mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
0f84cbc3e2
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12595)
133 lines
5.2 KiB
Plaintext
133 lines
5.2 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
PEM_write, PEM_write_bio,
|
|
PEM_read, PEM_read_bio, PEM_do_header, PEM_get_EVP_CIPHER_INFO
|
|
- PEM encoding routines
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
int PEM_write(FILE *fp, const char *name, const char *header,
|
|
const unsigned char *data, long len);
|
|
int PEM_write_bio(BIO *bp, const char *name, const char *header,
|
|
const unsigned char *data, long len);
|
|
|
|
int PEM_read(FILE *fp, char **name, char **header,
|
|
unsigned char **data, long *len);
|
|
int PEM_read_bio(BIO *bp, char **name, char **header,
|
|
unsigned char **data, long *len);
|
|
|
|
int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cinfo);
|
|
int PEM_do_header(EVP_CIPHER_INFO *cinfo, unsigned char *data, long *len,
|
|
pem_password_cb *cb, void *u);
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
These functions read and write PEM-encoded objects, using the PEM
|
|
type B<name>, any additional B<header> information, and the raw
|
|
B<data> of length B<len>.
|
|
|
|
PEM is the term used for binary content encoding first defined in IETF
|
|
RFC 1421. The content is a series of base64-encoded lines, surrounded
|
|
by begin/end markers each on their own line. For example:
|
|
|
|
-----BEGIN PRIVATE KEY-----
|
|
MIICdg....
|
|
... bhTQ==
|
|
-----END PRIVATE KEY-----
|
|
|
|
Optional header line(s) may appear after the begin line, and their
|
|
existence depends on the type of object being written or read.
|
|
|
|
PEM_write() writes to the file B<fp>, while PEM_write_bio() writes to
|
|
the BIO B<bp>. The B<name> is the name to use in the marker, the
|
|
B<header> is the header value or NULL, and B<data> and B<len> specify
|
|
the data and its length.
|
|
|
|
The final B<data> buffer is typically an ASN.1 object which can be decoded with
|
|
the B<d2i> function appropriate to the type B<name>; see L<d2i_X509(3)>
|
|
for examples.
|
|
|
|
PEM_read() reads from the file B<fp>, while PEM_read_bio() reads
|
|
from the BIO B<bp>.
|
|
Both skip any non-PEM data that precedes the start of the next PEM object.
|
|
When an object is successfully retrieved, the type name from the "----BEGIN
|
|
<type>-----" is returned via the B<name> argument, any encapsulation headers
|
|
are returned in B<header> and the base64-decoded content and its length are
|
|
returned via B<data> and B<len> respectively.
|
|
The B<name>, B<header> and B<data> pointers are allocated via OPENSSL_malloc()
|
|
and should be freed by the caller via OPENSSL_free() when no longer needed.
|
|
|
|
PEM_get_EVP_CIPHER_INFO() can be used to determine the B<data> returned by
|
|
PEM_read() or PEM_read_bio() is encrypted and to retrieve the associated cipher
|
|
and IV.
|
|
The caller passes a pointer to structure of type B<EVP_CIPHER_INFO> via the
|
|
B<cinfo> argument and the B<header> returned via PEM_read() or PEM_read_bio().
|
|
If the call is successful 1 is returned and the cipher and IV are stored at the
|
|
address pointed to by B<cinfo>.
|
|
When the header is malformed, or not supported or when the cipher is unknown
|
|
or some internal error happens 0 is returned.
|
|
This function is deprecated, see B<NOTES> below.
|
|
|
|
PEM_do_header() can then be used to decrypt the data if the header
|
|
indicates encryption.
|
|
The B<cinfo> argument is a pointer to the structure initialized by the previous
|
|
call to PEM_get_EVP_CIPHER_INFO().
|
|
The B<data> and B<len> arguments are those returned by the previous call to
|
|
PEM_read() or PEM_read_bio().
|
|
The B<cb> and B<u> arguments make it possible to override the default password
|
|
prompt function as described in L<PEM_read_PrivateKey(3)>.
|
|
On successful completion the B<data> is decrypted in place, and B<len> is
|
|
updated to indicate the plaintext length.
|
|
This function is deprecated, see B<NOTES> below.
|
|
|
|
If the data is a priori known to not be encrypted, then neither PEM_do_header()
|
|
nor PEM_get_EVP_CIPHER_INFO() need be called.
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
PEM_read() and PEM_read_bio() return 1 on success and 0 on failure, the latter
|
|
includes the case when no more PEM objects remain in the input file.
|
|
To distinguish end of file from more serious errors the caller must peek at the
|
|
error stack and check for B<PEM_R_NO_START_LINE>, which indicates that no more
|
|
PEM objects were found. See L<ERR_peek_last_error(3)>, L<ERR_GET_REASON(3)>.
|
|
|
|
PEM_get_EVP_CIPHER_INFO() and PEM_do_header() return 1 on success, and 0 on
|
|
failure.
|
|
The B<data> is likely meaningless if these functions fail.
|
|
|
|
=head1 NOTES
|
|
|
|
The PEM_get_EVP_CIPHER_INFO() and PEM_do_header() functions are deprecated.
|
|
This is because the underlying PEM encryption format is obsolete, and should
|
|
be avoided.
|
|
It uses an encryption format with an OpenSSL-specific key-derivation function,
|
|
which employs MD5 with an iteration count of 1!
|
|
Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5
|
|
v2.0 PBE.
|
|
See L<PEM_write_PrivateKey(3)> and L<d2i_PKCS8PrivateKey_bio(3)>.
|
|
|
|
PEM_do_header() makes no assumption regarding the pass phrase received from the
|
|
password callback.
|
|
It will simply be treated as a byte sequence.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<ERR_peek_last_error(3)>, L<ERR_GET_LIB(3)>,
|
|
L<d2i_PKCS8PrivateKey_bio(3)>,
|
|
L<passphrase-encoding(7)>
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|