CODEWITHSUNDEEP
javasslssl-certificatebouncycastleprivate-key
Lolly
Lolly

Reputation: 36372

Encrypt a private key with Password using BouncyCastle

I am new to BouncyCastle. I have a private key generated using the below code.

     final CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
     keypair.generate(1024);
     final PrivateKey privKey = keypair.getPrivateKey();

I would to encrypt it with a password using AES or some openssl supported algorithm using BouncyCastle. I am trying to find where to start, since I am not able to find any good tutorial on this.

Upvotes: 4

Views: 8993

Answers (2)

Andy Brown
Andy Brown

Reputation: 12999

If you'd prefer to protect your private keys with AES-256 instead of one of the old DES variants supported by PKCS8, this will work:

public String toPem(String password) throws IOException {

  StringWriter sw = new StringWriter();

  try (JcaPEMWriter pemWriter = new JcaPEMWriter(sw)) {

    PEMEncryptor encryptor =
        new JcePEMEncryptorBuilder("AES-256-CBC").build(password);

    // privateKey is a java.security.PrivateKey
    JcaMiscPEMGenerator gen = new JcaMiscPEMGenerator(privateKey, encryptor);
    pemWriter.writeObject(gen);
  }

  return sw.toString();
}

You can verify the output with openssl. In my case the key is EC so this command is used:

$ openssl ec -in key.txt -passin pass:password -text

Adapt as required for RSA keys.

Upvotes: 5

pjklauser
pjklauser

Reputation: 1156

If you just want to output your private key to a passphrase "12345" protected PEM formatted and file "privatekey.pem" you can use this BC code:

    JceOpenSSLPKCS8EncryptorBuilder encryptorBuilder = new JceOpenSSLPKCS8EncryptorBuilder(PKCS8Generator.PBE_SHA1_3DES);
    encryptorBuilder.setRandom(EntropySource.getSecureRandom());
    encryptorBuilder.setPasssword("12345".toCharArray());
    OutputEncryptor oe = encryptorBuilder.build();
    JcaPKCS8Generator gen = new JcaPKCS8Generator(privKey,oe);
    PemObject obj = gen.generate();

    PEMWriter pemWrt = new PEMWriter( new FileWriter("privatekey.pem"));
    pemWrt.writeObject(obj);
    pemWrt.close();

then afterwards you can get at the private key with openssl with

$ openssl rsa -in privatekey.pem -check
Enter pass phrase for privatekey.pem:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
.....
-----END RSA PRIVATE KEY-----

The "standard" use of PEMWriter will not passphrase protect your private key:(

Upvotes: 7

Related Questions