How to work with OPENSSH PRIVATE KEY in Java?

Question

I am generating a DSA key with the below command:

ssh-keygen -t dsa

Then I try to sign data using bouncycastle API like that:

    KeyFactory keyFactory = KeyFactory.getInstance("DSA");
    String privateKeyContent = // the content of the generated file

    //init privateKey
    byte[] pemContent = null;
    PEMParser pemParser = new PEMParser(new StringReader(privateKeyContent));
    Object pemObject = pemParser.readObject(); // throws

And getting this exception

java.io.IOException: unrecognised object: OPENSSH PRIVATE KEY

So I have been trying to convert the key file to PEM, using this example, and executing:

ssh-keygen -e -f key -m PEM > key.pem

But I am getting an error:

do_convert_to_pem: unsupported key type DSA

Any ideas on how to solve this?

Answer 1

There are a few things going on here.

1. You are generating keys using a pretty recent version of OpenSSH (which is good). These are now output in OpenSSH's new key format which the BouncyCastle API does not recognise as its a custom format.

2. You are generating a DSA key. OpenSSH deprecated use of DSA as it's not considered as secure as the other private key types provided like RSA, ECDSA, ED25519 etc. So whilst its letting you generate the key; its not letting you convert it.

I would recommend that you change the key type to an RSA key with 2048 bits (minimum). That will, however, not stop the BouncyCastle API error because it will still be in the new OpenSSH format.

It really depends on what you are doing with the key. If you not using it within an SSH API to authenticate to remote servers and simply want to sign data with BouncyCastle API then you would be better off generating the key using OpenSSL with the command

openssl genrsa -out private.pem 2048

This key should then be recognised by the BouncyCastle API.