1
2
3
4
5@deftypefun {int} {gnutls_certificate_set_rawpk_key_file} (gnutls_certificate_credentials_t @var{cred}, const char* @var{rawpkfile}, const char* @var{privkeyfile}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{pass}, unsigned int @var{key_usage}, const char ** @var{names}, unsigned int @var{names_length}, unsigned int @var{privkey_flags}, unsigned int @var{pkcs11_flags})
6@var{cred}: is a @code{gnutls_certificate_credentials_t}  type.
7
8@var{rawpkfile}: contains a raw public key in
9PKIX.SubjectPublicKeyInfo format.
10
11@var{privkeyfile}: contains a file path to a private key.
12
13@var{format}: encoding of the keys. DER or PEM.
14
15@var{pass}: an optional password to unlock the private key privkeyfile.
16
17@var{key_usage}: an ORed sequence of @code{GNUTLS_KEY_} * flags.
18
19@var{names}: is an array of DNS names belonging to the public-key (NULL if none).
20
21@var{names_length}: holds the length of the names list.
22
23@var{privkey_flags}: an ORed sequence of @code{gnutls_pkcs_encrypt_flags_t} .
24These apply to the private key pkey.
25
26@var{pkcs11_flags}: one of gnutls_pkcs11_obj_flags. These apply to URLs.
27
28This function sets a public/private keypair read from file in the
29@code{gnutls_certificate_credentials_t}  type to be used for authentication
30and/or encryption.  @code{spki} and  @code{privkey} should match otherwise set
31signatures cannot be validated. In case of no match this function
32returns @code{GNUTLS_E_CERTIFICATE_KEY_MISMATCH} . This function should
33be called once for the client because there is currently no mechanism
34to determine which raw public-key to select for the peer when there
35are multiple present. Multiple raw public keys for the server can be
36distinghuished by setting the  @code{names} .
37
38Note here that  @code{spki} is a raw public-key as defined
39in RFC7250. It means that there is no surrounding certificate that
40holds the public key and that there is therefore no direct mechanism
41to prove the authenticity of this key. The keypair can be used during
42a TLS handshake but its authenticity should be established via a
43different mechanism (e.g. TOFU or known fingerprint).
44
45The supported formats are basic unencrypted key, PKCS8, PKCS12,
46and the openssl format and will be autodetected.
47
48If the raw public-key and the private key are given in PEM encoding
49then the strings that hold their values must be null terminated.
50
51Key usage (as defined by X.509 extension (2.5.29.15)) can be explicitly
52set because there is no certificate structure around the key to define
53this value. See for more info @code{gnutls_x509_crt_get_key_usage()} .
54
55Note that, this function by default returns zero on success and a
56negative value on error. Since 3.5.6, when the flag @code{GNUTLS_CERTIFICATE_API_V2}
57is set using @code{gnutls_certificate_set_flags()}  it returns an index
58(greater or equal to zero). That index can be used in other functions
59to refer to the added key-pair.
60
61@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS}  (0) is returned, in case the
62key pair does not match @code{GNUTLS_E_CERTIFICATE_KEY_MISMATCH}  is returned,
63in other erroneous cases a different negative error code is returned.
64
65@strong{Since:} 3.6.6
66@end deftypefun
67