1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 1 January 2014 for version
3.2.9 of GnuTLS.
Copyright (C) 2001-2013 Free Software Foundation, Inc.\\
Copyright (C) 2001-2013 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 5.2, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.2.9: Managing encrypted keys</title>
<meta name="description" content="GnuTLS 3.2.9: Managing encrypted keys">
<meta name="keywords" content="GnuTLS 3.2.9: Managing encrypted keys">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="More-on-certificate-authentication.html#More-on-certificate-authentication" rel="up" title="More on certificate authentication">
<link href="certtool-Invocation.html#certtool-Invocation" rel="next" title="certtool Invocation">
<link href="OCSP-certificate-status-checking.html#OCSP-certificate-status-checking" rel="prev" title="OCSP certificate status checking">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.indentedblock {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smallindentedblock {margin-left: 3.2em; font-size: smaller}
div.smalllisp {margin-left: 3.2em}
kbd {font-style:oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space:nowrap}
span.nolinebreak {white-space:nowrap}
span.roman {font-family:serif; font-weight:normal}
span.sansserif {font-family:sans-serif; font-weight:normal}
ul.no-bullet {list-style: none}
body {
margin: 2%;
padding: 0 5%;
background: #ffffff;
}
h1,h2,h3,h4,h5 {
font-weight: bold;
padding: 5px 5px 5px 5px;
background-color: #c2e0ff;
color: #336699;
}
h1 {
padding: 2em 2em 2em 5%;
color: white;
background: #336699;
text-align: center;
letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
margin: 0 5%;
padding: 0.5em;
}
pre.example,pre.verbatim {
padding-bottom: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 1px 1px 1px 5px;
margin: 1em auto;
width: 90%;
}
div.node {
margin: 0 -5% 0 -2%;
padding: 0.5em 0.5em;
margin-top: 0.5em;
margin-bottom: 0.5em;
font-weight: bold;
}
dd, li {
padding-top: 0.1em;
padding-bottom: 0.1em;
}
div.float {
margin-bottom: 0.5em;
text-align: center;
}
table {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
}
th {
padding: 0;
color: #336699;
background-color: #c2e0ff;
border: solid #000000;
border-width: 0px;
margin: 1em auto;
text-align: center;
margin-left:auto;
margin-right:auto;
}
td {
padding: 0;
border: solid #000000;
background-color: #f0faff;
border-width: 0px;
margin: 1em auto;
text-align: left;
margin-left:auto;
margin-right:auto;
padding-left: 1em;
}
dl {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
padding-left: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 5px 1px 1px 1px;
margin: 1em auto;
}
-->
</style>
</head>
<body lang="en" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">
<a name="Managing-encrypted-keys"></a>
<div class="header">
<p>
Next: <a href="certtool-Invocation.html#certtool-Invocation" accesskey="n" rel="next">certtool Invocation</a>, Previous: <a href="OCSP-certificate-status-checking.html#OCSP-certificate-status-checking" accesskey="p" rel="prev">OCSP certificate status checking</a>, Up: <a href="More-on-certificate-authentication.html#More-on-certificate-authentication" accesskey="u" rel="up">More on certificate authentication</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Managing-encrypted-keys-1"></a>
<h4 class="subsection">4.2.4 Managing encrypted keys</h4>
<a name="index-Encrypted-keys"></a>
<p>Transferring or storing private keys in plain may not be a
good idea, since any compromise is irreparable.
Storing the keys in hardware security modules (see <a href="Smart-cards-and-HSMs.html#Smart-cards-and-HSMs">Smart cards and HSMs</a>)
could solve the storage problem but it is not always practical
or efficient enough. This section describes ways to store and
transfer encrypted private keys.
</p>
<p>There are methods for key encryption, namely the
PKCS #8, PKCS #12 and OpenSSL’s custom encrypted private key formats.
The PKCS #8 and the OpenSSL’s method allow encryption of the private key,
while the PKCS #12 method allows, in addition, the bundling of accompanying
data into the structure. That is typically the corresponding certificate, as
well as a trusted CA certificate.
