Botan 3.12.0
Crypto and TLS for C&
Functions
Botan::PKCS8 Namespace Reference

Functions

secure_vector< uint8_t > BER_encode (const Private_Key &key)
std::vector< uint8_t > BER_encode (const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds msec, std::string_view pbe_algo)
std::vector< uint8_t > BER_encode_encrypted_pbkdf_iter (const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, size_t pbkdf_iterations, std::string_view cipher, std::string_view pbkdf_hash)
std::vector< uint8_t > BER_encode_encrypted_pbkdf_msec (const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds pbkdf_msec, size_t *pbkdf_iterations, std::string_view cipher, std::string_view pbkdf_hash)
std::unique_ptr< Private_Keycopy_key (const Private_Key &key)
std::unique_ptr< Private_Keyload_key (DataSource &source)
std::unique_ptr< Private_Keyload_key (DataSource &source, const std::function< std::string()> &get_pass)
std::unique_ptr< Private_Keyload_key (DataSource &source, std::string_view pass)
std::unique_ptr< Private_Keyload_key (std::span< const uint8_t > source)
std::unique_ptr< Private_Keyload_key (std::span< const uint8_t > source, const std::function< std::string()> &get_passphrase)
std::unique_ptr< Private_Keyload_key (std::span< const uint8_t > source, std::string_view pass)
std::string PEM_encode (const Private_Key &key)
std::string PEM_encode (const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds msec, std::string_view pbe_algo)
std::string PEM_encode_encrypted_pbkdf_iter (const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, size_t pbkdf_iterations, std::string_view cipher, std::string_view pbkdf_hash)
std::string PEM_encode_encrypted_pbkdf_msec (const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds pbkdf_msec, size_t *pbkdf_iterations, std::string_view cipher, std::string_view pbkdf_hash)

Detailed Description

This namespace contains functions for handling PKCS #8 private keys

Function Documentation

◆ BER_encode() [1/2]

secure_vector< uint8_t > Botan::PKCS8::BER_encode ( const Private_Key & key)
inline

BER encode a private key

Parameters
keythe private key to encode
Returns
BER encoded key

Definition at line 43 of file pkcs8.h.

43 {
44 return key.private_key_info();
45}
Botan::Private_Key::private_key_info
secure_vector< uint8_t > private_key_info() const
Definition pk_keys.cpp:75

References Botan::Private_Key::private_key_info().

◆ BER_encode() [2/2]

std::vector< uint8_t > Botan::PKCS8::BER_encode ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view pass,
std::chrono::milliseconds msec = std::chrono::milliseconds(300),
std::string_view pbe_algo = "" )

Encrypt a key using PKCS #8 encryption

Parameters
keythe key to encode
Random Number Generatorsthe rng to use
passthe password to use for encryption
msecnumber of milliseconds to run the password derivation
pbe_algothe name of the desired password-based encryption algorithm; if empty ("") a reasonable (portable/secure) default will be chosen.
Returns
encrypted key in binary BER form

Definition at line 166 of file pkcs8.cpp.

170 {
171#if defined(BOTAN_HAS_PKCS5_PBES2)
172 const auto pbe_params = choose_pbe_params(pbe_algo, key.algo_name());
173
174 const std::pair<AlgorithmIdentifier, std::vector<uint8_t>> pbe_info =
175 pbes2_encrypt_msec(PKCS8::BER_encode(key), pass, msec, nullptr, pbe_params.first, pbe_params.second, rng);
176
177 std::vector<uint8_t> output;
178 DER_Encoder der(output);
179 der.start_sequence().encode(pbe_info.first).encode(pbe_info.second, ASN1_Type::OctetString).end_cons();
180
181 return output;
182#else
183 BOTAN_UNUSED(key, rng, pass, msec, pbe_algo);
184 throw Encoding_Error("PKCS8::BER_encode cannot encrypt because PBES2 was disabled in build");
185#endif
186}
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:144
Botan::Asymmetric_Key::algo_name
virtual std::string algo_name() const =0
Botan::DER_Encoder
Definition der_enc.h:25
Botan::Encoding_Error
Definition exceptn.h:182
Botan::PKCS8::BER_encode
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds msec, std::string_view pbe_algo)
Definition pkcs8.cpp:166
Botan::pbes2_encrypt_msec
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec(std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
Definition pbes2.cpp:264

References Botan::Asymmetric_Key::algo_name(), BER_encode(), BOTAN_UNUSED, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::OctetString, Botan::pbes2_encrypt_msec(), and Botan::DER_Encoder::start_sequence().

