
Working with PEM Encrypted Private Keys


Demonstrates how to load and save PEM encrypted private keys.


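load ./chilkat.dll

# Loads a PEM holding encrypted private keys twice (from a file, then from a
# string) and prints the bit length of every private key it contains.
#
# This example assumes the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set success 0

set pem [new_CkPem]

# Sample passphrase only.  In real code do not embed the passphrase in the
# script: obtain it at run time (prompt, environment, secrets store) and keep
# it out of source control and logs.
set pemPassword "secret"

set pemPath "/Users/chilkat/testData/pem/pemContainingEncryptedPrivateKeys.pem"

# To load a PEM file containing encrypted private keys, simply
# provide the password.
set success [CkPem_LoadPemFile $pem $pemPath $pemPassword]
if {$success == 0} then {
    puts [CkPem_lastErrorText $pem]
    delete_CkPem $pem
    exit 1
}

set fac [new_CkFileAccess]

# The second argument of ReadEntireTextFile is the file's character encoding,
# not the PEM passphrase.  PEM is plain ASCII, so utf-8 reads it correctly.
set pemText [CkFileAccess_readEntireTextFile $fac $pemPath "utf-8"]
if {[CkFileAccess_get_LastMethodSuccess $fac] == 0} then {
    puts [CkFileAccess_lastErrorText $fac]
    delete_CkPem $pem
    delete_CkFileAccess $fac
    exit 1
}

# To load a PEM from a string, call LoadPem instead of LoadPemFile.
# The passphrase is passed here, exactly as for LoadPemFile; without it the
# encrypted key blocks cannot be decrypted.
set success [CkPem_LoadPem $pem $pemText $pemPassword]
if {$success == 0} then {
    puts [CkPem_lastErrorText $pem]
    delete_CkPem $pem
    delete_CkFileAccess $fac
    exit 1
}

# A few notes:
# The PEM may contain both private keys and certificates (or anything else).
# The password is used for whatever content in the PEM is encrypted.
# It is OK to have both encrypted and non-encrypted content within a given PEM.

# PEM private keys can be encrypted in different formats.  The LoadPem and LoadPemFile
# methods automatically handle the different formats.
# One format is PKCS8 and is indicated by this delimiter within the PEM:

# -----BEGIN ENCRYPTED PRIVATE KEY-----
# MIICoTAbBgkqhkiG9w0BBQMwDgQIfdD0zv24lgkCAggABIICgE0PdHJmRbNs6cBX
# ...

# Another format, which we'll call "passphrase", looks like this in the PEM:
# -----BEGIN RSA PRIVATE KEY-----
# Proc-Type: 4,ENCRYPTED
# DEK-Info: DES-EDE3-CBC,A4215544D11C5D0C
#
# paqy9XRexcSjurHfG0xhCaUD0HrvIdhuC0CbRxxxeMlkLaV6+uT80rBxt2AaibWG
# ...

# NOTE(review): both samples above use legacy protection.  The "passphrase"
# format derives its key from the passphrase with a single MD5 pass, and the
# PKCS8 header shown appears to decode to a PBES1 MD5/DES scheme (confirm with
# an ASN.1 dump).  Being able to load such keys is fine, but when keys are
# re-saved prefer PKCS8 with PBES2 (PBKDF2 + AES) and a strong passphrase.

# Show the bit length of each private key:

set numPrivateKeys [CkPem_get_NumPrivateKeys $pem]
if {$numPrivateKeys == 0} then {
    puts "Error: Expected the PEM to contain private keys."
    delete_CkPem $pem
    delete_CkFileAccess $fac
    exit 1
}

set privKey [new_CkPrivateKey]

# PrivateKeyAt uses a 0-based index; the printed label is 1-based.
for {set i 0} {$i < $numPrivateKeys} {incr i} {
    # Check the result so a key that failed to load is reported, instead of
    # printing the bit length of whatever privKey held before.
    set success [CkPem_PrivateKeyAt $pem $i $privKey]
    if {$success == 0} then {
        puts [CkPem_lastErrorText $pem]
        delete_CkPem $pem
        delete_CkFileAccess $fac
        delete_CkPrivateKey $privKey
        exit 1
    }
    puts "[expr {$i + 1}]: [CkPrivateKey_get_BitLength $privKey] bits"
}

delete_CkPem $pem
delete_CkFileAccess $fac
delete_CkPrivateKey $privKey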