RSA sign/verify and hash generation functions

Murray S. Kucherawy msk at
Mon Dec 6 23:00:53 CET 2010

> -----Original Message-----
> From: n.mavrogiannopoulos at
> [mailto:n.mavrogiannopoulos at] On Behalf Of Nikos
> Mavrogiannopoulos
> Sent: Wednesday, December 01, 2010 2:20 AM
> To: Murray S. Kucherawy
> Cc: help-gnutls at
> Subject: Re: RSA sign/verify and hash generation functions
> If you remove the BEGIN and END tags then it is not PEM format any
> more. It is just a base64 of the DER data. With gnutls you can decode
> PEM or DER encoded keys, check the manual for more information. To
> handle your case you will have to base64 decode the key(gnutls has
> some helper functions for that) and then parse it as a DER key.

I'm working my way through the conversion.  The hash stuff appears pretty straightforward, but I'm missing how to import an simple RSA key in either PEM or DER format.  Since I already have a DER key decoded, let's focus on that.  The functions I see in the info pages for 2.11.4 include:

* gnutls_privkey_import_openpgp:         Core functions.     (line 3897)
* gnutls_privkey_import_pkcs11:          Core functions.     (line 3914)
* gnutls_privkey_import_x509:            Core functions.     (line 3931)

I don't see the way to get a DER key imported just from that.  The X509 function takes a parameter that can be DER, so maybe that's the one I'm looking for.  Is that correct?

For public keys it appears to be more comprehensive interface so far:

* gnutls_pubkey_import:                  Core functions.     (line 4583)
* gnutls_pubkey_import_dsa_raw:          Core functions.     (line 4474)
* gnutls_pubkey_import_openpgp:          Core functions.     (line 4497)
* gnutls_pubkey_import_pkcs11:           Core functions.     (line 4531)
* gnutls_pubkey_import_pkcs11_url:       Core functions.     (line 4514)
* gnutls_pubkey_import_rsa_raw:          Core functions.     (line 4548)
* gnutls_pubkey_import_x509:             Core functions.     (line 4566)
* gnutls_pubkey_init:                    Core functions.     (line 4601)

I think I want the first one for what I'm doing, namely using DER-formatted RSA keys to verify signatures.

With private keys, I need to do two things: encrypt some data, and extract a matching public key in DER format.  I think the encryption piece is done with gnutls_pkcs11_privkey_sign_data(), but I don't see how to do the latter thing so far.  Which function is used to do that?

Also, can gnutls_hash_deinit() take a NULL second pointer if all I want to do is deallocate the hash object, as I've previously gotten the result out from gnutls_hash_output()?


More information about the Gnutls-help mailing list