Referenced by BER_encode(), Botan::Certificate_Store_In_SQL::insert_key(), and PEM_encode().

◆ BER_encode_encrypted_pbkdf_iter()

std::vector< uint8_t > Botan::PKCS8::BER_encode_encrypted_pbkdf_iter ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view pass,
size_t pbkdf_iter,
std::string_view cipher = "",
std::string_view pbkdf_hash = "" )

Encrypt a key using PKCS #8 encryption and a fixed iteration count

Parameters
keythe key to encode
Random Number Generatorsthe rng to use
passthe password to use for encryption
pbkdf_iternumber of iterations to run PBKDF2
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in binary BER form

Definition at line 206 of file pkcs8.cpp.

211 {
212#if defined(BOTAN_HAS_PKCS5_PBES2)
213 const std::pair<AlgorithmIdentifier, std::vector<uint8_t>> pbe_info =
214 pbes2_encrypt_iter(key.private_key_info(),
215 pass,
216 pbkdf_iterations,
217 cipher.empty() ? "AES-256/CBC" : cipher,
218 pbkdf_hash.empty() ? "SHA-256" : pbkdf_hash,
219 rng);
220
221 std::vector<uint8_t> output;
222 DER_Encoder der(output);
223 der.start_sequence().encode(pbe_info.first).encode(pbe_info.second, ASN1_Type::OctetString).end_cons();
224
225 return output;
226
227#else
228 BOTAN_UNUSED(key, rng, pass, pbkdf_iterations, cipher, pbkdf_hash);
229 throw Encoding_Error("PKCS8::BER_encode_encrypted_pbkdf_iter cannot encrypt because PBES2 disabled in build");
230#endif
231}
Botan::pbes2_encrypt_iter
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter(std::span< const uint8_t > key_bits, std::string_view passphrase, size_t pbkdf_iter, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
Definition pbes2.cpp:282

References BOTAN_UNUSED, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::OctetString, Botan::pbes2_encrypt_iter(), Botan::Private_Key::private_key_info(), and Botan::DER_Encoder::start_sequence().

Referenced by botan_privkey_view_encrypted_der(), and PEM_encode_encrypted_pbkdf_iter().

◆ BER_encode_encrypted_pbkdf_msec()

std::vector< uint8_t > Botan::PKCS8::BER_encode_encrypted_pbkdf_msec ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view pass,
std::chrono::milliseconds pbkdf_msec,
size_t * pbkdf_iterations,
std::string_view cipher = "",
std::string_view pbkdf_hash = "" )

Encrypt a key using PKCS #8 encryption and a variable iteration count

Parameters
keythe key to encode
Random Number Generatorsthe rng to use
passthe password to use for encryption
pbkdf_msechow long to run PBKDF2
pbkdf_iterationsif non-null, set to the number of iterations used
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in binary BER form

Definition at line 249 of file pkcs8.cpp.

255 {
256#if defined(BOTAN_HAS_PKCS5_PBES2)
257 const std::pair<AlgorithmIdentifier, std::vector<uint8_t>> pbe_info =
258 pbes2_encrypt_msec(key.private_key_info(),
259 pass,
260 pbkdf_msec,
261 pbkdf_iterations,
262 cipher.empty() ? "AES-256/CBC" : cipher,
263 pbkdf_hash.empty() ? "SHA-256" : pbkdf_hash,
264 rng);
265
266 std::vector<uint8_t> output;
267 DER_Encoder(output)
268 .start_sequence()
269 .encode(pbe_info.first)
270 .encode(pbe_info.second, ASN1_Type::OctetString)
271 .end_cons();
272
273 return output;
274#else
275 BOTAN_UNUSED(key, rng, pass, pbkdf_msec, pbkdf_iterations, cipher, pbkdf_hash);
276 throw Encoding_Error("BER_encode_encrypted_pbkdf_msec cannot encrypt because PBES2 disabled in build");
277#endif
278}
Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition der_enc.h:67
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition der_enc.cpp:173
Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition der_enc.cpp:245

References BOTAN_UNUSED, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::OctetString, Botan::pbes2_encrypt_msec(), Botan::Private_Key::private_key_info(), and Botan::DER_Encoder::start_sequence().

