1PEM_READ_BIO_PRIVATEKEY(3ossl) OpenSSL PEM_READ_BIO_PRIVATEKEY(3ossl)
2
3
4
6 pem_password_cb, PEM_read_bio_PrivateKey_ex, PEM_read_bio_PrivateKey,
7 PEM_read_PrivateKey_ex, PEM_read_PrivateKey,
8 PEM_write_bio_PrivateKey_ex, PEM_write_bio_PrivateKey,
9 PEM_write_bio_PrivateKey_traditional, PEM_write_PrivateKey_ex,
10 PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey,
11 PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid,
12 PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY_ex,
13 PEM_read_bio_PUBKEY, PEM_read_PUBKEY_ex, PEM_read_PUBKEY,
14 PEM_write_bio_PUBKEY_ex, PEM_write_bio_PUBKEY, PEM_write_PUBKEY_ex,
15 PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey,
16 PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey,
17 PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey,
18 PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey,
19 PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY,
20 PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey,
21 PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey,
22 PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY,
23 PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY,
24 PEM_read_bio_Parameters_ex, PEM_read_bio_Parameters,
25 PEM_write_bio_Parameters, PEM_read_bio_DSAparams, PEM_read_DSAparams,
26 PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams,
27 PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams,
28 PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
29 PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
30 PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
31 PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW,
32 PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL,
33 PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7,
34 PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7 - PEM routines
35
37 #include <openssl/pem.h>
38
39 typedef int pem_password_cb(char *buf, int size, int rwflag, void *u);
40
41 EVP_PKEY *PEM_read_bio_PrivateKey_ex(BIO *bp, EVP_PKEY **x,
42 pem_password_cb *cb, void *u,
43 OSSL_LIB_CTX *libctx, const char *propq);
44 EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
45 pem_password_cb *cb, void *u);
46 EVP_PKEY *PEM_read_PrivateKey_ex(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
47 void *u, OSSL_LIB_CTX *libctx,
48 const char *propq);
49 EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
50 pem_password_cb *cb, void *u);
51 int PEM_write_bio_PrivateKey_ex(BIO *bp, const EVP_PKEY *x,
52 const EVP_CIPHER *enc,
53 unsigned char *kstr, int klen,
54 pem_password_cb *cb, void *u,
55 OSSL_LIB_CTX *libctx, const char *propq);
56 int PEM_write_bio_PrivateKey(BIO *bp, const EVP_PKEY *x, const EVP_CIPHER *enc,
57 unsigned char *kstr, int klen,
58 pem_password_cb *cb, void *u);
59 int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x,
60 const EVP_CIPHER *enc,
61 unsigned char *kstr, int klen,
62 pem_password_cb *cb, void *u);
63 int PEM_write_PrivateKey_ex(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
64 unsigned char *kstr, int klen,
65 pem_password_cb *cb, void *u,
66 OSSL_LIB_CTX *libctx, const char *propq);
67 int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
68 unsigned char *kstr, int klen,
69 pem_password_cb *cb, void *u);
70 int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
71 char *kstr, int klen,
72 pem_password_cb *cb, void *u);
73 int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
74 char *kstr, int klen,
75 pem_password_cb *cb, void *u);
76 int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x, int nid,
77 char *kstr, int klen,
78 pem_password_cb *cb, void *u);
79 int PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x, int nid,
80 char *kstr, int klen,
81 pem_password_cb *cb, void *u);
82
83 EVP_PKEY *PEM_read_bio_PUBKEY_ex(BIO *bp, EVP_PKEY **x,
84 pem_password_cb *cb, void *u,
85 OSSL_LIB_CTX *libctx, const char *propq);
86 EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
87 pem_password_cb *cb, void *u);
88 EVP_PKEY *PEM_read_PUBKEY_ex(FILE *fp, EVP_PKEY **x,
89 pem_password_cb *cb, void *u,
90 OSSL_LIB_CTX *libctx, const char *propq);
91 EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x,
92 pem_password_cb *cb, void *u);
93 int PEM_write_bio_PUBKEY_ex(BIO *bp, EVP_PKEY *x,
94 OSSL_LIB_CTX *libctx, const char *propq);
95 int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x);
96 int PEM_write_PUBKEY_ex(FILE *fp, EVP_PKEY *x,
97 OSSL_LIB_CTX *libctx, const char *propq);
98 int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
99
100 EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
101 OSSL_LIB_CTX *libctx, const char *propq);
102 EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
103 int PEM_write_bio_Parameters(BIO *bp, const EVP_PKEY *x);
104
105 X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
106 X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
107 int PEM_write_bio_X509(BIO *bp, X509 *x);
108 int PEM_write_X509(FILE *fp, X509 *x);
109
110 X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
111 X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
112 int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
113 int PEM_write_X509_AUX(FILE *fp, X509 *x);
114
115 X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
116 pem_password_cb *cb, void *u);
117 X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
118 pem_password_cb *cb, void *u);
119 int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
120 int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
121 int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
