]>
git.ipfire.org Git - thirdparty/openssl.git/blob - demos/encode/ec_encode.c
2 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/decoder.h>
11 #include <openssl/encoder.h>
12 #include <openssl/evp.h>
15 * Example showing the encoding and decoding of EC public and private keys. A
16 * PEM-encoded EC key is read in from stdin, decoded, and then re-encoded and
17 * output for demonstration purposes. Both public and private keys are accepted.
19 * This can be used to load EC keys from a file or save EC keys to a file.
22 /* A property query used for selecting algorithm implementations. */
23 static const char *propq
= NULL
;
26 * Load a PEM-encoded EC key from a file, optionally decrypting it with a
27 * supplied passphrase.
29 static EVP_PKEY
*load_key(OSSL_LIB_CTX
*libctx
, FILE *f
, const char *passphrase
)
32 EVP_PKEY
*pkey
= NULL
;
33 OSSL_DECODER_CTX
*dctx
= NULL
;
37 * Create PEM decoder context expecting an EC key.
39 * For raw (non-PEM-encoded) keys, change "PEM" to "DER".
41 * The selection argument here specifies whether we are willing to accept a
42 * public key, private key, or either. If it is set to zero, either will be
43 * accepted. If set to EVP_PKEY_KEYPAIR, a private key will be required, and
44 * if set to EVP_PKEY_PUBLIC_KEY, a public key will be required.
46 dctx
= OSSL_DECODER_CTX_new_for_pkey(&pkey
, "PEM", NULL
, "EC",
50 fprintf(stderr
, "OSSL_DECODER_CTX_new_for_pkey() failed\n");
55 * Set passphrase if provided; needed to decrypt encrypted PEM files.
56 * If the input is not encrypted, any passphrase provided is ignored.
58 * Alternative methods for specifying passphrases exist, such as a callback
59 * (see OSSL_DECODER_CTX_set_passphrase_cb(3)), which may be more useful for
60 * interactive applications which do not know if a passphrase should be
61 * prompted for in advance, or for GUI applications.
63 if (passphrase
!= NULL
) {
64 if (OSSL_DECODER_CTX_set_passphrase(dctx
,
65 (const unsigned char *)passphrase
,
66 strlen(passphrase
)) == 0) {
67 fprintf(stderr
, "OSSL_DECODER_CTX_set_passphrase() failed\n");
72 /* Do the decode, reading from file. */
73 if (OSSL_DECODER_from_fp(dctx
, f
) == 0) {
74 fprintf(stderr
, "OSSL_DECODER_from_fp() failed\n");
80 OSSL_DECODER_CTX_free(dctx
);
83 * pkey is created by OSSL_DECODER_CTX_new_for_pkey, but we
84 * might fail subsequently, so ensure it's properly freed
96 * Store a EC public or private key to a file using PEM encoding.
98 * If a passphrase is supplied, the file is encrypted, otherwise
101 static int store_key(EVP_PKEY
*pkey
, FILE *f
, const char *passphrase
)
105 OSSL_ENCODER_CTX
*ectx
= NULL
;
108 * Create a PEM encoder context.
110 * For raw (non-PEM-encoded) output, change "PEM" to "DER".
112 * The selection argument controls whether the private key is exported
113 * (EVP_PKEY_KEYPAIR), or only the public key (EVP_PKEY_PUBLIC_KEY). The
114 * former will fail if we only have a public key.
116 * Note that unlike the decode API, you cannot specify zero here.
118 * Purely for the sake of demonstration, here we choose to export the whole
119 * key if a passphrase is provided and the public key otherwise.
121 selection
= (passphrase
!= NULL
)
123 : EVP_PKEY_PUBLIC_KEY
;
125 ectx
= OSSL_ENCODER_CTX_new_for_pkey(pkey
, selection
, "PEM", NULL
, propq
);
127 fprintf(stderr
, "OSSL_ENCODER_CTX_new_for_pkey() failed\n");
132 * Set passphrase if provided; the encoded output will then be encrypted
133 * using the passphrase.
135 * Alternative methods for specifying passphrases exist, such as a callback
136 * (see OSSL_ENCODER_CTX_set_passphrase_cb(3), just as for OSSL_DECODER_CTX;
137 * however you are less likely to need them as you presumably know whether
138 * encryption is desired in advance.
140 * Note that specifying a passphrase alone is not enough to cause the
141 * key to be encrypted. You must set both a cipher and a passphrase.
143 if (passphrase
!= NULL
) {
145 * Set cipher. Let's use AES-256-CBC, because it is
146 * more quantum resistant.
148 if (OSSL_ENCODER_CTX_set_cipher(ectx
, "AES-256-CBC", propq
) == 0) {
149 fprintf(stderr
, "OSSL_ENCODER_CTX_set_cipher() failed\n");
153 /* Set passphrase. */
154 if (OSSL_ENCODER_CTX_set_passphrase(ectx
,
155 (const unsigned char *)passphrase
,
156 strlen(passphrase
)) == 0) {
157 fprintf(stderr
, "OSSL_ENCODER_CTX_set_passphrase() failed\n");
162 /* Do the encode, writing to the given file. */
163 if (OSSL_ENCODER_to_fp(ectx
, f
) == 0) {
164 fprintf(stderr
, "OSSL_ENCODER_to_fp() failed\n");
170 OSSL_ENCODER_CTX_free(ectx
);
174 int main(int argc
, char **argv
)
176 int ret
= EXIT_FAILURE
;
177 OSSL_LIB_CTX
*libctx
= NULL
;
178 EVP_PKEY
*pkey
= NULL
;
179 const char *passphrase_in
= NULL
, *passphrase_out
= NULL
;
181 /* usage: ec_encode <passphrase-in> <passphrase-out> */
182 if (argc
> 1 && argv
[1][0])
183 passphrase_in
= argv
[1];
185 if (argc
> 2 && argv
[2][0])
186 passphrase_out
= argv
[2];
188 /* Decode PEM key from stdin and then PEM encode it to stdout. */
189 pkey
= load_key(libctx
, stdin
, passphrase_in
);
191 fprintf(stderr
, "Failed to decode key\n");
195 if (store_key(pkey
, stdout
, passphrase_out
) == 0) {
196 fprintf(stderr
, "Failed to encode key\n");
203 OSSL_LIB_CTX_free(libctx
);