Referenced by botan_privkey_view_encrypted_der_timed(), and PEM_encode_encrypted_pbkdf_msec().

◆ copy_key()

std::unique_ptr< Private_Key > Botan::PKCS8::copy_key ( const Private_Key & key)
inline

Copy an existing encoded key object.

Parameters
keythe key to copy
Returns
new copy of the key

Definition at line 236 of file pkcs8.h.

236 {
237 DataSource_Memory source(key.private_key_info());
238 return PKCS8::load_key(source);
239}
Botan::DataSource_Memory
Definition data_src.h:111
Botan::PKCS8::load_key
std::unique_ptr< Private_Key > load_key(DataSource &source, const std::function< std::string()> &get_pass)
Definition pkcs8.cpp:319

References copy_key(), and load_key().

Referenced by copy_key().

◆ load_key() [1/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( DataSource & source)

Load an unencrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
Returns
loaded private key object

Definition at line 350 of file pkcs8.cpp.

350 {
351 auto fail_fn = []() -> std::string {
352 throw PKCS8_Exception("Internal error: Attempt to read password for unencrypted key");
353 };
354
355 return load_key(source, fail_fn, false);
356}
Botan::PKCS8_Exception
Definition pkcs8.h:28

References load_key().

◆ load_key() [2/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( DataSource & source,
const std::function< std::string()> & get_passphrase )

Load an encrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
get_passphrasea function that returns passphrases
Returns
loaded private key object

Definition at line 319 of file pkcs8.cpp.

319 {
320 return load_key(source, get_pass, true);
321}

References load_key().

Referenced by botan_privkey_load(), copy_key(), Botan::Certificate_Store_In_SQL::find_key(), load_key(), load_key(), load_key(), load_key(), load_key(), and load_key().

◆ load_key() [3/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( DataSource & source,
std::string_view pass )

Load an encrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
passthe passphrase to decrypt the key
Returns
loaded private key object

Definition at line 342 of file pkcs8.cpp.

342 {
343 return load_key(
344 source, [pass]() { return std::string(pass); }, true);
345}

References load_key().

◆ load_key() [4/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( std::span< const uint8_t > source)

Load an unencrypted key from memory.

Parameters
sourcethe byte buffer containing the encoded key
Returns
loaded private key object

Definition at line 334 of file pkcs8.cpp.

334 {
335 Botan::DataSource_Memory ds(source);
336 return load_key(ds);
337}

References load_key().

◆ load_key() [5/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( std::span< const uint8_t > source,
const std::function< std::string()> & get_passphrase )

Load an encrypted key from memory.

Parameters
sourcethe byte buffer containing the encoded key
get_passphrasea function that returns passphrases
Returns
loaded private key object

Definition at line 323 of file pkcs8.cpp.

324 {
325 Botan::DataSource_Memory ds(source);
326 return load_key(ds, get_passphrase);
327}

References load_key().

◆ load_key() [6/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( std::span< const uint8_t > source,
std::string_view pass )

Load an encrypted key from memory.

Parameters
sourcethe byte buffer containing the encoded key
passthe passphrase to decrypt the key
Returns
loaded private key object

Definition at line 329 of file pkcs8.cpp.

329 {
330 Botan::DataSource_Memory ds(source);
331 return load_key(ds, pass);
332}

References load_key().

◆ PEM_encode() [1/2]

std::string Botan::PKCS8::PEM_encode ( const Private_Key & key)

Get a string containing a PEM encoded private key.

Parameters
keythe key to encode
Returns
encoded key

Definition at line 121 of file pkcs8.cpp.

121 {
122 return PEM_Code::encode(key.private_key_info(), "PRIVATE KEY");
123}
Botan::PEM_Code::encode
std::string encode(const uint8_t der[], size_t length, std::string_view label, size_t width)
Definition pem.cpp:39

References Botan::PEM_Code::encode(), and Botan::Private_Key::private_key_info().