122 int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
123
124 X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
125 pem_password_cb *cb, void *u);
126 X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
127 pem_password_cb *cb, void *u);
128 int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
129 int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
130
131 PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
132 PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
133 int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
134 int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
135
136 The following functions have been deprecated since OpenSSL 3.0, and can
137 be hidden entirely by defining OPENSSL_API_COMPAT with a suitable
138 version value, see openssl_user_macros(7):
139
140 RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
141 pem_password_cb *cb, void *u);
142 RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
143 pem_password_cb *cb, void *u);
144 int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
145 unsigned char *kstr, int klen,
146 pem_password_cb *cb, void *u);
147 int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
148 unsigned char *kstr, int klen,
149 pem_password_cb *cb, void *u);
150
151 RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x,
152 pem_password_cb *cb, void *u);
153 RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x,
154 pem_password_cb *cb, void *u);
155 int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x);
156 int PEM_write_RSAPublicKey(FILE *fp, RSA *x);
157
158 RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x,
159 pem_password_cb *cb, void *u);
160 RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x,
161 pem_password_cb *cb, void *u);
162 int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x);
163 int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x);
164
165 DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x,
166 pem_password_cb *cb, void *u);
167 DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x,
168 pem_password_cb *cb, void *u);
169 int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
170 unsigned char *kstr, int klen,
171 pem_password_cb *cb, void *u);
172 int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
173 unsigned char *kstr, int klen,
174 pem_password_cb *cb, void *u);
175
176 DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x,
177 pem_password_cb *cb, void *u);
178 DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x,
179 pem_password_cb *cb, void *u);
180 int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
181 int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
182 DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
183 DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
184 int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
185 int PEM_write_DSAparams(FILE *fp, DSA *x);
186
187 DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
188 DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u);
189 int PEM_write_bio_DHparams(BIO *bp, DH *x);
190 int PEM_write_DHparams(FILE *fp, DH *x);
191
193 All of the functions described on this page that have a TYPE of DH, DSA
194 and RSA are deprecated. Applications should use OSSL_ENCODER_to_bio(3)
195 and OSSL_DECODER_from_bio(3) instead.
196
197 The PEM functions read or write structures in PEM format. In this sense
198 PEM format is simply base64 encoded data surrounded by header lines.
199
200 For more details about the meaning of arguments see the PEM FUNCTION
201 ARGUMENTS section.
202
203 Each operation has four functions associated with it. For brevity the
204 term "TYPE functions" will be used below to collectively refer to the
205 PEM_read_bio_TYPE(), PEM_read_TYPE(), PEM_write_bio_TYPE(), and
206 PEM_write_TYPE() functions.
207
208 Some operations have additional variants that take a library context
209 libctx and a property query string propq. The X509, X509_REQ and
210 X509_CRL objects may have an associated library context or property
211 query string but there are no variants of these functions that take a
212 library context or property query string parameter. In this case it is
213 possible to set the appropriate library context or property query
214 string by creating an empty X509, X509_REQ or X509_CRL object using
215 X509_new_ex(3), X509_REQ_new_ex(3) or X509_CRL_new_ex(3) respectively.
216 Then pass the empty object as a parameter to the relevant PEM function.
217 See the "EXAMPLES" section below.
218
219 The PrivateKey functions read or write a private key in PEM format
220 using an EVP_PKEY structure. The write routines use PKCS#8 private key
221 format and are equivalent to PEM_write_bio_PKCS8PrivateKey(). The read
222 functions transparently handle traditional and PKCS#8 format encrypted
223 and unencrypted keys.
224
225 PEM_write_bio_PrivateKey_traditional() writes out a private key in the
226 "traditional" format with a simple private key marker and should only
227 be used for compatibility with legacy programs.
228
229 PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey() write a
230 private key in an EVP_PKEY structure in PKCS#8 EncryptedPrivateKeyInfo
231 format using PKCS#5 v2.0 password based encryption algorithms. The
232 cipher argument specifies the encryption algorithm to use: unlike some
233 other PEM routines the encryption is applied at the PKCS#8 level and
234 not in the PEM headers. If cipher is NULL then no encryption is used
235 and a PKCS#8 PrivateKeyInfo structure is used instead.
