(rsa pkcs :12) - PKCS#12

This section describes the library that implements the PKCS#12 specification. It does not describe PKCS#12 itself; knowing the specification is not necessary in order to use the library.

Library rsa pkcs :12

This library provides procedures for PKCS#12 operations.

Keystore APIs

The example shows how to use keystore APIs:

(import (rnrs) (rsa pkcs :12))

(define keystore (load-pkcs12-keystore-file "keystore.p12" "pass"))

(pkcs12-keystore-get-key keystore "key-name" "key-pass")
;; -> <private-key>

(pkcs12-keystore-get-certificate keystore "cert-name")
;; -> <x509-certificate>

;; certs is a list of X509 certificates associated with the given private-key
(pkcs12-keystore-set-key! keystore "key-name2" private-key "key-pass2" certs)

;; cert must be an X509 certificate
(pkcs12-keystore-set-certificate! keystore "cert-name2" cert)

(store-pkcs12-keystore-to-file keystore "keystore2.p12" "pass2")

PKCS#12 keystore class.

Returns #t if given obj is PKCS#12 keystore object, otherwise #f.

Returns newly created PKCS#12 keystore object.

Loads PKCS#12 keystore from given input-port or file and returns newly created keystore object.

The load-pkcs12-keystore loads from given binary input port.

The load-pkcs12-keystore-file loads from given file.

storepass must be a string and a password for given keystore.

Retrieves the private key associated with alias from keystore. If there is no key entry associated with alias, #f is returned.

alias must be a string.

keypass must be a string. It is used to decrypt the private key; an empty password is not allowed.

Retrieves the certificate associated with alias from keystore. If there is no certificate entry associated with alias, #f is returned.

alias must be a string.

Retrieves the certificate chain associated with the key alias alias from keystore. If there is no certificate chain, '() is returned.

alias must be a string.

Returns #t if keystore contains alias. Otherwise #f.

Writes given keystore to output-port or file.

The store-pkcs12-keystore writes to given binary output port output-port.

The store-pkcs12-keystore-to-file writes to given file file.

storepass must be a string and is used to encrypt whole contents.

alias must be a string that names the private-key entry in the keystore.

private-key must be an RSA private key.

key-pass must be a string and is used to encrypt given private-key.

certs must be a list of X509 certificates associated with private-key.

Stores given private-key to keystore.

The implementation allows key-pass to differ from storepass. Be aware that the current Bouncy Castle JCE implementation encrypts each private key with the same password as storepass. A keystore whose key-pass differs from storepass is therefore not readable by Bouncy Castle.
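The following is an added example, not part of the original documentation, showing how to rewrite a keystore so that the key entry is re-encrypted under the store password for Bouncy Castle compatibility. It uses only the procedures named on this page; the file names, alias and passwords are placeholders, and the argument order of load-pkcs12-keystore and store-pkcs12-keystore (keystore first, then port, then password) is assumed by analogy with the -file variants.

```scheme
(import (rnrs) (rsa pkcs :12))

;; Placeholders: an existing keystore whose key "server" was stored with a
;; key password that differs from the store password.
(define in-file   "keystore.p12")
(define out-file  "keystore-bc.p12")
(define storepass "store-pass")       ; password protecting the whole file
(define old-keypass "separate-key-pass")
(define alias     "server")

;; Load via the binary-port variant (assumed signature: keystore, port, pass).
(define keystore
  (call-with-port (open-file-input-port in-file)
    (lambda (in) (load-pkcs12-keystore in storepass))))

;; get-key returns #f when the alias has no key entry; treat that as an error
;; rather than silently writing an empty keystore.
(define private-key (pkcs12-keystore-get-key keystore alias old-keypass))
(unless private-key
  (error 'rewrite-keystore "no private key entry for alias" alias))

;; The certificate list to keep with the key. Here the certificate is assumed
;; to be stored under the same alias as the key.
(define certs (list (pkcs12-keystore-get-certificate keystore alias)))

;; Re-store the key with key-pass = storepass, the combination Bouncy Castle
;; expects. set-key! overwrites the existing entry for this alias.
(pkcs12-keystore-set-key! keystore alias private-key storepass certs)

;; Write the result; the file contents are encrypted with storepass.
(call-with-port (open-file-output-port out-file)
  (lambda (out) (store-pkcs12-keystore keystore out storepass)))
```

After this, the copy at out-file can be opened by Bouncy Castle with storepass alone, while the original file is left untouched.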

alias must be a string that names the cert entry in the keystore.

cert must be an X509 certificate.

Stores given cert to keystore.

alias must be a string.

Removes the entry associated with alias in keystore.

Returns all defined names in keystore.