Commons-SSL includes support for extracting private keys from PKCS #8 files. We also support the OpenSSL formats ("traditional SSLeay"). The private keys can be in PEM (base64) or DER (raw ASN.1 - a binary format).
The code works with Java 1.3 (+JCE), 1.4, 5.0, 6.0, but not all of the ciphers and hashes are available until Java 5.0 (unless you use BouncyCastle). Fortunately the most common formats [OpenSSL MD5 with 3DES], [PKCS #8 V1.5 MD5 with DES], [PKCS #8 V2.0 HmacSHA1 with 3DES] work with all versions of Java, including Java 1.3.
pkcs8 example:

```java
import java.io.FileInputStream;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import org.apache.commons.ssl.PKCS8Key;

FileInputStream in = new FileInputStream( "/path/to/pkcs8_private_key.der" );

// If the provided InputStream is encrypted, we need a password to decrypt
// it. If the InputStream is not encrypted, then the password is ignored
// (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
PKCS8Key pkcs8 = new PKCS8Key( in, "changeit".toCharArray() );

// If an unencrypted PKCS8 key was provided, then this actually returns
// exactly what was originally passed in (with no changes).  If an OpenSSL
// key was provided, it gets reformatted as PKCS #8 first, and so these
// bytes will still be PKCS #8, not OpenSSL.
byte[] decrypted = pkcs8.getDecryptedBytes();
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec( decrypted );

// A Java PrivateKey object is born.
PrivateKey pk = null;
if ( pkcs8.isDSA() )
{
  pk = KeyFactory.getInstance( "DSA" ).generatePrivate( spec );
}
else if ( pkcs8.isRSA() )
{
  pk = KeyFactory.getInstance( "RSA" ).generatePrivate( spec );
}

// For lazier types (like me):
pk = pkcs8.getPrivateKey();
```
Both RSA and DSA keys are supported. Here is a list of supported formats:
- OpenSSL "Traditional SSLeay Compatible Format"
  - Unencrypted PEM or DER
  - Encrypted PEM:
    - des
    - des2
    - des3
    - blowfish
    - aes128
    - aes192
    - aes256
    - rc2-40
    - rc2-64
    - rc2-128
  - Note:
    - OpenSSL "traditional SSLeay" format does not allow encrypted keys to be encoded in DER. Only unencrypted keys can be encoded in DER.
- PKCS #8 (Unencrypted)
  - PEM or DER
- PKCS #8 with PKCS #5 Version 1.5 Encryption
  - PEM or DER:
    - MD2 with DES
    - MD2 with RC2-64
    - MD5 with DES
    - MD5 with RC2-64
    - SHA1 with DES
    - SHA1 with RC2-64
- PKCS #8 with PKCS #5 Version 1.5 Encryption and PKCS #12 Key Derivation
  - PEM or DER:
    - SHA1 with 3DES
    - SHA1 with 2DES
    - SHA1 with RC2-128
    - SHA1 with RC2-40
    - SHA1 with RC4-128
    - SHA1 with RC4-40
- PKCS #8 with PKCS #5 Version 2.0 Encryption and HmacSHA1
  - PEM or DER:
    - DES
    - 3DES
    - Blowfish
    - AES-128
    - AES-192
    - AES-256
    - RC2-40
    - RC2-64
    - RC2-128
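To see which of the container families listed above a key file belongs to before handing it to `PKCS8Key`, the following added example (not Commons-SSL code) classifies PEM input by its label and `DEK-Info` header, and DER input by the first ASN.1 tags. The class and method names are hypothetical, the sample inputs are constructed, and only the JDK is used.

```java
public class KeyFormatSniffer {  // hypothetical helper, not part of Commons-SSL

    // Index of the content that follows the DER tag+length header at pos.
    static int contentStart(byte[] der, int pos) {
        int len = der[pos + 1] & 0xff;
        return pos + 2 + (len > 0x80 ? len - 0x80 : 0);  // long form adds length bytes
    }

    // DER: decide by the tags of the first elements inside the outer SEQUENCE.
    static String classifyDer(byte[] der) {
        if (der.length < 2 || der[0] != 0x30) return "unknown";
        int first = contentStart(der, 0);
        if (first >= der.length) return "unknown";
        if (der[first] == 0x30) return "PKCS #8 encrypted";  // AlgorithmIdentifier first
        if (der[first] != 0x02 || first + 1 >= der.length) return "unknown";
        int second = first + 2 + (der[first + 1] & 0xff);     // step over version INTEGER
        if (second >= der.length) return "unknown";
        if (der[second] == 0x30) return "PKCS #8 unencrypted"; // version, AlgorithmIdentifier
        if (der[second] == 0x02) return "OpenSSL traditional unencrypted"; // version, INTEGER
        return "unknown";
    }

    // PEM: the label names the container; DEK-Info names the traditional cipher.
    static String classifyPem(String pem) {
        if (pem.contains("-----BEGIN ENCRYPTED PRIVATE KEY-----")) return "PKCS #8 encrypted";
        if (pem.contains("-----BEGIN PRIVATE KEY-----")) return "PKCS #8 unencrypted";
        for (String line : pem.split("\\r?\\n")) {
            if (line.startsWith("DEK-Info:")) {
                String cipher = line.substring("DEK-Info:".length()).trim().split(",")[0];
                return "OpenSSL traditional encrypted (" + cipher + ")";
            }
        }
        if (pem.contains("-----BEGIN RSA PRIVATE KEY-----")
                || pem.contains("-----BEGIN DSA PRIVATE KEY-----"))
            return "OpenSSL traditional unencrypted";
        return "unknown";
    }

    public static void main(String[] args) {
        // Constructed inputs: only the leading bytes / headers matter here.
        byte[] pkcs8Plain = {0x30, (byte) 0x82, 0x04, (byte) 0xbd, 0x02, 0x01, 0x00, 0x30, 0x0d};
        byte[] traditional = {0x30, (byte) 0x82, 0x04, (byte) 0xa3, 0x02, 0x01, 0x00, 0x02, (byte) 0x82};
        byte[] pkcs8Enc = {0x30, (byte) 0x82, 0x05, 0x0e, 0x30, 0x40};
        String pem = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                + "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n(body omitted)\n";
        System.out.println(classifyDer(pkcs8Plain));
        System.out.println(classifyDer(traditional));
        System.out.println(classifyDer(pkcs8Enc));
        System.out.println(classifyPem(pem));
    }
}
```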