1gnutls_certificate_set_rawpk_key_fileg(n3ug)tnlustls_certificate_set_rawpk_key_file(3)
2
3
4
6 gnutls_certificate_set_rawpk_key_file - API function
7
9 #include <gnutls/gnutls.h>
10
11 int gnutls_certificate_set_rawpk_key_file(gnutls_certificate_creden‐
12 tials_t cred, const char* rawpkfile, const char* privkeyfile,
13 gnutls_x509_crt_fmt_t format, const char * pass, unsigned int
14 key_usage, const char ** names, unsigned int names_length, unsigned int
15 privkey_flags, unsigned int pkcs11_flags);
16
18 gnutls_certificate_credentials_t cred
19 is a gnutls_certificate_credentials_t type.
20
21 const char* rawpkfile
22 contains a raw public key in PKIX.SubjectPublicKeyInfo for‐
23 mat.
24
25 const char* privkeyfile
26 contains a file path to a private key.
27
28 gnutls_x509_crt_fmt_t format
29 encoding of the keys. DER or PEM.
30
31 const char * pass
32 an optional password to unlock the private key privkeyfile.
33
34 unsigned int key_usage
35 an ORed sequence of GNUTLS_KEY_* flags.
36
37 const char ** names
38 is an array of DNS names belonging to the public-key (NULL
39 if none).
40
41 unsigned int names_length
42 holds the length of the names list.
43
44 unsigned int privkey_flags
45 an ORed sequence of gnutls_pkcs_encrypt_flags_t. These
46 apply to the private key pkey.
47
48 unsigned int pkcs11_flags
49 one of gnutls_pkcs11_obj_flags. These apply to URLs.
50
52 This function sets a public/private keypair read from file in the
53 gnutls_certificate_credentials_t type to be used for authentication
54 and/or encryption. spki and privkey should match otherwise set signa‐
55 tures cannot be validated. In case of no match this function returns
56 GNUTLS_E_CERTIFICATE_KEY_MISMATCH. This function should be called once
57 for the client because there is currently no mechanism to determine
58 which raw public-key to select for the peer when there are multiple
59 present. Multiple raw public keys for the server can be distinghuished
60 by setting the names .
61
62 Note here that spki is a raw public-key as defined in RFC7250. It
63 means that there is no surrounding certificate that holds the public
64 key and that there is therefore no direct mechanism to prove the
65 authenticity of this key. The keypair can be used during a TLS hand‐
66 shake but its authenticity should be established via a different mecha‐
67 nism (e.g. TOFU or known fingerprint).
68
69 The supported formats are basic unencrypted key, PKCS8, PKCS12, and the
70 openssl format and will be autodetected.
71
72 If the raw public-key and the private key are given in PEM encoding
73 then the strings that hold their values must be null terminated.
74
75 Key usage (as defined by X.509 extension (2.5.29.15)) can be explicitly
76 set because there is no certificate structure around the key to define
77 this value. See for more info gnutls_x509_crt_get_key_usage().
78
79 Note that, this function by default returns zero on success and a nega‐
80 tive value on error. Since 3.5.6, when the flag GNUTLS_CERTIFI‐
81 CATE_API_V2 is set using gnutls_certificate_set_flags() it returns an
82 index (greater or equal to zero). That index can be used in other func‐
83 tions to refer to the added key-pair.
84
86 On success, GNUTLS_E_SUCCESS (0) is returned, in case the key pair does
87 not match GNUTLS_E_CERTIFICATE_KEY_MISMATCH is returned, in other erro‐
88 neous cases a different negative error code is returned.
89
91 3.6.6
92
94 Report bugs to <bugs@gnutls.org>.
95 Home page: https://www.gnutls.org
96
97
99 Copyright © 2001-2019 Free Software Foundation, Inc., and others.
100 Copying and distribution of this file, with or without modification,
101 are permitted in any medium without royalty provided the copyright
102 notice and this notice are preserved.
103
105 The full documentation for gnutls is maintained as a Texinfo manual.
106 If the /usr/share/doc/gnutls/ directory does not contain the HTML form
107 visit
108
109 https://www.gnutls.org/manual/
110
111gnutls 3.g6n.u7tls_certificate_set_rawpk_key_file(3)