### GnuTLS Anti-Replay Server Setup Source: https://www.gnutls.org/manual/gnutls.html This example demonstrates the server-side setup for GnuTLS anti-replay protection. It includes initializing the anti-replay mechanism, setting a database add function, and enabling it for a server session. Early data reception is handled via a handshake hook. ```c #define MAX_EARLY_DATA_SIZE 16384 static int db_add_func(void *dbf, gnutls_datum_t key, gnutls_datum_t data) { /* Return GNUTLS_E_DB_ENTRY_EXISTS, if KEY is found in the database. * Otherwise, store it and return 0. */ } static int handshake_hook_func(gnutls_session_t session, unsigned int htype, unsigned when, unsigned int incoming, const gnutls_datum_t *msg) { int ret; char buf[MAX_EARLY_DATA_SIZE]; assert(htype == GNUTLS_HANDSHAKE_END_OF_EARLY_DATA); assert(when == GNUTLS_HOOK_POST); if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_EARLY_DATA) { ret = gnutls_record_recv_early_data(session, buf, sizeof(buf)); assert(ret >= 0); } return ret; } int main(void) { ... /* Initialize anti-replay measure, which can be shared * among multiple sessions. */ gnutls_anti_replay_init(&anti_replay); /* Set the database back-end function for the anti-replay data. */ gnutls_anti_replay_set_add_function(anti_replay, db_add_func); gnutls_anti_replay_set_ptr(anti_replay, NULL); ... gnutls_init(&server, GNUTLS_SERVER | GNUTLS_ENABLE_EARLY_DATA); gnutls_record_set_max_early_data_size(server, MAX_EARLY_DATA_SIZE); ... /* Set the anti-replay measure to the session. */ gnutls_anti_replay_enable(server, anti_replay); ... /* Retrieve early data in a handshake hook; * you can also do that after handshake. */ gnutls_handshake_set_hook_function(server, GNUTLS_HANDSHAKE_END_OF_EARLY_DATA, GNUTLS_HOOK_POST, handshake_hook_func); ... } ``` -------------------------------- ### Example certtool Template File Source: https://www.gnutls.org/manual/gnutls.html An example configuration file for certtool, specifying subject details like organization and organizational unit for certificate generation. ```ini # X.509 Certificate options # # DN options # The organization of the subject. organization = "Koko inc." # The organizational unit of the subject. unit = "sleeping dept." # The locality of the subject. # locality = ``` -------------------------------- ### Example PKCS #11 Module Configuration Source: https://www.gnutls.org/manual/gnutls.html This is an example of a configuration file that instructs GnuTLS to load the OpenSC PKCS #11 module. It specifies the path to the shared library. ```configuration module: /usr/lib/opensc-pkcs11.so ``` -------------------------------- ### PKCS#11 Object URL Example Source: https://www.gnutls.org/manual/gnutls.html Example of a URL referencing a public key object on a smart card. ```text pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe;object=test1;type=public;id=32f153f3e37990b08624141077ca5dec2d15faed ``` -------------------------------- ### PKCS#11 Token URL Example Source: https://www.gnutls.org/manual/gnutls.html Example of a URL referencing a smart card token itself. ```text pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe ``` -------------------------------- ### GnuTLS PSK Client Example Source: https://www.gnutls.org/manual/gnutls.html A basic TLS client using PSK authentication. It connects to a server, performs a handshake, sends a GET request, and receives a response. Ensure GnuTLS 3.6.3 or later is installed. ```c /* This example code is placed in the public domain. */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #include #include #include /* A very basic TLS client, with PSK authentication. */ #define CHECK(x) assert((x) >= 0) #define LOOP_CHECK(rval, cmd) \ do { \ rval = cmd; \ } while (rval == GNUTLS_E_AGAIN || rval == GNUTLS_E_INTERRUPTED); \ assert(rval >= 0) #define MAX_BUF 1024 #define MSG "GET / HTTP/1.0\r\n\r\n" extern int tcp_connect(void); extern void tcp_close(int sd); int main(void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; const char *err; gnutls_psk_client_credentials_t pskcred; const gnutls_datum_t key = { (void *)"DEADBEEF", 8 }; if (gnutls_check_version("3.6.3") == NULL) { fprintf(stderr, "GnuTLS 3.6.3 or later is required for this example\n"); exit(1); } CHECK(gnutls_global_init()); CHECK(gnutls_psk_allocate_client_credentials(&pskcred)); CHECK(gnutls_psk_set_client_credentials(pskcred, "test", &key, GNUTLS_PSK_KEY_HEX)); /* Initialize TLS session */ CHECK(gnutls_init(&session, GNUTLS_CLIENT)); ret = gnutls_set_default_priority_append( session, "-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK", &err, 0); /* Alternative for pre-3.6.3 versions: * gnutls_priority_set_direct(session, "NORMAL:+ECDHE-PSK:+DHE-PSK:+PSK", &err) */ if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf(stderr, "Syntax error at: %s\n", err); } exit(1); } /* put the x509 credentials to the current session */ CHECK(gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred)); /* connect to the peer */ sd = tcp_connect(); gnutls_transport_set_int(session, sd); gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fprintf(stderr, "*** Handshake failed\n"); gnutls_perror(ret); goto end; } else { char *desc; desc = gnutls_session_get_desc(session); printf("- Session info: %s\n", desc); gnutls_free(desc); } LOOP_CHECK(ret, gnutls_record_send(session, MSG, strlen(MSG))); LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF)); if (ret == 0) { printf("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)); goto end; } if (ret > 0) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR)); end: tcp_close(sd); gnutls_deinit(session); gnutls_psk_free_client_credentials(pskcred); gnutls_global_deinit(); return 0; } ``` -------------------------------- ### Enabling Allowlisting Mode with RSA-SHA256 Source: https://www.gnutls.org/manual/gnutls.html Demonstrates the use of allowlisting mode where only specified algorithms are enabled. This example enables RSA-SHA256 and SHA256. ```ini [global] override-mode = allowlist [overrides] secure-hash = sha256 secure-sig = rsa-sha256 ``` -------------------------------- ### Basic TLS Client with Anonymous Authentication Source: https://www.gnutls.org/manual/gnutls.html This C example demonstrates a simple TLS client that uses anonymous authentication. It connects to a server, sends a GET request, and prints the response. Ensure 'tcp_connect' and 'tcp_close' are defined elsewhere. ```c /* This example code is placed in the public domain. */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #include #include #include /* A very basic TLS client, with anonymous authentication. */ #define LOOP_CHECK(rval, cmd) \ do { rval = cmd; } while (rval == GNUTLS_E_AGAIN || rval == GNUTLS_E_INTERRUPTED); \ assert(rval >= 0) #define MAX_BUF 1024 #define MSG "GET / HTTP/1.0\r\n\r\n" extern int tcp_connect(void); extern void tcp_close(int sd); int main(void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; /* Need to enable anonymous KX specifically. */ gnutls_global_init(); gnutls_anon_allocate_client_credentials(&anoncred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_priority_set_direct(session, "PERFORMANCE:+ANON-ECDH:+ANON-DH", NULL); /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); /* connect to the peer */ sd = tcp_connect(); gnutls_transport_set_int(session, sd); gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fprintf(stderr, "*** Handshake failed\n"); gnutls_perror(ret); goto end; } else { char *desc; desc = gnutls_session_get_desc(session); printf("- Session info: %s\n", desc); gnutls_free(desc); } LOOP_CHECK(ret, gnutls_record_send(session, MSG, strlen(MSG))); LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF)); if (ret == 0) { printf("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)); goto end; } if (ret > 0) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } LOOP_CHECK(ret, gnutls_bye(session, GNUTLS_SHUT_RDWR)); end: tcp_close(sd); gnutls_deinit(session); gnutls_anon_free_client_credentials(anoncred); gnutls_global_deinit(); return 0; } ``` -------------------------------- ### gnutls_x509_ext_ct_scts_init Source: https://www.gnutls.org/manual/gnutls.html Initializes an empty Certificate Transparency SCT list structure. ```APIDOC ## gnutls_x509_ext_ct_scts_init ### Description Initializes an empty Certificate Transparency SCT list. ### Function Signature `int gnutls_x509_ext_ct_scts_init(gnutls_x509_ct_scts_t * scts)` ### Parameters - **scts** (gnutls_x509_ct_scts_t *) - A pointer to the SCT list to be initialized. ### Returns - `GNUTLS_E_SUCCESS` (0) on success. - A negative error value on failure. ``` -------------------------------- ### gnutls_x509_crq_init Source: https://www.gnutls.org/manual/gnutls.html Initializes an empty PKCS#10 certificate request structure, preparing it for further population. ```APIDOC ## gnutls_x509_crq_init ### Description Initializes a PKCS#10 certificate request structure. This function must be called before using other functions to populate the certificate request. ### Function Signature `int gnutls_x509_crq_init(gnutls_x509_crq_t * crq)` ### Parameters * **crq** (`gnutls_x509_crq_t *`) - A pointer to the type to be initialized. ### Returns On success, `GNUTLS_E_SUCCESS` (0) is returned. Otherwise, a negative error value is returned. ``` -------------------------------- ### Check if False Start was Used Source: https://www.gnutls.org/manual/gnutls.html After a handshake, use gnutls_session_get_flags and check for the