static CURLcode pkp_pin_peer_pubkey(struct SessionHandle *data,
gnutls_x509_crt_t cert,
const char *pinnedpubkey)
{
/* Scratch */
size_t len1 = 0, len2 = 0;
unsigned char *buff1 = NULL;
gnutls_pubkey_t key = NULL;
/* Result is returned to caller */
int ret = 0;
CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
/* if a path wasn't specified, don't pin */
if(NULL == pinnedpubkey)
return CURLE_OK;
if(NULL == cert)
return result;
do {
/* Begin Gyrations to get the public key */
gnutls_pubkey_init(&key);
ret = gnutls_pubkey_import_x509(key, cert, 0);
if(ret < 0)
break; /* failed */
ret = gnutls_pubkey_export(key, GNUTLS_X509_FMT_DER, NULL, &len1);
if(ret != GNUTLS_E_SHORT_MEMORY_BUFFER || len1 == 0)
break; /* failed */
buff1 = malloc(len1);
if(NULL == buff1)
break; /* failed */
len2 = len1;
ret = gnutls_pubkey_export(key, GNUTLS_X509_FMT_DER, buff1, &len2);
if(ret < 0 || len1 != len2)
break; /* failed */
/* End Gyrations */
/* The one good exit point */
result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
} while(0);
if(NULL != key)
gnutls_pubkey_deinit(key);
Curl_safefree(buff1);
return result;
}
static
int dcrypt_gnutls_store_public_key(struct dcrypt_public_key *key, buffer_t *destination, const char **error_r)
{
gnutls_pubkey_t pub = (gnutls_pubkey_t)key;
size_t outl = 0;
gnutls_pubkey_export(pub, GNUTLS_X509_FMT_PEM, NULL, &outl);
char buffer[outl];
gnutls_pubkey_export(pub, GNUTLS_X509_FMT_PEM, buffer, &outl);
buffer_append(destination, buffer, outl);
return 0;
}
void _pubkey_info(FILE * outfile,
gnutls_certificate_print_formats_t format,
gnutls_pubkey_t pubkey)
{
gnutls_datum_t data;
int ret;
size_t size;
ret = gnutls_pubkey_print(pubkey, format, &data);
if (ret < 0) {
fprintf(stderr, "pubkey_print error: %s\n",
gnutls_strerror(ret));
exit(1);
}
fprintf(outfile, "%s\n", data.data);
gnutls_free(data.data);
size = buffer_size;
ret =
gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_PEM, buffer,
&size);
if (ret < 0) {
fprintf(stderr, "export error: %s\n", gnutls_strerror(ret));
exit(1);
}
fprintf(outfile, "\n%s\n", buffer);
}
void
PublicKey::pack(Blob& b) const
{
std::vector<uint8_t> tmp(2048);
size_t sz = tmp.size();
int err = gnutls_pubkey_export(pk, GNUTLS_X509_FMT_DER, tmp.data(), &sz);
if (err != GNUTLS_E_SUCCESS)
throw CryptoException(std::string("Could not export public key: ") + gnutls_strerror(err));
tmp.resize(sz);
serialize<Blob>(tmp, b);
}
static void dane_info(const char *host, const char *proto,
unsigned int port, unsigned int ca,
unsigned int domain, common_info_st * cinfo)
{
gnutls_pubkey_t pubkey;
gnutls_x509_crt_t crt;
unsigned char digest[64];
gnutls_datum_t t;
int ret;
unsigned int usage, selector, type;
size_t size;
if (proto == NULL)
proto = "tcp";
if (port == 0)
port = 443;
crt = load_cert(0, cinfo);
if (crt != NULL && HAVE_OPT(X509)) {
selector = 0; /* X.509 */
size = lbuffer_size;
ret =
gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER,
lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "export error: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt);
} else { /* use public key only */
selector = 1;
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
fprintf(stderr, "pubkey_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (crt != NULL) {
ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
if (ret < 0) {
fprintf(stderr, "pubkey_import_x509: %s\n",
gnutls_strerror(ret));
exit(1);
}
size = lbuffer_size;
ret =
gnutls_pubkey_export(pubkey,
GNUTLS_X509_FMT_DER,
lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "pubkey_export: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt);