</p>
<a name="High-level-functionality"></a>
<h4 class="subsubheading">High level functionality</h4>
<p>Generic and higher level private key import functions are available, that
import plain or encrypted keys and will auto-detect the encrypted key format.
</p>
<dl>
<dt><a name="index-gnutls_005fprivkey_005fimport_005fx509_005fraw"></a>Function: <em>int</em> <strong>gnutls_privkey_import_x509_raw</strong> <em>(gnutls_privkey_t <var>pkey</var>, const gnutls_datum_t * <var>data</var>, gnutls_x509_crt_fmt_t <var>format</var>, const char * <var>password</var>, unsigned int <var>flags</var>)</em></dt>
<dd><p><var>pkey</var>: The private key
</p>
<p><var>data</var>: The private key data to be imported
</p>
<p><var>format</var>: The format of the private key
</p>
<p><var>password</var>: A password (optional)
</p>
<p><var>flags</var>: an ORed sequence of gnutls_pkcs_encrypt_flags_t
</p>
<p>This function will import the given private key to the abstract
<code>gnutls_privkey_t</code> structure.
</p>
<p>The supported formats are basic unencrypted key, PKCS8, PKCS12,
and the openssl format.
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p>
<p><strong>Since:</strong> 3.1.0
</p></dd></dl>
<dl>
<dt><a name="index-gnutls_005fx509_005fprivkey_005fimport2"></a>Function: <em>int</em> <strong>gnutls_x509_privkey_import2</strong> <em>(gnutls_x509_privkey_t <var>key</var>, const gnutls_datum_t * <var>data</var>, gnutls_x509_crt_fmt_t <var>format</var>, const char * <var>password</var>, unsigned int <var>flags</var>)</em></dt>
<dd><p><var>key</var>: The structure to store the parsed key
</p>
<p><var>data</var>: The DER or PEM encoded key.
</p>
<p><var>format</var>: One of DER or PEM
</p>
<p><var>password</var>: A password (optional)
</p>
<p><var>flags</var>: an ORed sequence of gnutls_pkcs_encrypt_flags_t
</p>
<p>This function will import the given DER or PEM encoded key, to
the native <code>gnutls_x509_privkey_t</code> format, irrespective of the
input format. The input format is auto-detected.
</p>
<p>The supported formats are basic unencrypted key, PKCS8, PKCS12,
and the openssl format.
</p>
<p>If the provided key is encrypted but no password was given, then
<code>GNUTLS_E_DECRYPTION_FAILED</code> is returned.
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<p>Any keys imported using those functions can be imported to a certificate
credentials structure using <a href="Abstract-key-API.html#gnutls_005fcertificate_005fset_005fkey">gnutls_certificate_set_key</a>, or alternatively
they can be directly imported using <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005fkey_005ffile2">gnutls_certificate_set_x509_key_file2</a>.
</p>
<a name="PKCS-_00238-structures"></a>
<h4 class="subsubheading"><acronym>PKCS</acronym> #8 structures</h4>
<a name="index-PKCS-_00238"></a>
<p>PKCS #8 keys can be imported and exported as normal private keys using
the functions below. An addition to the normal import functions, are
a password and a flags argument. The flags can be any element of the <code>gnutls_pkcs_encrypt_flags_t</code>
enumeration. Note however, that GnuTLS only supports the PKCS #5 PBES2
encryption scheme. Keys encrypted with the obsolete PBES1 scheme cannot
be decrypted.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="X509-certificate-API.html#gnutls_005fx509_005fprivkey_005fimport_005fpkcs8">gnutls_x509_privkey_import_pkcs8</a> (gnutls_x509_privkey_t <var>key</var>, const gnutls_datum_t * <var>data</var>, gnutls_x509_crt_fmt_t <var>format</var>, const char * <var>password</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>int</var> <a href="X509-certificate-API.html#gnutls_005fx509_005fprivkey_005fexport_005fpkcs8">gnutls_x509_privkey_export_pkcs8</a> (gnutls_x509_privkey_t <var>key</var>, gnutls_x509_crt_fmt_t <var>format</var>, const char * <var>password</var>, unsigned int <var>flags</var>, void * <var>output_data</var>, size_t * <var>output_data_size</var>)</code></dt>
<dt><code><var>int</var> <a href="X509-certificate-API.html#gnutls_005fx509_005fprivkey_005fexport2_005fpkcs8">gnutls_x509_privkey_export2_pkcs8</a> (gnutls_x509_privkey_t <var>key</var>, gnutls_x509_crt_fmt_t <var>format</var>, const char * <var>password</var>, unsigned int <var>flags</var>, gnutls_datum_t * <var>out</var>)</code></dt>
</dl>
<div class="float"><a name="gnutls_005fpkcs_005fencrypt_005fflags_005ft"></a>
<dl compact="compact">
<dt><code>GNUTLS_PKCS_PLAIN</code></dt>
<dd><p>Unencrypted private key.