GNUTLS_SFLAGS_FALSE_START flag to verify if false start was successfully employed. ```c #define GNUTLS_SFLAGS_FALSE_START 0x00000001 ``` -------------------------------- ### Set X.509 Key File with Options Source: https://www.gnutls.org/manual/gnutls.html Loads a private key and certificate file for TLS authentication. Supports password and flags for key loading. ```c int gnutls_certificate_set_x509_key_file2 (gnutls_certificate_credentials_t res, const char * certfile, const char * keyfile, gnutls_x509_crt_fmt_t type, const char * pass, unsigned int flags) ``` -------------------------------- ### gnutls_pubkey_init Source: https://www.gnutls.org/manual/gnutls.html Initializes the abstract key API. This function is part of the Abstract key API. ```APIDOC ## gnutls_pubkey_init ### Description Initializes the abstract key API. ### API Area Abstract key API ``` -------------------------------- ### Server with Raw Public-Key Support Source: https://www.gnutls.org/manual/gnutls.html Starts an HTTPS server with support for raw public-key credentials. Explicitly enables raw public-key certificate types in the priority string. ```bash gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \ --rawpkfile srv.rawpk.pem \ --rawpkkeyfile srv.key.pem ``` -------------------------------- ### Get OCSP Status Request Source: https://www.gnutls.org/manual/gnutls.html Retrieves the OCSP status request from a TLS session. Used by client applications to get OCSP responses sent by the server. ```c int gnutls_ocsp_status_request_get (gnutls_session_t session, gnutls_datum_t * response) ``` ```c int gnutls_ocsp_status_request_get2 (gnutls_session_t session, unsigned idx, gnutls_datum_t * response) ``` -------------------------------- ### gnutls_x509_policies_init Source: https://www.gnutls.org/manual/gnutls.html Initializes a structure for X.509 certificate policies. ```APIDOC ## gnutls_x509_policies_init ### Description Initializes a structure to hold X.509 certificate policies. ### Method Not applicable (function call) ### Endpoint Not applicable (function call) ### Parameters None explicitly documented in the provided text. ### Request Example Not applicable (function call) ### Response None explicitly documented in the provided text. ``` -------------------------------- ### HSM Certificate URI Example Source: https://www.gnutls.org/manual/gnutls.html This is an example of a URI that can be used to identify a certificate stored in an HSM. The URI specifies details like the token, serial number, model, manufacturer, object name, and type. ```plaintext pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315; \ manufacturer=EnterSafe;object=test1;type=cert ``` -------------------------------- ### gnutls_x509_privkey_init Source: https://www.gnutls.org/manual/gnutls.html Initializes a GnuTLS private key structure. ```APIDOC ## gnutls_x509_privkey_init ### Description This function will initialize a private key type. ### Parameters - **key** (gnutls_x509_privkey_t *) - A pointer to the type to be initialized. ### Returns On success, `GNUTLS_E_SUCCESS` (0) is returned, otherwise a negative error value. ``` -------------------------------- ### gnutls_hpke_init Source: https://www.gnutls.org/manual/gnutls.html Initializes an HPKE context with specified mode, role, KEM, KDF, and AEAD algorithms. ```APIDOC ## gnutls_hpke_init ### Description Initializes an HPKE context with the specified mode, role, KEM, KDF, and AEAD algorithms. ### Function Signature `int gnutls_hpke_init (gnutls_hpke_context_t * ctx, gnutls_hpke_mode_t mode, gnutls_hpke_role_t role, gnutls_hpke_kem_t kem, gnutls_hpke_kdf_t kdf, gnutls_hpke_aead_t aead)` ### Parameters * **ctx** (gnutls_hpke_context_t *) - Pointer to the HPKE context to be initialized. * **mode** (gnutls_hpke_mode_t) - The HPKE mode to use. * **role** (gnutls_hpke_role_t) - The role of the current party (e.g., sender or receiver). * **kem** (gnutls_hpke_kem_t) - The Key Encapsulation Mechanism algorithm. * **kdf** (gnutls_hpke_kdf_t) - The Key Derivation Function algorithm. * **aead** (gnutls_hpke_aead_t) - The Authenticated Encryption with Additional Data algorithm. ``` -------------------------------- ### gnutls_pkcs12_bag_get_count Source: https://www.gnutls.org/manual/gnutls.html Gets the number of items within a PKCS #12 bag. ```APIDOC ## gnutls_pkcs12_bag_get_count ### Description Returns the number of items (e.g., certificates, keys) contained within a specific PKCS #12 bag. ### Method `int gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t bag)` ### Parameters * **bag** (gnutls_pkcs12_bag_t) - The PKCS #12 bag. ``` -------------------------------- ### Connect to STARTTLS Services Source: https://www.gnutls.org/manual/gnutls.html Connect