} else {
pubkey = load_pubkey(1, cinfo);
size = lbuffer_size;
ret =
gnutls_pubkey_export(pubkey,
GNUTLS_X509_FMT_DER,
lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "export error: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
gnutls_pubkey_deinit(pubkey);
}
if (default_dig != GNUTLS_DIG_SHA256
&& default_dig != GNUTLS_DIG_SHA512) {
if (default_dig != GNUTLS_DIG_UNKNOWN)
fprintf(stderr,
"Unsupported digest. Assuming SHA256.\n");
default_dig = GNUTLS_DIG_SHA256;
}
ret = gnutls_hash_fast(default_dig, lbuffer, size, digest);
if (ret < 0) {
fprintf(stderr, "hash error: %s\n", gnutls_strerror(ret));
exit(1);
}
if (default_dig == GNUTLS_DIG_SHA256)
type = 1;
else
type = 2;
/* DANE certificate classification crap */
if (domain == 0) {
if (ca)
usage = 0;
else
usage = 1;
} else {
if (ca)
usage = 2;
else
usage = 3;
}
t.data = digest;
t.size = gnutls_hash_get_len(default_dig);
size = lbuffer_size;
ret = gnutls_hex_encode(&t, (void *) lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "hex encode error: %s\n",
gnutls_strerror(ret));
exit(1);
}
fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n",
port, proto, host, usage, selector, type, lbuffer);
}
/**
* gnutls_tpm_privkey_generate:
* @pk: the public key algorithm
* @bits: the security bits
* @srk_password: a password to protect the exported key (optional)
* @key_password: the password for the TPM (optional)
* @format: the format of the private key
* @pub_format: the format of the public key
* @privkey: the generated key
* @pubkey: the corresponding public key (may be null)
* @flags: should be a list of GNUTLS_TPM_* flags
*
* This function will generate a private key in the TPM
* chip. The private key will be generated within the chip
* and will be exported in a wrapped with TPM's master key
* form. Furthermore the wrapped key can be protected with
* the provided @password.
*
* Note that bits in TPM is quantized value. If the input value
* is not one of the allowed values, then it will be quantized to
* one of 512, 1024, 2048, 4096, 8192 and 16384.
*
* Allowed flags are:
*
* %GNUTLS_TPM_KEY_SIGNING: Generate a signing key instead of a legacy,
* %GNUTLS_TPM_REGISTER_KEY: Register the generate key in TPM. In that
* case @privkey would contain a URL with the UUID.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.1.0
**/
int
gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
const char *srk_password,
const char *key_password,
gnutls_tpmkey_fmt_t format,
gnutls_x509_crt_fmt_t pub_format,
gnutls_datum_t * privkey,
gnutls_datum_t * pubkey, unsigned int flags)
{
TSS_FLAG tpm_flags = TSS_KEY_VOLATILE;
TSS_HKEY key_ctx;
TSS_RESULT tssret;
int ret;
void *tdata;
UINT32 tint;
gnutls_datum_t tmpkey = { NULL, 0 };
TSS_HPOLICY key_policy;
gnutls_pubkey_t pub;
struct tpm_ctx_st s;
TSS_FLAG storage_type;
TSS_HTPM htpm;
uint8_t buf[32];
if (flags & GNUTLS_TPM_KEY_SIGNING)
tpm_flags |= TSS_KEY_TYPE_SIGNING;
else
tpm_flags |= TSS_KEY_TYPE_LEGACY;
if (flags & GNUTLS_TPM_KEY_USER)
storage_type = TSS_PS_TYPE_USER;
else
storage_type = TSS_PS_TYPE_SYSTEM;
if (bits <= 512)
tpm_flags |= TSS_KEY_SIZE_512;
else if (bits <= 1024)
tpm_flags |= TSS_KEY_SIZE_1024;
else if (bits <= 2048)
tpm_flags |= TSS_KEY_SIZE_2048;
else if (bits <= 4096)
tpm_flags |= TSS_KEY_SIZE_4096;
else if (bits <= 8192)
tpm_flags |= TSS_KEY_SIZE_8192;
else
tpm_flags |= TSS_KEY_SIZE_16384;
ret = tpm_open_session(&s, srk_password);
if (ret < 0)
return gnutls_assert_val(ret);
/* put some randomness into TPM.
* Let's not trust it completely.
