Mark Pardijs

Reputation: 173

Bouncycastle encrypted private key PEM output: RSA PRIVATE KEY vs PRIVATE KEY

I'm having difficulties exchanging private keys between a client using Java Bouncycastle and a keyserver using Python RSA libraries. The PEM format is used to transfer the keys via REST. The keyserver can't decrypt the key I'm supplying (needed when the encryption password changes); it is expecting a PKCS#1 or PKCS#8 key with a PEM as follows:

-----BEGIN PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ACCB65DDEB20F5AB

EcU3fekuLeUc0viPJ20vAG+Jg1Igkvm+JTjnLmMBE6SwDS/hkf3KP0bFto7Pv6fJ

But bouncycastle's output, using JcePEMEncryptorBuilder and a JcaMiscPEMGenerator has a slightly different BEGIN string:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ACCB65DDEB20F5AB

EcU3fekuLeUc0viPJ20vAG+Jg1Igkvm+JTjnLmMBE6SwDS/hkf3KP0bFto7Pv6fJ

As I did some research, I learned that a PEM starting with BEGIN RSA PRIVATE KEY indicates the key is encoded using PKCS#1.

When I try to get a PKCS#8 encrypted output using JceOpenSSLPKCS8EncryptorBuilder and JcaPKCS8Generator I get a PEM as follows:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICrjAoBgoqhkiG9w0BDAEDMBoEFP+MLFFaKGC6J/37jF7wRgL3coZdAgIIAASC
AoAdWVo4kAQ1S0stQZbzca7wL876nzlKfcOa4BKsCttPnFVPugJOvGDnATgUK5P/

So my question is: is there a way to get bouncycastle to output a PEM with an encrypted private key in the form of BEGIN PRIVATE KEY or is the python library expecting the wrong format?

Next to that I can't get a grip on whether bouncycastle is using PKCS#1 or PKCS#8 in the JcePEMEncryptorBuilder. It's using PrivateKeyInfo#getEncoded but the documentation is not clear about the PKCS format.

Bouncycastle version: bcpkix-jdk15on 1.52

Upvotes: 3

Views: 1793

Answers (1)

Mark Pardijs

Reputation: 173

It turned out the Python lib was not handling all standard formats correctly, so we fixed it by using another Python lib which supports the format Bouncycastle is sending.

Upvotes: 0
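
An added example, not part of the original question or answer: a small Python check that reports which of the three PEM variants shown in the question a key is in, so the sender's output can be compared with what the receiving library accepts before any decryption is attempted. The function name, the result strings and the sample keys (placeholder bodies and IV) are constructed for illustration.

```python
import re

# BEGIN label -> ASN.1 structure the body holds (once decrypted, if encrypted).
CONTAINERS = {
    "RSA PRIVATE KEY": "PKCS#1 RSAPrivateKey",
    "PRIVATE KEY": "PKCS#8 PrivateKeyInfo",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 EncryptedPrivateKeyInfo",
}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
# Constructed samples: placeholder bodies and IV, not real key material.
LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----"""
PKCS8_ENC = """-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAA
-----END ENCRYPTED PRIVATE KEY-----"""


def describe_pem(text):
    """Return (label, container, encryption, dek_info) for the first PEM block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    match = BEGIN_RE.match(lines[0]) if lines else None
    if not match:
        raise ValueError("no PEM BEGIN line found")
    label = match.group(1)
    # RFC 1421-style "Name: value" headers sit between BEGIN and a blank line.
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            break
        name, _, value = ln.partition(":")
        headers[name.strip()] = value.strip()
    encryption, dek_info = "none", None
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        # Header-based encryption: cipher name and IV travel in DEK-Info.
        encryption = "PEM headers (Proc-Type/DEK-Info)"
        algo, _, iv = headers.get("DEK-Info", "").partition(",")
        dek_info = (algo, iv)
    elif label == "ENCRYPTED PRIVATE KEY":
        encryption = "PKCS#8 password-based"  # parameters are inside the DER
    return label, CONTAINERS.get(label, "unknown"), encryption, dek_info


if __name__ == "__main__":
    for sample in (LEGACY, PKCS8_ENC):
        print(describe_pem(sample))
```

The check reads only the armor and headers, so it also works on truncated input such as the snippets in the question.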