to services that support STARTTLS, such as SMTP, by specifying the protocol and port. ```bash $ gnutls-cli --starttls-proto smtp --port 25 localhost ``` -------------------------------- ### Get CRL This Update Time Source: https://www.gnutls.org/manual/gnutls.html Retrieves the time when the CRL was issued. ```c time_t gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl) ``` -------------------------------- ### List all tokens Source: https://www.gnutls.org/manual/gnutls.html Use this command to view all available tokens on your system. ```bash $ p11tool --list-tokens ``` -------------------------------- ### Get CRL Version Source: https://www.gnutls.org/manual/gnutls.html Retrieves the version number of the CRL structure. ```c int gnutls_x509_crl_get_version (gnutls_x509_crl_t crl) ``` -------------------------------- ### Import and Print Certificates with Private Keys from PKCS#11 Source: https://www.gnutls.org/manual/gnutls.html Lists all certificates in a PKCS#11 token that have a corresponding private key, imports them, and prints their details. Requires the URL of the token and appropriate flags. ```c /* This example code is placed in the public domain. */ #include #include #include #include #include #define URL "pkcs11:URL" int main(int argc, char **argv) { gnutls_pkcs11_obj_t *obj_list; gnutls_x509_crt_t xcrt; unsigned int obj_list_size = 0; gnutls_datum_t cinfo; int ret; unsigned int i; ret = gnutls_pkcs11_obj_list_import_url4( &obj_list, &obj_list_size, URL, GNUTLS_PKCS11_OBJ_FLAG_CRT | GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY); if (ret < 0) return -1; /* now all certificates are in obj_list */ for (i = 0; i < obj_list_size; i++) { gnutls_x509_crt_init(&xcrt); gnutls_x509_crt_import_pkcs11(xcrt, obj_list[i]); gnutls_x509_crt_print(xcrt, GNUTLS_CRT_PRINT_FULL, &cinfo); fprintf(stdout, "cert[%d]:\n %s\n\n", i, cinfo.data); gnutls_free(cinfo.data); gnutls_x509_crt_deinit(xcrt); } for (i = 0; i < obj_list_size; i++) gnutls_pkcs11_obj_deinit(obj_list[i]); gnutls_free(obj_list); return 0; } ``` -------------------------------- ### gnutls_dh_get_peers_public_bits Source: https://www.gnutls.org/manual/gnutls.html Gets the bit size of the Diffie-Hellman public key used by the peer. ```APIDOC ## gnutls_dh_get_peers_public_bits ### Description Gets the Diffie-Hellman public key bit size. Can be used for both anonymous and ephemeral Diffie-Hellman. ### Function Signature `int gnutls_dh_get_peers_public_bits(gnutls_session_t session)` ### Parameters - **session** (`gnutls_session_t`) - A GnuTLS session. ### Returns The public key bit size used in the last Diffie-Hellman key exchange with the peer, or a negative error code in case of error. ``` -------------------------------- ### Server with PSK Authentication Source: https://www.gnutls.org/manual/gnutls.html Starts an HTTPS server with support for PSK (Pre-Shared Key) authentication. Requires a pre-configured PSK password file. ```bash gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \ --pskpasswd psk-passwd.txt ``` -------------------------------- ### gnutls_session_get_master_secret Source: https://www.gnutls.org/manual/gnutls.html Gets the master secret for the session. This function is part of the Core TLS API. ```APIDOC ## gnutls_session_get_master_secret ### Description Gets the master secret for the session. ### API Area Core TLS API ``` -------------------------------- ### Parse and Print X.509 Certificate Information Source: https://www.gnutls.org/manual/gnutls.html This example demonstrates parsing X.509 certificates to display details such as validity period, serial number, distinguished names (DN), and public key algorithm. It requires the peer to provide certificates. ```c /* This example code is placed in the public domain. */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include "examples.h" static const char *bin2hex(const void *bin, size_t bin_size) { static char printable[110]; const unsigned char *_bin = bin; char *print; size_t i; if (bin_size > 50) bin_size = 50; print = printable; for (i = 0; i < bin_size; i++) { sprintf(print, "%.2x ", _bin[i]); print += 2; } return printable; } /* This function will print information about this session's peer * certificate. */ void print_x509_certificate_info(gnutls_session_t session) { char serial[40]; char dn[256]; size_t size; unsigned int algo, bits; time_t expiration_time, activation_time; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; gnutls_x509_crt_t cert; gnutls_datum_t cinfo; /* This function only works for X.509 certificates. */ if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) return; cert_list = gnutls_certificate_get_peers(session, &cert_list_size); printf("Peer provided %d certificates.