</p></dd>
<dt><code>GNUTLS_PKCS_USE_PKCS12_3DES</code></dt>
<dd><p>PKCS-12 3DES.
</p></dd>
<dt><code>GNUTLS_PKCS_USE_PKCS12_ARCFOUR</code></dt>
<dd><p>PKCS-12 ARCFOUR.
</p></dd>
<dt><code>GNUTLS_PKCS_USE_PKCS12_RC2_40</code></dt>
<dd><p>PKCS-12 RC2-40.
</p></dd>
<dt><code>GNUTLS_PKCS_USE_PBES2_3DES</code></dt>
<dd><p>PBES2 3DES.
</p></dd>
<dt><code>GNUTLS_PKCS_USE_PBES2_AES_128</code></dt>
<dd><p>PBES2 AES-128.
</p></dd>
<dt><code>GNUTLS_PKCS_USE_PBES2_AES_192</code></dt>
<dd><p>PBES2 AES-192.
</p></dd>
<dt><code>GNUTLS_PKCS_USE_PBES2_AES_256</code></dt>
<dd><p>PBES2 AES-256.
</p></dd>
<dt><code>GNUTLS_PKCS_NULL_PASSWORD</code></dt>
<dd><p>Some schemas distinguish between an empty and a NULL password.
</p></dd>
</dl>
<div class="float-caption"><p><strong>Figure 4.6: </strong>Encryption flags</p></div></div>
<a name="PKCS-_002312-structures"></a>
<h4 class="subsubheading"><acronym>PKCS</acronym> #12 structures</h4>
<a name="index-PKCS-_002312"></a>
<p>A <acronym>PKCS</acronym> #12 structure [<em>PKCS12</em>] usually contains a user’s
private keys and certificates. It is commonly used in browsers to
export and import the user’s identities. A file containing such a key can
be directly imported to a certificate credentials structure by using
<a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005fsimple_005fpkcs12_005ffile">gnutls_certificate_set_x509_simple_pkcs12_file</a>.
</p>
<p>In <acronym>GnuTLS</acronym> the <acronym>PKCS</acronym> #12 structures are handled
using the <code>gnutls_pkcs12_t</code> type. This is an abstract type that
may hold several <code>gnutls_pkcs12_bag_t</code> types. The bag types are
the holders of the actual data, which may be certificates, private
keys or encrypted data. A bag of type encrypted should be decrypted
in order for its data to be accessed.
