/**
 * gnutls_x509_privkey_export:
 * @key: Holds the key
 * @format: the format of output params. One of PEM or DER.
 * @output_data: will contain a private key PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will export the private key to a PKCS1 structure for
 * RSA keys, or an integer sequence for DSA keys.  The DSA keys are in
 * the same format with the parameters used by openssl.  EC keys are
 * exported with the PEM header given by %PEM_KEY_ECC.
 *
 * The exported key is not encrypted; use
 * gnutls_x509_privkey_export_pkcs8() when the key must be protected
 * with a password.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
 * will be returned.
 *
 * If the structure is PEM encoded, it will have a header
 * of "BEGIN RSA PRIVATE KEY".
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 **/
int
gnutls_x509_privkey_export (gnutls_x509_privkey_t key,
                            gnutls_x509_crt_fmt_t format, void *output_data,
                            size_t * output_data_size)
{
  /* Header label used for PEM output; keys of an unrecognised
   * algorithm fall through to the "UNKNOWN" label. */
  const char *pem_header = "UNKNOWN";

  if (key == NULL)
    {
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }

  switch (key->pk_algorithm)
    {
    case GNUTLS_PK_RSA:
      pem_header = PEM_KEY_RSA;
      break;
    case GNUTLS_PK_DSA:
      pem_header = PEM_KEY_DSA;
      break;
    case GNUTLS_PK_EC:
      pem_header = PEM_KEY_ECC;
      break;
    default:
      break;
    }

  return _gnutls_x509_export_int (key->key, format, pem_header,
                                  output_data, output_data_size);
}
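/**
 * gnutls_pkcs7_export:
 * @pkcs7: Holds the pkcs7 structure
 * @format: the format of output params. One of PEM or DER.
 * @output_data: will contain a structure PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will export the pkcs7 structure to DER or PEM format.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
 * will be returned.
 *
 * If the structure is PEM encoded, it will have a header
 * of "BEGIN PKCS7".
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 *   negative error value.  A %NULL @pkcs7 yields
 *   %GNUTLS_E_INVALID_REQUEST.
 **/
int
gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7,
                     gnutls_x509_crt_fmt_t format, void *output_data,
                     size_t * output_data_size)
{
  if (pkcs7 == NULL)
    {
      /* Log the rejected call like the other export functions do, so
       * a NULL structure is traceable in debug output. */
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }

  return _gnutls_x509_export_int (pkcs7->pkcs7, format, PEM_PKCS7,
                                  output_data, output_data_size);
}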
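/**
 * gnutls_x509_privkey_export - This function will export the private key
 * @key: Holds the key
 * @format: the format of output params. One of PEM or DER.
 * @output_data: will contain a private key PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will export the private key to a PKCS1 structure for
 * RSA keys, or an integer sequence for DSA keys. The DSA keys are in
 * the same format with the parameters used by openssl.
 *
 * Keys flagged as crippled (only the parameters are held) are encoded
 * into key->key on the fly before export; this is only possible for
 * RSA and DSA, any other algorithm fails with GNUTLS_E_INVALID_REQUEST.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
 * be returned.
 *
 * If the structure is PEM encoded, it will have a header
 * of "BEGIN RSA PRIVATE KEY".
 *
 * Return value: In case of failure a negative value will be
 *   returned, and 0 on success.
 *
 **/
int
gnutls_x509_privkey_export (gnutls_x509_privkey_t key,
                            gnutls_x509_crt_fmt_t format, void *output_data,
                            size_t * output_data_size)
{
  /* PEM headers are string literals, so the pointer must be const. */
  const char *msg = NULL;
  int ret = 0;

  if (key == NULL)
    {
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }

  /* A single dispatch on the algorithm both selects the PEM header and,
   * for a crippled key, re-encodes key->key from key->params. */
  switch (key->pk_algorithm)
    {
    case GNUTLS_PK_RSA:
      msg = PEM_KEY_RSA;
      if (key->crippled)
        ret = _encode_rsa (&key->key, key->params);
      break;
    case GNUTLS_PK_DSA:
      msg = PEM_KEY_DSA;
      if (key->crippled)
        ret = _encode_dsa (&key->key, key->params);
      break;
    default:
      /* No PEM header is known for this algorithm; an unknown crippled
       * key cannot be encoded at all. */
      if (key->crippled)
        {
          gnutls_assert ();
          return GNUTLS_E_INVALID_REQUEST;
        }
      break;
    }

  if (ret < 0)
    {
      gnutls_assert ();
      return ret;
    }

  return _gnutls_x509_export_int (key->key, format, msg,
                                  *output_data_size, output_data,
                                  output_data_size);
}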
/**
 * gnutls_pkcs12_export:
 * @pkcs12: A pkcs12 type
 * @format: the format of output params. One of PEM or DER.
 * @output_data: will contain a structure PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will export the pkcs12 structure to DER or PEM format.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *output_data_size will be updated and GNUTLS_E_SHORT_MEMORY_BUFFER
 * will be returned.
 *
 * If the structure is PEM encoded, it will have a header
 * of "BEGIN PKCS12".
 *
 * Returns: In case of failure a negative error code will be
 *   returned, and 0 on success.  A %NULL @pkcs12 is rejected with
 *   %GNUTLS_E_INVALID_REQUEST.
 **/
int
gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12,
		     gnutls_x509_crt_fmt_t format, void *output_data,
		     size_t * output_data_size)
{
	/* The generic exporter handles both encodings; only the PEM
	 * header label is specific to PKCS #12. */
	if (pkcs12 != NULL)
		return _gnutls_x509_export_int(pkcs12->pkcs12, format,
					       PEM_PKCS12, output_data,
					       output_data_size);

	gnutls_assert();
	return GNUTLS_E_INVALID_REQUEST;
}
/**
 * gnutls_x509_crl_export:
 * @crl: Holds the revocation list
 * @format: the format of output params. One of PEM or DER.
 * @output_data: will contain the revocation list PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will
 *   be replaced by the actual size of parameters)
 *
 * This function will export the revocation list to DER or PEM format.
 *
 * If the buffer provided is not long enough to hold the output, then
 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
 *
 * If the structure is PEM encoded, it will have a header
 * of "BEGIN X509 CRL".
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 **/
int
gnutls_x509_crl_export(gnutls_x509_crl_t crl,
		       gnutls_x509_crt_fmt_t format, void *output_data,
		       size_t * output_data_size)
{
	const char *pem_header = PEM_CRL;

	if (!crl) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* Delegate the actual DER/PEM serialisation of crl->crl. */
	return _gnutls_x509_export_int(crl->crl, format, pem_header,
				       output_data, output_data_size);
}
/**
 * gnutls_x509_privkey_export:
 * @key: Holds the key
 * @format: the format of output params. One of PEM or DER.
 * @output_data: will contain a private key PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will export the private key to a PKCS1 structure for
 * RSA keys, or an integer sequence for DSA keys.  The DSA keys are in
 * the same format with the parameters used by openssl.  The PEM header
 * is chosen by set_msg() from the key's algorithm.
 *
 * The exported key is not encrypted; use
 * gnutls_x509_privkey_export_pkcs8() when a password-protected
 * structure is required.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
 * will be returned.
 *
 * If the structure is PEM encoded, it will have a header
 * of "BEGIN RSA PRIVATE KEY".
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 **/
int
gnutls_x509_privkey_export(gnutls_x509_privkey_t key,
			   gnutls_x509_crt_fmt_t format, void *output_data,
			   size_t * output_data_size)
{
	if (!key) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* set_msg() maps key->pk_algorithm to its PEM header label. */
	return _gnutls_x509_export_int(key->key, format, set_msg(key),
				       output_data, output_data_size);
}
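/**
 * gnutls_x509_privkey_export_pkcs8:
 * @key: Holds the key
 * @format: the format of output params. One of PEM or DER.
 * @password: the password that will be used to encrypt the key.
 * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t
 * @output_data: will contain a private key PEM or DER encoded
 * @output_data_size: holds the size of output_data (and will be
 *   replaced by the actual size of parameters)
 *
 * This function will export the private key to a PKCS8 structure.
 * Both RSA and DSA keys can be exported. For DSA keys we use
 * PKCS #11 definitions. If the flags do not specify the encryption
 * cipher, then the default 3DES (PBES2) will be used.
 *
 * The @password can be either ASCII or UTF-8 in the default PBES2
 * encryption schemas, or ASCII for the PKCS12 schemas.
 *
 * Note that the key is written UNENCRYPTED when @password is %NULL or
 * %GNUTLS_PKCS_PLAIN is set in @flags, unless %GNUTLS_PKCS_NULL_PASSWORD
 * is also given; callers that intend encryption must pass a password.
 *
 * If the buffer provided is not long enough to hold the output, then
 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
 * be returned.
 *
 * If the structure is PEM encoded, it will have a header
 * of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if
 * encryption is not used.
 *
 * Returns: In case of failure a negative error code will be
 *   returned, and 0 on success.
 **/
int
gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key,
				 gnutls_x509_crt_fmt_t format,
				 const char *password,
				 unsigned int flags,
				 void *output_data,
				 size_t * output_data_size)
{
	ASN1_TYPE pkcs8_asn = NULL, pkey_info = NULL;
	int ret;
	gnutls_datum_t tmp = {NULL, 0};
	schema_id schema;

	if (key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* Get the private key info.  tmp holds its DER encoding, i.e. the
	 * plaintext private key, so every path must release it with the
	 * key-aware free that wipes the buffer, not the plain one. */
	ret = encode_to_private_key_info(key, &tmp, &pkey_info);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	schema = _gnutls_pkcs_flags_to_schema(flags);

	if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL)
	    && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) {
		/* Unencrypted PrivateKeyInfo: the ASN.1 structure itself is
		 * exported, so the DER copy is not needed -- wipe it. */
		_gnutls_free_key_datum(&tmp);

		ret = _gnutls_x509_export_int(pkey_info, format,
					      PEM_UNENCRYPTED_PKCS8,
					      output_data, output_data_size);

		asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE);
	} else {
		/* Encrypted path: only the DER encoding is consumed from here
		 * on, so the ASN.1 structure can go immediately. */
		asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE);

		ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn);
		_gnutls_free_key_datum(&tmp);

		if (ret < 0) {
			gnutls_assert();
			return ret;
		}

		ret = _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8,
					      output_data, output_data_size);

		asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE);
	}

	return ret;
}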