\n", cert_list_size); if (cert_list_size > 0) { int ret; /* we only print information about the first certificate. */ gnutls_x509_crt_init(&cert); gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER); printf("Certificate info:\n"); /* This is the preferred way of printing short information about a certificate. */ ret = gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo); if (ret == 0) { printf("\t%s\n", cinfo.data); gnutls_free(cinfo.data); } /* If you want to extract fields manually for some other reason, below are popular example calls. */ expiration_time = gnutls_x509_crt_get_expiration_time(cert); activation_time = gnutls_x509_crt_get_activation_time(cert); printf("\tCertificate is valid since: %s", ctime(&activation_time)); printf("\tCertificate expires: %s", ctime(&expiration_time)); /* Print the serial number of the certificate. */ size = sizeof(serial); gnutls_x509_crt_get_serial(cert, serial, &size); printf("\tCertificate serial number: %s\n", bin2hex(serial, size)); /* Extract some of the public key algorithm's parameters */ algo = gnutls_x509_crt_get_pk_algorithm(cert, &bits); printf("Certificate public key: %s", gnutls_pk_algorithm_get_name(algo)); /* Print the version of the X.509 * certificate. */ printf("\tCertificate version: #%d\n", gnutls_x509_crt_get_version(cert)); size = sizeof(dn); gnutls_x509_crt_get_dn(cert, dn, &size); printf("\tDN: %s\n", dn); size = sizeof(dn); gnutls_x509_crt_get_issuer_dn(cert, dn, &size); printf("\tIssuer's DN: %s\n", dn); gnutls_x509_crt_deinit(cert); } } ``` -------------------------------- ### gnutls_server_name_get Source: https://www.gnutls.org/manual/gnutls.html Gets the server name from the session. This function is part of the Core TLS API. ```APIDOC ## gnutls_server_name_get ### Description Gets the server name from the session. ### API Area Core TLS API ``` -------------------------------- ### List Available PKCS#11 Tokens Source: https://www.gnutls.org/manual/gnutls.html Iterates through all available PKCS#11 tokens in the system and prints their URLs. Ensure gnutls_global_init() is called before and gnutls_global_deinit() after. ```c int i; char* url; gnutls_global_init(); for (i=0;;i++) { ret = gnutls_pkcs11_token_get_url(i, &url); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; if (ret < 0) exit(1); fprintf(stdout, "Token[%d]: URL: %s\n", i, url); gnutls_free(url); } gnutls_global_deinit(); ``` -------------------------------- ### gnutls_record_get_max_size Source: https://www.gnutls.org/manual/gnutls.html Gets the maximum record size. This function is part of the Core TLS API. ```APIDOC ## gnutls_record_get_max_size ### Description Gets the maximum record size. ### API Area Core TLS API ``` -------------------------------- ### Comprehensive Server Configuration Source: https://www.gnutls.org/manual/gnutls.html Starts an HTTPS server with a combination of X.509 (RSA and ECDSA), SRP, PSK, and raw public-key authentication methods enabled. ```bash gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \ --x509cafile x509-ca.pem \ --x509keyfile x509-server-key.pem \ --x509certfile x509-server.pem \ --x509keyfile x509-server-key-ecc.pem \ --x509certfile x509-server-ecc.pem \ --srppasswdconf srp-tpasswd.conf \ --srppasswd srp-passwd.txt \ --pskpasswd psk-passwd.txt \ ``` -------------------------------- ### gnutls_x509_privkey_get_pk_algorithm2 Source: https://www.gnutls.org/manual/gnutls.html Gets the public key algorithm of an X.509 private key using an updated method. ```APIDOC ## gnutls_x509_privkey_get_pk_algorithm2 ### Description Retrieves the public key algorithm used by an X.509 private key using an updated function. ### Method Not applicable (function call) ### Endpoint Not applicable (function call) ### Parameters None explicitly documented in the provided text. ### Request Example Not applicable (function call) ### Response None explicitly documented in the provided text. ``` -------------------------------- ### gnutls_x509_crt_init Source: https://www.gnutls.org/manual/gnutls.html Initializes an empty X.509 certificate structure. ```APIDOC ## gnutls_x509_crt_init ### Description This function initializes an X.509 certificate structure. ### Function Signature `int gnutls_x509_crt_init(gnutls_x509_crt_t * cert)` ### Parameters - **cert** (gnutls_x509_crt_t *) - A pointer to the type to be initialized. ### Returns On success, `GNUTLS_E_SUCCESS` (0) is returned, otherwise a negative error value. ``` -------------------------------- ### gnutls_session_get_verify_cert_status Source: https://www.gnutls.org/manual/gnutls.html Gets the certificate verification status for the session. This function is part of the Core TLS API. ```APIDOC ## gnutls_session_get_verify_cert_status ### Description