</p>
<p>To reduce the complexity in parsing the structures the simple
helper function <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fsimple_005fparse">gnutls_pkcs12_simple_parse</a> is provided. For more
advanced uses, manual parsing of the structure is required using the
functions below.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fget_005fbag">gnutls_pkcs12_get_bag</a> (gnutls_pkcs12_t <var>pkcs12</var>, int <var>indx</var>, gnutls_pkcs12_bag_t <var>bag</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fverify_005fmac">gnutls_pkcs12_verify_mac</a> (gnutls_pkcs12_t <var>pkcs12</var>, const char * <var>pass</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fdecrypt">gnutls_pkcs12_bag_decrypt</a> (gnutls_pkcs12_bag_t <var>bag</var>, const char * <var>pass</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fget_005fcount">gnutls_pkcs12_bag_get_count</a> (gnutls_pkcs12_bag_t <var>bag</var>)</code></dt>
</dl>
<dl>
<dt><a name="index-gnutls_005fpkcs12_005fsimple_005fparse"></a>Function: <em>int</em> <strong>gnutls_pkcs12_simple_parse</strong> <em>(gnutls_pkcs12_t <var>p12</var>, const char * <var>password</var>, gnutls_x509_privkey_t * <var>key</var>, gnutls_x509_crt_t ** <var>chain</var>, unsigned int * <var>chain_len</var>, gnutls_x509_crt_t ** <var>extra_certs</var>, unsigned int * <var>extra_certs_len</var>, gnutls_x509_crl_t * <var>crl</var>, unsigned int <var>flags</var>)</em></dt>
<dd><p><var>p12</var>: the PKCS12 blob.
</p>
<p><var>password</var>: optional password used to decrypt PKCS12 blob, bags and keys.
</p>
<p><var>key</var>: a structure to store the parsed private key.
</p>
<p><var>chain</var>: the corresponding to key certificate chain (may be <code>NULL</code> )
</p>
<p><var>chain_len</var>: will be updated with the number of additional (may be <code>NULL</code> )
</p>
<p><var>extra_certs</var>: optional pointer to receive an array of additional
certificates found in the PKCS12 blob (may be <code>NULL</code> ).
</p>
<p><var>extra_certs_len</var>: will be updated with the number of additional
certs (may be <code>NULL</code> ).
</p>
<p><var>crl</var>: an optional structure to store the parsed CRL (may be <code>NULL</code> ).
</p>
<p><var>flags</var>: should be zero or one of GNUTLS_PKCS12_SP_*
</p>
<p>This function parses a PKCS12 blob in <code>p12blob</code> and extracts the
private key, the corresponding certificate chain, and any additional
certificates and a CRL.
</p>
<p>The <code>extra_certs_ret</code> and <code>extra_certs_len</code> parameters are optional
and both may be set to <code>NULL</code> . If either is non-<code>NULL</code> , then both must
be set.
</p>
<p>Encrypted PKCS12 bags and PKCS8 private keys are supported. However,
only password based security, and the same password for all
operations, are supported.
</p>
<p>A PKCS12 file may contain many keys and/or certificates, and there
is no way to identify which key/certificate pair you want. You
should make sure the PKCS12 file only contain one key/certificate
pair and/or one CRL.
</p>
<p>It is believed that the limitations of this function are acceptable
for common usage, and that any more flexibility would introduce
complexity that would make it harder to use this functionality at
all.
</p>
<p>If the provided structure has encrypted fields but no password
is provided then this function returns <code>GNUTLS_E_DECRYPTION_FAILED</code> .
</p>
<p>Note that normally the chain constructed does not include self signed
certificates, to comply with TLS’ requirements. If, however, the flag
<code>GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED</code> is specified then
self signed certificates will be included in the chain.
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p>
<p><strong>Since:</strong> 3.1
</p></dd></dl>
<dl compact="compact">
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fget_005fdata">gnutls_pkcs12_bag_get_data</a> (gnutls_pkcs12_bag_t <var>bag</var>, int <var>indx</var>, gnutls_datum_t * <var>data</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fget_005fkey_005fid">gnutls_pkcs12_bag_get_key_id</a> (gnutls_pkcs12_bag_t <var>bag</var>, int <var>indx</var>, gnutls_datum_t * <var>id</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fget_005ffriendly_005fname">gnutls_pkcs12_bag_get_friendly_name</a> (gnutls_pkcs12_bag_t <var>bag</var>, int <var>indx</var>, char ** <var>name</var>)</code></dt>
</dl>
<p>The functions below are used to generate a PKCS #12 structure. An example
of their usage is shown at <a href="PKCS12-structure-generation-example.html#PKCS12-structure-generation-example">PKCS12 structure generation example</a>.
