/**
* gnutls_x509_privkey_export2_pkcs8:
* @key: Holds the key
* @format: the format of output params. One of PEM or DER.
* @password: the password that will be used to encrypt the key.
* @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t
* @out: will contain a private key PEM or DER encoded
*
* This function will export the private key to a PKCS8 structure.
* Both RSA and DSA keys can be exported. For DSA keys we use
* PKCS #11 definitions. If the flags do not specify the encryption
* cipher, then the default 3DES (PBES2) will be used.
*
* The @password can be either ASCII or UTF-8 in the default PBES2
* encryption schemas, or ASCII for the PKCS12 schemas.
*
* The output buffer is allocated using gnutls_malloc().
*
* If the structure is PEM encoded, it will have a header
* of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if
* encryption is not used.
*
* Returns: In case of failure a negative error code will be
* returned, and 0 on success.
*
* Since 3.1.3
**/
int
gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format,
const char *password,
unsigned int flags, gnutls_datum_t * out)
{
ASN1_TYPE pkcs8_asn = NULL, pkey_info;
int ret;
gnutls_datum_t tmp = {NULL, 0};
schema_id schema;
if (key == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
/* Get the private key info
* tmp holds the DER encoding.
*/
ret = encode_to_private_key_info(key, &tmp, &pkey_info);
if (ret < 0) {
gnutls_assert();
return ret;
}
schema = _gnutls_pkcs_flags_to_schema(flags);
if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL)
&& !(flags & GNUTLS_PKCS_NULL_PASSWORD)) {
_gnutls_free_key_datum(&tmp);
ret =
_gnutls_x509_export_int2(pkey_info, format,
PEM_UNENCRYPTED_PKCS8, out);
asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE);
} else {
asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE); /* we don't need it */
ret =
encode_to_pkcs8_key(schema, &tmp, password,
&pkcs8_asn);
_gnutls_free_key_datum(&tmp);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret =
_gnutls_x509_export_int2(pkcs8_asn, format, PEM_PKCS8,
out);
asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE);
}
return ret;
}
/**
* gnutls_pkcs7_export2:
* @pkcs7: Holds the pkcs7 structure
* @format: the format of output params. One of PEM or DER.
* @out: will contain a structure PEM or DER encoded
*
* This function will export the pkcs7 structure to DER or PEM format.
*
* The output buffer is allocated using gnutls_malloc().
*
* If the structure is PEM encoded, it will have a header
* of "BEGIN PKCS7".
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.1.3
**/
int
gnutls_pkcs7_export2(gnutls_pkcs7_t pkcs7,
gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
{
if (pkcs7 == NULL)
return GNUTLS_E_INVALID_REQUEST;
return _gnutls_x509_export_int2(pkcs7->pkcs7, format, PEM_PKCS7,
out);
}
/**
* gnutls_x509_crl_export2:
* @crl: Holds the revocation list
* @format: the format of output params. One of PEM or DER.
* @out: will contain a private key PEM or DER encoded
*
* This function will export the revocation list to DER or PEM format.
*
* The output buffer is allocated using gnutls_malloc().
*
* If the structure is PEM encoded, it will have a header
* of "BEGIN X509 CRL".
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value. and a negative error code on failure.
*
* Since 3.1.3
**/
int
gnutls_x509_crl_export2(gnutls_x509_crl_t crl,
gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
{
if (crl == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
return _gnutls_x509_export_int2(crl->crl, format, PEM_CRL, out);
}
/**
* gnutls_pkcs12_export2:
* @pkcs12: A pkcs12 type
* @format: the format of output params. One of PEM or DER.
* @out: will contain a structure PEM or DER encoded
*
* This function will export the pkcs12 structure to DER or PEM format.
*
* The output buffer is allocated using gnutls_malloc().
*
* If the structure is PEM encoded, it will have a header
* of "BEGIN PKCS12".
*
* Returns: In case of failure a negative error code will be
* returned, and 0 on success.
*
* Since: 3.1.3
**/
int
gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12,
gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
{
if (pkcs12 == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
out);
}
/**
* gnutls_x509_privkey_export2:
* @key: Holds the key
* @format: the format of output params. One of PEM or DER.
* @out: will contain a private key PEM or DER encoded
*
* This function will export the private key to a PKCS1 structure for
* RSA keys, or an integer sequence for DSA keys. The DSA keys are in
* the same format with the parameters used by openssl.
*
* The output buffer is allocated using gnutls_malloc().
*
* If the structure is PEM encoded, it will have a header
* of "BEGIN RSA PRIVATE KEY".
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since 3.1.3
**/
int
gnutls_x509_privkey_export2(gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format,
gnutls_datum_t * out)
{
const char *msg;
if (key == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
msg = set_msg(key);
return _gnutls_x509_export_int2(key->key, format, msg, out);
}
/* Encodes a private key to the raw format PKCS #8 needs.
* For RSA it is a PKCS #1 DER private key and for DSA it is
* an ASN.1 INTEGER of the x value.
*/
inline static int
_encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw)
{
int ret;
ASN1_TYPE spk = ASN1_TYPE_EMPTY;
switch (pkey->params.algo) {
case GNUTLS_PK_EDDSA_ED25519:
/* we encode as octet string (which is going to be stored inside
* another octet string). No comments. */
ret = _gnutls_x509_encode_string(ASN1_ETYPE_OCTET_STRING,
pkey->params.raw_priv.data, pkey->params.raw_priv.size,
raw);
if (ret < 0)
gnutls_assert();
return ret;
case GNUTLS_PK_GOST_01:
case GNUTLS_PK_GOST_12_256:
case GNUTLS_PK_GOST_12_512:
if ((ret = asn1_create_element
(_gnutls_get_gnutls_asn(), "GNUTLS.GOSTPrivateKey", &spk))
!= ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(ret);
goto error;
}
ret = _gnutls_x509_write_key_int_le(spk, "", pkey->params.params[GOST_K]);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret = _gnutls_x509_der_encode(spk, "", raw, 0);
if (ret < 0) {
gnutls_assert();
goto error;
}
asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE);
break;
case GNUTLS_PK_RSA:
case GNUTLS_PK_RSA_PSS:
case GNUTLS_PK_ECDSA:
ret =
_gnutls_x509_export_int2(pkey->key, GNUTLS_X509_FMT_DER,
"", raw);
if (ret < 0) {
gnutls_assert();
goto error;
}
break;
case GNUTLS_PK_DSA:
/* DSAPublicKey == INTEGER */
if ((ret = asn1_create_element
(_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey",
&spk))
!= ASN1_SUCCESS) {
gnutls_assert();
return _gnutls_asn2err(ret);
}
ret =
_gnutls_x509_write_int(spk, "", pkey->params.params[4],
1);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret = _gnutls_x509_der_encode(spk, "", raw, 0);
if (ret < 0) {
gnutls_assert();
goto error;
}
asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE);
break;
default:
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
return 0;
error:
asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE);
asn1_delete_structure(&spk);
return ret;
}
