Botan  2.9.0
Crypto and TLS for C++11
Functions
Botan::PKCS8 Namespace Reference

Functions

secure_vector< uint8_t > BER_encode (const Private_Key &key)
 
std::vector< uint8_t > BER_encode (const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
 
std::vector< uint8_t > BER_encode_encrypted_pbkdf_iter (const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, size_t pbkdf_iterations, const std::string &cipher, const std::string &pbkdf_hash)
 
std::vector< uint8_t > BER_encode_encrypted_pbkdf_msec (const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds pbkdf_msec, size_t *pbkdf_iterations, const std::string &cipher, const std::string &pbkdf_hash)
 
std::unique_ptr< Private_Keycopy_key (const Private_Key &key)
 
Private_Keycopy_key (const Private_Key &key, RandomNumberGenerator &rng)
 
std::unique_ptr< Private_Keyload_key (DataSource &source, std::function< std::string()> get_pass)
 
std::unique_ptr< Private_Keyload_key (DataSource &source, const std::string &pass)
 
std::unique_ptr< Private_Keyload_key (DataSource &source)
 
Private_Keyload_key (DataSource &source, RandomNumberGenerator &rng, std::function< std::string()> get_pass)
 
Private_Keyload_key (DataSource &source, RandomNumberGenerator &rng, const std::string &pass)
 
Private_Keyload_key (DataSource &source, RandomNumberGenerator &rng)
 
std::string PEM_encode (const Private_Key &key)
 
std::string PEM_encode (const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
 
std::string PEM_encode_encrypted_pbkdf_iter (const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, size_t pbkdf_iterations, const std::string &cipher, const std::string &pbkdf_hash)
 
std::string PEM_encode_encrypted_pbkdf_msec (const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds pbkdf_msec, size_t *pbkdf_iterations, const std::string &cipher, const std::string &pbkdf_hash)
 

Detailed Description

This namespace contains functions for handling PKCS #8 private keys

Function Documentation

◆ BER_encode() [1/2]

secure_vector< uint8_t > Botan::PKCS8::BER_encode ( const Private_Key key)

BER encode a private key

Parameters
keythe private key to encode
Returns
BER encoded key

Definition at line 139 of file pkcs8.cpp.

References Botan::Private_Key::private_key_info().

Referenced by BER_encode(), botan_privkey_export(), Botan::TLS::Session::DER_encode(), Botan::Certificate_Store_In_SQL::insert_key(), and PEM_encode().

140  {
141  // keeping around for compat
142  return key.private_key_info();
143  }

◆ BER_encode() [2/2]

std::vector< uint8_t > Botan::PKCS8::BER_encode ( const Private_Key key,
RandomNumberGenerator rng,
const std::string &  pass,
std::chrono::milliseconds  msec = std::chrono::milliseconds(300),
const std::string &  pbe_algo = "" 
)

Encrypt a key using PKCS #8 encryption

Parameters
keythe key to encode
rngthe rng to use
passthe password to use for encryption
msecnumber of milliseconds to run the password derivation
pbe_algothe name of the desired password-based encryption algorithm; if empty ("") a reasonable (portable/secure) default will be chosen.
Returns
encrypted key in binary BER form

Definition at line 187 of file pkcs8.cpp.

References Botan::Public_Key::algo_name(), BER_encode(), BOTAN_UNUSED, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::OCTET_STRING, Botan::pbes2_encrypt_msec(), Botan::SEQUENCE, and Botan::DER_Encoder::start_cons().

192  {
193 #if defined(BOTAN_HAS_PKCS5_PBES2)
194  const auto pbe_params = choose_pbe_params(pbe_algo, key.algo_name());
195 
196  const std::pair<AlgorithmIdentifier, std::vector<uint8_t>> pbe_info =
197  pbes2_encrypt_msec(PKCS8::BER_encode(key), pass, msec, nullptr,
198  pbe_params.first, pbe_params.second, rng);
199 
200  std::vector<uint8_t> output;
201  DER_Encoder der(output);
202  der.start_cons(SEQUENCE)
203  .encode(pbe_info.first)
204  .encode(pbe_info.second, OCTET_STRING)
205  .end_cons();
206 
207  return output;
208 #else
209  BOTAN_UNUSED(key, rng, pass, msec, pbe_algo);
210  throw Encoding_Error("PKCS8::BER_encode cannot encrypt because PBES2 was disabled in build");
211 #endif
212  }
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec(const secure_vector< uint8_t > &key_bits, const std::string &passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, const std::string &cipher, const std::string &digest, RandomNumberGenerator &rng)
Definition: pbes2.cpp:276
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
Definition: pkcs8.cpp:187
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ BER_encode_encrypted_pbkdf_iter()

std::vector< uint8_t > Botan::PKCS8::BER_encode_encrypted_pbkdf_iter ( const Private_Key key,
RandomNumberGenerator rng,
const std::string &  pass,
size_t  pbkdf_iter,
const std::string &  cipher = "",
const std::string &  pbkdf_hash = "" 
)

Encrypt a key using PKCS #8 encryption and a fixed iteration count

Parameters
keythe key to encode
rngthe rng to use
passthe password to use for encryption
pbkdf_iternumber of interations to run PBKDF2
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in binary BER form

Definition at line 233 of file pkcs8.cpp.