Gets the certificate verification status for the session. ### API Area Core TLS API ``` -------------------------------- ### Generate Private Key and Certificate Request Source: https://www.gnutls.org/manual/gnutls.html Example demonstrating the generation of an RSA private key and a PKCS #10 certificate request. The request is then signed and exported. ```c /* This example code is placed in the public domain. */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #include /* This example will generate a private key and a certificate * request. */ int main(void) { gnutls_x509_crq_t crq; gnutls_x509_privkey_t key; unsigned char buffer[10 * 1024]; size_t buffer_size = sizeof(buffer); unsigned int bits; gnutls_global_init(); /* Initialize an empty certificate request, and * an empty private key. */ gnutls_x509_crq_init(&crq); gnutls_x509_privkey_init(&key); /* Generate an RSA key of moderate security. */ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM); gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, bits, 0); /* Add stuff to the distinguished name */ gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_COUNTRY_NAME, 0, "GR", 2); gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_COMMON_NAME, 0, "Nikos", strlen("Nikos")); /* Set the request version. */ gnutls_x509_crq_set_version(crq, 1); /* Set a challenge password. */ gnutls_x509_crq_set_challenge_password(crq, "something to remember here"); /* Associate the request with the private key */ gnutls_x509_crq_set_key(crq, key); /* Self sign the certificate request. */ gnutls_x509_crq_sign2(crq, key, GNUTLS_DIG_SHA1, 0); /* Export the PEM encoded certificate request, and * display it. */ gnutls_x509_crq_export(crq, GNUTLS_X509_FMT_PEM, buffer, &buffer_size); printf("Certificate Request: \n%s", buffer); /* Export the PEM encoded private key, and * display it. */ ``` -------------------------------- ### gnutls_session_get_keylog_function Source: https://www.gnutls.org/manual/gnutls.html Gets the key log function for the session. This function is part of the Core TLS API. ```APIDOC ## gnutls_session_get_keylog_function ### Description Gets the key log function for the session. ### API Area Core TLS API ``` -------------------------------- ### Get Hash Output Source: https://www.gnutls.org/manual/gnutls.html Retrieves the computed hash digest. This function should be called after all data has been processed. ```c void gnutls_hash_output (gnutls_hash_hd_t handle, void * digest) ``` -------------------------------- ### List all objects on a token Source: https://www.gnutls.org/manual/gnutls.html Log in to a token and list all objects (keys, certificates) stored on it. Replace "pkcs11:TOKEN-URL" with the actual token URL. ```bash $ p11tool --login --list-all "pkcs11:TOKEN-URL" ``` -------------------------------- ### Get HMAC Output Source: https://www.gnutls.org/manual/gnutls.html Retrieves the computed HMAC digest. This function should be called after all data has been processed. ```c void gnutls_hmac_output (gnutls_hmac_hd_t handle, void * digest) ``` -------------------------------- ### gnutls-serv Usage and Options Source: https://www.gnutls.org/manual/gnutls.html Displays the help and usage information for the gnutls-serv command, listing all available options for configuring the server. The 'help' and 'more-help' options provide this information, with 'more-help' passing the output through a pager. ```bash gnutls-serv - GnuTLS server Usage: gnutls-serv [ - [] | --[{=| }] ]... None: -d, --debug=num Enable debugging - it must be in the range: 0 to 9999 --sni-hostname=str Server's hostname for server name extension --sni-hostname-fatal Send fatal alert on sni-hostname mismatch --alpn=str Specify ALPN protocol to be enabled by the server --alpn-fatal Send fatal alert on non-matching ALPN name --noticket Don't accept session tickets --earlydata Accept early data --maxearlydata=num The maximum early data size to accept - it must be in the range: 1 to 2147483648 --nocookie Don't require cookie on DTLS sessions -g, --generate Generate Diffie-Hellman parameters -q, --quiet Suppress some messages --nodb Do not use a resumption database --http Act as an HTTP server --echo Act as an Echo server --crlf Do not replace CRLF by LF in Echo server mode -u, --udp Use DTLS (datagram TLS) over UDP --mtu=num Set MTU for datagram TLS - it must be in the range: 0 to 17000 --srtp-profiles=str Offer SRTP profiles -a, --disable-client-cert Do not request a client certificate - prohibits the option 'require-client-cert' -r, --require-client-cert Require a client certificate --verify-client-cert If a client certificate is sent then verify it --compress-cert=str Compress certificate -b, --heartbeat Activate heartbeat