PKCS #8/OpenSSL Encrypted Keys


Commons-SSL includes support for extracting private keys from PKCS #8 files. We also support the OpenSSL formats ("traditional SSLeay"). The private keys can be in PEM (base64) or DER (raw ASN.1 - a binary format).
The code works with Java 1.3 (+JCE), 1.4, 5.0, 6.0, but not all of the ciphers and hashes are available until Java 5.0 (unless you use BouncyCastle). Fortunately the most common formats [OpenSSL MD5 with 3DES], [PKCS #8 V1.5 MD5 with DES], [PKCS #8 V2.0 HmacSHA1 with 3DES] work with all versions of Java, including Java 1.3.
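PKCS #8 example:

import java.io.FileInputStream;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import org.apache.commons.ssl.PKCS8Key;

FileInputStream in = new FileInputStream( "/path/to/pkcs8_private_key.der" );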

// If the provided InputStream is encrypted, we need a password to decrypt
// it. If the InputStream is not encrypted, then the password is ignored
// (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
PKCS8Key pkcs8 = new PKCS8Key( in, "changeit".toCharArray() );

// If an unencrypted PKCS8 key was provided, then this actually returns
// exactly what was originally passed in (with no changes).  If an OpenSSL
// key was provided, it gets reformatted as PKCS #8 first, and so these
// bytes will still be PKCS #8, not OpenSSL.
byte[] decrypted = pkcs8.getDecryptedBytes();
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec( decrypted );

// A Java PrivateKey object is born.
PrivateKey pk = null;
if ( pkcs8.isDSA() )
{
  pk = KeyFactory.getInstance( "DSA" ).generatePrivate( spec );
}
else if ( pkcs8.isRSA() )
{
  pk = KeyFactory.getInstance( "RSA" ).generatePrivate( spec );
}

// For lazier types (like me):
pk = pkcs8.getPrivateKey();

Both RSA and DSA keys are supported. Here is a list of supported formats:

OpenSSL "Traditional SSLeay Compatible Format"
  • Unencrypted PEM or DER
  • Encrypted PEM:
      • des
      • des2
      • des3
      • blowfish
      • aes128
      • aes192
      • aes256
      • rc2-40
      • rc2-64
      • rc2-128
  • Note: OpenSSL "traditional SSLeay" format does not allow encrypted keys to be encoded in DER. Only unencrypted keys can be encoded in DER.

PKCS #8 (Unencrypted)
  • PEM or DER

PKCS #8 with PKCS #5 Version 1.5 Encryption
  • PEM or DER:
      • MD2 with DES
      • MD2 with RC2-64
      • MD5 with DES
      • MD5 with RC2-64
      • SHA1 with DES
      • SHA1 with RC2-64

PKCS #8 with PKCS #5 Version 1.5 Encryption and PKCS #12 Key Derivation
  • PEM or DER:
      • SHA1 with 3DES
      • SHA1 with 2DES
      • SHA1 with RC2-128
      • SHA1 with RC2-40
      • SHA1 with RC4-128
      • SHA1 with RC4-40

PKCS #8 with PKCS #5 Version 2.0 Encryption and HmacSHA1
  • PEM or DER:
      • DES
      • 3DES
      • Blowfish
      • AES-128
      • AES-192
      • AES-256
      • RC2-40
      • RC2-64
      • RC2-128
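
To see which of the families above a PEM key file belongs to before handing it to PKCS8Key, the armor label and the Proc-Type/DEK-Info headers are enough. The following is an added example, not part of Commons-SSL or the original page; it uses only the JDK, and the names PemKeyFormat, classify and SHORT_KEY (including the choice of which ciphers to flag) are assumptions of this sketch.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PemKeyFormat {
    // Example policy (an assumption of this sketch): DEK-Info ciphers with keys of 64 bits or less.
    static final Set<String> SHORT_KEY = new HashSet<>(Arrays.asList(
            "DES-CBC", "RC2-40-CBC", "RC2-64-CBC"));

    // Classifies a PEM private key from its armor label and encapsulated headers only.
    static String classify(String pem) throws IOException {
        BufferedReader r = new BufferedReader(new StringReader(pem));
        String label = null, dek = "unknown cipher";
        boolean encrypted = false;
        for (String line; (line = r.readLine()) != null; ) {
            line = line.trim();
            if (line.startsWith("-----BEGIN ") && line.endsWith("-----")) {
                label = line.substring(11, line.length() - 5);   // text between the dashes
            } else if (line.equals("Proc-Type: 4,ENCRYPTED")) {
                encrypted = true;                                // traditional OpenSSL encryption marker
            } else if (line.startsWith("DEK-Info:")) {
                dek = line.substring(9).trim().split(",")[0].toUpperCase(); // cipher name before the IV
            }
        }
        if (label == null) return "not PEM (possibly DER)";
        if (label.equals("ENCRYPTED PRIVATE KEY")) return "PKCS #8, encrypted (algorithm is inside the ASN.1)";
        if (label.equals("PRIVATE KEY")) return "PKCS #8, unencrypted";
        if (label.equals("RSA PRIVATE KEY") || label.equals("DSA PRIVATE KEY")) {
            if (!encrypted) return "OpenSSL traditional, unencrypted";
            String note = SHORT_KEY.contains(dek) ? " [short key]" : "";
            return "OpenSSL traditional, encrypted with " + dek + note;
        }
        return "unrecognized PEM label: " + label;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: header lines only, the key body is deliberately left out.
        String sample = "-----BEGIN RSA PRIVATE KEY-----\n"
                + "Proc-Type: 4,ENCRYPTED\n"
                + "DEK-Info: DES-CBC,0123456789ABCDEF\n\n"
                + "(base64 body omitted)\n"
                + "-----END RSA PRIVATE KEY-----\n";
        System.out.println(classify(sample));
    }
}
```

For PKCS #8 encrypted keys the PBE scheme (PKCS #5 v1.5, PKCS #12 derivation or v2.0) is recorded in the ASN.1 AlgorithmIdentifier rather than in a PEM header, so this sketch reports only that the key is encrypted.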

