The PEM standard (rfc 1113-1116, is there an update?) specifies how encrypted mail may be sent from one user to another.
First, the message body is converted to ASCII or some standard character set.
Then it is encrypted using some symmetric cipher.
This then is base-64 encoded.
It is then packaged up in a message with headers:
Proc-Type,4:ENCRYPTED
DEK-Info: cipher-name, ivec
where ivec is the base64-encoded ivec used during encryption of the message. See DES encryption if you are not sure what an ivec is.
The message and its headers are all prefaced by
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
and followed by
-----END PRIVACY-ENHANCED MESSAGE-----
Now if you have read the PEM rfcs you will notice that all the stuff about message integrity (MICs) is missing from this library. It's not needed for SSL or the X509 handling, but if you had to have it, you could implement it pretty fast (see PEM library routines for some comments on this).
Here is an example of a PEM-encoded object as SSLeay knows it:
-----BEGIN DSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,F80EEEBEEA7386C4 GZ9zgFcHOlnhPoiSbVi/yXc9mGoj44A6IveD4UlpSEUt6Xbse3Fr0KHIUyQ3oGnS mClKoAp/eOTb5Frhto85SzdsxYtac+X1v5XwdzAMy2KowHVk1N8A5jmE2OlkNPNt of132MNlo2cyIRYaa35PPYBGNCmUm7YcYS8O90YtkrQZZTf4+2C4kllhMcdkQwkr FWSWC8YOQ7w0LHb4cX1FejHHom9Nd/0PN3vn3UyySvfOqoR7nbXkrpHXmPIr0hxX RcF0aXcV/CzZ1/nfXWQf4o3+oD0T22SDoVcZY60IzI0oIc3pNCbDV3uKNmgekrFd qOUJ+QW8oWp7oefRx62iBfIeC8DZunohMXaWAQCU0sLQOR4yEdeUCnzCSywe0bG1 diD0KYaEe+Yub1BQH4aLsBgDjardgpJRTQLq0DUvw0/QGO1irKTJzegEDNVBKrVn V4AHOKT1CUKqvGNRP1UnccUDTF6miOAtaj/qpzra7sSk7dkGBvIEeFoAg84kfh9h hVvF1YyzC9bwZepruoqoUwke/WdNIR5ymOVZ/4Liw0JdIOcq+atbdRX08niqIRkf dsZrUj4leo3zdefYUQ7w4N2Ns37yDFq7 -----END DSA PRIVATE KEY-----
Sometimes 'PEM' is used in these documents (and on the ssl-users list and other forums) to designated a non-encrypted message that has just been base4-encoded with BEGIN and END headers around it. Certificates, requests, and non-encrypted keys can be written out in this form and often are.
Here is one such example (which won't be very illuminating to look at, but nonbetheless:
-----BEGIN CERTIFICATE REQUEST----- MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR 5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6 kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe 6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0 z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w== -----END CERTIFICATE REQUEST-----