gnutls_certificate_set_rawpk_key_file(3) — Linux manual page



NAME         top

       gnutls_certificate_set_rawpk_key_file - API function

SYNOPSIS         top

       #include <gnutls/gnutls.h>

       cred, const char* rawpkfile, const char* privkeyfile,
       gnutls_x509_crt_fmt_t format, const char * pass, unsigned int
       key_usage, const char ** names, unsigned int names_length, unsigned
       int privkey_flags, unsigned int pkcs11_flags);

ARGUMENTS         top

       gnutls_certificate_credentials_t cred
                   is a gnutls_certificate_credentials_t type.

       const char* rawpkfile
                   contains a raw public key in PKIX.SubjectPublicKeyInfo

       const char* privkeyfile
                   contains a file path to a private key.

       gnutls_x509_crt_fmt_t format
                   encoding of the keys. DER or PEM.

       const char * pass
                   an optional password to unlock the private key

       unsigned int key_usage
                   an ORed sequence of GNUTLS_KEY_* flags.

       const char ** names
                   is an array of DNS names belonging to the public-key
                   (NULL if none).

       unsigned int names_length
                   holds the length of the names list.

       unsigned int privkey_flags
                   an ORed sequence of gnutls_pkcs_encrypt_flags_t.  These
                   apply to the private key pkey.

       unsigned int pkcs11_flags
                   one of gnutls_pkcs11_obj_flags. These apply to URLs.

DESCRIPTION         top

       This function sets a public/private keypair read from file in the
       gnutls_certificate_credentials_t type to be used for authentication
       and/or encryption.  spki and  privkey should match otherwise set
       signatures cannot be validated. In case of no match this function
       returns GNUTLS_E_CERTIFICATE_KEY_MISMATCH. This function should be
       called once for the client because there is currently no mechanism to
       determine which raw public-key to select for the peer when there are
       multiple present. Multiple raw public keys for the server can be
       distinghuished by setting the  names .

       Note here that  spki is a raw public-key as defined in RFC7250. It
       means that there is no surrounding certificate that holds the public
       key and that there is therefore no direct mechanism to prove the
       authenticity of this key. The keypair can be used during a TLS
       handshake but its authenticity should be established via a different
       mechanism (e.g. TOFU or known fingerprint).

       The supported formats are basic unencrypted key, PKCS8, PKCS12, and
       the openssl format and will be autodetected.

       If the raw public-key and the private key are given in PEM encoding
       then the strings that hold their values must be null terminated.

       Key usage (as defined by X.509 extension ( can be
       explicitly set because there is no certificate structure around the
       key to define this value. See for more info

       Note that, this function by default returns zero on success and a
       negative value on error. Since 3.5.6, when the flag
       GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
       it returns an index (greater or equal to zero). That index can be
       used in other functions to refer to the added key-pair.

RETURNS         top

       On success, GNUTLS_E_SUCCESS (0) is returned, in case the key pair
       does not match GNUTLS_E_CERTIFICATE_KEY_MISMATCH is returned, in
       other erroneous cases a different negative error code is returned.

SINCE         top


REPORTING BUGS         top

       Report bugs to <>.
       Home page:

COPYRIGHT         top

       Copyright © 2001-2019 Free Software Foundation, Inc., and others.
       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

SEE ALSO         top

       The full documentation for gnutls is maintained as a Texinfo manual.
       If the /usr/share/doc/gnutls/ directory does not contain the HTML
       form visit 

COLOPHON         top

       This page is part of the GnuTLS (GnuTLS Transport Layer Security
       Library) project.  Information about the project can be found at 
       ⟨⟩.  If you have a bug report for this manual
       page, send it to  This page was obtained from the
       tarball gnutls-3.6.9.tar.xz fetched from
       ⟨⟩ on 2020-09-18.  If you discover
       any rendering problems in this HTML version of the page, or you
       believe there is a better or more up-to-date source for the page, or
       you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail

gnutls                              3g.n6u.t9ls_certificate_set_rawpk_key_file(3)