NAME
PEM_write
,
PEM_write_bio
, PEM_read
,
PEM_read_bio
, PEM_do_header
,
PEM_get_EVP_CIPHER_INFO
—
PEM encoding routines
SYNOPSIS
#include
<openssl/pem.h>
int
PEM_write
(FILE *fp,
char *name, char *header,
unsigned char *data, long
len);
int
PEM_write_bio
(BIO *bp,
const char *name, char *header,
unsigned char *data, long
len);
int
PEM_read
(FILE *fp,
char **name, char **header,
unsigned char **data, long
*len);
int
PEM_read_bio
(BIO *bp,
char **name, char **header,
unsigned char **data, long
*len);
int
PEM_get_EVP_CIPHER_INFO
(char
*header, EVP_CIPHER_INFO *cinfo);
int
PEM_do_header
(EVP_CIPHER_INFO
*cinfo, unsigned char *data,
long *len, pem_password_cb *cb,
void *u);
DESCRIPTION
These functions read and write PEM-encoded objects, using the PEM type name, any additional header information, and the raw data of length len.
PEM is the binary content encoding first defined in IETF RFC 1421. The content is a series of base64-encoded lines, surrounded by begin/end markers each on their own line. For example:
-----BEGIN PRIVATE KEY----- MIICdg.... ... bhTQ== -----END PRIVATE KEY-----
Optional header line(s) may appear after the begin line, and their existence depends on the type of object being written or read.
PEM_write
()
writes to the file fp, while
PEM_write_bio
()
writes to the BIO bp. The name
is the name to use in the marker, the header is the
header value or NULL
, and data
and len specify the data and its length.
The final data buffer is
typically an ASN.1 object which can be decoded with the
d2i_*
()
function appropriate to the type name; see
d2i_X509(3) for examples.
PEM_read
()
reads from the file fp, while
PEM_read_bio
()
reads from the BIO bp. Both skip any non-PEM data that
precedes the start of the next PEM object. When an object is successfully
retrieved, the type name from the "----BEGIN <type>-----" is
returned via the name argument, any encapsulation
headers are returned in header, and the base64-decoded
content and its length are returned via data and
len, respectively. The name,
header, and data pointers should
be freed by the caller when no longer needed.
The remaining functions are deprecated because the underlying PEM encryption format is obsolete and should be avoided. It uses an encryption format with an OpenSSL-specific key-derivation function, which employs MD5 with an iteration count of 1. Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5 v2.0 PBE; see PEM_write_PrivateKey(3) and d2i_PKCS8PrivateKey_bio(3).
PEM_get_EVP_CIPHER_INFO
()
can be used to determine the data returned by
PEM_read
() or PEM_read_bio
()
is encrypted and to retrieve the associated cipher and IV. The caller passes
a pointer to a structure of type EVP_CIPHER_INFO via
the cinfo argument and the
header returned via PEM_read
()
or PEM_read_bio
(). If the call is successful, 1 is
returned and the cipher and IV are stored at the address pointed to by
cinfo. When the header is malformed or not supported
or when the cipher is unknown or some internal error happens, 0 is
returned.
PEM_do_header
()
can then be used to decrypt the data if the header indicates encryption. The
cinfo argument is a pointer to the structure
initialized by the previous call to
PEM_get_EVP_CIPHER_INFO
(). The
data and len arguments are those
returned by the previous call to PEM_read
() or
PEM_read_bio
(). The cb and
u arguments make it possible to override the default
password prompt function as described in
PEM_read_PrivateKey(3). On successful completion, the
data is decrypted in place, and
len is updated to indicate the plaintext length.
If the data is a priori known to not be
encrypted, then neither
PEM_do_header
()
nor PEM_get_EVP_CIPHER_INFO
() need to be called.
RETURN VALUES
PEM_read
() and
PEM_read_bio
() return 1 on success or 0 on failure.
The latter includes the case when no more PEM objects remain in the input
file. To distinguish end of file from more serious errors, the caller must
peek at the error stack and check for
PEM_R_NO_START_LINE
, which indicates that no more
PEM objects were found. See
ERR_peek_last_error(3) and
ERR_GET_REASON(3).
PEM_get_EVP_CIPHER_INFO
() and
PEM_do_header
() return 1 on success or 0 on failure.
The data is likely meaningless if these functions
fail.
SEE ALSO
d2i_PKCS8PrivateKey_bio(3), ERR_GET_LIB(3), ERR_peek_last_error(3), PEM_bytes_read_bio(3), PEM_read_bio_PrivateKey(3)
HISTORY
These functions appeared in SSLeay 0.8.1b or earlier and have been available since OpenBSD 2.4.