236
237 PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid()
238 also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo
239 however it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead.
240 The algorithm to use is specified in the nid parameter and should be
241 the NID of the corresponding OBJECT IDENTIFIER (see NOTES section).
242
243 The PUBKEY functions process a public key using an EVP_PKEY structure.
244 The public key is encoded as a SubjectPublicKeyInfo structure.
245
246 The RSAPrivateKey functions process an RSA private key using an RSA
247 structure. The write routines uses traditional format. The read
248 routines handles the same formats as the PrivateKey functions but an
249 error occurs if the private key is not RSA.
250
251 The RSAPublicKey functions process an RSA public key using an RSA
252 structure. The public key is encoded using a PKCS#1 RSAPublicKey
253 structure.
254
255 The RSA_PUBKEY functions also process an RSA public key using an RSA
256 structure. However, the public key is encoded using a
257 SubjectPublicKeyInfo structure and an error occurs if the public key is
258 not RSA.
259
260 The DSAPrivateKey functions process a DSA private key using a DSA
261 structure. The write routines uses traditional format. The read
262 routines handles the same formats as the PrivateKey functions but an
263 error occurs if the private key is not DSA.
264
265 The DSA_PUBKEY functions process a DSA public key using a DSA
266 structure. The public key is encoded using a SubjectPublicKeyInfo
267 structure and an error occurs if the public key is not DSA.
268
269 The Parameters functions read or write key parameters in PEM format
270 using an EVP_PKEY structure. The encoding depends on the type of key;
271 for DSA key parameters, it will be a Dss-Parms structure as defined in
272 RFC2459, and for DH key parameters, it will be a PKCS#3 DHparameter
273 structure. These functions only exist for the BIO type.
274
275 The DSAparams functions process DSA parameters using a DSA structure.
276 The parameters are encoded using a Dss-Parms structure as defined in
277 RFC2459.
278
279 The DHparams functions process DH parameters using a DH structure. The
280 parameters are encoded using a PKCS#3 DHparameter structure.
281
282 The X509 functions process an X509 certificate using an X509 structure.
283 They will also process a trusted X509 certificate but any trust
284 settings are discarded.
285
286 The X509_AUX functions process a trusted X509 certificate using an X509
287 structure.
288
289 The X509_REQ and X509_REQ_NEW functions process a PKCS#10 certificate
290 request using an X509_REQ structure. The X509_REQ write functions use
291 CERTIFICATE REQUEST in the header whereas the X509_REQ_NEW functions
292 use NEW CERTIFICATE REQUEST (as required by some CAs). The X509_REQ
293 read functions will handle either form so there are no X509_REQ_NEW
294 read functions.
295
296 The X509_CRL functions process an X509 CRL using an X509_CRL structure.
297
298 The PKCS7 functions process a PKCS#7 ContentInfo using a PKCS7
299 structure.
300
302 The PEM functions have many common arguments.
303
304 The bp BIO parameter (if present) specifies the BIO to read from or
305 write to.
306
307 The fp FILE parameter (if present) specifies the FILE pointer to read
308 from or write to.
309
310 The PEM read functions all take an argument TYPE **x and return a TYPE
311 * pointer. Where TYPE is whatever structure the function uses. If x is
312 NULL then the parameter is ignored. If x is not NULL but *x is NULL
313 then the structure returned will be written to *x. If neither x nor *x
314 is NULL then an attempt is made to reuse the structure at *x (but see
315 BUGS and EXAMPLES sections). Irrespective of the value of x a pointer
316 to the structure is always returned (or NULL if an error occurred).
317
318 The PEM functions which write private keys take an enc parameter which
319 specifies the encryption algorithm to use, encryption is done at the
320 PEM level. If this parameter is set to NULL then the private key is
321 written in unencrypted form.
322
323 The cb argument is the callback to use when querying for the pass
324 phrase used for encrypted PEM structures (normally only private keys).
325
326 For the PEM write routines if the kstr parameter is not NULL then klen
327 bytes at kstr are used as the passphrase and cb is ignored.
328
329 If the cb parameters is set to NULL and the u parameter is not NULL
330 then the u parameter is interpreted as a NUL terminated string to use
331 as the passphrase. If both cb and u are NULL then the default callback
332 routine is used which will typically prompt for the passphrase on the
333 current terminal with echoing turned off.