References BOTAN_UNUSED, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::OCTET_STRING, Botan::pbes2_encrypt_iter(), Botan::Private_Key::private_key_info(), Botan::SEQUENCE, and Botan::DER_Encoder::start_cons().

Referenced by botan_privkey_export_encrypted_pbkdf_iter(), and PEM_encode_encrypted_pbkdf_iter().

239  {
240 #if defined(BOTAN_HAS_PKCS5_PBES2)
241  const std::pair<AlgorithmIdentifier, std::vector<uint8_t>> pbe_info =
242  pbes2_encrypt_iter(key.private_key_info(),
243  pass, pbkdf_iterations,
244  cipher.empty() ? "AES-256/CBC" : cipher,
245  pbkdf_hash.empty() ? "SHA-256" : pbkdf_hash,
246  rng);
247 
248  std::vector<uint8_t> output;
249  DER_Encoder der(output);
250  der.start_cons(SEQUENCE)
251  .encode(pbe_info.first)
252  .encode(pbe_info.second, OCTET_STRING)
253  .end_cons();
254 
255  return output;
256 
257 #else
258  BOTAN_UNUSED(key, rng, pass, pbkdf_iterations, cipher, pbkdf_hash);
259  throw Encoding_Error("PKCS8::BER_encode_encrypted_pbkdf_iter cannot encrypt because PBES2 disabled in build");
260 #endif
261  }
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter(const secure_vector< uint8_t > &key_bits, const std::string &passphrase, size_t pbkdf_iter, const std::string &cipher, const std::string &digest, RandomNumberGenerator &rng)
Definition: pbes2.cpp:295
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ BER_encode_encrypted_pbkdf_msec()

std::vector< uint8_t > Botan::PKCS8::BER_encode_encrypted_pbkdf_msec ( const Private_Key key,
RandomNumberGenerator rng,
const std::string &  pass,
std::chrono::milliseconds  pbkdf_msec,
size_t *  pbkdf_iterations,
const std::string &  cipher = "",
const std::string &  pbkdf_hash = "" 
)

Encrypt a key using PKCS #8 encryption and a variable iteration count

Parameters
keythe key to encode
rngthe rng to use
passthe password to use for encryption
pbkdf_msechow long to run PBKDF2
pbkdf_iterationsif non-null, set to the number of iterations used
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in binary BER form

Definition at line 281 of file pkcs8.cpp.

References BOTAN_UNUSED, Botan::DER_Encoder::encode(), Botan::DER_Encoder::end_cons(), Botan::OCTET_STRING, Botan::pbes2_encrypt_msec(), Botan::Private_Key::private_key_info(), Botan::SEQUENCE, and Botan::DER_Encoder::start_cons().

Referenced by botan_privkey_export_encrypted_pbkdf_msec(), and PEM_encode_encrypted_pbkdf_msec().

288  {
289 #if defined(BOTAN_HAS_PKCS5_PBES2)
290  const std::pair<AlgorithmIdentifier, std::vector<uint8_t>> pbe_info =
291  pbes2_encrypt_msec(key.private_key_info(), pass,
292  pbkdf_msec, pbkdf_iterations,
293  cipher.empty() ? "AES-256/CBC" : cipher,
294  pbkdf_hash.empty() ? "SHA-256" : pbkdf_hash,
295  rng);
296 
297  std::vector<uint8_t> output;
298  DER_Encoder(output)
299  .start_cons(SEQUENCE)
300  .encode(pbe_info.first)
301  .encode(pbe_info.second, OCTET_STRING)
302  .end_cons();
303 
304  return output;
305 #else
306  BOTAN_UNUSED(key, rng, pass, pbkdf_msec, pbkdf_iterations, cipher, pbkdf_hash);
307  throw Encoding_Error("BER_encode_encrypted_pbkdf_msec cannot encrypt because PBES2 disabled in build");
308 #endif
309  }
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec(const secure_vector< uint8_t > &key_bits, const std::string &passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, const std::string &cipher, const std::string &digest, RandomNumberGenerator &rng)
Definition: pbes2.cpp:276
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ copy_key() [1/2]

std::unique_ptr< Private_Key > Botan::PKCS8::copy_key ( const Private_Key key)

Copy an existing encoded key object.

