]> git.ipfire.org Git - thirdparty/openssl.git/blame - doc/man3/PEM_read_bio_PrivateKey.pod
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
PEM: Add a more generic way to implement PEM _ex functions for libctx
[thirdparty/openssl.git] / doc / man3 / PEM_read_bio_PrivateKey.pod
CommitLineData
a29d78e9
DSH		 1=pod
2
3=head1 NAME
4
91da5e77 5pem_password_cb,
9256e8a2
RL		 6PEM_read_bio_PrivateKey_ex, PEM_read_bio_PrivateKey,
7PEM_read_PrivateKey_ex, PEM_read_PrivateKey,
8PEM_write_bio_PrivateKey_ex, PEM_write_bio_PrivateKey,
9PEM_write_bio_PrivateKey_traditional,
10PEM_write_PrivateKey_ex, PEM_write_PrivateKey,
05dba815 11PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey,
f097f81c 12PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid,
9256e8a2
RL		 13PEM_read_bio_PUBKEY_ex, PEM_read_bio_PUBKEY,
14PEM_read_PUBKEY_ex, PEM_read_PUBKEY,
15PEM_write_bio_PUBKEY_ex, PEM_write_bio_PUBKEY,
16PEM_write_PUBKEY_ex, PEM_write_PUBKEY,
f097f81c
DSH		 17PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey,
18PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey,
19PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey,
20PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY,
21PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey,
22PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey,
23PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY,
6e5ccd58
RL		 24PEM_write_DSA_PUBKEY, PEM_read_bio_Parameters_ex, PEM_read_bio_Parameters,
25PEM_write_bio_Parameters, PEM_read_bio_DSAparams, PEM_read_DSAparams,
f097f81c
DSH		 26PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams,
27PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams,
28PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
29PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
30PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
31PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW,
32PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL,
33PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7,
a0474357 34PEM_write_bio_PKCS7, PEM_write_PKCS7 - PEM routines
a29d78e9
DSH		 35
36=head1 SYNOPSIS
37
38 #include <openssl/pem.h>
39
5bf6d418 40 typedef int pem_password_cb(char *buf, int size, int rwflag, void *u);
91da5e77 41
9256e8a2
RL		 42 EVP_PKEY *PEM_read_bio_PrivateKey_ex(BIO *bp, EVP_PKEY **x,
43 pem_password_cb *cb, void *u,
44 OSSL_LIB_CTX *libctx, const char *propq);
a29d78e9 45 EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
a0474357 46 pem_password_cb *cb, void *u);
137b274a 47 EVP_PKEY *PEM_read_PrivateKey_ex(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
b4250010 48 void *u, OSSL_LIB_CTX *libctx,
137b274a 49 const char *propq);
a29d78e9 50 EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
a0474357 51 pem_password_cb *cb, void *u);
9256e8a2
RL		 52 int PEM_write_bio_PrivateKey_ex(BIO *bp, const EVP_PKEY *x,
53 const EVP_CIPHER *enc,
54 unsigned char *kstr, int klen,
55 pem_password_cb *cb, void *u,
56 OSSL_LIB_CTX *libctx, const char *propq);
9fdcc21f 57 int PEM_write_bio_PrivateKey(BIO *bp, const EVP_PKEY *x, const EVP_CIPHER *enc,
a0474357
RS		 58 unsigned char *kstr, int klen,
59 pem_password_cb *cb, void *u);
05dba815
DSH		 60 int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x,
61 const EVP_CIPHER *enc,
62 unsigned char *kstr, int klen,
63 pem_password_cb *cb, void *u);
9256e8a2
RL		 64 int PEM_write_PrivateKey_ex(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
65 unsigned char *kstr, int klen,
66 pem_password_cb *cb, void *u,
67 OSSL_LIB_CTX *libctx, const char *propq);
a29d78e9 68 int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
a0474357
RS		 69 unsigned char *kstr, int klen,
70 pem_password_cb *cb, void *u);
a29d78e9 71 int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
a0474357
RS		 72 char *kstr, int klen,
73 pem_password_cb *cb, void *u);
a29d78e9 74 int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
a0474357
RS		 75 char *kstr, int klen,
76 pem_password_cb *cb, void *u);
9fdcc21f 77 int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x, int nid,
a0474357
RS		 78 char *kstr, int klen,
79 pem_password_cb *cb, void *u);
9fdcc21f 80 int PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x, int nid,
a0474357
RS		 81 char *kstr, int klen,
82 pem_password_cb *cb, void *u);
a29d78e9 83
6e5ccd58
RL		 84 EVP_PKEY *PEM_read_bio_PUBKEY_ex(BIO *bp, EVP_PKEY **x,
85 pem_password_cb *cb, void *u,
b4250010 86 OSSL_LIB_CTX *libctx, const char *propq);
a29d78e9 87 EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
a0474357 88 pem_password_cb *cb, void *u);
6e5ccd58
RL		 89 EVP_PKEY *PEM_read_PUBKEY_ex(FILE *fp, EVP_PKEY **x,
90 pem_password_cb *cb, void *u,
b4250010 91 OSSL_LIB_CTX *libctx, const char *propq);
a29d78e9 92 EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x,
a0474357 93 pem_password_cb *cb, void *u);
9256e8a2
RL		 94 int PEM_write_bio_PUBKEY_ex(BIO *bp, EVP_PKEY *x,
95 OSSL_LIB_CTX *libctx, const char *propq);
a29d78e9 96 int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x);
