to find issuer for
flags: Use zero or flags from GNUTLS_PKCS11_OBJ_FLAG .
This function will check whether the provided certificate is stored
in the specified token. This is useful in combination with
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED ,
to check whether a CA is present or a certificate is distrusted in
a trust PKCS 11 module.
This function can be used with a url of "pkcs11:", and in that case all modules
will be searched. To restrict the modules to the marked as trusted in p11-kit
use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
Note that the flag GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
specific to p11-kit trust modules.
Returns: If the certificate exists non-zero is returned, otherwise zero.
Since: 3.3.0
This function will deinitialize the PKCS 11 subsystem in gnutls.
This function is only needed if you need to deinitialize the
subsystem without calling gnutls_global_deinit() .
Since: 2.12.0
object_url: The URL of the object to delete.
flags: One of GNUTLS_PKCS11_OBJ_* flags
This function will delete objects matching the given URL. Note that not all tokens support the delete operation.
Returns: On success, the number of objects deleted is returned, otherwise a negative error value.
Since: 2.12.0
userdata: data to be supplied to callback
This function will return the callback function set using
gnutls_pkcs11_set_pin_function() .
Returns: The function set or NULL otherwise.
Since: 3.1.0
url: A PKCS 11 url identifying a token
cert: is the certificate to find issuer for
issuer: Will hold the issuer if any in an allocated buffer.
fmt: The format of the exported issuer.
flags: Use zero or flags from GNUTLS_PKCS11_OBJ_FLAG .
This function will return the issuer of a given certificate, if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY in flags .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.2.7
url: A PKCS 11 url identifying a token
dn: is the DN to search for
issuer: Will hold the issuer if any in an allocated buffer.
fmt: The format of the exported issuer.
flags: Use zero or flags from GNUTLS_PKCS11_OBJ_FLAG .
This function will return the certificate with the given DN, if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY in flags .
The name of the function includes issuer because it can be used to discover issuers of certificates.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.0
url: A PKCS 11 url identifying a token
dn: is the DN to search for (may be NULL )
spki: is the subject key ID to search for
issuer: Will hold the issuer if any in an allocated buffer.
fmt: The format of the exported issuer.
flags: Use zero or flags from GNUTLS_PKCS11_OBJ_FLAG .
This function will return the certificate with the given DN and spki , if it
is stored in the token. By default only marked as trusted issuers
are returned. If any issuer should be returned specify
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY in flags .
The name of the function includes issuer because it can be used to discover issuers of certificates.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.2
flags: An ORed sequence of GNUTLS_PKCS11_FLAG_ *
deprecated_config_file: either NULL or the location of a deprecated configuration file
This function will initialize the PKCS 11 subsystem in gnutls. It will
read configuration files if GNUTLS_PKCS11_FLAG_AUTO is used or allow
you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
if GNUTLS_PKCS11_FLAG_MANUAL is specified.
You don’t need to call this function since GnuTLS 3.3.0 because it is being called
during the first request PKCS 11 operation. That call will assume the GNUTLS_PKCS11_FLAG_AUTO
flag. If another flags are required then it must be called independently
prior to any PKCS 11 operation.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
obj: The type to be deinitialized
This function will deinitialize a certificate structure.
Since: 2.12.0
obj: Holds the object
output_data: will contain the object data
output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case GNUTLS_E_INVALID_REQUEST
will be returned.
If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
Returns: In case of failure a negative error code will be
returned, and GNUTLS_E_SUCCESS (0) on success.
Since: 2.12.0
obj: Holds the object
out: will contain the object data
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case GNUTLS_E_INVALID_REQUEST
will be returned.
The output buffer is allocated using gnutls_malloc() .
Returns: In case of failure a negative error code will be
returned, and GNUTLS_E_SUCCESS (0) on success.
Since: 3.1.3
obj: Holds the object
fmt: The format of the exported data
out: will contain the object data
This function will export the PKCS11 object data. It is normal for
data to be inaccessible and in that case GNUTLS_E_INVALID_REQUEST
will be returned.
The output buffer is allocated using gnutls_malloc() .
Returns: In case of failure a negative error code will be
returned, and GNUTLS_E_SUCCESS (0) on success.
Since: 3.2.7
obj: Holds the PKCS 11 certificate
detailed: non zero if a detailed URL is required
url: will contain an allocated url
This function will export a URL identifying the given object.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
flags: holds the flags
This function given an or-sequence of GNUTLS_PKCS11_OBJ_FLAG_MARK ,
will return an allocated string with its description. The string
needs to be deallocated using gnutls_free() .
Returns: If flags is zero NULL is returned, otherwise an allocated string.
