user3507885
Reputation: 121
Read an encrypted private key with bouncycastle/spongycastle
I have a password protected, encrypted RSA private key, which was created with PyCrypto (2.6.1) and has according to their docs the following format: PrivateKeyInfo, PKCS#8 (DER SEQUENCE), PEM (RFC1423), see
[https://www.dlitz.net/software/pycrypto/api/current/Crypto.PublicKey.RSA._RSAobj-class.html#exportKey].
How can I decrypt this RSA key with Bouncycastle/Spongycastle?
I've searched Google for quite a long time and only came up with results, that either won't work with version 1.50 (because PEMReader was deprecated and got removed) or with examples of PEMParser who seems to could not read this format. BTW: Is there any documentation on Bouncycastle I missed?
This is the header of my encrypted private key:
-----BEGIN PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,68949227DD8A502D
xyz...
I would really be thankful, if anyone could help me out!
Upvotes: 12
Views: 34651
Answers (4)
Stone
Reputation: 11
//https://stackoverflow.com/questions/7216969/getting-rsa-private-key-from-pem-base64-encoded-private-key-file
//https://stackoverflow.com/questions/5271189/how-to-convert-a-pkcs8-encoded-rsa-key-into-pkcs1-in-java
//https://stackoverflow.com/questions/22920131/read-an-encrypted-private-key-with-bouncycastle-spongycastle
private static void decrypt() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
// For JcaPEMKeyConverter().setProvider("BC")
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
String caPrivateKeyFname = "E:\\xxx\\key.pem";
FileInputStream fis = null;
try {
fis = new FileInputStream(caPrivateKeyFname);
} catch (FileNotFoundException e) {
e.printStackTrace();
}
//Load and parse PEM object
PEMParser pemParser = new PEMParser(new InputStreamReader(fis));
Object object = pemParser.readObject();
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
KeyPair kp;
//password
String pwd = "typePassword";
if (object instanceof PEMEncryptedKeyPair) {
// Encrypted key - we will use provided password
PEMEncryptedKeyPair ckp = (PEMEncryptedKeyPair) object;
PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(pwd.toCharArray());
kp = converter.getKeyPair(ckp.decryptKeyPair(decProv));
} else {
// Unencrypted key - no password needed
PEMKeyPair ukp = (PEMKeyPair) object;
kp = converter.getKeyPair(ukp);
}
// RSA
KeyFactory keyFac = KeyFactory.getInstance("RSA");
RSAPrivateCrtKeySpec privateKey = keyFac.getKeySpec(kp.getPrivate(), RSAPrivateCrtKeySpec.class);
PrivateKey privateKey1 = keyFac.generatePrivate(privateKey);
//This is the same as the output below
Base64Encoder.encode(privateKey1.getEncoded());
PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(privateKey1.getEncoded());
ASN1Encodable privateKeyPKCS1ASN1Encodable = pkInfo.parsePrivateKey();
ASN1Primitive privateKeyPKCS1ASN1 = privateKeyPKCS1ASN1Encodable.toASN1Primitive();
SONBASE64Encoder encoder = new SONBASE64Encoder();
System.out.println(encoder.encode(privateKeyPKCS1ASN1.getEncoded()));
}
The above code should solve the decryption problem and put pkcs8 encoded rsa-key into pkcs1
Upvotes: 1
Bludwarf
Reputation: 908
To sum up what I found on this topic here and there :
Here is the final code if you want to get the modulus for example :
import java.io.FileReader;
import java.security.Security;
import java.security.KeyFactory
import org.bouncycastle.jce.provider.BouncyCastleProvider;
// Note that you need to add 'pkix' package. e.g. 'org.bouncycastle:bcpkix-jdk15on'
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
// For JcaPEMKeyConverter().setProvider("BC")
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
// Using bcpkix-jdk14-1.48
PEMParser pemParser = new PEMParser(new FileReader(file));
Object object = pemParser.readObject();
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
KeyPair kp;
if (object instanceof PEMEncryptedKeyPair)
{
// Encrypted key - we will use provided password
PEMEncryptedKeyPair ckp = (PEMEncryptedKeyPair) object;
PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(password.toCharArray());
kp = converter.getKeyPair(ckp.decryptKeyPair(decProv));
}
else
{
// Unencrypted key - no password needed
PEMKeyPair ukp = (PEMKeyPair) object;
kp = converter.getKeyPair(ukp);
}
// RSA
KeyFactory keyFac = KeyFactory.getInstance("RSA");
RSAPrivateCrtKeySpec privateKey = keyFac.getKeySpec(kp.getPrivate(), RSAPrivateCrtKeySpec.class);
return privateKey;
And then you can call for example :
privateKey.getModulus();
Upvotes: 15
Andy Brown
Reputation: 12999
The following static method will handle all the following PEM encoding styles for encrypted private keys:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
First ensure that you've registered BC as a security provider then you can use this method:
static public PrivateKey stringToPrivateKey(String s, String password)
throws IOException, PKCSException {
PrivateKeyInfo pki;
try (PEMParser pemParser = new PEMParser(new StringReader(s))) {
Object o = pemParser.readObject();
if (o instanceof PKCS8EncryptedPrivateKeyInfo) {
PKCS8EncryptedPrivateKeyInfo epki = (PKCS8EncryptedPrivateKeyInfo) o;
JcePKCSPBEInputDecryptorProviderBuilder builder =
new JcePKCSPBEInputDecryptorProviderBuilder().setProvider(bc);
InputDecryptorProvider idp = builder.build(password.toCharArray());
pki = epki.decryptPrivateKeyInfo(idp);
} else if (o instanceof PEMEncryptedKeyPair) {
PEMEncryptedKeyPair epki = (PEMEncryptedKeyPair) o;
PEMKeyPair pkp = epki.decryptKeyPair(new BcPEMDecryptorProvider(password.toCharArray()));
pki = pkp.getPrivateKeyInfo();
} else {
throw new PKCSException("Invalid encrypted private key class: " + o.getClass().getName());
}
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(bc);
return converter.getPrivateKey(pki);
}
}
Upvotes: 8
Monim
Reputation: 3577
Using the answer for this question you should do the following
File privateKeyFile = new File(privateKeyFileName); // private key file in PEM format
PEMParser pemParser = new PEMParser(new FileReader(privateKeyFile));
Object object = pemParser.readObject();
PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(password.toCharArray());
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
KeyPair kp;
if (object instanceof PEMEncryptedKeyPair) {
kp = converter.getKeyPair(((PEMEncryptedKeyPair) object).decryptKeyPair(decProv));
}
Then you can say
PrivateKey key = kp.getPrivateKey();
Upvotes: 1
Related Questions
- How to decrypt a pkcs8 encrypted private key using bouncy castle?
- Read RSA private key of format PKCS1 in JAVA
- How read a PKCS8 encrypted Private key which is also encoded in DER with bouncycastle?
- Read encrypted PKCS8 SpongyCastle Java
- Outputting encrypted PK8 private key from Java BouncyCastle
- Decrypt PEM private (RSA) key with Bouncy Castle
- RSA private Key decryption giving "InvalidCipherTextException" using bouncy castle
- How to read a password encrypted key with java?
- RSA - bouncycastle PEMReader returning PEMKeyPair instead of AsymmetricCipherKeyPair for reading private key
- Bouncycastle: how to create an encrypted PKCS8 representation of an RSA private key?