[Help-gnutls] Re: _gnutls_fbase64_decode and PEM headers
simon at josefsson.org
Mon Jun 11 22:08:46 CEST 2007
Michael Welsh Duggan <mwd at cert.org> writes:
> Why does _gnutls_fbase64_decode not appear to account for encapsulated
> header fields before the base-64 encoded data, as exemplified by
> section 4.6 of rfc1421? I ran into this error using gnutls 1.4.1,
> using the gnutls_certificate_set_x509_key_file function with a key
> file that includes encapsulated headers.
> rv = gnutls_certificate_set_x509_key_file(queue->root->cred,
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,ED00000000000000
> -----END RSA PRIVATE KEY-----
> This ends up returning GNUTLS_E_BASE64_DECODING_ERROR, due to the fact
> that it assumes Proc-Type:, etc., are part of the base-64 encoding.
That formats is not supported by GnuTLS. As far as I know, the format
is not standardized, and is specific to OpenSSL. Without more
information or security analysis, I would be sceptic about its security
If you or someone wants to work on supporting this, we could add it to
libgnutls-extra (let's not add more non-essential stuff to the core
> Question B: Am I doing something wrong?
Yes, most likely you really want to use PKCS#12 to transport encrypted
private keys instead. That format can also encode client certificates
and/or CA certificates as well. The API to use is:
(gnutls_certificate_credentials_t res, const char *pkcs12file,
gnutls_x509_crt_fmt_t type, const char *password);
You should be able to convert to from OpenSSL-encrypted files to PKCS#11
using one of the OpenSSL command line tools.
More information about the Gnutls-help