Next: , Previous: GnuTLS-extra functions, Up: Function reference


9.4 OpenPGP functions

The following functions are to be used for OpenPGP certificate handling. Their prototypes lie in gnutls/openpgp.h. You need to link with libgnutls-extra to be able to use these functions (see GnuTLS-extra functions).

gnutls_certificate_set_openpgp_key_file

— Function: int gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t res, const char * certfile, const char * keyfile)

res: the destination context to save the data.

certfile: the file that contains the public key.

keyfile: the file that contains the secret key.

This funtion is used to load OpenPGP keys into the GnuTLS credentials structure. It doesn't matter whether the keys are armored or but, but the files should only contain one key which should not be encrypted.

gnutls_certificate_set_openpgp_key_mem

— Function: int gnutls_certificate_set_openpgp_key_mem (gnutls_certificate_credentials_t res, const gnutls_datum_t * cert, const gnutls_datum_t * key)

res: the destination context to save the data.

cert: the datum that contains the public key.

key: the datum that contains the secret key.

This funtion is used to load OpenPGP keys into the GnuTLS credential structure. It doesn't matter whether the keys are armored or but, but the files should only contain one key which should not be encrypted.

gnutls_certificate_set_openpgp_keyring_file

— Function: int gnutls_certificate_set_openpgp_keyring_file (gnutls_certificate_credentials_t c, const char * file)

c: A certificate credentials structure

file: filename of the keyring.

The function is used to set keyrings that will be used internally by various OpenPGP functions. For example to find a key when it is needed for an operations. The keyring will also be used at the verification functions.

gnutls_certificate_set_openpgp_keyring_mem

— Function: int gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t c, const opaque * data, size_t dlen)

c: A certificate credentials structure

data: buffer with keyring data.

dlen: length of data buffer.

The function is used to set keyrings that will be used internally by various OpenPGP functions. For example to find a key when it is needed for an operations. The keyring will also be used at the verification functions.

gnutls_certificate_set_openpgp_keyserver

— Function: int gnutls_certificate_set_openpgp_keyserver (gnutls_certificate_credentials_t res, const char * keyserver, int port)

res: the destination context to save the data.

keyserver: is the key server address

port: is the key server port to connect to

This funtion will set a key server for use with openpgp keys. This key server will only be used if the peer sends a key fingerprint instead of a key in the handshake. Using a key server may delay the handshake process.

gnutls_certificate_set_openpgp_key

— Function: int gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t res, gnutls_openpgp_key_t key, gnutls_openpgp_privkey_t pkey)

res: is an gnutls_certificate_credentials_t structure.

key: contains an openpgp public key

pkey: is an openpgp private key

This function sets a certificate/private key pair in the gnutls_certificate_credentials_t structure. This function may be called more than once (in case multiple keys/certificates exist for the server).

gnutls_certificate_set_openpgp_trustdb

— Function: int gnutls_certificate_set_openpgp_trustdb (gnutls_certificate_credentials_t res, const char * trustdb)

res: the destination context to save the data.

trustdb: is the trustdb filename

This funtion will set a GnuPG trustdb which will be used in key verification functions. Only version 3 trustdb files are supported.

gnutls_openpgp_key_check_hostname

— Function: int gnutls_openpgp_key_check_hostname (gnutls_openpgp_key_t key, const char * hostname)

key: should contain an gnutls_openpgp_key_t structure

hostname: A null terminated string that contains a DNS name

This function will check if the given key's owner matches the given hostname. This is a basic implementation of the matching described in RFC2818 (HTTPS), which takes into account wildcards.

Returns non zero on success, and zero on failure.

gnutls_openpgp_key_deinit

— Function: void gnutls_openpgp_key_deinit (gnutls_openpgp_key_t key)

key: The structure to be initialized

This function will deinitialize a key structure.

gnutls_openpgp_key_export

— Function: int gnutls_openpgp_key_export (gnutls_openpgp_key_t key, gnutls_openpgp_key_fmt_t format, void * output_data, size_t * output_data_size)

key: Holds the key.

format: One of gnutls_openpgp_key_fmt_t elements.

output_data: will contain the key base64 encoded or raw

output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)

This function will convert the given key to RAW or Base64 format. If the buffer provided is not long enough to hold the output, then GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

Returns 0 on success.

gnutls_openpgp_key_get_creation_time

— Function: time_t gnutls_openpgp_key_get_creation_time (gnutls_openpgp_key_t key)

key: the structure that contains the OpenPGP public key.

Returns the timestamp when the OpenPGP key was created.

gnutls_openpgp_key_get_expiration_time

— Function: time_t gnutls_openpgp_key_get_expiration_time (gnutls_openpgp_key_t key)

key: the structure that contains the OpenPGP public key.

