CryptoSys PKI Toolkit Manual

PEM string alternative for X.509 certificates, RSA keys, etc

In the same way you can pass a base64 string instead of an X.509 filename, you can pass a string containing the certificate in PEM format. The PEM format looks like

-----BEGIN CERTIFICATE-----
MIHgMIGaAgEBMA0GCSqG...
-----END CERTIFICATE-----

Similarly, those RSA functions which require you to pass the filename of an RSA key file will accept a string that contains the file contents in PEM format. An RSA key file in PEM format looks like

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICojAcBgoqhkiG9w0BDAEDMA4ECHPQz6NdAmoFAgIH0ASCAoBKn9KXr+dm
Vtc0ZhEog7t3Prs4rJazwUsXExU78ePLMquxLi/cPmqtyjb472r6XUOa...
-----END ENCRYPTED PRIVATE KEY-----

[New in v3.5] Similarly for CMS objects.

The functions will accept all strings that start with "-----BEGIN" and are of the form

-----BEGIN XXX-----\n
(base64-encoded data)\n
-----END XXX-----

provided there is a newline character, either LF or CRLF (indicated as \n above), between the pre-encapsulation boundary "-----BEGIN XXX-----" and the start of the base64 data, and another before the post-encapsulation boundary "-----END XXX-----" [this is no longer required as of v3.5].

The exact word or words used for "XXX" do not matter, but there must be exactly 5 dash characters "-" before and after. Any non-base64 characters found in the encoded data, including newline characters or spaces, will be ignored.

This means, for example, that you can store your certificates and encrypted private keys as strings in a database. Note that an X.509 certificate can be passed either as a plain base64 string or in PEM format, that is, with or without the "-----BEGIN CERTIFICATE-----" encapsulation, but RSA key data can only be passed in PEM format.
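As an added illustration of the acceptance rules described above (this is not code from the toolkit; it is a stand-alone Python routine written for this page), the function below distinguishes a plain base64 string from a PEM string, requires exactly five dashes around the "XXX" label, ignores any non-base64 characters in the encoded data, and can optionally enforce the pre-v3.5 newline rule. The DER bytes it decodes are a constructed sample, not a real certificate.

```python
import base64
import re

# Boundary rule from the manual: exactly five dashes on each side of the label.
_BEGIN_RE = re.compile(r"^-----BEGIN ([^-]+)-----(?!-)")
_END_RE = re.compile(r"-----END ([^-]+)-----(?!-)\s*$")
_B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# Constructed sample: DER for SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_B64 = "MAMCAQU="
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              "MAMC AQU=\r\n"              # embedded space is ignored
              "-----END CERTIFICATE-----\r\n")


def decode_pem_or_base64(data, strict_newlines=False):
    """Return (label, der_bytes) for a PEM string or a plain base64 string.

    label is the "XXX" of the BEGIN boundary, or None for plain base64.
    strict_newlines=True applies the pre-v3.5 rule: a line break must follow
    the BEGIN line and precede the END line.
    """
    text = data.strip()
    if not text.startswith("-----BEGIN"):
        # Plain base64 (the manual allows this for certificates, not RSA keys).
        body, label = text, None
    else:
        begin = _BEGIN_RE.match(text)
        end = _END_RE.search(text)
        if begin is None or end is None or end.start() <= begin.end():
            raise ValueError("malformed PEM encapsulation boundaries")
        label = begin.group(1)
        body = text[begin.end():end.start()]
        if strict_newlines and not (body.startswith(("\r\n", "\n"))
                                    and body.endswith("\n")):
            raise ValueError("newline required after BEGIN and before END")
    # Non-base64 characters (newlines, spaces, tabs) are ignored, per the manual.
    cleaned = "".join(ch for ch in body if ch in _B64_ALPHABET)
    cleaned += "=" * (-len(cleaned) % 4)  # tolerate dropped padding (assumption)
    return label, base64.b64decode(cleaned, validate=True)


def is_accepted(data, strict_newlines=False):
    """True if the string would be accepted under the rules above."""
    try:
        decode_pem_or_base64(data, strict_newlines)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
```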

Examples

This first example shows how an encrypted private key can be read from a string instead of a file.

Dim strKeyPemData As String
strKeyPemData = _
  "-----BEGIN ENCRYPTED PRIVATE KEY-----" & _
  "MIICojAcBgoqhkiG9w0BDAEDMA4ECHPQz6NdAmoFAgIH0ASCAoBKn9KXr+dm" & _
  "Vtc0ZhEog7t3Prs4rJazwUsXExU78ePLMquxLi/cPmqtyjb472r6XUOa9J/v" & _
  "g2gYHlJ7D7FfAdTdVbHmXWfZzdIqI+AKZmrMoIfSVSSrI8mLDXLDgJVm2Gxa" & _
  "r/YJ154L4fwqWjj0b06v8nTrXTp7G3ZSxjmXc3auf8tS1RatpDuSn027jBGt" & _
  "Pg2CGPjeSomOU7Efd89R+gryW3RfXaMEv1TtGmdS+szxN4TAzgFTzjzE7qJ2" & _
  "+WL09hBRxSyi5JybbxblrO5zDbGJD8rq4kGawWUj4PYDpOkxQYQyK/cALEvv" & _
  "EipLeWvk03CadKER3EcpL7wQT3N5wJGNx7GR3efkO7lO/VfGf6kYFsJ8Qt94" & _
  "vBlgq84abgSD+rlRX03re/NLJQ00Qxl3bDrkSiRoXSfBiOeVzBVTsh03Sj4B" & _
  "V0v2KLENsMXr40rMqTGfKD3V+FyYUehWEkEl3NrIVpBSJir+g4H3tl76SdNe" & _
  "mq/cTtQP+EY8fpC3I46dyDXFat3wQfubw+E5nGfv7xp6vRVRRolpZx7DpuB/" & _
  "z1tzO3uP0vJ0pjATriO/ZAVs6UrXx+DJ6XsfrAVt0jpW5Ngr8rm2EiD3/1T9" & _
  "7q1dELJ7GzCY1dG99XVjt9ZXb7cI8zsPpT/gzQJLfeLe3U5Mdw0hKZLfPCex" & _
  "0urs3ytK0XNu+jZAYeSaysG8/rHJaH74WOgJ8gnSPY4QtWsu6+3qBErS2jbq" & _
  "7E2jRvBKWICVd1yiQCDq/c6s9LeYhNhZsmcWxuX9b4lG9f1LHZy0djhIYi4x" & _
  "IpcEfjkTH+7zUOkMQ+fXZHtSEVFt9L2Ci49jB8YReqbfOuDFzzwsk3xxfL2h" & _
  "ZoRK" & _
  "-----END ENCRYPTED PRIVATE KEY-----"
Dim nLen As Long
Dim strPassword As String
Dim strPrivateKey As String
strPassword = "password"
' How long is PrivateKey string?
nLen = RSA_ReadEncPrivateKey("", 0, strKeyPemData, strPassword, 0)
If nLen <= 0 Then
  Debug.Print "ERROR: RSA_ReadEncPrivateKey returns " & nLen
  Exit Sub
End If
' Pre-dimension the string to receive data
strPrivateKey = String(nLen, " ")
' Read in the Private Key
nLen = RSA_ReadEncPrivateKey(strPrivateKey, Len(strPrivateKey), strKeyPemData, strPassword, 0)
If nLen <= 0 Then
  Debug.Print "ERROR: RSA_ReadEncPrivateKey returns " & nLen
  Exit Sub
End If
' ... do something with the private key...
Debug.Print "Private key is " & RSA_KeyBits(strPrivateKey) & " bits long."
Debug.Print "KeyHashCode=" & Hex(RSA_KeyHashCode(strPrivateKey))
' then make sure it is deleted
strPrivateKey = wipeString(strPrivateKey)

This should produce the output

Private key is 1024 bits long.
KeyHashCode=48BFEF2C


Copyright © 2004-12 D.I. Management Services Pty Ltd. All rights reserved.