help-gnutls

gnutls_x509_privkey_import_openssl


From: MK
Subject: gnutls_x509_privkey_import_openssl
Date: Tue, 9 Oct 2012 17:18:09 -0400

Hi gang!

I just started using GnuTLS, and one of the first things I needed to do
was incorporate a certificate with an encrypted key generated by OpenSSL.
This seemed like a very simple task; here's a minimal reproduction of
the technique I used to decrypt the original key:

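#include <stdio.h>
#include <stdlib.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

/* Print a GnuTLS error code with its description and exit. */
void fatal (const char *msg, int err) {
        fprintf(stderr, "%s: %s\n", msg, gnutls_strerror(err));
        exit(1);
}

void usage (const char *name) {
        fprintf(stderr,
                "Usage: %s [password] < keyfile.in > keyfile.out\n",
                name
        );
        exit(0);
}

int main (int argc, const char *argv[]) {
        if (argc != 2) usage(argv[0]);

        /* Read the whole key file from stdin, never past the buffer. */
        unsigned char buffer[4096] = { 0 };
        size_t i = 0;
        int c = fgetc(stdin);

        while (c != EOF && i < sizeof(buffer)) {
                buffer[i++] = c;
                c = fgetc(stdin);
        }

        const gnutls_datum_t raw = {
                .data = buffer,
                .size = i
        };

        /* The library and the key handle must be initialized first. */
        int check = gnutls_global_init();
        if (check) fatal("Init error", check);

        gnutls_x509_privkey_t decrypted;
        check = gnutls_x509_privkey_init(&decrypted);
        if (check) fatal("Key init error", check);

        check = gnutls_x509_privkey_import_openssl(decrypted, &raw,
                argv[1]);
        if (check) fatal("Import error", check);

        /* (remainder of the program not shown) */
        gnutls_x509_privkey_deinit(decrypted);
        gnutls_global_deinit();
        return 0;
}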

Feeding in the key file resulted in GNUTLS_E_DECRYPTION_FAILED.  Since
the key can be decrypted other ways (e.g., via "openssl -rsa") and used
successfully, I realized perhaps I should just use the encrypted data
in the file sans header*, but this led to GNUTLS_E_PARSING_ERROR.
Glancing at the gnutls source, that bail appears to happen before
DECRYPTION_FAILED, so I presume I am correct to feed in the entire file.

So I'm at a loss -- what am I doing wrong?  I'm using 3.1.2 built from
source.

* the header being:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC

Thanks -- Mark

-- 
"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)
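
The header quoted in the post is the traditional OpenSSL encrypted-PEM encapsulation (Proc-Type / DEK-Info). As an added example, not part of the original post and not GnuTLS or OpenSSL code, this C function parses that header and checks that DEK-Info carries a cipher name plus a hex IV of the expected size before a file is handed to an import routine. The names `parse_pem_enc_header`, `struct pem_enc` and `expected_iv_len` are hypothetical, and the sample headers are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not GnuTLS or OpenSSL API. */
struct pem_enc { char cipher[32]; unsigned char iv[16]; size_t iv_len; };
/* Constructed samples: header lines only, key body left out. */
static const char SAMPLE_OK[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n";
static const char SAMPLE_NO_IV[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC\n\n";

/* IV size in bytes for common CBC cipher names; 0 means unknown cipher. */
static size_t expected_iv_len(const char *cipher) {
    if (!strcmp(cipher, "DES-CBC") || !strcmp(cipher, "DES-EDE3-CBC")) return 8;
    if (!strncmp(cipher, "AES-", 4) && strstr(cipher, "-CBC")) return 16;
    return 0;
}

/* 0 ok; -1 not encrypted; -2 no DEK-Info; -3 malformed; -4 wrong IV size. */
int parse_pem_enc_header(const char *pem, struct pem_enc *out) {
    const char *p = strstr(pem, "Proc-Type: 4,ENCRYPTED");
    if (!p) return -1;
    if (!(p = strstr(p, "DEK-Info: "))) return -2;
    p += strlen("DEK-Info: ");
    size_t n = strcspn(p, ",\r\n");           /* cipher name ends at ',' */
    if (n == 0 || n >= sizeof out->cipher || p[n] != ',') return -3;
    memcpy(out->cipher, p, n);
    out->cipher[n] = '\0';
    p += n + 1;
    size_t hex = strcspn(p, "\r\n");          /* rest of line is the hex IV */
    if (hex == 0 || hex % 2 || hex / 2 > sizeof out->iv) return -3;
    for (size_t i = 0; i < hex; i += 2) {
        unsigned v;
        if (!isxdigit((unsigned char)p[i]) || !isxdigit((unsigned char)p[i + 1])) return -3;
        sscanf(p + i, "%2x", &v);
        out->iv[i / 2] = (unsigned char)v;
    }
    out->iv_len = hex / 2;
    size_t want = expected_iv_len(out->cipher);
    return (want && want != out->iv_len) ? -4 : 0;
}

int main(void) {
    struct pem_enc e;
    printf("%d %d\n", parse_pem_enc_header(SAMPLE_OK, &e), parse_pem_enc_header(SAMPLE_NO_IV, &e));
    return 0;
}
```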