Parameters
keythe key to copy
Returns
new copy of the key

Definition at line 383 of file pkcs8.cpp.

References load_key(), and PEM_encode().

Referenced by copy_key().

384  {
385  DataSource_Memory source(PEM_encode(key));
386  return PKCS8::load_key(source);
387  }
Private_Key * load_key(DataSource &source, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:414
std::string PEM_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
Definition: pkcs8.cpp:217

◆ copy_key() [2/2]

Private_Key * Botan::PKCS8::copy_key ( const Private_Key key,
RandomNumberGenerator rng 
)

Copy an existing encoded key object.

Parameters
keythe key to copy
rngignored for compatibility
Returns
new copy of the key

Definition at line 462 of file pkcs8.cpp.

References BOTAN_UNUSED, and copy_key().

464  {
465  BOTAN_UNUSED(rng);
466  return PKCS8::copy_key(key).release();
467  }
Private_Key * copy_key(const Private_Key &key, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:462
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ load_key() [1/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( DataSource source,
std::function< std::string()>  get_passphrase 
)

Load an encrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
get_passphrasea function that returns passphrases
Returns
loaded private key object

Definition at line 353 of file pkcs8.cpp.

Referenced by botan_privkey_load(), copy_key(), Botan::Certificate_Store_In_SQL::find_key(), and load_key().

355  {
356  return load_key(source, get_pass, true);
357  }
Private_Key * load_key(DataSource &source, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:414

◆ load_key() [2/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( DataSource source,
const std::string &  pass 
)

Load an encrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
passthe passphrase to decrypt the key
Returns
loaded private key object

Definition at line 362 of file pkcs8.cpp.

References load_key().

364  {
365  return load_key(source, [pass]() { return pass; }, true);
366  }
Private_Key * load_key(DataSource &source, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:414

◆ load_key() [3/6]

std::unique_ptr< Private_Key > Botan::PKCS8::load_key ( DataSource source)

Load an unencrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
Returns
loaded private key object

Definition at line 371 of file pkcs8.cpp.

References load_key().

372  {
373  auto fail_fn = []() -> std::string {
374  throw PKCS8_Exception("Internal error: Attempt to read password for unencrypted key");
375  };
376 
377  return load_key(source, fail_fn, false);
378  }
Private_Key * load_key(DataSource &source, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:414

◆ load_key() [4/6]

Private_Key * Botan::PKCS8::load_key ( DataSource source,
RandomNumberGenerator rng,
std::function< std::string()>  get_passphrase 
)

Load an encrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
rngignored for compatibility
get_passphrasea function that returns passphrases
Returns
loaded private key object

Definition at line 392 of file pkcs8.cpp.

References BOTAN_UNUSED, and load_key().

395  {
396  BOTAN_UNUSED(rng);
397  return PKCS8::load_key(source, get_pass).release();
398  }
Private_Key * load_key(DataSource &source, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:414
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ load_key() [5/6]

Private_Key * Botan::PKCS8::load_key ( DataSource source,
RandomNumberGenerator rng,
const std::string &  pass 
)

Load an encrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
rngignored for compatibility
passthe passphrase to decrypt the key
Returns
loaded private key object

Definition at line 403 of file pkcs8.cpp.

References BOTAN_UNUSED, and load_key().

406  {
407  BOTAN_UNUSED(rng);
408  return PKCS8::load_key(source, pass).release();
409  }
Private_Key * load_key(DataSource &source, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:414
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ load_key() [6/6]

Private_Key * Botan::PKCS8::load_key ( DataSource source,
RandomNumberGenerator rng 
)

Load an unencrypted key from a data source.

Parameters
sourcethe data source providing the encoded key
rngignored for compatibility
Returns
loaded private key object

Definition at line 414 of file pkcs8.cpp.

References BOTAN_UNUSED, and load_key().

416  {
417  BOTAN_UNUSED(rng);
418  return PKCS8::load_key(source).release();
419  }
Private_Key * load_key(DataSource &source, RandomNumberGenerator &rng)
Definition: pkcs8.cpp:414
#define BOTAN_UNUSED(...)
Definition: assert.h:142

◆ PEM_encode() [1/2]

std::string Botan::PKCS8::PEM_encode ( const Private_Key key)

Get a string containing a PEM encoded private key.

Parameters
keythe key to encode
Returns
encoded key

Definition at line 148 of file pkcs8.cpp.

References BER_encode(), and Botan::PEM_Code::encode().