support --x509fmtder Use DER format for certificates to read from --priority=str Priorities string --dhparams=file DH params file to use - file must pre-exist --x509cafile=str Certificate file or PKCS #11 URL to use --x509crlfile=file CRL file to use - file must pre-exist --x509keyfile=str X.509 key file or PKCS #11 URL to use --x509certfile=str X.509 Certificate file or PKCS #11 URL to use --rawpkkeyfile=str Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use --rawpkfile=str Raw public-key file to use - requires the option 'rawpkkeyfile' --srppasswd=file SRP password file to use - file must pre-exist --srppasswdconf=file SRP password configuration file to use - file must pre-exist --pskpasswd=file PSK password file to use - file must pre-exist --pskhint=str PSK identity hint to use --ocsp-response=str The OCSP response to send to client --ignore-ocsp-response-errors Ignore any errors when setting the OCSP response -p, --port=num The port to connect to -l, --list Print a list of the supported algorithms and modes --provider=file Specify the PKCS #11 provider library - file must pre-exist --keymatexport=str Label used for exporting keying material --keymatexportsize=num Size of the exported keying material --recordsize=num The maximum record size to advertise - it must be in the range: 0 to 16384 --httpdata=file The data used as HTTP response - file must pre-exist --timeout=num The timeout period for server --attime=str Perform validation at the timestamp instead of the system time Version, usage and configuration options: -v, --version[=arg] output version information and exit -h, --help display extended usage information and exit -!, --more-help extended usage information passed thru pager Options are specified by doubled hyphens and their name or by a single hyphen and the flag character. Server program that listens to incoming TLS connections. Note that this program is only meant for testing and diagnostic purposes. Please send bug reports to: ``` -------------------------------- ### Get PKCS #12 Bag Source: https://www.gnutls.org/manual/gnutls.html Retrieves a specific bag from a PKCS #12 structure by its index. ```c int gnutls_pkcs12_get_bag (gnutls_pkcs12_t pkcs12, int indx, gnutls_pkcs12_bag_t bag) ``` -------------------------------- ### gnutls_x509_policies_init Source: https://www.gnutls.org/manual/gnutls.html Initializes an authority key ID type, preparing it for use. ```APIDOC ## gnutls_x509_policies_init ### Description Initializes an authority key ID type. ### Function Signature `int gnutls_x509_policies_init(gnutls_x509_policies_t * policies)` ### Parameters - **policies** (gnutls_x509_policies_t *) - Pointer to the authority key ID to be initialized. ### Returns - On success, `GNUTLS_E_SUCCESS` (0). - Otherwise, a negative error value. ### Since 3.3.0 ``` -------------------------------- ### gnutls-serv Raw Public Key Authentication Source: https://www.gnutls.org/manual/gnutls.html This example shows how to configure gnutls-serv to use raw public key files for authentication. Ensure that the specified certificate and key files exist. ```bash --rawpkfile srv.rawpk.pem \ --rawpkkeyfile srv.key.pem ``` -------------------------------- ### Get Number of Revoked Certificates Source: https://www.gnutls.org/manual/gnutls.html Retrieves the total count of revoked certificates listed in the CRL. ```c int gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl) ``` -------------------------------- ### Get CRL Next Update Time Source: https://www.gnutls.org/manual/gnutls.html Retrieves the time when the next CRL update is scheduled. ```c time_t gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl) ``` -------------------------------- ### Initialize and Deinitialize PKCS#7 Structure Source: https://www.gnutls.org/manual/gnutls.html Use gnutls_pkcs7_init to initialize a PKCS#7 structure and gnutls_pkcs7_deinit to release its resources. ```c int gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7) ``` ```c void gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7) ``` -------------------------------- ### Set PKCS #11 Certificate and Key Environment Variables Source: https://www.gnutls.org/manual/gnutls.html Set environment variables MYCERT and MYKEY to the respective PKCS #11 URLs for the certificate and private key. The private key URL is similar to the certificate URL, differing only in the 'type' parameter. ```bash $ MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert" $ MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=private" $ export MYCERT MYKEY ``` -------------------------------- ### Get SRTP Profile Name Source: https://www.gnutls.org/manual/gnutls.html Converts an SRTP profile identifier to its corresponding string name. ```c