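/*
 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
 * Copyright (C) 2016-2018 Red Hat, Inc.
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

/* Public PKCS #11 API of GnuTLS: provider/module loading, object (certificate,
 * key, data) lookup and storage through "pkcs11:" URLs, token management and
 * PKCS #11 backed private keys. */

#ifndef __GNUTLS_PKCS11_H
#define __GNUTLS_PKCS11_H

#include <stdarg.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

/* *INDENT-OFF* */
#ifdef __cplusplus
extern "C" {
#endif
/* *INDENT-ON* */

/* Upper bound on the length of a PIN handled by this API. */
#define GNUTLS_PKCS11_MAX_PIN_LEN 32

/**
 * gnutls_pkcs11_token_callback_t:
 * @userdata: user-controlled data from gnutls_pkcs11_set_token_function().
 * @label: token label.
 * @retry: retry counter, initially 0.
 *
 * Token callback function. The callback will be used to ask the user
 * to re-insert the token with given (null terminated) label. The
 * callback should return zero if token has been inserted by user and
 * a negative error code otherwise. It might be called multiple times
 * if the token is not detected and the retry counter will be
 * increased.
 *
 * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code
 * on error.
 *
 * Since: 2.12.0
 **/
typedef int (*gnutls_pkcs11_token_callback_t) (void *const
					       userdata,
					       const char *const
					       label, unsigned retry);

/* Opaque handle for a PKCS #11 object; create with gnutls_pkcs11_obj_init()
 * and release with gnutls_pkcs11_obj_deinit(). */
struct gnutls_pkcs11_obj_st;
typedef struct gnutls_pkcs11_obj_st *gnutls_pkcs11_obj_t;

/* Flags for gnutls_pkcs11_init(). */
#define GNUTLS_PKCS11_FLAG_MANUAL 0	/* Manual loading of libraries */
#define GNUTLS_PKCS11_FLAG_AUTO 1	/* Automatically load libraries by reading /usr/local/etc/gnutls/pkcs11.conf */
#define GNUTLS_PKCS11_FLAG_AUTO_TRUSTED (1<<1)	/* Automatically load trusted libraries by reading /usr/local/etc/gnutls/pkcs11.conf */

/* pkcs11.conf format:
 * load = /lib/xxx-pkcs11.so
 * load = /lib/yyy-pkcs11.so
 */

/* Library-level initialization. The second argument of gnutls_pkcs11_init()
 * is named deprecated_config_file by the API itself; the module list comes
 * from pkcs11.conf (see above) or from gnutls_pkcs11_add_provider(). */
int gnutls_pkcs11_init(unsigned int flags,
		       const char *deprecated_config_file);
int gnutls_pkcs11_reinit(void);
void gnutls_pkcs11_deinit(void);
void gnutls_pkcs11_set_token_function
    (gnutls_pkcs11_token_callback_t fn, void *userdata);

/* Global PIN callback used when no object/key specific one is set. */
void gnutls_pkcs11_set_pin_function(gnutls_pin_callback_t fn,
				    void *userdata);

gnutls_pin_callback_t gnutls_pkcs11_get_pin_function(void
						     **userdata);

/* Load a single PKCS #11 module by name (path) with optional parameters. */
int gnutls_pkcs11_add_provider(const char *name, const char *params);
int gnutls_pkcs11_obj_init(gnutls_pkcs11_obj_t * obj);
void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
					gnutls_pin_callback_t fn,
					void *userdata);

/**
 * gnutls_pkcs11_obj_flags:
 * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN: Force login in the token for the operation (seek+store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED: object marked as trusted (seek+store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE: object is explicitly marked as sensitive -unexportable (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO: force login as a security officer in the token for the operation (seek+store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: marked as private -requires PIN to access (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: marked as not private (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY: When retrieving an object, do not set any requirements (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED: When retrieving an object, only retrieve the marked as trusted (alias to %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED).
 *   In gnutls_pkcs11_crt_is_known() it implies %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE if %GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is not given.
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED: When writing an object, mark it as distrusted (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED: When retrieving an object, only retrieve the marked as distrusted (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE: When checking an object's presence, fully compare it before returning any result (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY: When checking an object's presence, compare the key before returning any result (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE: The object must be present in a marked as trusted module (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Mark the object as a CA (seek+store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP: Mark the generated key pair as wrapping and unwrapping keys (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT: When an issuer is requested, override its extensions with the ones present in the trust module (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH: Mark the key pair as requiring authentication (pin entry) before every operation (seek+store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE: Mark the key pair as being extractable (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE: If set, the object was never marked as extractable (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_CRT: When searching, restrict to certificates only (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_PUBKEY: When searching, restrict to public key objects only (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY: When searching, restrict to private key objects only (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY: When generating a keypair don't store the public key (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE: object marked as not sensitive -exportable (store).
 *
 * Enumeration of different PKCS #11 object flags. Some flags are used
 * to mark objects when storing, while others are also used while seeking
 * or retrieving objects.
 *
 * Several values deliberately alias each other (RETRIEVE_TRUSTED/MARK_TRUSTED,
 * RETRIEVE_DISTRUSTED/MARK_DISTRUSTED, NO_STORE_PUBKEY/PUBKEY): the same bit
 * has a "seek" meaning and a "store" meaning depending on the call.
 */
typedef enum gnutls_pkcs11_obj_flags {
	GNUTLS_PKCS11_OBJ_FLAG_LOGIN = (1<<0),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED = (1<<1),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE = (1<<2),
	GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO = (1<<3),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE = (1<<4),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE = (1<<5),
	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY = (1<<6),
	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
	/* bit 7 is unassigned in this enum */
	GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED = (1<<8),
	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED,
	GNUTLS_PKCS11_OBJ_FLAG_COMPARE = (1<<9),
	GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE = (1<<10),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_CA = (1<<11),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP = (1<<12),
	GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY = (1<<13),
	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT = (1<<14),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH = (1<<15),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE = (1<<16),
	GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE = (1<<17),
	GNUTLS_PKCS11_OBJ_FLAG_CRT = (1<<18),
	/* Not in the gtk-doc list above; only used here through
	 * GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY. Presumably narrows a
	 * certificate search to certificates that have a private key on the
	 * token (seek) - confirm against the implementation. */
	GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY = (1<<19),
	GNUTLS_PKCS11_OBJ_FLAG_PUBKEY = (1<<20),
	GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY = GNUTLS_PKCS11_OBJ_FLAG_PUBKEY,
	GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21),
	GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE = (1<<22),
	/* flags 1<<29 and later are reserved - see pkcs11_int.h */
} gnutls_pkcs11_obj_flags;

/* Legacy name kept for source compatibility. */
#define gnutls_pkcs11_obj_attr_t gnutls_pkcs11_obj_flags

/**
 * gnutls_pkcs11_url_type_t:
 * @GNUTLS_PKCS11_URL_GENERIC: A generic-purpose URL.
 * @GNUTLS_PKCS11_URL_LIB: A URL that specifies the library used as well.
 * @GNUTLS_PKCS11_URL_LIB_VERSION: A URL that specifies the library and its version.
 *
 * Enumeration of different URL extraction flags.
 */
typedef enum {
	GNUTLS_PKCS11_URL_GENERIC,	/* URL specifies the object on token level */
	GNUTLS_PKCS11_URL_LIB,	/* URL specifies the object on module level */
	GNUTLS_PKCS11_URL_LIB_VERSION	/* URL specifies the object on module and version level */
} gnutls_pkcs11_url_type_t;

int gnutls_pkcs11_obj_import_url(gnutls_pkcs11_obj_t obj,
				 const char *url, unsigned int flags
				 /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
/* *url is allocated by the library; presumably released with gnutls_free() -
 * confirm with the function documentation. */
int gnutls_pkcs11_obj_export_url(gnutls_pkcs11_obj_t obj,
				 gnutls_pkcs11_url_type_t detailed,
				 char **url);
void gnutls_pkcs11_obj_deinit(gnutls_pkcs11_obj_t obj);

/* Export the object's raw contents into a caller buffer (export) or a
 * library-allocated datum (export2, export3 with an explicit format). */
int gnutls_pkcs11_obj_export(gnutls_pkcs11_obj_t obj,
			     void *output_data, size_t * output_data_size);
int gnutls_pkcs11_obj_export2(gnutls_pkcs11_obj_t obj,
			      gnutls_datum_t * out);

int gnutls_pkcs11_obj_export3(gnutls_pkcs11_obj_t obj, gnutls_x509_crt_fmt_t fmt,
			      gnutls_datum_t * out);

/* Issuer lookup in a token, by certificate, by issuer DN, or by subject key
 * identifier; flags are GNUTLS_PKCS11_OBJ_FLAG_* (seek semantics). */
int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
				 gnutls_datum_t * issuer,
				 gnutls_x509_crt_fmt_t fmt,
				 unsigned int flags);

int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url, const gnutls_datum_t *dn,
					gnutls_datum_t *issuer,
					gnutls_x509_crt_fmt_t fmt,
					unsigned int flags);

int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
						    const gnutls_datum_t *dn,
						    const gnutls_datum_t *spki,
						    gnutls_datum_t *issuer,
						    gnutls_x509_crt_fmt_t fmt,
						    unsigned int flags);

/* Trust-store style presence check; see the RETRIEVE_TRUSTED/COMPARE flags. */
unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t
				    cert,
				    unsigned int flags);

/* The prototypes below are never compiled; they exist so the documentation
 * generator sees the historical signatures. The callable forms are the
 * macros further down, which forward to the *2/*3 variants. */
#if 0
/* for documentation */
int gnutls_pkcs11_copy_x509_crt(const char *token_url,
				gnutls_x509_crt_t crt,
				const char *label, unsigned int flags
				/* GNUTLS_PKCS11_OBJ_FLAG_* */ );

int gnutls_pkcs11_copy_x509_privkey(const char *token_url,
				    gnutls_x509_privkey_t key,
				    const char *label,
				    unsigned int key_usage,
				    unsigned int flags);
int
gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
				unsigned int bits, const char *label,
				gnutls_x509_crt_fmt_t fmt,
				gnutls_datum_t * pubkey,
				unsigned int flags);
int
gnutls_pkcs11_privkey_generate(const char *url, gnutls_pk_algorithm_t pk,
			       unsigned int bits, const char *label,
			       unsigned int flags);
#endif

int
gnutls_pkcs11_copy_pubkey(const char *token_url,
			  gnutls_pubkey_t crt, const char *label,
			  const gnutls_datum_t *cid,
			  unsigned int key_usage, unsigned int flags);

/* Compatibility wrapper: stores without an explicit object ID. */
#define gnutls_pkcs11_copy_x509_crt(url, crt, label, flags) \
	gnutls_pkcs11_copy_x509_crt2(url, crt, label, NULL, flags)

int gnutls_pkcs11_copy_x509_crt2(const char *token_url,
				 gnutls_x509_crt_t crt,
				 const char *label,
				 const gnutls_datum_t *id,
				 unsigned int flags /* GNUTLS_PKCS11_OBJ_FLAG_* */);

/* Compatibility wrapper: stores without an explicit object ID. Storing a
 * private key is governed by the MARK_SENSITIVE/MARK_EXTRACTABLE/MARK_PRIVATE
 * flags above. */
#define gnutls_pkcs11_copy_x509_privkey(url, key, label, usage, flags) \
	gnutls_pkcs11_copy_x509_privkey2(url, key, label, NULL, usage, flags)
int gnutls_pkcs11_copy_x509_privkey2(const char *token_url,
				     gnutls_x509_privkey_t key,
				     const char *label,
				     const gnutls_datum_t *cid,
				     unsigned int key_usage
				     /*GNUTLS_KEY_* */ ,
				     unsigned int flags
				     /* GNUTLS_PKCS11_OBJ_FLAG_* */
    );

int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags
			     /* GNUTLS_PKCS11_OBJ_FLAG_* */ );

int gnutls_pkcs11_copy_secret_key(const char *token_url,
				  gnutls_datum_t * key,
				  const char *label, unsigned int key_usage
				  /* GNUTLS_KEY_* */ ,
				  unsigned int flags
				  /* GNUTLS_PKCS11_OBJ_FLAG_* */ );

/**
 * gnutls_pkcs11_obj_info_t:
 * @GNUTLS_PKCS11_OBJ_ID_HEX: The object ID in hex. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_LABEL: The object label. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_TOKEN_LABEL: The token's label. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_TOKEN_SERIAL: The token's serial number. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_TOKEN_MANUFACTURER: The token's manufacturer. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_TOKEN_MODEL: The token's model. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_ID: The object ID. Raw bytes.
 * @GNUTLS_PKCS11_OBJ_LIBRARY_VERSION: The library's version. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_LIBRARY_DESCRIPTION: The library's description. Null-terminated text.
 * @GNUTLS_PKCS11_OBJ_LIBRARY_MANUFACTURER: The library's manufacturer name. Null-terminated text.
 *
 * Enumeration of several object information types.
 */
typedef enum {
	GNUTLS_PKCS11_OBJ_ID_HEX = 1,
	GNUTLS_PKCS11_OBJ_LABEL,
	GNUTLS_PKCS11_OBJ_TOKEN_LABEL,
	GNUTLS_PKCS11_OBJ_TOKEN_SERIAL,
	GNUTLS_PKCS11_OBJ_TOKEN_MANUFACTURER,
	GNUTLS_PKCS11_OBJ_TOKEN_MODEL,
	GNUTLS_PKCS11_OBJ_ID,
	/* the pkcs11 provider library info */
	GNUTLS_PKCS11_OBJ_LIBRARY_VERSION,
	GNUTLS_PKCS11_OBJ_LIBRARY_DESCRIPTION,
	GNUTLS_PKCS11_OBJ_LIBRARY_MANUFACTURER
} gnutls_pkcs11_obj_info_t;

/* Exposes the underlying PKCS #11 handles (function list pointer, session,
 * object handle, slot) for callers that need to talk to the module directly. */
int
gnutls_pkcs11_obj_get_ptr(gnutls_pkcs11_obj_t obj, void **ptr,
			  void **session, void **ohandle,
			  unsigned long *slot_id,
			  unsigned int flags);

/* GNUTLS_PKCS11_OBJ_ID yields raw bytes, every other itype a NUL-terminated
 * string (see gnutls_pkcs11_obj_info_t). */
int gnutls_pkcs11_obj_get_info(gnutls_pkcs11_obj_t obj,
			       gnutls_pkcs11_obj_info_t itype,
			       void *output, size_t * output_size);
int gnutls_pkcs11_obj_set_info(gnutls_pkcs11_obj_t obj,
			       gnutls_pkcs11_obj_info_t itype,
			       const void *data, size_t data_size,
			       unsigned flags);

/* Legacy "attr" selectors, expressed in terms of gnutls_pkcs11_obj_flags. */
#define GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL GNUTLS_PKCS11_OBJ_FLAG_CRT
#define GNUTLS_PKCS11_OBJ_ATTR_MATCH 0	/* always match the given URL */
#define GNUTLS_PKCS11_OBJ_ATTR_ALL 0	/* match everything! */
#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
#define GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY)
#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
#define GNUTLS_PKCS11_OBJ_ATTR_PUBKEY GNUTLS_PKCS11_OBJ_FLAG_PUBKEY
#define GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY

/**
 * gnutls_pkcs11_token_info_t:
 * @GNUTLS_PKCS11_TOKEN_LABEL: The token's label (string)
 * @GNUTLS_PKCS11_TOKEN_SERIAL: The token's serial number (string)
 * @GNUTLS_PKCS11_TOKEN_MANUFACTURER: The token's manufacturer (string)
 * @GNUTLS_PKCS11_TOKEN_MODEL: The token's model (string)
 * @GNUTLS_PKCS11_TOKEN_MODNAME: The token's module name (string - since 3.4.3). This value is
 *                               unavailable for providers which were manually loaded.
 *
 * Enumeration of types for retrieving token information.
 */
typedef enum {
	GNUTLS_PKCS11_TOKEN_LABEL,
	GNUTLS_PKCS11_TOKEN_SERIAL,
	GNUTLS_PKCS11_TOKEN_MANUFACTURER,
	GNUTLS_PKCS11_TOKEN_MODEL,
	GNUTLS_PKCS11_TOKEN_MODNAME
} gnutls_pkcs11_token_info_t;

/**
 * gnutls_pkcs11_obj_type_t:
 * @GNUTLS_PKCS11_OBJ_UNKNOWN: Unknown PKCS11 object.
 * @GNUTLS_PKCS11_OBJ_X509_CRT: X.509 certificate.
 * @GNUTLS_PKCS11_OBJ_PUBKEY: Public key.
 * @GNUTLS_PKCS11_OBJ_PRIVKEY: Private key.
 * @GNUTLS_PKCS11_OBJ_SECRET_KEY: Secret key.
 * @GNUTLS_PKCS11_OBJ_DATA: Data object.
 * @GNUTLS_PKCS11_OBJ_X509_CRT_EXTENSION: X.509 certificate extension (supported by p11-kit trust module only).
 *
 * Enumeration of object types.
 */
typedef enum {
	GNUTLS_PKCS11_OBJ_UNKNOWN,
	GNUTLS_PKCS11_OBJ_X509_CRT,
	GNUTLS_PKCS11_OBJ_PUBKEY,
	GNUTLS_PKCS11_OBJ_PRIVKEY,
	GNUTLS_PKCS11_OBJ_SECRET_KEY,
	GNUTLS_PKCS11_OBJ_DATA,
	GNUTLS_PKCS11_OBJ_X509_CRT_EXTENSION
} gnutls_pkcs11_obj_type_t;

/* Token (re)initialization with the security officer PIN. */
int
gnutls_pkcs11_token_init(const char *token_url,
			 const char *so_pin, const char *label);

int
gnutls_pkcs11_token_get_ptr(const char *url, void **ptr, unsigned long *slot_id,
			    unsigned int flags);

/* Enumerate (by index) and test the mechanisms a token advertises. */
int
gnutls_pkcs11_token_get_mechanism(const char *url,
				  unsigned int idx,
				  unsigned long *mechanism);

unsigned
gnutls_pkcs11_token_check_mechanism(const char *url,
				    unsigned long mechanism,
				    void *ptr, unsigned psize, unsigned flags);

/* Both PIN strings are caller-owned; this header does not say whether the
 * library wipes its own copies, so callers should clear theirs after use. */
int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin, const char *newpin, unsigned int flags /*gnutls_pin_flag_t */);

/* Enumerate tokens by sequence number until a negative error is returned. */
int gnutls_pkcs11_token_get_url(unsigned int seq,
				gnutls_pkcs11_url_type_t detailed,
				char **url);
int gnutls_pkcs11_token_get_info(const char *url,
				 gnutls_pkcs11_token_info_t ttype,
				 void *output, size_t * output_size);

/* Token flags returned by gnutls_pkcs11_token_get_flags(); the trailing
 * comments name the PKCS #11 CKF_* flag each one mirrors. The PIN_COUNT_LOW,
 * FINAL_TRY and LOCKED bits are worth surfacing to users before a retry
 * consumes the last attempt. */
#define GNUTLS_PKCS11_TOKEN_HW 1
#define GNUTLS_PKCS11_TOKEN_TRUSTED (1<<1)	/* p11-kit trusted */
#define GNUTLS_PKCS11_TOKEN_RNG (1<<2)	/* CKF_RNG */
#define GNUTLS_PKCS11_TOKEN_LOGIN_REQUIRED (1<<3)	/* CKF_LOGIN_REQUIRED */
#define GNUTLS_PKCS11_TOKEN_PROTECTED_AUTHENTICATION_PATH (1<<4)	/* CKF_PROTECTED_AUTHENTICATION_PATH */
#define GNUTLS_PKCS11_TOKEN_INITIALIZED (1<<5)	/* CKF_TOKEN_INITIALIZED */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_COUNT_LOW (1<<6)	/* CKF_USER_PIN_COUNT_LOW */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_FINAL_TRY (1<<7)	/* CKF_USER_PIN_FINAL_TRY */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_LOCKED (1<<8)	/* CKF_USER_PIN_LOCKED */
#define GNUTLS_PKCS11_TOKEN_SO_PIN_COUNT_LOW (1<<9)	/* CKF_SO_PIN_COUNT_LOW */
#define GNUTLS_PKCS11_TOKEN_SO_PIN_FINAL_TRY (1<<10)	/* CKF_SO_PIN_FINAL_TRY */
#define GNUTLS_PKCS11_TOKEN_SO_PIN_LOCKED (1<<11)	/* CKF_SO_PIN_LOCKED */
#define GNUTLS_PKCS11_TOKEN_USER_PIN_INITIALIZED (1<<12)	/* CKF_USER_PIN_INITIALIZED */
#define GNUTLS_PKCS11_TOKEN_ERROR_STATE (1<<13)	/* CKF_ERROR_STATE */

int gnutls_pkcs11_token_get_flags(const char *url, unsigned int *flags);

/* Compatibility wrappers merging the old separate attrs/flags arguments.
 * The OR operands are parenthesized so that a caller passing an expression
 * such as a conditional for either argument still gets the intended bitmask. */
#define gnutls_pkcs11_obj_list_import_url(p_list, n_list, url, attrs, flags) \
	gnutls_pkcs11_obj_list_import_url3(p_list, n_list, url, ((attrs)|(flags)))
#define gnutls_pkcs11_obj_list_import_url2(p_list, n_list, url, attrs, flags) \
	gnutls_pkcs11_obj_list_import_url4(p_list, n_list, url, ((attrs)|(flags)))

/* url3 fills a caller-provided array of at most *n_list objects; url4
 * allocates the array itself (hence the double pointer). */
int gnutls_pkcs11_obj_list_import_url3(gnutls_pkcs11_obj_t * p_list,
				       unsigned int *const n_list,
				       const char *url,
				       unsigned int flags
				       /* GNUTLS_PKCS11_OBJ_FLAG_* */
    );

int
gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
				   unsigned int *n_list,
				   const char *url,
				   unsigned int flags
				   /* GNUTLS_PKCS11_OBJ_FLAG_* */
    );

int gnutls_x509_crt_import_pkcs11(gnutls_x509_crt_t crt,
				  gnutls_pkcs11_obj_t pkcs11_crt);

gnutls_pkcs11_obj_type_t
gnutls_pkcs11_obj_get_type(gnutls_pkcs11_obj_t obj);
const char *gnutls_pkcs11_type_get_name(gnutls_pkcs11_obj_type_t type);

int
gnutls_pkcs11_obj_get_exts(gnutls_pkcs11_obj_t obj,
			   struct gnutls_x509_ext_st **exts, unsigned int *exts_size,
			   unsigned int flags);

int
gnutls_pkcs11_obj_get_flags(gnutls_pkcs11_obj_t obj, unsigned int *oflags);
/* Returns an allocated string; presumably released with gnutls_free() -
 * confirm with the function documentation. */
char *gnutls_pkcs11_obj_flags_get_str(unsigned int flags);

int gnutls_x509_crt_list_import_pkcs11(gnutls_x509_crt_t * certs,
				       unsigned int cert_max,
				       gnutls_pkcs11_obj_t *
				       const objs, unsigned int flags
				       /* must be zero */ );

/* private key functions...*/
int gnutls_pkcs11_privkey_init(gnutls_pkcs11_privkey_t * key);

int
gnutls_pkcs11_privkey_cpy(gnutls_pkcs11_privkey_t dst,
			  gnutls_pkcs11_privkey_t src);

void gnutls_pkcs11_privkey_set_pin_function(gnutls_pkcs11_privkey_t
					    key,
					    gnutls_pin_callback_t
					    fn, void *userdata);
void gnutls_pkcs11_privkey_deinit(gnutls_pkcs11_privkey_t key);
int gnutls_pkcs11_privkey_get_pk_algorithm(gnutls_pkcs11_privkey_t
					   key, unsigned int *bits);
int gnutls_pkcs11_privkey_get_info(gnutls_pkcs11_privkey_t pkey,
				   gnutls_pkcs11_obj_info_t itype,
				   void *output, size_t * output_size);

int gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
				     const char *url, unsigned int flags);

int gnutls_pkcs11_privkey_export_url(gnutls_pkcs11_privkey_t key,
				     gnutls_pkcs11_url_type_t
				     detailed, char **url);
unsigned gnutls_pkcs11_privkey_status(gnutls_pkcs11_privkey_t key);

/* Compatibility wrappers over generate3: no object ID, no key usage; the
 * two-argument form also requests no public key output. */
#define gnutls_pkcs11_privkey_generate(url, pk, bits, label, flags) \
	gnutls_pkcs11_privkey_generate3(url, pk, bits, label, NULL, 0, NULL, 0, flags)

#define gnutls_pkcs11_privkey_generate2(url, pk, bits, label, fmt, pubkey, flags) \
	gnutls_pkcs11_privkey_generate3(url, pk, bits, label, NULL, fmt, pubkey, 0, flags)

/* Generates a key pair on the token. Whether the private key can ever leave
 * the token is decided here by the MARK_SENSITIVE/MARK_EXTRACTABLE flags. */
int
gnutls_pkcs11_privkey_generate3(const char *url,
				gnutls_pk_algorithm_t pk,
				unsigned int bits,
				const char *label,
				const gnutls_datum_t *cid,
				gnutls_x509_crt_fmt_t fmt,
				gnutls_datum_t * pubkey,
				unsigned int key_usage,
				unsigned int flags);

int
gnutls_pkcs11_privkey_export_pubkey(gnutls_pkcs11_privkey_t pkey,
				    gnutls_x509_crt_fmt_t fmt,
				    gnutls_datum_t * pubkey,
				    unsigned int flags);

/* Fills data with len bytes from the token's RNG (see GNUTLS_PKCS11_TOKEN_RNG). */
int
gnutls_pkcs11_token_get_random(const char *token_url,
			       void *data, size_t len);

int
gnutls_pkcs11_copy_attached_extension(const char *token_url,
				      gnutls_x509_crt_t crt,
				      gnutls_datum_t *data,
				      const char *label,
				      unsigned int flags);

/* Legacy name for the generic URL importer declared in <gnutls/x509.h>. */
#define gnutls_x509_crt_import_pkcs11_url gnutls_x509_crt_import_url

/* *INDENT-OFF* */
#ifdef __cplusplus
}
#endif
/* *INDENT-ON* */
#endif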