Returns the time when the OpenPGP key expires. A value of '0' means that the key doesn't expire at all.

gnutls_openpgp_key_get_fingerprint

— Function: int gnutls_openpgp_key_get_fingerprint (gnutls_openpgp_key_t key, void * fpr, size_t * fprlen)

key: the raw data that contains the OpenPGP public key.

fpr: the buffer to save the fingerprint.

fprlen: the integer to save the length of the fingerprint.

Returns the fingerprint of the OpenPGP key. Depends on the algorithm, the fingerprint can be 16 or 20 bytes.

gnutls_openpgp_key_get_id

— Function: int gnutls_openpgp_key_get_id (gnutls_openpgp_key_t key, unsigned char keyid[8])

key: the structure that contains the OpenPGP public key.

Returns the 64-bit keyID of the OpenPGP key.

gnutls_openpgp_key_get_key_usage

— Function: int gnutls_openpgp_key_get_key_usage (gnutls_openpgp_key_t key, unsigned int * key_usage)

key: should contain a gnutls_openpgp_key_t structure

key_usage: where the key usage bits will be stored

This function will return certificate's key usage, by checking the key algorithm. The key usage value will ORed values of the: GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_KEY_ENCIPHERMENT.

A negative value may be returned in case of parsing error.

gnutls_openpgp_key_get_name

— Function: int gnutls_openpgp_key_get_name (gnutls_openpgp_key_t key, int idx, char * buf, size_t * sizeof_buf)

key: the structure that contains the OpenPGP public key.

idx: the index of the ID to extract

buf: a pointer to a structure to hold the name

sizeof_buf: holds the size of 'buf'

Extracts the userID from the parsed OpenPGP key.

Returns 0 on success, and GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the index of the ID does not exist.

gnutls_openpgp_key_get_pk_algorithm

— Function: int gnutls_openpgp_key_get_pk_algorithm (gnutls_openpgp_key_t key, unsigned int * bits)

key: is an OpenPGP key

bits: if bits is non null it will hold the size of the parameters' in bits

This function will return the public key algorithm of an OpenPGP certificate.

If bits is non null, it should have enough size to hold the parameters size in bits. For RSA the bits returned is the modulus. For DSA the bits returned are of the public exponent.

Returns a member of the GNUTLS_PKAlgorithm enumeration on success, or a negative value on error.

gnutls_openpgp_key_get_version

— Function: int gnutls_openpgp_key_get_version (gnutls_openpgp_key_t key)

key: the structure that contains the OpenPGP public key.

Extract the version of the OpenPGP key.

gnutls_openpgp_key_import

— Function: int gnutls_openpgp_key_import (gnutls_openpgp_key_t key, const gnutls_datum_t * data, gnutls_openpgp_key_fmt_t format)

key: The structure to store the parsed key.

data: The RAW or BASE64 encoded key.

format: One of gnutls_openpgp_key_fmt_t elements.

This function will convert the given RAW or Base64 encoded key to the native gnutls_openpgp_key_t format. The output will be stored in 'key'.

Returns 0 on success.

gnutls_openpgp_key_init

— Function: int gnutls_openpgp_key_init (gnutls_openpgp_key_t * key)

key: The structure to be initialized

This function will initialize an OpenPGP key structure.

Returns 0 on success.

gnutls_openpgp_key_to_xml

— Function: int gnutls_openpgp_key_to_xml (gnutls_openpgp_key_t key, gnutls_datum_t * xmlkey, int ext)

xmlkey: he datum struct to store the XML result.

ext: extension mode (1/0), 1 means include key signatures and key data.

This function will return the all OpenPGP key information encapsulated as a XML string.

gnutls_openpgp_key_verify_ring

— Function: int gnutls_openpgp_key_verify_ring (gnutls_openpgp_key_t key, gnutls_openpgp_keyring_t keyring, unsigned int flags, unsigned int * verify)

key: the structure that holds the key.

keyring: holds the keyring to check against

flags: unused (should be 0)

verify: will hold the certificate verification output.

Verify all signatures in the key, using the given set of keys (keyring).

The key verification output will be put in verify and will be one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.

GNUTLS_CERT_INVALID: A signature on the key is invalid.

GNUTLS_CERT_REVOKED: The key has been revoked.

Note that this function does not verify using any "web of trust". You may use GnuPG for that purpose, or any other external PGP application.

Returns 0 on success.

gnutls_openpgp_key_verify_self

— Function: int gnutls_openpgp_key_verify_self (gnutls_openpgp_key_t key, unsigned int flags, unsigned int * verify)

key: the structure that holds the key.

flags: unused (should be 0)

verify: will hold the key verification output.

Verifies the self signature in the key. The key verification output will be put in verify and will be one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.

GNUTLS_CERT_INVALID: The self signature on the key is invalid.