9256e8a2
RL		 97 int PEM_write_PUBKEY_ex(FILE *fp, EVP_PKEY *x,
98 OSSL_LIB_CTX *libctx, const char *propq);
a29d78e9
DSH		 99 int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
100
101 RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
a0474357 102 pem_password_cb *cb, void *u);
a29d78e9 103 RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
a0474357 104 pem_password_cb *cb, void *u);
a29d78e9 105 int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
a0474357
RS		 106 unsigned char *kstr, int klen,
107 pem_password_cb *cb, void *u);
a29d78e9 108 int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
a0474357
RS		 109 unsigned char *kstr, int klen,
110 pem_password_cb *cb, void *u);
a29d78e9
DSH		 111
112 RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x,
a0474357 113 pem_password_cb *cb, void *u);
a29d78e9 114 RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x,
a0474357 115 pem_password_cb *cb, void *u);
a29d78e9 116 int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x);
a29d78e9
DSH		 117 int PEM_write_RSAPublicKey(FILE *fp, RSA *x);
118
119 RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x,
a0474357 120 pem_password_cb *cb, void *u);
a29d78e9 121 RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x,
a0474357 122 pem_password_cb *cb, void *u);
a29d78e9 123 int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x);
a29d78e9
DSH		 124 int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x);
125
126 DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x,
a0474357 127 pem_password_cb *cb, void *u);
a29d78e9 128 DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x,
a0474357 129 pem_password_cb *cb, void *u);
a29d78e9 130 int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
a0474357
RS		 131 unsigned char *kstr, int klen,
132 pem_password_cb *cb, void *u);
a29d78e9 133 int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
a0474357
RS		 134 unsigned char *kstr, int klen,
135 pem_password_cb *cb, void *u);
a29d78e9
DSH		 136
137 DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x,
a0474357 138 pem_password_cb *cb, void *u);
a29d78e9 139 DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x,
a0474357 140 pem_password_cb *cb, void *u);
a29d78e9 141 int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
a29d78e9
DSH		 142 int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
143
6e5ccd58 144 EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
b4250010 145 OSSL_LIB_CTX *libctx, const char *propq);
9a6abb95
RL		 146 EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
147 int PEM_write_bio_Parameters(BIO *bp, const EVP_PKEY *x);
148
a29d78e9 149 DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
a29d78e9 150 DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
a29d78e9 151 int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
a29d78e9
DSH		 152 int PEM_write_DSAparams(FILE *fp, DSA *x);
153
154 DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
a29d78e9 155 DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u);
a29d78e9 156 int PEM_write_bio_DHparams(BIO *bp, DH *x);
a29d78e9
DSH		 157 int PEM_write_DHparams(FILE *fp, DH *x);
158
159 X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
a29d78e9 160 X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
a29d78e9 161 int PEM_write_bio_X509(BIO *bp, X509 *x);
a29d78e9
DSH		 162 int PEM_write_X509(FILE *fp, X509 *x);
163
164 X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
a29d78e9 165 X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
a29d78e9 166 int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
a29d78e9
DSH		 167 int PEM_write_X509_AUX(FILE *fp, X509 *x);
168
169 X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
a0474357 170 pem_password_cb *cb, void *u);
a29d78e9 171 X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
a0474357 172 pem_password_cb *cb, void *u);
a29d78e9 173 int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
a29d78e9 174 int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
a29d78e9 175 int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
a29d78e9
DSH		 176 int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
177
178 X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
a0474357 179 pem_password_cb *cb, void *u);
a29d78e9 180 X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
a0474357 181 pem_password_cb *cb, void *u);
a29d78e9
DSH		 182 int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
183 int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
184
185 PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
a29d78e9 186 PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
a29d78e9 187 int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
a29d78e9
DSH		 188 int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
189
a29d78e9
DSH		 190=head1 DESCRIPTION
191
192The PEM functions read or write structures in PEM format. In
193this sense PEM format is simply base64 encoded data surrounded
194by header lines.