Since: 3.3.7
obj: should contain a gnutls_pkcs11_obj_t type
exts: a pointer to a gnutls_x509_ext_st pointer
exts_size: will be updated with the number of exts
flags: Or sequence of GNUTLS_PKCS11_OBJ_ * flags
This function will return information about attached extensions that associate to the provided object (which should be a certificate). The extensions are the attached p11-kit trust module extensions.
Each element of exts must be deinitialized using gnutls_x509_ext_deinit()
while exts should be deallocated using gnutls_free() .
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
Since: 3.3.8
obj: The pkcs11 object
oflags: Will hold the output flags
This function will return the flags of the object.
The oflags will be flags from gnutls_pkcs11_obj_flags . That is,
the GNUTLS_PKCS11_OBJ_FLAG_MARK_ * flags.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.3.7
obj: should contain a gnutls_pkcs11_obj_t type
itype: Denotes the type of information requested
output: where output will be stored
output_size: contains the maximum size of the output buffer and will be overwritten with the actual size.
This function will return information about the PKCS11 certificate such as the label, id as well as token information where the key is stored.
When output is text, a null terminated string is written to output and its
string length is written to output_size (without null terminator). If the
buffer is too small, output_size will contain the expected buffer size
(with null terminator for text) and return GNUTLS_E_SHORT_MEMORY_BUFFER .
In versions previously to 3.6.0 this function included the null terminator
to output_size . After 3.6.0 the output size doesn’t include the terminator character.
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
Since: 2.12.0
obj: should contain a gnutls_pkcs11_obj_t type
ptr: will contain the CK_FUNCTION_LIST_PTR pointer (may be NULL )
session: will contain the CK_SESSION_HANDLE of the object
ohandle: will contain the CK_OBJECT_HANDLE of the object
slot_id: the identifier of the slot (may be NULL )
flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
Obtains the PKCS11 session handles of an object. session and ohandle must be deinitialized by the caller. The returned pointers are
independent of the obj lifetime.
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code
on error.
Since: 3.6.3
obj: Holds the PKCS 11 object
This function will return the type of the object being stored in the structure.
Returns: The type of the object
Since: 2.12.0
obj: The structure to store the object
url: a PKCS 11 url identifying the key
flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will "import" a PKCS 11 URL identifying an object (e.g. certificate)
to the gnutls_pkcs11_obj_t type. This does not involve any
parsing (such as X.509 or OpenPGP) since the gnutls_pkcs11_obj_t is
format agnostic. Only data are transferred.
If the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT is specified
any certificate read, will have its extensions overwritten by any
stapled extensions in the trust module.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
obj: A pointer to the type to be initialized
This function will initialize a pkcs11 certificate structure.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
p_list: An uninitialized object list (may be NULL )
n_list: Initially should hold the maximum size of the list. Will contain the actual size.
url: A PKCS 11 url identifying a set of objects
flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will initialize and set values to an object list by using all objects identified by a PKCS 11 URL.
This function will enumerate all the objects specified by the PKCS11 URL
provided. It expects an already allocated p_list which has * n_list elements,
and that value will be updated to the actual number of present objects. The
p_list objects will be initialized and set by this function.
To obtain a list of all available objects use a url of ’pkcs11:’.
All returned objects must be deinitialized using gnutls_pkcs11_obj_deinit() .
The supported in this function flags are GNUTLS_PKCS11_OBJ_FLAG_LOGIN ,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO , GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE ,
GNUTLS_PKCS11_OBJ_FLAG_CRT , GNUTLS_PKCS11_OBJ_FLAG_PUBKEY , GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY ,
GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY , GNUTLS_PKCS11_OBJ_FLAG_MARK_CA ,
GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED , and since 3.5.1 the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT .
On versions of GnuTLS prior to 3.4.0 the equivalent function was
gnutls_pkcs11_obj_list_import_url() . That is also available on this version
as a macro which maps to this function.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.0
p_list: An uninitialized object list (may be NULL)
n_list: It will contain the size of the list.
url: A PKCS 11 url identifying a set of objects
flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will enumerate all the objects specified by the PKCS11 URL
provided. It will initialize and set values to the object pointer list ( p_list )
provided. To obtain a list of all available objects use a url of ’pkcs11:’.
All returned objects must be deinitialized using gnutls_pkcs11_obj_deinit() ,
and p_list must be deinitialized using gnutls_free() .
The supported in this function flags are GNUTLS_PKCS11_OBJ_FLAG_LOGIN ,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO , GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE ,
GNUTLS_PKCS11_OBJ_FLAG_CRT , GNUTLS_PKCS11_OBJ_FLAG_PUBKEY , GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY ,
GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY , GNUTLS_PKCS11_OBJ_FLAG_MARK_CA ,
GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED , and since 3.5.1 the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT .
On versions of GnuTLS prior to 3.4.0 the equivalent function was
gnutls_pkcs11_obj_list_import_url2() . That is also available on this version
as a macro which maps to this function.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.0
obj: should contain a gnutls_pkcs11_obj_t type
itype: Denotes the type of information to be set
data: the data to set
data_size: the size of data
flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will set attributes on the provided object.
Available options for itype are GNUTLS_PKCS11_OBJ_LABEL ,
GNUTLS_PKCS11_OBJ_ID_HEX , and GNUTLS_PKCS11_OBJ_ID .
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
Since: 3.4.0
obj: The object structure
fn: the callback
userdata: data associated with the callback
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using gnutls_pkcs11_set_pin_function() .
Since: 3.1.0
dst: The destination key, which should be initialized.
src: The source key
This function will copy a private key from source to destination key. Destination has to be initialized.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.0
key: the key to be deinitialized
This function will deinitialize a private key structure.
pkey: The private key
fmt: the format of output params. PEM or DER.
data: will hold the public key
flags: should be zero
This function will extract the public key (modulus and public
exponent) from the private key specified by the url private key.
This public key will be stored in pubkey in the format specified
by fmt . pubkey should be deinitialized using gnutls_free() .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.3.7
key: Holds the PKCS 11 key
detailed: non zero if a detailed URL is required
url: will contain an allocated url
This function will export a URL identifying the given key.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
url: a token URL
pk: the public key algorithm
bits: the security bits
label: a label
flags: should be zero
This function will generate a private key in the specified
by the url token. The private key will be generate within
the token and will not be exportable.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.0
url: a token URL
pk: the public key algorithm
bits: the security bits
label: a label
fmt: the format of output params. PEM or DER
pubkey: will hold the public key (may be NULL )
flags: zero or an OR’ed sequence of GNUTLS_PKCS11_OBJ_FLAGs
This function will generate a private key in the specified
by the url token. The private key will be generate within
the token and will not be exportable. This function will
store the DER-encoded public key in the SubjectPublicKeyInfo format
in pubkey . The pubkey should be deinitialized using gnutls_free() .
Note that when generating an elliptic curve key, the curve
can be substituted in the place of the bits parameter using the
GNUTLS_CURVE_TO_BITS() macro.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.1.5
url: a token URL
pk: the public key algorithm
bits: the security bits
label: a label
cid: The CKA_ID to use for the new object
fmt: the format of output params. PEM or DER
pubkey: will hold the public key (may be NULL )
key_usage: One of GNUTLS_KEY_*
flags: zero or an OR’ed sequence of GNUTLS_PKCS11_OBJ_FLAGs
This function will generate a private key in the specified
by the url token. The private key will be generate within
the token and will not be exportable. This function will
store the DER-encoded public key in the SubjectPublicKeyInfo format
in pubkey . The pubkey should be deinitialized using gnutls_free() .
Note that when generating an elliptic curve key, the curve
can be substituted in the place of the bits parameter using the
GNUTLS_CURVE_TO_BITS() macro.
Since 3.6.3 the objects are marked as sensitive by default unless
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.4.0
pkey: should contain a gnutls_pkcs11_privkey_t type
itype: Denotes the type of information requested
output: where output will be stored
output_size: contains the maximum size of the output and will be overwritten with actual
This function will return information about the PKCS 11 private key such
as the label, id as well as token information where the key is stored. When
output is text it returns null terminated string although output_size contains
the size of the actual data only.
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
key: should contain a gnutls_pkcs11_privkey_t type
bits: if bits is non null it will hold the size of the parameters’ in bits
This function will return the public key algorithm of a private key.
Returns: a member of the gnutls_pk_algorithm_t enumeration on
success, or a negative error code on error.
pkey: The private key
url: a PKCS 11 url identifying the key
flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
This function will "import" a PKCS 11 URL identifying a private
key to the gnutls_pkcs11_privkey_t type. In reality since
in most cases keys cannot be exported, the private key structure
is being associated with the available operations on the token.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
key: A pointer to the type to be initialized
This function will initialize an private key structure. This
structure can be used for accessing an underlying PKCS11 object.
In versions of GnuTLS later than 3.5.11 the object is protected
using locks and a single gnutls_pkcs11_privkey_t can be re-used
by many threads. However, for performance it is recommended to utilize
one object per key per thread.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
key: The private key
fn: the callback
userdata: data associated with the callback
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using gnutls_pkcs11_set_pin_function() .
Since: 3.1.0
key: Holds the key
Checks the status of the private key token.
Returns: this function will return non-zero if the token holding the private key is still available (inserted), and zero otherwise.
Since: 3.1.9
This function will reinitialize the PKCS 11 subsystem in gnutls.
This is required by PKCS 11 when an application uses fork() . The
reinitialization function must be called on the child.
