[Help-gnutls] Re: _gnutls_fbase64_decode and PEM headers

[Simon Josefsson]

Michael Welsh Duggan <mwd at cert.org> writes:

> Why does _gnutls_fbase64_decode not appear to account for encapsulated
> header fields before the base-64 encoded data, as exemplified by
> section 4.6 of rfc1421?  I ran into this error using gnutls 1.4.1,
> using the gnutls_certificate_set_x509_key_file function with a key
> file that includes encapsulated headers.
>
>         rv = gnutls_certificate_set_x509_key_file(queue->root->cred,
>                                                   cert_filename,
>                                                   key_filename,
>                                                   GNUTLS_X509_FMT_PEM);
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,ED00000000000000
>
> BASE64ENCODEDSTUFF...
> -----END RSA PRIVATE KEY-----
>
> This ends up returning GNUTLS_E_BASE64_DECODING_ERROR, due to the fact
> that it assumes Proc-Type:, etc., are part of the base-64 encoding.

That formats is not supported by GnuTLS.  As far as I know, the format
is not standardized, and is specific to OpenSSL.  Without more
information or security analysis, I would be sceptic about its security
properties.

If you or someone wants to work on supporting this, we could add it to
libgnutls-extra (let's not add more non-essential stuff to the core
libgnutls).

> Question B: Am I doing something wrong?

Yes, most likely you really want to use PKCS#12 to transport encrypted
private keys instead.  That format can also encode client certificates
and/or CA certificates as well.  The API to use is:

  extern int
    gnutls_certificate_set_x509_simple_pkcs12_file
    (gnutls_certificate_credentials_t res, const char *pkcs12file,
     gnutls_x509_crt_fmt_t type, const char *password);

You should be able to convert to from OpenSSL-encrypted files to PKCS#11
using one of the OpenSSL command line tools.

/Simon