195
196For more details about the meaning of arguments see the
197B<PEM FUNCTION ARGUMENTS> section.
198
199Each operation has four functions associated with it. For
bbecf04e
RL		 200brevity the term "B<I<TYPE>> functions" will be used below to collectively
201refer to the B<PEM_read_bio_I<TYPE>>(), B<PEM_read_I<TYPE>>(),
202B<PEM_write_bio_I<TYPE>>(), and B<PEM_write_I<TYPE>>() functions.
a29d78e9 203
137b274a
MC		 204Some operations have additional variants that take a library context I<libctx>
205and a property query string I<propq>.
206
9256e8a2
RL		 207The B<PrivateKey> functions read or write a private key in PEM format using
208an EVP_PKEY structure. The write routines use PKCS#8 private key format and are
209equivalent to PEM_write_bio_PKCS8PrivateKey(). The read functions transparently
05dba815 210handle traditional and PKCS#8 format encrypted and unencrypted keys.
a29d78e9 211
a95d7574
RS		 212PEM_write_bio_PrivateKey_traditional() writes out a private key in the
213"traditional" format with a simple private key marker and should only
214be used for compatibility with legacy programs.
05dba815
DSH		 215
216PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey() write a private
217key in an EVP_PKEY structure in PKCS#8 EncryptedPrivateKeyInfo format using
bbecf04e 218PKCS#5 v2.0 password based encryption algorithms. The I<cipher> argument
05dba815
DSH		 219specifies the encryption algorithm to use: unlike some other PEM routines the
220encryption is applied at the PKCS#8 level and not in the PEM headers. If
bbecf04e 221I<cipher> is NULL then no encryption is used and a PKCS#8 PrivateKeyInfo
05dba815 222structure is used instead.
a29d78e9
DSH		 223
224PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid()
225also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
226it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
bbecf04e 227to use is specified in the I<nid> parameter and should be the NID of the
a29d78e9
DSH		 228corresponding OBJECT IDENTIFIER (see NOTES section).
229
230The B<PUBKEY> functions process a public key using an EVP_PKEY
231structure. The public key is encoded as a SubjectPublicKeyInfo
232structure.
233
234The B<RSAPrivateKey> functions process an RSA private key using an
05dba815
DSH		 235RSA structure. The write routines uses traditional format. The read
236routines handles the same formats as the B<PrivateKey>
a29d78e9
DSH		 237functions but an error occurs if the private key is not RSA.
238
239The B<RSAPublicKey> functions process an RSA public key using an
240RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey
241structure.
242
243The B<RSA_PUBKEY> functions also process an RSA public key using
8c1cbc72 244an RSA structure. However, the public key is encoded using a
a29d78e9
DSH		 245SubjectPublicKeyInfo structure and an error occurs if the public
246key is not RSA.
247
248The B<DSAPrivateKey> functions process a DSA private key using a
05dba815
DSH		 249DSA structure. The write routines uses traditional format. The read
250routines handles the same formats as the B<PrivateKey>
a29d78e9
DSH		 251functions but an error occurs if the private key is not DSA.