Note that since GnuTLS 3.3.0, the reinitialization of the PKCS 11
subsystem occurs automatically after fork.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 3.0
fn: The PIN callback, a gnutls_pin_callback_t() function.
userdata: data to be supplied to callback
This function will set a callback function to be used when a PIN is
required for PKCS 11 operations. See
gnutls_pin_callback_t() on how the callback should behave.
Since: 2.12.0
fn: The token callback
userdata: data to be supplied to callback
This function will set a callback function to be used when a token needs to be inserted to continue PKCS 11 operations.
Since: 2.12.0
url: should contain a PKCS 11 URL
mechanism: The PKCS 11 mechanism ID
ptr: if set it should point to a CK_MECHANISM_INFO struct
psize: the size of CK_MECHANISM_INFO struct (for safety)
flags: must be zero
This function will return whether a mechanism is supported
by the given token. If the mechanism is supported and
ptr is set, it will be updated with the token information.
Returns: Non-zero if the mechanism is supported or zero otherwise.
Since: 3.6.0
url: should contain a PKCS 11 URL
flags: The output flags (GNUTLS_PKCS11_TOKEN_*)
This function will return information about the PKCS 11 token flags.
The supported flags are: GNUTLS_PKCS11_TOKEN_HW and GNUTLS_PKCS11_TOKEN_TRUSTED .
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
Since: 2.12.0
url: should contain a PKCS 11 URL
ttype: Denotes the type of information requested
output: where output will be stored
output_size: contains the maximum size of the output buffer and will be overwritten with the actual size.
This function will return information about the PKCS 11 token such as the label, id, etc.
When output is text, a null terminated string is written to output and its
string length is written to output_size (without null terminator). If the
buffer is too small, output_size will contain the expected buffer size
(with null terminator for text) and return GNUTLS_E_SHORT_MEMORY_BUFFER .
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code
on error.
Since: 2.12.0
url: should contain a PKCS 11 URL
idx: The index of the mechanism
mechanism: The PKCS 11 mechanism ID
This function will return the names of the supported mechanisms by the token. It should be called with an increasing index until it return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
Since: 2.12.0
url: should contain a PKCS11 URL identifying a token
ptr: will contain the CK_FUNCTION_LIST_PTR pointer
slot_id: will contain the slot_id (may be NULL )
flags: should be zero
This function will return the function pointer of the specified
token by the URL. The returned pointers are valid until
gnutls is deinitialized, c.f. _global_deinit() .
Returns: GNUTLS_E_SUCCESS (0) on success or a negative error code
on error.
Since: 3.6.3
token_url: A PKCS 11 URL specifying a token
rnddata: A pointer to the memory area to be filled with random data
len: The number of bytes of randomness to request
This function will get random data from the given token. It will store rnddata and fill the memory pointed to by rnddata with len random bytes from the token.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
seq: sequence number starting from 0
detailed: non zero if a detailed URL is required
url: will contain an allocated url
This function will return the URL for each token available
in system. The url has to be released using gnutls_free()
Returns: On success, GNUTLS_E_SUCCESS (0) is returned,
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the sequence number
exceeds the available tokens, otherwise a negative error value.
Since: 2.12.0
token_url: A PKCS 11 URL specifying a token
so_pin: Security Officer’s PIN
label: A name to be used for the token
This function will initialize (format) a token. If the token is at a factory defaults state the security officer’s PIN given will be set to be the default. Otherwise it should match the officer’s PIN.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
token_url: A PKCS 11 URL specifying a token
oldpin: old user’s PIN
newpin: new user’s PIN
flags: one of gnutls_pin_flag_t .
This function will modify or set a user or administrator’s PIN for
the given token. If it is called to set a PIN for first time
the oldpin must be NULL . When setting the admin’s PIN with the
GNUTLS_PIN_SO flag, the oldpin value must be provided (this requirement
is relaxed after GnuTLS 3.6.5 since which the PIN will be requested if missing).
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
type: Holds the PKCS 11 object type, a gnutls_pkcs11_obj_type_t .
This function will return a human readable description of the
PKCS11 object type obj . It will return "Unknown" for unknown
types.
Returns: human readable string labeling the PKCS11 object type
type .
Since: 2.12.0
crt: A certificate of type gnutls_x509_crt_t
pkcs11_crt: A PKCS 11 object that contains a certificate
This function will import a PKCS 11 certificate to a gnutls_x509_crt_t
structure.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
certs: A list of certificates of type gnutls_x509_crt_t
cert_max: The maximum size of the list
objs: A list of PKCS 11 objects
flags: 0 for now
This function will import a PKCS 11 certificate list to a list of
gnutls_x509_crt_t type. These must not be initialized.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since: 2.12.0
Next: TPM API, Previous: PKCS 12 API, Up: API reference [Contents][Index]