</p>
<dl compact="compact">
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fset_005fbag">gnutls_pkcs12_set_bag</a> (gnutls_pkcs12_t <var>pkcs12</var>, gnutls_pkcs12_bag_t <var>bag</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fencrypt">gnutls_pkcs12_bag_encrypt</a> (gnutls_pkcs12_bag_t <var>bag</var>, const char * <var>pass</var>, unsigned int <var>flags</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fgenerate_005fmac">gnutls_pkcs12_generate_mac</a> (gnutls_pkcs12_t <var>pkcs12</var>, const char * <var>pass</var>)</code></dt>
</dl>
<dl compact="compact">
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fset_005fdata">gnutls_pkcs12_bag_set_data</a> (gnutls_pkcs12_bag_t <var>bag</var>, gnutls_pkcs12_bag_type_t <var>type</var>, const gnutls_datum_t * <var>data</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fset_005fcrl">gnutls_pkcs12_bag_set_crl</a> (gnutls_pkcs12_bag_t <var>bag</var>, gnutls_x509_crl_t <var>crl</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fset_005fcrt">gnutls_pkcs12_bag_set_crt</a> (gnutls_pkcs12_bag_t <var>bag</var>, gnutls_x509_crt_t <var>crt</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fset_005fkey_005fid">gnutls_pkcs12_bag_set_key_id</a> (gnutls_pkcs12_bag_t <var>bag</var>, int <var>indx</var>, const gnutls_datum_t * <var>id</var>)</code></dt>
<dt><code><var>int</var> <a href="PKCS-12-API.html#gnutls_005fpkcs12_005fbag_005fset_005ffriendly_005fname">gnutls_pkcs12_bag_set_friendly_name</a> (gnutls_pkcs12_bag_t <var>bag</var>, int <var>indx</var>, const char * <var>name</var>)</code></dt>
</dl>
<a name="OpenSSL-encrypted-keys"></a>
<h4 class="subsubheading">OpenSSL encrypted keys</h4>
<a name="index-OpenSSL-encrypted-keys"></a>
<p>Unfortunately the structures discussed in the previous sections are
not the only structures that may hold an encrypted private key. For example
the OpenSSL library offers a custom key encryption method. Those structures
are also supported in GnuTLS with <a href="X509-certificate-API.html#gnutls_005fx509_005fprivkey_005fimport_005fopenssl">gnutls_x509_privkey_import_openssl</a>.
</p>
<dl>
<dt><a name="index-gnutls_005fx509_005fprivkey_005fimport_005fopenssl"></a>Function: <em>int</em> <strong>gnutls_x509_privkey_import_openssl</strong> <em>(gnutls_x509_privkey_t <var>key</var>, const gnutls_datum_t * <var>data</var>, const char * <var>password</var>)</em></dt>
<dd><p><var>key</var>: The structure to store the parsed key
</p>
<p><var>data</var>: The DER or PEM encoded key.
</p>
<p><var>password</var>: the password to decrypt the key (if it is encrypted).
</p>
<p>This function will convert the given PEM encrypted to
the native gnutls_x509_privkey_t format. The
output will be stored in <code>key</code> .
</p>
<p>The <code>password</code> should be in ASCII. If the password is not provided
or wrong then <code>GNUTLS_E_DECRYPTION_FAILED</code> will be returned.
</p>
<p>If the Certificate is PEM encoded it should have a header of
"PRIVATE KEY" and the "DEK-Info" header.
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<hr>
<div class="header">
<p>
Next: <a href="certtool-Invocation.html#certtool-Invocation" accesskey="n" rel="next">certtool Invocation</a>, Previous: <a href="OCSP-certificate-status-checking.html#OCSP-certificate-status-checking" accesskey="p" rel="prev">OCSP certificate status checking</a>, Up: <a href="More-on-certificate-authentication.html#More-on-certificate-authentication" accesskey="u" rel="up">More on certificate authentication</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|