*/
tssret = Tspi_Context_GetTpmObject(s.tpm_ctx, &htpm);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_cc;
}
ret = _gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf));
if (ret < 0) {
gnutls_assert();
goto err_cc;
}
tssret = Tspi_TPM_StirRandom(htpm, sizeof(buf), buf);
if (tssret) {
gnutls_assert();
}
tssret =
Tspi_Context_CreateObject(s.tpm_ctx, TSS_OBJECT_TYPE_RSAKEY,
tpm_flags, &key_ctx);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_cc;
}
tssret =
Tspi_SetAttribUint32(key_ctx, TSS_TSPATTRIB_KEY_INFO,
TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
TSS_SS_RSASSAPKCS1V15_DER);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_sa;
}
/* set the password of the actual key */
if (key_password) {
tssret =
Tspi_GetPolicyObject(key_ctx, TSS_POLICY_USAGE,
&key_policy);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_sa;
}
tssret = myTspi_Policy_SetSecret(key_policy,
SAFE_LEN(key_password),
(void *) key_password);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_sa;
}
}
tssret = Tspi_Key_CreateKey(key_ctx, s.srk, 0);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_sa;
}
if (flags & GNUTLS_TPM_REGISTER_KEY) {
TSS_UUID key_uuid;
ret = randomize_uuid(&key_uuid);
if (ret < 0) {
gnutls_assert();
goto err_sa;
}
tssret =
Tspi_Context_RegisterKey(s.tpm_ctx, key_ctx,
storage_type, key_uuid,
TSS_PS_TYPE_SYSTEM, srk_uuid);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_sa;
}
ret =
encode_tpmkey_url((char **) &privkey->data, &key_uuid,
storage_type);
if (ret < 0) {
TSS_HKEY tkey;
Tspi_Context_UnregisterKey(s.tpm_ctx, storage_type,
key_uuid, &tkey);
gnutls_assert();
goto err_sa;
}
privkey->size = strlen((char *) privkey->data);
} else { /* get the key as blob */
tssret =
Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_KEY_BLOB,
TSS_TSPATTRIB_KEYBLOB_BLOB, &tint,
(void *) &tdata);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto err_sa;
}
if (format == GNUTLS_TPMKEY_FMT_CTK_PEM) {
ret =
_gnutls_x509_encode_string
(ASN1_ETYPE_OCTET_STRING, tdata, tint,
&tmpkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
_gnutls_fbase64_encode("TSS KEY BLOB",
tmpkey.data,
tmpkey.size, privkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
} else {
UINT32 tint2;
tmpkey.size = tint + 32; /* spec says no more than 20 */
tmpkey.data = gnutls_malloc(tmpkey.size);
if (tmpkey.data == NULL) {
gnutls_assert();
ret = GNUTLS_E_MEMORY_ERROR;
goto cleanup;
}
tint2 = tmpkey.size;
tssret =
Tspi_EncodeDER_TssBlob(tint, tdata,
TSS_BLOB_TYPE_PRIVATEKEY,
&tint2, tmpkey.data);
if (tssret != 0) {
gnutls_assert();
ret = tss_err(tssret);
goto cleanup;
}
tmpkey.size = tint2;
privkey->data = tmpkey.data;
privkey->size = tmpkey.size;
tmpkey.data = NULL;
}
}
/* read the public key */
if (pubkey != NULL) {
size_t psize;
ret = gnutls_pubkey_init(&pub);
if (ret < 0) {
gnutls_assert();
goto privkey_cleanup;
}
ret = read_pubkey(pub, key_ctx, &psize);
if (ret < 0) {
gnutls_assert();
goto privkey_cleanup;
}
psize += 512;
pubkey->data = gnutls_malloc(psize);
if (pubkey->data == NULL) {
gnutls_assert();
ret = GNUTLS_E_MEMORY_ERROR;
goto pubkey_cleanup;
}
ret =
gnutls_pubkey_export(pub, pub_format, pubkey->data,
&psize);
if (ret < 0) {
gnutls_assert();
goto pubkey_cleanup;
}
pubkey->size = psize;
gnutls_pubkey_deinit(pub);
}
ret = 0;
goto cleanup;
pubkey_cleanup:
gnutls_pubkey_deinit(pub);
privkey_cleanup:
gnutls_free(privkey->data);
privkey->data = NULL;
cleanup:
gnutls_free(tmpkey.data);
tmpkey.data = NULL;
err_sa:
Tspi_Context_CloseObject(s.tpm_ctx, key_ctx);
err_cc:
tpm_close_session(&s);
return ret;
}
static int pgp_crt_to_raw_pubkey(const gnutls_datum_t * cert, gnutls_datum_t *rpubkey)
