MK mk at
Tue Oct 9 23:18:09 CEST 2012

Hi gang!

I just started using GnuTLS, and one of the first things I needed to do
was incorporate a certificate with an encrypted key generated by OpenSSL.
This seemed like a very simple task; here's a minimal reproduction of
the technique I used to decrypt the original key:

#include <stdio.h>
#include <stdlib.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

void usage (const char *name) {
	fprintf(stderr, "Usage: %s [password] < > keyfile.out\n", name);
	exit(1);
}

void fatal (const char *msg, int err) {
	fprintf(stderr, "%s: %s\n", msg, gnutls_strerror(err));
	exit(1);
}

int main (int argc, const char *argv[]) {
	if (argc != 2) usage(argv[0]);

	/* read the whole PEM file, headers included; never run past the buffer */
	unsigned char buffer[4096] = { 0 };
	int i = 0,
		c = fgetc(stdin);

	while (c != EOF && i < (int) sizeof buffer) {
		buffer[i++] = c;
		c = fgetc(stdin);
	}

	const gnutls_datum_t raw = {
		.data = buffer,
		.size = i
	};

	gnutls_global_init();
	/* the key handle must be initialised before anything is imported into it */
	gnutls_x509_privkey_t decrypted;
	int check = gnutls_x509_privkey_init(&decrypted);
	if (check) fatal("Init error", check);

	check = gnutls_x509_privkey_import_openssl(decrypted, &raw, argv[1]);
	if (check) fatal("Import error", check);
	return 0;
}

Feeding in the key file resulted in GNUTLS_E_DECRYPTION_FAILED.  Since
the key can be decrypted other ways (e.g., via "openssl -rsa") and used
successfully, I realized perhaps I should just use the encrypted data
in the file sans header*, but this led to GNUTLS_E_PARSING_ERROR.
Glancing at the GnuTLS source, that bail appears to happen before
DECRYPTION_FAILED, so I presume I am correct to feed in the entire file.

So I'm at a loss -- what am I doing wrong?  I'm using 3.1.2 built from

* the header being:
Proc-Type: 4,ENCRYPTED

Thanks -- Mark

"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)
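Before handing a blob to gnutls_x509_privkey_import_openssl, it is worth checking that the file really is in the legacy OpenSSL form that function expects (RFC 1421 "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers inside a "-----BEGIN RSA PRIVATE KEY-----" block) rather than PKCS#8, which needs gnutls_x509_privkey_import_pkcs8. The following is an added example, my own C and not code from the post above or from GnuTLS: it classifies a PEM private key by its BEGIN line and header block, parses the DEK-Info cipher name and IV, and reports which GnuTLS import call applies. The sample PEM strings are constructed placeholders with no real key material, and the kind-to-import-call mapping is my own reading of the GnuTLS 3.x API, not something the post states.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not code from the original post or from GnuTLS. */
enum pem_kind {
    PEM_UNKNOWN = 0,
    PEM_PLAIN_LEGACY,      /* BEGIN RSA/DSA/EC PRIVATE KEY, no Proc-Type   */
    PEM_ENCRYPTED_LEGACY,  /* ... plus Proc-Type: 4,ENCRYPTED and DEK-Info */
    PEM_PLAIN_PKCS8,       /* BEGIN PRIVATE KEY                            */
    PEM_ENCRYPTED_PKCS8    /* BEGIN ENCRYPTED PRIVATE KEY                  */
};

struct pem_info {
    enum pem_kind kind;
    char cipher[32];       /* DEK-Info cipher name, e.g. "DES-EDE3-CBC"    */
    unsigned char iv[16];  /* DEK-Info IV (OpenSSL also uses it as salt)   */
    size_t iv_len;
};

#define STARTS_WITH(s, lit) (strncmp((s), (lit), sizeof (lit) - 1) == 0)

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "DEK-Info: <cipher>,<hex-iv>".  Returns 0 on success, -1 if the
 * line is malformed or the IV is longer than any block size we store. */
static int parse_dek_info(const char *line, struct pem_info *out) {
    const char *p = line + strlen("DEK-Info:");
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, ",\r\n");
    if (n == 0 || n >= sizeof out->cipher || p[n] != ',') return -1;
    memcpy(out->cipher, p, n);
    out->cipher[n] = '\0';
    p += n + 1;
    out->iv_len = 0;
    for (;;) {
        int hi = hexval((unsigned char) p[0]);
        int lo = hi < 0 ? -1 : hexval((unsigned char) p[1]);
        if (lo < 0) break;
        if (out->iv_len >= sizeof out->iv) return -1;
        out->iv[out->iv_len++] = (unsigned char) (hi * 16 + lo);
        p += 2;
    }
    return out->iv_len ? 0 : -1;
}

/* Classify the first PEM object in `pem`: 0 and `out` filled, or -1. */
int classify_pem(const char *pem, struct pem_info *out) {
    memset(out, 0, sizeof *out);
    const char *begin = strstr(pem, "-----BEGIN ");
    if (!begin) return -1;
    if (STARTS_WITH(begin, "-----BEGIN ENCRYPTED PRIVATE KEY-----")) {
        out->kind = PEM_ENCRYPTED_PKCS8;
        return 0;
    }
    if (STARTS_WITH(begin, "-----BEGIN PRIVATE KEY-----")) {
        out->kind = PEM_PLAIN_PKCS8;
        return 0;
    }
    const char *end = strstr(begin, "-----END ");
    if (!end) return -1;
    /* Legacy form: RFC 1421 headers sit between the BEGIN line and the
     * first blank line; ignore markers that fall outside this block. */
    const char *proc = strstr(begin, "Proc-Type: 4,ENCRYPTED");
    const char *dek  = strstr(begin, "DEK-Info:");
    if (proc && proc > end) proc = NULL;
    if (dek && dek > end) dek = NULL;
    if (!proc) {
        out->kind = PEM_PLAIN_LEGACY;
        return 0;
    }
    if (!dek || parse_dek_info(dek, out) != 0) return -1;
    out->kind = PEM_ENCRYPTED_LEGACY;
    return 0;
}

/* Which GnuTLS call to reach for; this mapping is the example's own. */
const char *import_call_for(enum pem_kind kind) {
    switch (kind) {
    case PEM_ENCRYPTED_LEGACY: return "gnutls_x509_privkey_import_openssl(key, &raw, password)";
    case PEM_PLAIN_LEGACY:     return "gnutls_x509_privkey_import(key, &raw, GNUTLS_X509_FMT_PEM)";
    case PEM_PLAIN_PKCS8:      return "gnutls_x509_privkey_import_pkcs8(key, &raw, GNUTLS_X509_FMT_PEM, NULL, GNUTLS_PKCS_PLAIN)";
    case PEM_ENCRYPTED_PKCS8:  return "gnutls_x509_privkey_import_pkcs8(key, &raw, GNUTLS_X509_FMT_PEM, password, 0)";
    default:                   return "no private-key block found";
    }
}

/* Constructed samples: the header shape the post describes; the base64
 * bodies are placeholders, not key material. */
const char SAMPLE_LEGACY_ENC[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0A1B2C3D4E5F6071\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n";
const char SAMPLE_PKCS8_ENC[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";

int main(void) {
    struct pem_info info;
    const char *samples[] = { SAMPLE_LEGACY_ENC, SAMPLE_PKCS8_ENC };
    for (size_t i = 0; i < 2; i++) {
        if (classify_pem(samples[i], &info) != 0) { puts("unrecognised"); continue; }
        printf("kind=%d cipher=%s iv_len=%zu -> %s\n", info.kind, info.cipher,
               info.iv_len, import_call_for(info.kind));
    }
    return 0;
}
```

The cipher name pulled out of DEK-Info is the first thing to compare against what your GnuTLS build supports when import_openssl returns GNUTLS_E_DECRYPTION_FAILED; a wrong password and an unsupported cipher are otherwise hard to tell apart from the error code alone.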

More information about the Gnutls-help mailing list