334
335 The default passphrase callback is sometimes inappropriate (for example
336 in a GUI application) so an alternative can be supplied. The callback
337 routine has the following form:
338
339 int cb(char *buf, int size, int rwflag, void *u);
340
341 buf is the buffer to write the passphrase to. size is the maximum
342 length of the passphrase (i.e. the size of buf). rwflag is a flag which
343 is set to 0 when reading and 1 when writing. A typical routine will ask
344 the user to verify the passphrase (for example by prompting for it
345 twice) if rwflag is 1. The u parameter has the same value as the u
346 parameter passed to the PEM routine. It allows arbitrary data to be
347 passed to the callback by the application (for example a window handle
348 in a GUI application). The callback must return the number of
349 characters in the passphrase or -1 if an error occurred. The passphrase
350 can be arbitrary data; in the case where it is a string, it is not NUL
351 terminated. See the "EXAMPLES" section below.
352
353 Some implementations may need to use cryptographic algorithms during
354 their operation. If this is the case and libctx and propq parameters
355 have been passed then any algorithm fetches will use that library
356 context and property query string. Otherwise the default library
357 context and property query string will be used.
358
360 The PEM reading functions will skip any extraneous content or PEM data
361 of a different type than they expect. This allows for example having a
362 certificate (or multiple certificates) and a key in the PEM format in a
363 single file.
364
365 The old PrivateKey write routines are retained for compatibility. New
366 applications should write private keys using the
367 PEM_write_bio_PKCS8PrivateKey() or PEM_write_PKCS8PrivateKey() routines
368 because they are more secure (they use an iteration count of 2048
369 whereas the traditional routines use a count of 1) unless compatibility
370 with older versions of OpenSSL is important.
371
372 The PrivateKey read routines can be used in all applications because
373 they handle all formats transparently.
374
375 A frequent cause of problems is attempting to use the PEM routines like
376 this:
377
378 X509 *x;
379
380 PEM_read_bio_X509(bp, &x, 0, NULL);
381
382 this is a bug because an attempt will be made to reuse the data at x
383 which is an uninitialised pointer.
384
385 These functions make no assumption regarding the pass phrase received
386 from the password callback. It will simply be treated as a byte
387 sequence.
388
390 These old PrivateKey routines use a non standard technique for
391 encryption.
392
393 The private key (or other data) takes the following form:
394
395 -----BEGIN RSA PRIVATE KEY-----
396 Proc-Type: 4,ENCRYPTED
397 DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89
398
399 ...base64 encoded data...
400 -----END RSA PRIVATE KEY-----
401
402 The line beginning with Proc-Type contains the version and the
403 protection on the encapsulated data. The line beginning DEK-Info
404 contains two comma separated values: the encryption algorithm name as
405 used by EVP_get_cipherbyname() and an initialization vector used by the
406 cipher encoded as a set of hexadecimal digits. After those two lines is
407 the base64-encoded encrypted data.
408
409 The encryption key is derived using EVP_BytesToKey(). The cipher's
410 initialization vector is passed to EVP_BytesToKey() as the salt
411 parameter. Internally, PKCS5_SALT_LEN bytes of the salt are used
412 (regardless of the size of the initialization vector). The user's
413 password is passed to EVP_BytesToKey() using the data and datal
414 parameters. Finally, the library uses an iteration count of 1 for
415 EVP_BytesToKey().
416
417 The key derived by EVP_BytesToKey() along with the original
418 initialization vector is then used to decrypt the encrypted data. The
419 iv produced by EVP_BytesToKey() is not utilized or needed, and NULL
420 should be passed to the function.
421
422 The pseudo code to derive the key would look similar to:
423
424 EVP_CIPHER* cipher = EVP_des_ede3_cbc();
425 EVP_MD* md = EVP_md5();
426
427 unsigned int nkey = EVP_CIPHER_get_key_length(cipher);
428 unsigned int niv = EVP_CIPHER_get_iv_length(cipher);
429 unsigned char key[nkey];
430 unsigned char iv[niv];
431
432 memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv);
433 rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/);
434 if (rc != nkey)
435 /* Error */
436
437 /* On success, use key and iv to initialize the cipher */
438
440 The PEM read routines in some versions of OpenSSL will not correctly
441 reuse an existing structure. Therefore, the following:
442
443 PEM_read_bio_X509(bp, &x, 0, NULL);
444
445 where x already contains a valid certificate, may not work, whereas:
446
447 X509_free(x);
448 x = PEM_read_bio_X509(bp, NULL, 0, NULL);
449
450 is guaranteed to work. It is always acceptable for x to contain a newly
451 allocated, empty X509 object (for example allocated via
452 X509_new_ex(3)).
453
455 The read routines return either a pointer to the structure read or NULL
456 if an error occurred.