252
253The B<DSA_PUBKEY> functions process a DSA public key using
254a DSA structure. The public key is encoded using a
255SubjectPublicKeyInfo structure and an error occurs if the public
256key is not DSA.
257
9a6abb95
RL		 258The B<Parameters> functions read or write key parameters in PEM format using
259an EVP_PKEY structure. The encoding depends on the type of key; for DSA key
260parameters, it will be a Dss-Parms structure as defined in RFC2459, and for DH
261key parameters, it will be a PKCS#3 DHparameter structure. I<These functions
262only exist for the B<BIO> type>.
263
a29d78e9 264The B<DSAparams> functions process DSA parameters using a DSA
f097f81c
DSH		 265structure. The parameters are encoded using a Dss-Parms structure
266as defined in RFC2459.
a29d78e9
DSH		 267
268The B<DHparams> functions process DH parameters using a DH
269structure. The parameters are encoded using a PKCS#3 DHparameter
270structure.
271
272The B<X509> functions process an X509 certificate using an X509
273structure. They will also process a trusted X509 certificate but
274any trust settings are discarded.
275
276The B<X509_AUX> functions process a trusted X509 certificate using
1bc74519 277an X509 structure.
a29d78e9
DSH		 278
279The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10
280certificate request using an X509_REQ structure. The B<X509_REQ>
281write functions use B<CERTIFICATE REQUEST> in the header whereas
282the B<X509_REQ_NEW> functions use B<NEW CERTIFICATE REQUEST>
283(as required by some CAs). The B<X509_REQ> read functions will
284handle either form so there are no B<X509_REQ_NEW> read functions.
285
286The B<X509_CRL> functions process an X509 CRL using an X509_CRL
287structure.
288
289The B<PKCS7> functions process a PKCS#7 ContentInfo using a PKCS7
290structure.
291
a29d78e9
DSH		 292=head1 PEM FUNCTION ARGUMENTS
293
294The PEM functions have many common arguments.
295
bbecf04e 296The I<bp> BIO parameter (if present) specifies the BIO to read from
a29d78e9
DSH		 297or write to.
298
bbecf04e 299The I<fp> FILE parameter (if present) specifies the FILE pointer to
a29d78e9
DSH		 300read from or write to.
301
bbecf04e
RL		 302The PEM read functions all take an argument I<B<TYPE> **x> and return
303a I<B<TYPE> *> pointer. Where I<B<TYPE>> is whatever structure the function
304uses. If I<x> is NULL then the parameter is ignored. If I<x> is not
305NULL but I<*x> is NULL then the structure returned will be written
306to I<*x>. If neither I<x> nor I<*x> is NULL then an attempt is made
307to reuse the structure at I<*x> (but see BUGS and EXAMPLES sections).
308Irrespective of the value of I<x> a pointer to the structure is always
a29d78e9
DSH		 309returned (or NULL if an error occurred).
310
bbecf04e 311The PEM functions which write private keys take an I<enc> parameter
a29d78e9
DSH		 312which specifies the encryption algorithm to use, encryption is done
313at the PEM level. If this parameter is set to NULL then the private
314key is written in unencrypted form.
315
bbecf04e 316The I<cb> argument is the callback to use when querying for the pass
a29d78e9
DSH		 317phrase used for encrypted PEM structures (normally only private keys).
318
bbecf04e
RL		 319For the PEM write routines if the I<kstr> parameter is not NULL then
320I<klen> bytes at I<kstr> are used as the passphrase and I<cb> is
a29d78e9
DSH		 321ignored.
322
bbecf04e
RL		 323If the I<cb> parameters is set to NULL and the I<u> parameter is not
324NULL then the I<u> parameter is interpreted as a null terminated string
325to use as the passphrase. If both I<cb> and I<u> are NULL then the
a29d78e9
DSH		 326default callback routine is used which will typically prompt for the
327passphrase on the current terminal with echoing turned off.