{
#ifdef ENABLE_OPENPGP
gnutls_openpgp_crt_t crt = NULL;
gnutls_pubkey_t pubkey = NULL;
size_t size;
int ret;
ret = gnutls_openpgp_crt_init(&crt);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
ret = gnutls_openpgp_crt_import(crt, cert, GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_import_openpgp (pubkey, crt, 0);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
size = 0;
ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, NULL, &size);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
gnutls_assert();
goto cleanup;
}
rpubkey->data = gnutls_malloc(size);
if (rpubkey->data == NULL)
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
ret = GNUTLS_E_MEMORY_ERROR;
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, rpubkey->data, &size);
if (ret < 0)
{
gnutls_free(rpubkey->data);
gnutls_assert();
goto cleanup;
}
rpubkey->size = size;
ret = 0;
cleanup:
gnutls_openpgp_crt_deinit(crt);
gnutls_pubkey_deinit(pubkey);
return ret;
#else
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
#endif
}
static int x509_crt_to_raw_pubkey(const gnutls_datum_t * cert, gnutls_datum_t *rpubkey)
{
gnutls_x509_crt_t crt = NULL;
gnutls_pubkey_t pubkey = NULL;
size_t size;
int ret;
ret = gnutls_x509_crt_init(&crt);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
ret = gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
size = 0;
ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, NULL, &size);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
gnutls_assert();
goto cleanup;
}
rpubkey->data = gnutls_malloc(size);
if (rpubkey->data == NULL)
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
ret = GNUTLS_E_MEMORY_ERROR;
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, rpubkey->data, &size);
if (ret < 0)
{
gnutls_free(rpubkey->data);
gnutls_assert();
goto cleanup;
}
rpubkey->size = size;
ret = 0;
cleanup:
gnutls_x509_crt_deinit(crt);
gnutls_pubkey_deinit(pubkey);
return ret;
}
void Plugin::_loadCertificate()
{
QFile file(this->crtFile);
gnutls_datum_t datum;
size_t size = 2048;
QByteArray data;
gnutls_privkey_t privkey;
gnutls_pubkey_t pubkey;
gnutls_pubkey_t pubkeyCrt;
int error;
QMap<char *, QByteArray> oid;
gnutls_digest_algorithm_t digest;
if (!file.open(QIODevice::ReadWrite))
throw Properties("error", "Unable to open the certificate file").add("file", this->crtFile);
ASSERT_INIT(gnutls_x509_crt_init(&this->crt), "crt");
ASSERT(gnutls_privkey_init(&privkey));
ASSERT(gnutls_privkey_import_x509(privkey, this->key, 0));
ASSERT(gnutls_pubkey_init(&pubkey));
ASSERT(gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0));
// Verifies that the certificate is valid
if (file.size() > 0)
{
ASSERT(gnutls_pubkey_init(&pubkeyCrt));
data = file.readAll();
datum.size = data.size();
datum.data = (unsigned char *)data.data();
if (gnutls_x509_crt_import(this->crt, &datum, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
file.resize(0);
else if (gnutls_x509_crt_get_expiration_time(this->crt) < ::time(NULL) + CRT_EXPIRATION_REGEN)
file.resize(0);
else if (gnutls_pubkey_import_x509(pubkeyCrt, this->crt, 0) != GNUTLS_E_SUCCESS)
file.resize(0);
// Ensures that the public keys of the certificate and the private key match
size_t size1 = size, size2 = size;
QByteArray pub1((int)size1, 0), pub2((int)size2, 0);
if (gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_PEM, pub1.data(), &size1) != GNUTLS_E_SUCCESS
|| gnutls_pubkey_export(pubkeyCrt, GNUTLS_X509_FMT_PEM, pub2.data(), &size2) != GNUTLS_E_SUCCESS
|| size1 != size2 || pub1 != pub2)
file.resize(0);
gnutls_pubkey_deinit(pubkeyCrt);
}
// Generates a new certificate