457
458 The write routines return 1 for success or 0 for failure.
459
461 Although the PEM routines take several arguments in almost all
462 applications most of them are set to 0 or NULL.
463
464 To read a certificate with a library context in PEM format from a BIO:
465
466 X509 *x = X509_new_ex(libctx, NULL);
467
468 if (x == NULL)
469 /* Error */
470
471 if (PEM_read_bio_X509(bp, &x, 0, NULL) == NULL)
472 /* Error */
473
474 Read a certificate in PEM format from a BIO:
475
476 X509 *x;
477
478 x = PEM_read_bio_X509(bp, NULL, 0, NULL);
479 if (x == NULL)
480 /* Error */
481
482 Alternative method:
483
484 X509 *x = NULL;
485
486 if (!PEM_read_bio_X509(bp, &x, 0, NULL))
487 /* Error */
488
489 Write a certificate to a BIO:
490
491 if (!PEM_write_bio_X509(bp, x))
492 /* Error */
493
494 Write a private key (using traditional format) to a BIO using triple
495 DES encryption, the pass phrase is prompted for:
496
497 if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL))
498 /* Error */
499
500 Write a private key (using PKCS#8 format) to a BIO using triple DES
501 encryption, using the pass phrase "hello":
502
503 if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
504 NULL, 0, 0, "hello"))
505 /* Error */
506
507 Read a private key from a BIO using a pass phrase callback:
508
509 key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
510 if (key == NULL)
511 /* Error */
512
513 Skeleton pass phrase callback:
514
515 int pass_cb(char *buf, int size, int rwflag, void *u)
516 {
517
518 /* We'd probably do something else if 'rwflag' is 1 */
519 printf("Enter pass phrase for \"%s\"\n", (char *)u);
520
521 /* get pass phrase, length 'len' into 'tmp' */
522 char *tmp = "hello";
523 if (tmp == NULL) /* An error occurred */
524 return -1;
525
526 size_t len = strlen(tmp);
527
528 if (len > size)
529 len = size;
530 memcpy(buf, tmp, len);
531 return len;
532 }
533
535 EVP_EncryptInit(3), EVP_BytesToKey(3), passphrase-encoding(7)
536
538 The old Netscape certificate sequences were no longer documented in
539 OpenSSL 1.1.0; applications should use the PKCS7 standard instead as
540 they will be formally deprecated in a future releases.
541
542 PEM_read_bio_PrivateKey_ex(), PEM_read_PrivateKey_ex(),
543 PEM_read_bio_PUBKEY_ex(), PEM_read_PUBKEY_ex() and
544 PEM_read_bio_Parameters_ex() were introduced in OpenSSL 3.0.
545
546 The functions PEM_read_bio_RSAPrivateKey(), PEM_read_RSAPrivateKey(),
547 PEM_write_bio_RSAPrivateKey(), PEM_write_RSAPrivateKey(),
548 PEM_read_bio_RSAPublicKey(), PEM_read_RSAPublicKey(),
549 PEM_write_bio_RSAPublicKey(), PEM_write_RSAPublicKey(),
550 PEM_read_bio_RSA_PUBKEY(), PEM_read_RSA_PUBKEY(),
551 PEM_write_bio_RSA_PUBKEY(), PEM_write_RSA_PUBKEY(),
552 PEM_read_bio_DSAPrivateKey(), PEM_read_DSAPrivateKey(),
553 PEM_write_bio_DSAPrivateKey(), PEM_write_DSAPrivateKey(),
554 PEM_read_bio_DSA_PUBKEY(), PEM_read_DSA_PUBKEY(),
555 PEM_write_bio_DSA_PUBKEY(), PEM_write_DSA_PUBKEY();
556 PEM_read_bio_DSAparams(), PEM_read_DSAparams(),
557 PEM_write_bio_DSAparams(), PEM_write_DSAparams(),
558 PEM_read_bio_DHparams(), PEM_read_DHparams(), PEM_write_bio_DHparams()
559 and PEM_write_DHparams() were deprecated in 3.0.
560
562 Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
563
564 Licensed under the Apache License 2.0 (the "License"). You may not use
565 this file except in compliance with the License. You can obtain a copy
566 in the file LICENSE in the source distribution or at
567 <https://www.openssl.org/source/license.html>.
568
569
570
5713.0.9 2023-07-27 PEM_READ_BIO_PRIVATEKEY(3ossl)