328
329The default passphrase callback is sometimes inappropriate (for example
330in a GUI application) so an alternative can be supplied. The callback
331routine has the following form:
332
333 int cb(char *buf, int size, int rwflag, void *u);
334
bbecf04e
RL		 335I<buf> is the buffer to write the passphrase to. I<size> is the maximum
336length of the passphrase (i.e. the size of buf). I<rwflag> is a flag
a29d78e9
DSH		 337which is set to 0 when reading and 1 when writing. A typical routine
338will ask the user to verify the passphrase (for example by prompting
bbecf04e
RL		 339for it twice) if I<rwflag> is 1. The I<u> parameter has the same
340value as the I<u> parameter passed to the PEM routine. It allows
a29d78e9
DSH		 341arbitrary data to be passed to the callback by the application
342(for example a window handle in a GUI application). The callback
bbecf04e 343I<must> return the number of characters in the passphrase or -1 if
a29d78e9
DSH		 344an error occurred.
345
137b274a
MC		 346Some implementations may need to use cryptographic algorithms during their
347operation. If this is the case and I<libctx> and I<propq> parameters have been
348passed then any algorithm fetches will use that library context and property
349query string. Otherwise the default library context and property query string
350will be used.
351
a29d78e9
DSH		 352=head1 NOTES
353
354The old B<PrivateKey> write routines are retained for compatibility.
355New applications should write private keys using the
356PEM_write_bio_PKCS8PrivateKey() or PEM_write_PKCS8PrivateKey() routines
357because they are more secure (they use an iteration count of 2048 whereas
358the traditional routines use a count of 1) unless compatibility with older
359versions of OpenSSL is important.
360
361The B<PrivateKey> read routines can be used in all applications because
362they handle all formats transparently.
363
364A frequent cause of problems is attempting to use the PEM routines like
365this:
366
367 X509 *x;
e9b77246 368
a29d78e9
DSH		 369 PEM_read_bio_X509(bp, &x, 0, NULL);
370
bbecf04e 371this is a bug because an attempt will be made to reuse the data at I<x>
a29d78e9
DSH		 372which is an uninitialised pointer.
373
84814344
RL		 374These functions make no assumption regarding the pass phrase received from the
375password callback.
376It will simply be treated as a byte sequence.
377
06623ff0
DSH		 378=head1 PEM ENCRYPTION FORMAT
379
a0474357 380These old B<PrivateKey> routines use a non standard technique for encryption.
06623ff0 381
1bc74519 382The private key (or other data) takes the following form:
06623ff0
DSH		 383
384 -----BEGIN RSA PRIVATE KEY-----
385 Proc-Type: 4,ENCRYPTED
386 DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89
387
388 ...base64 encoded data...
389 -----END RSA PRIVATE KEY-----
390
a0474357
RS		 391The line beginning with I<Proc-Type> contains the version and the
392protection on the encapsulated data. The line beginning I<DEK-Info>
393contains two comma separated values: the encryption algorithm name as
394used by EVP_get_cipherbyname() and an initialization vector used by the
395cipher encoded as a set of hexadecimal digits. After those two lines is
396the base64-encoded encrypted data.
06623ff0 397
a0474357 398The encryption key is derived using EVP_BytesToKey(). The cipher's
bbecf04e 399initialization vector is passed to EVP_BytesToKey() as the I<salt>
a0474357
RS		 400parameter. Internally, B<PKCS5_SALT_LEN> bytes of the salt are used
401(regardless of the size of the initialization vector). The user's
bbecf04e 402password is passed to EVP_BytesToKey() using the I<data> and I<datal>
a0474357
RS		 403parameters. Finally, the library uses an iteration count of 1 for
404EVP_BytesToKey().
06623ff0 405
bbecf04e
RL		 406The I<key> derived by EVP_BytesToKey() along with the original initialization
407vector is then used to decrypt the encrypted data. The I<iv> produced by
a0474357
RS		 408EVP_BytesToKey() is not utilized or needed, and NULL should be passed to
409the function.
