/** * gnutls_x509_privkey_export2_pkcs8: * @key: Holds the key * @format: the format of output params. One of PEM or DER. * @password: the password that will be used to encrypt the key. * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t * @out: will contain a private key PEM or DER encoded * * This function will export the private key to a PKCS8 structure. * Both RSA and DSA keys can be exported. For DSA keys we use * PKCS #11 definitions. If the flags do not specify the encryption * cipher, then the default 3DES (PBES2) will be used. * * The @password can be either ASCII or UTF-8 in the default PBES2 * encryption schemas, or ASCII for the PKCS12 schemas. * * The output buffer is allocated using gnutls_malloc(). * * If the structure is PEM encoded, it will have a header * of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if * encryption is not used. * * Returns: In case of failure a negative error code will be * returned, and 0 on success. * * Since 3.1.3 **/ int gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key, gnutls_x509_crt_fmt_t format, const char *password, unsigned int flags, gnutls_datum_t * out) { ASN1_TYPE pkcs8_asn = NULL, pkey_info; int ret; gnutls_datum_t tmp = {NULL, 0}; schema_id schema; if (key == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } /* Get the private key info * tmp holds the DER encoding. */ ret = encode_to_private_key_info(key, &tmp, &pkey_info); if (ret < 0) { gnutls_assert(); return ret; } schema = _gnutls_pkcs_flags_to_schema(flags); if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL) && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) { _gnutls_free_key_datum(&tmp); ret = _gnutls_x509_export_int2(pkey_info, format, PEM_UNENCRYPTED_PKCS8, out); asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE); } else { asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE); /* we don't need it */ ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); _gnutls_free_key_datum(&tmp); if (ret < 0) { gnutls_assert(); return ret; } ret = _gnutls_x509_export_int2(pkcs8_asn, format, PEM_PKCS8, out); asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE); } return ret; }
/** * gnutls_pkcs7_export2: * @pkcs7: Holds the pkcs7 structure * @format: the format of output params. One of PEM or DER. * @out: will contain a structure PEM or DER encoded * * This function will export the pkcs7 structure to DER or PEM format. * * The output buffer is allocated using gnutls_malloc(). * * If the structure is PEM encoded, it will have a header * of "BEGIN PKCS7". * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. * * Since: 3.1.3 **/ int gnutls_pkcs7_export2(gnutls_pkcs7_t pkcs7, gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { if (pkcs7 == NULL) return GNUTLS_E_INVALID_REQUEST; return _gnutls_x509_export_int2(pkcs7->pkcs7, format, PEM_PKCS7, out); }
/** * gnutls_x509_crl_export2: * @crl: Holds the revocation list * @format: the format of output params. One of PEM or DER. * @out: will contain a private key PEM or DER encoded * * This function will export the revocation list to DER or PEM format. * * The output buffer is allocated using gnutls_malloc(). * * If the structure is PEM encoded, it will have a header * of "BEGIN X509 CRL". * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. and a negative error code on failure. * * Since 3.1.3 **/ int gnutls_x509_crl_export2(gnutls_x509_crl_t crl, gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { if (crl == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } return _gnutls_x509_export_int2(crl->crl, format, PEM_CRL, out); }
/** * gnutls_pkcs12_export2: * @pkcs12: A pkcs12 type * @format: the format of output params. One of PEM or DER. * @out: will contain a structure PEM or DER encoded * * This function will export the pkcs12 structure to DER or PEM format. * * The output buffer is allocated using gnutls_malloc(). * * If the structure is PEM encoded, it will have a header * of "BEGIN PKCS12". * * Returns: In case of failure a negative error code will be * returned, and 0 on success. * * Since: 3.1.3 **/ int gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12, gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { if (pkcs12 == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12, out); }
/** * gnutls_x509_privkey_export2: * @key: Holds the key * @format: the format of output params. One of PEM or DER. * @out: will contain a private key PEM or DER encoded * * This function will export the private key to a PKCS1 structure for * RSA keys, or an integer sequence for DSA keys. The DSA keys are in * the same format with the parameters used by openssl. * * The output buffer is allocated using gnutls_malloc(). * * If the structure is PEM encoded, it will have a header * of "BEGIN RSA PRIVATE KEY". * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. * * Since 3.1.3 **/ int gnutls_x509_privkey_export2(gnutls_x509_privkey_t key, gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { const char *msg; if (key == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } msg = set_msg(key); return _gnutls_x509_export_int2(key->key, format, msg, out); }
/* Encodes a private key to the raw format PKCS #8 needs. * For RSA it is a PKCS #1 DER private key and for DSA it is * an ASN.1 INTEGER of the x value. */ inline static int _encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw) { int ret; ASN1_TYPE spk = ASN1_TYPE_EMPTY; switch (pkey->params.algo) { case GNUTLS_PK_EDDSA_ED25519: /* we encode as octet string (which is going to be stored inside * another octet string). No comments. */ ret = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING, pkey->params.raw_priv.data, pkey->params.raw_priv.size, raw); if (ret < 0) gnutls_assert(); return ret; case GNUTLS_PK_GOST_01: case GNUTLS_PK_GOST_12_256: case GNUTLS_PK_GOST_12_512: if ((ret = asn1_create_element (_gnutls_get_gnutls_asn(), "GNUTLS.GOSTPrivateKey", &spk)) != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(ret); goto error; } ret = _gnutls_x509_write_key_int_le(spk, "", pkey->params.params[GOST_K]); if (ret < 0) { gnutls_assert(); goto error; } ret = _gnutls_x509_der_encode(spk, "", raw, 0); if (ret < 0) { gnutls_assert(); goto error; } asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE); break; case GNUTLS_PK_RSA: case GNUTLS_PK_RSA_PSS: case GNUTLS_PK_ECDSA: ret = _gnutls_x509_export_int2(pkey->key, GNUTLS_X509_FMT_DER, "", raw); if (ret < 0) { gnutls_assert(); goto error; } break; case GNUTLS_PK_DSA: /* DSAPublicKey == INTEGER */ if ((ret = asn1_create_element (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk)) != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(ret); } ret = _gnutls_x509_write_int(spk, "", pkey->params.params[4], 1); if (ret < 0) { gnutls_assert(); goto error; } ret = _gnutls_x509_der_encode(spk, "", raw, 0); if (ret < 0) { gnutls_assert(); goto error; } asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE); break; default: gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } return 0; error: asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE); asn1_delete_structure(&spk); return ret; }