Tcl Library Source Code

Bounty program for improvements to Tcl and certain Tcl packages.

[ Main Table Of Contents | Table Of Contents | Keyword Index | Categories | Modules | Applications ]


pki - Implementation of the public key cipher

Table Of Contents


package require Tcl 8.5
package require pki ?0.10?

::pki::encrypt ?-binary? ?-hex? ?-pad? ?-nopad? ?-priv? ?-pub? ?--? input key
::pki::decrypt ?-binary? ?-hex? ?-unpad? ?-nounpad? ?-priv? ?-pub? ?--? input key
::pki::sign input key ?algo?
::pki::verify signedmessage plaintext key ?algo?
::pki::key key ?password? ?encodePem?
::pki::pkcs::parse_key key ?password?
::pki::x509::parse_cert cert
::pki::rsa::generate bitlength ?exponent?
::pki::x509::verify_cert cert trustedcerts ?intermediatecerts?
::pki::x509::validate_cert cert ?-sign_message dn_of_signer? ?-encrypt_message dn_of_signer? ?-sign_cert dn_to_be_signed ca_depth? ?-ssl dn?
::pki::pkcs::create_csr keylist namelist ?encodePem? ?algo?
::pki::pkcs::parse_csr csr
::pki::x509::create_cert signreqlist cakeylist serial_number notBefore notAfter isCA extensions ?encodePem? ?algo?




The example below retrieves a certificate from using the TLS extension and dumps its content.

% set so [tls::socket 443]
% tls::handshake $so
% set status [tls::status $so]
...output not shown...
% set cert_pem [dict get $status certificate]
...output not shown...
% set cert [::pki::x509::parse_cert $cert_pem]
...output not shown...
% dict get $cert subject
C=US, ST=California, L=Los Angeles, O=Internet Corporation for Assigned Names and Numbers,
% dict get $cert issuer
C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1
% clock format [dict get $cert notAfter]
Sun Dec 26 05:29:59 +0530 2021
% set extensions [dict get $cert extensions]
...output not shown...
% dict keys $extensions
authorityKeyIdentifier subjectKeyIdentifier subjectAltName keyUsage extKeyUsage cRLDistributionPoints certificatePolicies authorityInfoAccess id-ce-basicConstraints basicConstraints
dict get $extensions basicConstraints
1 {0 -1}
% dict get $extensions keyUsage
1 {5 digitalSignature keyEncipherment}
% dict get $extensions extKeyUsage
0 {serverAuth clientAuth}
% dict get $extensions subjectAltName
0 {dNSName dNSName dNSName dNSName dNSName dNSName dNSName dNSName}
% dict get $extensions basicConstraints
1 {0 -1}
% dict get $extensions keyUsage
1 {5 digitalSignature keyEncipherment}
% dict get $extensions extKeyUsage
0 {serverAuth clientAuth}


  1. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

  2. New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)

  3. PKCS #10: Certification Request Syntax Specification


Roy Keene, Ashok P. Nadkarni

Bugs, Ideas, Feedback

This document, and the package it describes, will undoubtedly contain bugs and other problems. Please report such in the category rsa of the Tcllib Trackers. Please also report any ideas for enhancements you may have for either package and/or documentation.

When proposing code changes, please provide unified diffs, i.e the output of diff -u.

Note further that attachments are strongly preferred over inlined patches. Attachments can be made by going to the Edit form of the ticket immediately after its creation, and then using the left-most button in the secondary navigation bar.


aes(n), blowfish(n), des(n), md5(n), sha1(n)


cipher, data integrity, encryption, public key cipher, rsa, security


Hashes, checksums, and encryption


Copyright © 2010, 2011, 2012, 2013, 2021 Roy Keene, Andreas Kupries, Ashok P. Nadkarni