how to use gnutls_privkey_import_ext

Carolin Latze latze at
Sun Jun 10 12:56:02 CEST 2012

Ok, this is what I did now: I defined a sign_func and a decrypt_func 
based on the type found in abstract.h:

int gnutls_tpm_sign_func (gnutls_privkey_t key,
                           void *userdata,
                           const gnutls_datum_t * raw_data,
                           gnutls_datum_t * signature);
int gnutls_tpm_decrypt_func (gnutls_privkey_t key,
                              void *userdata,
                              const gnutls_datum_t * ciphertext,
                              gnutls_datum_t * plaintext);

The decrypt func will just return -1, whereas the sign func will call 
the TPM. Furthermore I create a NULL privkey:

gnutls_privkey_t key;

and assigned a NULL privkey to the credentials of this session: (even if 
I assign the &key here, it does not help)

gnutls_certificate_set_x509_key_mem(xcred, &ccert, NULL, 

Later, after gnutls_init, I tried to import the key callbacks:


Now I see that gnutls_privkey_import_ext is executed without problems 
(no errors, no segfault, valgrind just silent), but none of the 
callbacks will be called.  I guess I miss something during the 
initialization. Do you have an idea what I miss here?


On 06/10/2012 11:58 AM, Carolin Latze wrote:
> On 06/10/2012 11:55 AM, Nikos Mavrogiannopoulos wrote:
>> On 06/10/2012 11:37 AM, Carolin Latze wrote:
>>>> Hello,
>>>>    Did you check the error code from this function? It should have 
>>>> failed
>>>> because it requires a sign function and a decryption function. You 
>>>> also
>>>> do not set the public key algorithm to be used and put a NULL there.
>>> I also tried with GNUTLS_PK_RSA, but that did not help. And yeah I also
>>> switched on logging with a level of 15, but did not really see what the
>>> problem could. Well I thought it would be the pk algorithm, but as I
>>> said, that did not solve the problem.
>> Note that I didn't refer to logging but to checking the error code
>> returned by the function. If such a function fails the results are
>> inpredictable (like the crash you see). If possible send me an output of
>> valgrind with the crash to see whether an error code can be returned
>> instead of crash.
> I will try that.
>>>> I see that trousers comes with a PKCS #11 module (or they claim to).
>>>> I've never tried it, but doesn't it work?
>>> It does. But the TPM has never been designed to meet the PKCS#11 spec,
>>> so it requires for instance to set some keys to NULL. I could do that
>>> but I need to clear and reset my TPM to do that and I was hoping that I
>>> could prevent that. Maybe that is the next thing I try if I don't 
>>> manage
>>> to get the other function to work.
>> This function works (I know it is used in windows which usually has no
>> pkcs #11), so if you have more issues let me know. Just make sure you
>> provide functions of the correct type (note that the parameters in
>> gnutls_privkey_sign_func are different than the old gnutls_sign_func).
> Aha, ok, that helps :) I will rewrite the sign callback then.
>> btw. If you manage to use the TPM with this, would be nice if you point
>> me to your code (if it is lgpl). Would be nice to have some code to 
>> use TPM.
> Yeah sure.
>> regards,
>> Nikos
> _______________________________________________
> Help-gnutls mailing list
> Help-gnutls at

More information about the Gnutls-help mailing list