Referenced by botan_privkey_export(), copy_key(), and PEM_encode().

149  {
150  return PEM_Code::encode(PKCS8::BER_encode(key), "PRIVATE KEY");
151  }
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
Definition: pkcs8.cpp:187

◆ PEM_encode() [2/2]

std::string Botan::PKCS8::PEM_encode ( const Private_Key key,
RandomNumberGenerator rng,
const std::string &  pass,
std::chrono::milliseconds  msec = std::chrono::milliseconds(300),
const std::string &  pbe_algo = "" 
)

Get a string containing a PEM encoded private key, encrypting it with a password.

Parameters
keythe key to encode
rngthe rng to use
passthe password to use for encryption
msecnumber of milliseconds to run the password derivation
pbe_algothe name of the desired password-based encryption algorithm; if empty ("") a reasonable (portable/secure) default will be chosen.
Returns
encrypted key in PEM form

Definition at line 217 of file pkcs8.cpp.

References BER_encode(), Botan::PEM_Code::encode(), and PEM_encode().

222  {
223  if(pass.empty())
224  return PEM_encode(key);
225 
226  return PEM_Code::encode(PKCS8::BER_encode(key, rng, pass, msec, pbe_algo),
227  "ENCRYPTED PRIVATE KEY");
228  }
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43
std::vector< uint8_t > BER_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
Definition: pkcs8.cpp:187
std::string PEM_encode(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds msec, const std::string &pbe_algo)
Definition: pkcs8.cpp:217

◆ PEM_encode_encrypted_pbkdf_iter()

std::string Botan::PKCS8::PEM_encode_encrypted_pbkdf_iter ( const Private_Key key,
RandomNumberGenerator rng,
const std::string &  pass,
size_t  pbkdf_iter,
const std::string &  cipher = "",
const std::string &  pbkdf_hash = "" 
)

Get a string containing a PEM encoded private key, encrypting it with a password.

Parameters
keythe key to encode
rngthe rng to use
passthe password to use for encryption
pbkdf_iternumber of iterations to run PBKDF
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in PEM form

Definition at line 266 of file pkcs8.cpp.

References BER_encode_encrypted_pbkdf_iter(), and Botan::PEM_Code::encode().

Referenced by botan_privkey_export_encrypted_pbkdf_iter().

272  {
273  return PEM_Code::encode(
274  PKCS8::BER_encode_encrypted_pbkdf_iter(key, rng, pass, pbkdf_iterations, cipher, pbkdf_hash),
275  "ENCRYPTED PRIVATE KEY");
276  }
std::vector< uint8_t > BER_encode_encrypted_pbkdf_iter(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, size_t pbkdf_iterations, const std::string &cipher, const std::string &pbkdf_hash)
Definition: pkcs8.cpp:233
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43

◆ PEM_encode_encrypted_pbkdf_msec()

std::string Botan::PKCS8::PEM_encode_encrypted_pbkdf_msec ( const Private_Key key,
RandomNumberGenerator rng,
const std::string &  pass,
std::chrono::milliseconds  pbkdf_msec,
size_t *  pbkdf_iterations,
const std::string &  cipher = "",
const std::string &  pbkdf_hash = "" 
)

Get a string containing a PEM encoded private key, encrypting it with a password.

Parameters
keythe key to encode
rngthe rng to use
passthe password to use for encryption
pbkdf_msechow long in milliseconds to run PBKDF2
pbkdf_iterations(output argument) number of iterations of PBKDF that ended up being used
cipherif non-empty specifies the cipher to use. CBC and GCM modes are supported, for example "AES-128/CBC", "AES-256/GCM", "Serpent/CBC". If empty a suitable default is chosen.
pbkdf_hashif non-empty specifies the PBKDF hash function to use. For example "SHA-256" or "SHA-384". If empty a suitable default is chosen.
Returns
encrypted key in PEM form

Definition at line 314 of file pkcs8.cpp.

References BER_encode_encrypted_pbkdf_msec(), and Botan::PEM_Code::encode().

Referenced by botan_privkey_export_encrypted_pbkdf_msec().

321  {
322  return PEM_Code::encode(
323  PKCS8::BER_encode_encrypted_pbkdf_msec(key, rng, pass, pbkdf_msec, pbkdf_iterations, cipher, pbkdf_hash),
324  "ENCRYPTED PRIVATE KEY");
325  }
std::vector< uint8_t > BER_encode_encrypted_pbkdf_msec(const Private_Key &key, RandomNumberGenerator &rng, const std::string &pass, std::chrono::milliseconds pbkdf_msec, size_t *pbkdf_iterations, const std::string &cipher, const std::string &pbkdf_hash)
Definition: pkcs8.cpp:281
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43