if (file.size() == 0)
{
gnutls_x509_crt_deinit(this->crt);
this->init.removeAll("crt");
ASSERT_INIT(gnutls_x509_crt_init(&this->crt), "crt");
LOG_INFO("Generating a new certificate", "Plugin", "_generateCertificate");
oid.insert((char *)GNUTLS_OID_X520_COMMON_NAME, "LightBird");
oid.insert((char *)GNUTLS_OID_X520_ORGANIZATION_NAME, "LightBird");
QMapIterator<char *, QByteArray> it(oid);
while (it.hasNext())
ASSERT(gnutls_x509_crt_set_dn_by_oid(this->crt, it.key(), 0, it.value().data(), it.next().value().size()));
ASSERT(gnutls_x509_crt_set_pubkey(this->crt, pubkey));
data = this->_generateSerial();
ASSERT(gnutls_x509_crt_set_serial(this->crt, data.data(), data.size()));
ASSERT(gnutls_x509_crt_set_activation_time(this->crt, ::time(NULL)));
ASSERT(gnutls_x509_crt_set_expiration_time(this->crt, ::time(NULL) + CRT_EXPIRATION));
ASSERT(gnutls_x509_crt_set_basic_constraints(this->crt, 0, -1));
ASSERT(gnutls_x509_crt_set_key_purpose_oid(this->crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
ASSERT(gnutls_x509_crt_set_key_usage(this->crt, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT));
data.resize((int)size);
ASSERT(gnutls_x509_crt_get_key_id(this->crt, 0, (unsigned char *)data.data(), &size));
ASSERT(gnutls_x509_crt_set_subject_key_id(this->crt, (unsigned char *)data.data(), size));
ASSERT(gnutls_x509_crt_set_version(this->crt, 3));
ASSERT(gnutls_pubkey_get_preferred_hash_algorithm(pubkey, &digest, NULL));
ASSERT(gnutls_x509_crt_privkey_sign(this->crt, this->crt, privkey, digest, 0));
size = data.size();
ASSERT(gnutls_x509_crt_export(this->crt, GNUTLS_X509_FMT_PEM, data.data(), &size));
data.resize((int)size);
file.write(data);
}
gnutls_pubkey_deinit(pubkey);
gnutls_privkey_deinit(privkey);
}
void
pkcs11_export (FILE * outfile, const char *url, unsigned int login,
common_info_st * info)
{
gnutls_pkcs11_obj_t crt;
gnutls_x509_crt_t xcrt;
gnutls_pubkey_t pubkey;
int ret;
size_t size;
unsigned int obj_flags = 0;
if (login)
obj_flags = GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
pkcs11_common ();
if (url == NULL)
url = "pkcs11:";
ret = gnutls_pkcs11_obj_init (&crt);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_pkcs11_obj_import_url (crt, url, obj_flags);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
switch (gnutls_pkcs11_obj_get_type (crt))
{
case GNUTLS_PKCS11_OBJ_X509_CRT:
ret = gnutls_x509_crt_init (&xcrt);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_x509_crt_import_pkcs11 (xcrt, crt);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
size = buffer_size;
ret = gnutls_x509_crt_export (xcrt, GNUTLS_X509_FMT_PEM, buffer, &size);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
fwrite (buffer, 1, size, outfile);
gnutls_x509_crt_deinit (xcrt);
break;
case GNUTLS_PKCS11_OBJ_PUBKEY:
ret = gnutls_pubkey_init (&pubkey);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_pubkey_import_pkcs11 (pubkey, crt, 0);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
size = buffer_size;
ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_PEM, buffer, &size);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
fwrite (buffer, 1, size, outfile);
gnutls_pubkey_deinit (pubkey);
break;
default:
{
gnutls_datum_t data, enc;
size = buffer_size;
ret = gnutls_pkcs11_obj_export (crt, buffer, &size);
if (ret < 0)
{
break;
}
data.data = buffer;
data.size = size;
ret = gnutls_pem_base64_encode_alloc ("DATA", &data, &enc);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
fwrite (enc.data, 1, enc.size, outfile);
gnutls_free (enc.data);
break;
}
}
fputs ("\n\n", outfile);
gnutls_pkcs11_obj_deinit (crt);
return;
}