Returns 0 on success.

gnutls_openpgp_key_verify_trustdb

— Function: int gnutls_openpgp_key_verify_trustdb (gnutls_openpgp_key_t key, gnutls_openpgp_trustdb_t trustdb, unsigned int flags, unsigned int * verify)

key: the structure that holds the key.

trustdb: holds the trustdb to check against

flags: unused (should be 0)

verify: will hold the certificate verification output.

Checks if the key is revoked or disabled, in the trustdb. The verification output will be put in verify and will be one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.

GNUTLS_CERT_INVALID: A signature on the key is invalid.

GNUTLS_CERT_REVOKED: The key has been revoked.

Note that this function does not verify using any "web of trust". You may use GnuPG for that purpose, or any other external PGP application.

Returns 0 on success.

gnutls_openpgp_keyring_check_id

— Function: int gnutls_openpgp_keyring_check_id (gnutls_openpgp_keyring_t ring, const unsigned char keyid[8], unsigned int flags)

ring: holds the keyring to check against

flags: unused (should be 0)

Check if a given key ID exists in the keyring.

Returns 0 on success (if keyid exists) and a negative error code on failure.

gnutls_openpgp_keyring_deinit

— Function: void gnutls_openpgp_keyring_deinit (gnutls_openpgp_keyring_t keyring)

keyring: The structure to be initialized

This function will deinitialize a CRL structure.

gnutls_openpgp_keyring_import

— Function: int gnutls_openpgp_keyring_import (gnutls_openpgp_keyring_t keyring, const gnutls_datum_t * data, gnutls_openpgp_key_fmt_t format)

keyring: The structure to store the parsed key.

data: The RAW or BASE64 encoded keyring.

format: One of gnutls_openpgp_keyring_fmt elements.

This function will convert the given RAW or Base64 encoded keyring to the native gnutls_openpgp_keyring_t format. The output will be stored in 'keyring'.

Returns 0 on success.

gnutls_openpgp_keyring_init

— Function: int gnutls_openpgp_keyring_init (gnutls_openpgp_keyring_t * keyring)

keyring: The structure to be initialized

This function will initialize an OpenPGP keyring structure.

Returns 0 on success.

gnutls_openpgp_privkey_deinit

— Function: void gnutls_openpgp_privkey_deinit (gnutls_openpgp_privkey_t key)

key: The structure to be initialized

This function will deinitialize a key structure.

gnutls_openpgp_privkey_get_pk_algorithm

— Function: int gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key, unsigned int * bits)

key: is an OpenPGP key

bits: if bits is non null it will hold the size of the parameters' in bits

This function will return the public key algorithm of an OpenPGP certificate.

If bits is non null, it should have enough size to hold the parameters size in bits. For RSA the bits returned is the modulus. For DSA the bits returned are of the public exponent.

Returns a member of the GNUTLS_PKAlgorithm enumeration on success, or a negative value on error.

gnutls_openpgp_privkey_import

— Function: int gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key, const gnutls_datum_t * data, gnutls_openpgp_key_fmt_t format, const char * pass, unsigned int flags)

key: The structure to store the parsed key.

data: The RAW or BASE64 encoded key.

format: One of gnutls_openpgp_key_fmt_t elements.

pass: Unused for now

flags: should be zero

This function will convert the given RAW or Base64 encoded key to the native gnutls_openpgp_privkey_t format. The output will be stored in 'key'.

Returns 0 on success.

gnutls_openpgp_privkey_init

— Function: int gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key)

key: The structure to be initialized

This function will initialize an OpenPGP key structure.

Returns 0 on success.

gnutls_openpgp_set_recv_key_function

— Function: void gnutls_openpgp_set_recv_key_function (gnutls_session_t session, gnutls_openpgp_recv_key_func func)

session: a TLS session

func: the callback

This funtion will set a key retrieval function for OpenPGP keys. This callback is only useful in server side, and will be used if the peer sent a key fingerprint instead of a full key.

gnutls_openpgp_trustdb_deinit

— Function: void gnutls_openpgp_trustdb_deinit (gnutls_openpgp_trustdb_t trustdb)

trustdb: The structure to be initialized

This function will deinitialize a CRL structure.

gnutls_openpgp_trustdb_import_file

— Function: int gnutls_openpgp_trustdb_import_file (gnutls_openpgp_trustdb_t trustdb, const char * file)

trustdb: The structure to store the parsed key.

file: The file that holds the trustdb.

This function will convert the given RAW or Base64 encoded trustdb to the native gnutls_openpgp_trustdb_t format. The output will be stored in 'trustdb'.

Returns 0 on success.

gnutls_openpgp_trustdb_init

— Function: int gnutls_openpgp_trustdb_init (gnutls_openpgp_trustdb_t * trustdb)

trustdb: The structure to be initialized

This function will initialize an OpenPGP trustdb structure.

Returns 0 on success.