410
411The pseudo code to derive the key would look similar to:
412
413 EVP_CIPHER* cipher = EVP_des_ede3_cbc();
414 EVP_MD* md = EVP_md5();
415
416 unsigned int nkey = EVP_CIPHER_key_length(cipher);
417 unsigned int niv = EVP_CIPHER_iv_length(cipher);
418 unsigned char key[nkey];
419 unsigned char iv[niv];
420
421 memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv);
422 rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/);
2947af32 423 if (rc != nkey)
a0474357 424 /* Error */
a0474357
RS		 425
426 /* On success, use key and iv to initialize the cipher */
06623ff0 427
a29d78e9
DSH		 428=head1 BUGS
429
430The PEM read routines in some versions of OpenSSL will not correctly reuse
8c1cbc72 431an existing structure. Therefore, the following:
a29d78e9 432
e88c5777 433 PEM_read_bio_X509(bp, &x, 0, NULL);
a29d78e9 434
bbecf04e 435where I<x> already contains a valid certificate, may not work, whereas:
a29d78e9
DSH		 436
437 X509_free(x);
e88c5777 438 x = PEM_read_bio_X509(bp, NULL, 0, NULL);
a29d78e9
DSH		 439
440is guaranteed to work.
441
1f13ad31 442=head1 RETURN VALUES
a29d78e9
DSH		 443
444The read routines return either a pointer to the structure read or NULL
9449e385 445if an error occurred.
a29d78e9
DSH		 446
447The write routines return 1 for success or 0 for failure.
d48e78f0 448
4564e77a
PY		 449=head1 EXAMPLES
450
451Although the PEM routines take several arguments in almost all applications
452most of them are set to 0 or NULL.
453
6725682d
SL		 454To read a certificate with a library context in PEM format from a BIO:
455
d8652be0 456 X509 *x = X509_new_ex(libctx, NULL);
6725682d
SL		 457
458 if (x == NULL)
459 /* Error */
460
461 if (PEM_read_bio_X509(bp, &x, 0, NULL) == NULL)
462 /* Error */
463
4564e77a
PY		 464Read a certificate in PEM format from a BIO:
465
466 X509 *x;
467
468 x = PEM_read_bio_X509(bp, NULL, 0, NULL);
469 if (x == NULL)
470 /* Error */
471
472Alternative method:
473
474 X509 *x = NULL;
475
476 if (!PEM_read_bio_X509(bp, &x, 0, NULL))
477 /* Error */
478
479Write a certificate to a BIO:
480
481 if (!PEM_write_bio_X509(bp, x))
482 /* Error */
483
484Write a private key (using traditional format) to a BIO using
485triple DES encryption, the pass phrase is prompted for:
486
487 if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL))
488 /* Error */
489
490Write a private key (using PKCS#8 format) to a BIO using triple
491DES encryption, using the pass phrase "hello":
492
493 if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
494 NULL, 0, 0, "hello"))
495 /* Error */
496
497Read a private key from a BIO using a pass phrase callback:
498
499 key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
500 if (key == NULL)
501 /* Error */
502
503Skeleton pass phrase callback:
504
505 int pass_cb(char *buf, int size, int rwflag, void *u)
506 {
507
508 /* We'd probably do something else if 'rwflag' is 1 */
509 printf("Enter pass phrase for \"%s\"\n", (char *)u);
510
511 /* get pass phrase, length 'len' into 'tmp' */
512 char *tmp = "hello";
513 if (tmp == NULL) /* An error occurred */
514 return -1;
515
516 size_t len = strlen(tmp);
517
518 if (len > size)
519 len = size;
520 memcpy(buf, tmp, len);
521 return len;
522 }
523
b5c4bbbe
JL		 524=head1 SEE ALSO
525
526L<EVP_EncryptInit(3)>, L<EVP_BytesToKey(3)>,
527L<passphrase-encoding(7)>
528
a0474357
RS		 529=head1 HISTORY
530
531The old Netscape certificate sequences were no longer documented
a95d7574 532in OpenSSL 1.1.0; applications should use the PKCS7 standard instead
a0474357
RS		 533as they will be formally deprecated in a future releases.
534
6e5ccd58
RL		 535PEM_read_bio_PrivateKey_ex(), PEM_read_PrivateKey_ex(),
536PEM_read_bio_PUBKEY_ex(), PEM_read_PUBKEY_ex() and
537PEM_read_bio_Parameters_ex() were introduced in OpenSSL 3.0.
137b274a 538
e2f92610
RS		 539=head1 COPYRIGHT
540
33388b44 541Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
e2f92610 542
4746f25a 543Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610
RS		 544this file except in compliance with the License. You can obtain a copy
545in the file LICENSE in the source distribution or at
546L<https://www.openssl.org/source/license.html>.
547
548=cut
A mirror of the official openssl repository