summaryrefslogtreecommitdiffstats
path: root/upstream/archlinux/man3/PEM_read.3ssl
blob: c3c838dc6a3c521f070b2214458ad69c0ef58224 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "PEM_READ 3ssl"
.TH PEM_READ 3ssl 2024-04-28 3.3.0 OpenSSL
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
PEM_write, PEM_write_bio,
PEM_read, PEM_read_bio, PEM_do_header, PEM_get_EVP_CIPHER_INFO
\&\- PEM encoding routines
.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
\&
\& int PEM_write(FILE *fp, const char *name, const char *header,
\&               const unsigned char *data, long len);
\& int PEM_write_bio(BIO *bp, const char *name, const char *header,
\&                   const unsigned char *data, long len);
\&
\& int PEM_read(FILE *fp, char **name, char **header,
\&              unsigned char **data, long *len);
\& int PEM_read_bio(BIO *bp, char **name, char **header,
\&                  unsigned char **data, long *len);
\&
\& int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cinfo);
\& int PEM_do_header(EVP_CIPHER_INFO *cinfo, unsigned char *data, long *len,
\&                   pem_password_cb *cb, void *u);
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions read and write PEM-encoded objects, using the PEM
type \fBname\fR, any additional \fBheader\fR information, and the raw
\&\fBdata\fR of length \fBlen\fR.
.PP
PEM is the term used for binary content encoding first defined in IETF
RFC 1421.  The content is a series of base64\-encoded lines, surrounded
by begin/end markers each on their own line.  For example:
.PP
.Vb 4
\& \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
\& MIICdg....
\& ... bhTQ==
\& \-\-\-\-\-END PRIVATE KEY\-\-\-\-\-
.Ve
.PP
Optional header line(s) may appear after the begin line, and their
existence depends on the type of object being written or read.
.PP
\&\fBPEM_write()\fR writes to the file \fBfp\fR, while \fBPEM_write_bio()\fR writes to
the BIO \fBbp\fR.  The \fBname\fR is the name to use in the marker, the
\&\fBheader\fR is the header value or NULL, and \fBdata\fR and \fBlen\fR specify
the data and its length.
.PP
The final \fBdata\fR buffer is typically an ASN.1 object which can be decoded with
the \fBd2i\fR function appropriate to the type \fBname\fR; see \fBd2i_X509\fR\|(3)
for examples.
.PP
\&\fBPEM_read()\fR reads from the file \fBfp\fR, while \fBPEM_read_bio()\fR reads
from the BIO \fBbp\fR.
Both skip any non-PEM data that precedes the start of the next PEM object.
When an object is successfully retrieved, the type name from the "\-\-\-\-BEGIN
<type>\-\-\-\-\-" is returned via the \fBname\fR argument, any encapsulation headers
are returned in \fBheader\fR and the base64\-decoded content and its length are
returned via \fBdata\fR and \fBlen\fR respectively.
The \fBname\fR, \fBheader\fR and \fBdata\fR pointers are allocated via \fBOPENSSL_malloc()\fR
and should be freed by the caller via \fBOPENSSL_free()\fR when no longer needed.
.PP
\&\fBPEM_get_EVP_CIPHER_INFO()\fR can be used to determine the \fBdata\fR returned by
\&\fBPEM_read()\fR or \fBPEM_read_bio()\fR is encrypted and to retrieve the associated cipher
and IV.
The caller passes a pointer to structure of type \fBEVP_CIPHER_INFO\fR via the
\&\fBcinfo\fR argument and the \fBheader\fR returned via \fBPEM_read()\fR or \fBPEM_read_bio()\fR.
If the call is successful 1 is returned and the cipher and IV are stored at the
address pointed to by \fBcinfo\fR.
When the header is malformed, or not supported or when the cipher is unknown
or some internal error happens 0 is returned.
This function is deprecated, see \fBNOTES\fR below.
.PP
\&\fBPEM_do_header()\fR can then be used to decrypt the data if the header
indicates encryption.
The \fBcinfo\fR argument is a pointer to the structure initialized by the previous
call to \fBPEM_get_EVP_CIPHER_INFO()\fR.
The \fBdata\fR and \fBlen\fR arguments are those returned by the previous call to
\&\fBPEM_read()\fR or \fBPEM_read_bio()\fR.
The \fBcb\fR and \fBu\fR arguments make it possible to override the default password
prompt function as described in \fBPEM_read_PrivateKey\fR\|(3).
On successful completion the \fBdata\fR is decrypted in place, and \fBlen\fR is
updated to indicate the plaintext length.
This function is deprecated, see \fBNOTES\fR below.
.PP
If the data is a priori known to not be encrypted, then neither \fBPEM_do_header()\fR
nor \fBPEM_get_EVP_CIPHER_INFO()\fR need be called.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPEM_read()\fR and \fBPEM_read_bio()\fR return 1 on success and 0 on failure, the latter
includes the case when no more PEM objects remain in the input file.
To distinguish end of file from more serious errors the caller must peek at the
error stack and check for \fBPEM_R_NO_START_LINE\fR, which indicates that no more
PEM objects were found.  See \fBERR_peek_last_error\fR\|(3), \fBERR_GET_REASON\fR\|(3).
.PP
\&\fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR return 1 on success, and 0 on
failure.
The \fBdata\fR is likely meaningless if these functions fail.
.SH NOTES
.IX Header "NOTES"
The \fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR functions are deprecated.
This is because the underlying PEM encryption format is obsolete, and should
be avoided.
It uses an encryption format with an OpenSSL-specific key-derivation function,
which employs MD5 with an iteration count of 1!
Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5
v2.0 PBE.
See \fBPEM_write_PrivateKey\fR\|(3) and \fBd2i_PKCS8PrivateKey_bio\fR\|(3).
.PP
\&\fBPEM_do_header()\fR makes no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_peek_last_error\fR\|(3), \fBERR_GET_LIB\fR\|(3),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 1998\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.