const char * gnutls_srtp_get_profile_name (gnutls_srtp_profile_t profile) ``` -------------------------------- ### gnutls_session_set_keylog_function Source: https://www.gnutls.org/manual/gnutls.html Sets a callback function to be invoked when a new secret is derived and installed during the handshake process. ```APIDOC ## gnutls_session_set_keylog_function ### Description Sets a callback function to be called when a new secret is derived and installed during the handshake. ### Function Signature `void gnutls_session_set_keylog_function(gnutls_session_t session, gnutls_keylog_func func)` ### Parameters * **session** (`gnutls_session_t`): The GnuTLS session object. * **func** (`gnutls_keylog_func`): The callback function to be set. ### Since 3.6.13 ``` -------------------------------- ### dane_state_init Source: https://www.gnutls.org/manual/gnutls.html Initializes the DANE backend resolver with specified flags. ```APIDOC ## dane_state_init ### Description Initializes the backend resolver. Intended for scenarios with multiple resolvings to optimize against re-initializations. ### Function Signature `int dane_state_init(dane_state_t * s, unsigned int flags)` ### Parameters * **s** (dane_state_t *) - The structure to be initialized. * **flags** (unsigned int) - Flags from the `dane_state_flags` enumeration. ### Returns On success, `DANE_E_SUCCESS` (0) is returned, otherwise a negative error value. ``` -------------------------------- ### Get PKCS#7 Signature Count Source: https://www.gnutls.org/manual/gnutls.html Retrieves the number of signatures present in a PKCS#7 structure. ```c int gnutls_pkcs7_get_signature_count (gnutls_pkcs7_t pkcs7) ``` -------------------------------- ### Get TPM Key URL Source: https://www.gnutls.org/manual/gnutls.html Retrieves the URL (UUID) for a specific key in the TPM key list. ```c int gnutls_tpm_key_list_get_url (gnutls_tpm_key_list_t list, unsigned int idx, char ** url, unsigned int flags) ``` -------------------------------- ### Connect using PKCS #11 Token with gnutls-cli Source: https://www.gnutls.org/manual/gnutls.html Use gnutls-cli with the --x509keyfile and --x509certfile options pointing to the PKCS #11 URLs stored in environment variables to establish a TLS connection. ```bash $ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile $MYCERT ``` -------------------------------- ### Set X.509 Simple PKCS#12 File Source: https://www.gnutls.org/manual/gnutls.html Loads an X.509 certificate and private key from a PKCS#12 file. Requires the file path, format type, and optionally a password if the file is encrypted. ```c int gnutls_certificate_set_x509_simple_pkcs12_file (gnutls_certificate_credentials_t res, const char * pkcs12file, gnutls_x509_crt_fmt_t type, const char * password) ``` -------------------------------- ### Get SRTP Profile ID from Name Source: https://www.gnutls.org/manual/gnutls.html Converts an SRTP profile name string to its corresponding identifier. ```c int gnutls_srtp_get_profile_id (const char * name, gnutls_srtp_profile_t * profile) ``` -------------------------------- ### gnutls_handshake_set_private_extensions Source: https://www.gnutls.org/manual/gnutls.html Controls the advertisement and usage of private cipher suites (those starting with 0xFF). By default, these are disabled to ensure interoperability. ```APIDOC ## gnutls_handshake_set_private_extensions ### Description Enables or disables the use of private cipher suites (those starting with 0xFF). ### Function Signature `void gnutls_handshake_set_private_extensions(gnutls_session_t session, int allow)` ### Parameters * **session** (`gnutls_session_t`): The GnuTLS session. * **allow** (`int`): Set to 1 to enable private cipher suites, 0 to disable. ``` -------------------------------- ### gnutls_x509_aia_init Source: https://www.gnutls.org/manual/gnutls.html Initializes an authority information access (AIA) structure, preparing it for use. ```APIDOC ## gnutls_x509_aia_init ### Description Initializes an authority information access (AIA) type, allocating necessary resources. ### Function Signature `int gnutls_x509_aia_init(gnutls_x509_aia_t * aia)` ### Parameters - **aia** (gnutls_x509_aia_t *) - A pointer to the authority information access structure to be initialized. ### Returns On success, `GNUTLS_E_SUCCESS` (0) is returned, otherwise a negative error value. ``` -------------------------------- ### Get Transport Pointer Arguments Source: https://www.gnutls.org/manual/gnutls.html Retrieves the pointer arguments for the transport functions (PUSH/PULL) that were set using gnutls_transport_set_ptr2(). ```c void gnutls_transport_get_ptr2(gnutls_session_t session, gnutls_transport_ptr_t * recv_ptr, gnutls_transport_ptr_t * send_ptr); ```