Referenced by botan_privkey_view_pem(), and PEM_encode().

◆ PEM_encode() [2/2]

std::string Botan::PKCS8::PEM_encode ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view pass,
std::chrono::milliseconds msec = std::chrono::milliseconds(300),
std::string_view pbe_algo = "" )

Get a string containing a PEM encoded private key, encrypting it with a password.

Parameters
keythe key to encode
Random Number Generatorsthe rng to use
passthe password to use for encryption
msecnumber of milliseconds to run the password derivation
pbe_algothe name of the desired password-based encryption algorithm; if empty ("") a reasonable (portable/secure) default will be chosen.
Returns
encrypted key in PEM form

Definition at line 191 of file pkcs8.cpp.

195 {
196 if(pass.empty()) {
197 return PEM_encode(key);
198 }
199
200 return PEM_Code::encode(PKCS8::BER_encode(key, rng, pass, msec, pbe_algo), "ENCRYPTED PRIVATE KEY");
201}
Botan::PKCS8::PEM_encode
std::string PEM_encode(const Private_Key &key)
Definition pkcs8.cpp:121

References BER_encode(), Botan::PEM_Code::encode(), and PEM_encode().

◆ PEM_encode_encrypted_pbkdf_iter()

std::string Botan::PKCS8::PEM_encode_encrypted_pbkdf_iter ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view pass,
size_t pbkdf_iter,
std::string_view cipher = "",
std::string_view pbkdf_hash = "" )

Get a string containing a PEM encoded private key, encrypting it with a password.

Parameters
keythe key to encode
Random Number Generatorsthe rng to use
passthe password to use for encryption
pbkdf_iternumber of iterations to run PBKDF
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in PEM form

Definition at line 236 of file pkcs8.cpp.

241 {
242 return PEM_Code::encode(PKCS8::BER_encode_encrypted_pbkdf_iter(key, rng, pass, pbkdf_iterations, cipher, pbkdf_hash),
243 "ENCRYPTED PRIVATE KEY");
244}
Botan::PKCS8::BER_encode_encrypted_pbkdf_iter
std::vector< uint8_t > BER_encode_encrypted_pbkdf_iter(const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, size_t pbkdf_iterations, std::string_view cipher, std::string_view pbkdf_hash)
Definition pkcs8.cpp:206

References BER_encode_encrypted_pbkdf_iter(), and Botan::PEM_Code::encode().

Referenced by botan_privkey_view_encrypted_pem().

◆ PEM_encode_encrypted_pbkdf_msec()

std::string Botan::PKCS8::PEM_encode_encrypted_pbkdf_msec ( const Private_Key & key,
RandomNumberGenerator & rng,
std::string_view pass,
std::chrono::milliseconds pbkdf_msec,
size_t * pbkdf_iterations,
std::string_view cipher = "",
std::string_view pbkdf_hash = "" )

Get a string containing a PEM encoded private key, encrypting it with a password.

Parameters
keythe key to encode
Random Number Generatorsthe rng to use
passthe password to use for encryption
pbkdf_msechow long in milliseconds to run PBKDF2
pbkdf_iterations(output argument) number of iterations of PBKDF that ended up being used
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in PEM form

Definition at line 283 of file pkcs8.cpp.

289 {
290 return PEM_Code::encode(
291 PKCS8::BER_encode_encrypted_pbkdf_msec(key, rng, pass, pbkdf_msec, pbkdf_iterations, cipher, pbkdf_hash),
292 "ENCRYPTED PRIVATE KEY");
293}
Botan::PKCS8::BER_encode_encrypted_pbkdf_msec
std::vector< uint8_t > BER_encode_encrypted_pbkdf_msec(const Private_Key &key, RandomNumberGenerator &rng, std::string_view pass, std::chrono::milliseconds pbkdf_msec, size_t *pbkdf_iterations, std::string_view cipher, std::string_view pbkdf_hash)
Definition pkcs8.cpp:249

References BER_encode_encrypted_pbkdf_msec(), and Botan::PEM_Code::encode().

Referenced by botan_privkey_view_encrypted_pem_timed().

Generated by doxygen 1.16.1