2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/decoder.h>
11 #include <openssl/encoder.h>
12 #include <openssl/evp.h>
15 * Example showing the encoding and decoding of EC public and private keys. A
16 * PEM-encoded EC key is read in from stdin, decoded, and then re-encoded and
17 * output for demonstration purposes. Both public and private keys are accepted.
19 * This can be used to load EC keys from a file or save EC keys to a file.
22 /* A property query used for selecting algorithm implementations. */
23 static const char *propq = NULL;
26 * Load a PEM-encoded EC key from a file, optionally decrypting it with a
27 * supplied passphrase.
29 static EVP_PKEY *load_key(OSSL_LIB_CTX *libctx, FILE *f, const char *passphrase)
32 EVP_PKEY *pkey = NULL;
33 OSSL_DECODER_CTX *dctx = NULL;
37 * Create PEM decoder context expecting an EC key.
39 * For raw (non-PEM-encoded) keys, change "PEM" to "DER".
41 * The selection argument here specifies whether we are willing to accept a
42 * public key, private key, or either. If it is set to zero, either will be
43 * accepted. If set to EVP_PKEY_KEYPAIR, a private key will be required, and
44 * if set to EVP_PKEY_PUBLIC_KEY, a public key will be required.
46 dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", NULL, "EC",
50 fprintf(stderr, "OSSL_DECODER_CTX_new_for_pkey() failed\n");
55 * Set passphrase if provided; needed to decrypt encrypted PEM files.
56 * If the input is not encrypted, any passphrase provided is ignored.
58 * Alternative methods for specifying passphrases exist, such as a callback
59 * (see OSSL_DECODER_CTX_set_passphrase_cb(3)), which may be more useful for
60 * interactive applications which do not know if a passphrase should be
61 * prompted for in advance, or for GUI applications.
63 if (passphrase != NULL) {
64 if (OSSL_DECODER_CTX_set_passphrase(dctx,
65 (const unsigned char *)passphrase,
66 strlen(passphrase)) == 0) {
67 fprintf(stderr, "OSSL_DECODER_CTX_set_passphrase() failed\n");
72 /* Do the decode, reading from file. */
73 if (OSSL_DECODER_from_fp(dctx, f) == 0) {
74 fprintf(stderr, "OSSL_DECODER_from_fp() failed\n");
80 OSSL_DECODER_CTX_free(dctx);
83 * pkey is created by OSSL_DECODER_CTX_new_for_pkey, but we
84 * might fail subsequently, so ensure it's properly freed
96 * Store a EC public or private key to a file using PEM encoding.
98 * If a passphrase is supplied, the file is encrypted, otherwise
101 static int store_key(EVP_PKEY *pkey, FILE *f, const char *passphrase)
105 OSSL_ENCODER_CTX *ectx = NULL;
108 * Create a PEM encoder context.
110 * For raw (non-PEM-encoded) output, change "PEM" to "DER".
112 * The selection argument controls whether the private key is exported
113 * (EVP_PKEY_KEYPAIR), or only the public key (EVP_PKEY_PUBLIC_KEY). The
114 * former will fail if we only have a public key.
116 * Note that unlike the decode API, you cannot specify zero here.
118 * Purely for the sake of demonstration, here we choose to export the whole
119 * key if a passphrase is provided and the public key otherwise.
121 selection = (passphrase != NULL)
123 : EVP_PKEY_PUBLIC_KEY;
125 ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "PEM", NULL, propq);
127 fprintf(stderr, "OSSL_ENCODER_CTX_new_for_pkey() failed\n");
132 * Set passphrase if provided; the encoded output will then be encrypted
133 * using the passphrase.
135 * Alternative methods for specifying passphrases exist, such as a callback
136 * (see OSSL_ENCODER_CTX_set_passphrase_cb(3), just as for OSSL_DECODER_CTX;
137 * however you are less likely to need them as you presumably know whether
138 * encryption is desired in advance.
140 * Note that specifying a passphrase alone is not enough to cause the
141 * key to be encrypted. You must set both a cipher and a passphrase.
143 if (passphrase != NULL) {
145 * Set cipher. Let's use AES-256-CBC, because it is
146 * more quantum resistant.
148 if (OSSL_ENCODER_CTX_set_cipher(ectx, "AES-256-CBC", propq) == 0) {
149 fprintf(stderr, "OSSL_ENCODER_CTX_set_cipher() failed\n");
153 /* Set passphrase. */
154 if (OSSL_ENCODER_CTX_set_passphrase(ectx,
155 (const unsigned char *)passphrase,
156 strlen(passphrase)) == 0) {
157 fprintf(stderr, "OSSL_ENCODER_CTX_set_passphrase() failed\n");
162 /* Do the encode, writing to the given file. */
163 if (OSSL_ENCODER_to_fp(ectx, f) == 0) {
164 fprintf(stderr, "OSSL_ENCODER_to_fp() failed\n");
170 OSSL_ENCODER_CTX_free(ectx);
174 int main(int argc, char **argv)
177 OSSL_LIB_CTX *libctx = NULL;
178 EVP_PKEY *pkey = NULL;
179 const char *passphrase_in = NULL, *passphrase_out = NULL;
181 /* usage: ec_encode <passphrase-in> <passphrase-out> */
182 if (argc > 1 && argv[1][0])
183 passphrase_in = argv[1];
185 if (argc > 2 && argv[2][0])
186 passphrase_out = argv[2];
188 /* Decode PEM key from stdin and then PEM encode it to stdout. */
189 pkey = load_key(libctx, stdin, passphrase_in);
191 fprintf(stderr, "Failed to decode key\n");
195 if (store_key(pkey, stdout, passphrase_out) == 0) {
196 fprintf(stderr, "Failed to encode key\n");
203 OSSL_LIB_CTX_free(libctx);