
List:       bouncycastle-crypto-dev
Subject:    Re: [dev-crypto] Writing PKCS#8 key file encrypted with PKCS#5v2
From:       David Hook <dgh () lockboxlabs ! com>
Date:       2010-02-06 23:57:51
Message-ID: 1265500671.2199.95.camel () echidna


The javax.crypto.EncryptedPrivateKeyInfo object produces the DER
encoding for the PKCS#8 format. This is actually different to what the
PEMWriter produces as it's for dealing with the OpenSSL format, but at
any rate base64 encoding the output and adding a PEM header and footer
will give you something close to what you want.

There may be an issue with having the correct algorithm parameters for
the other end - I think the BC PBE algorithms are all either PKCS5
scheme 1 or PKCS12 based although we provide lightweight support for
PKCS#5 scheme 2. So while the basic approach will allow you to break
free of the OpenSSL constraint, there may still be some internal BC work
required.

It would be useful if you could get a key in a format that's acceptable
and attach it to the JIRA issue.

Regards,

David

On Sat, 2010-02-06 at 18:09 +1100, Peter Dettman wrote:
> Hi Armen,
> Your summary is correct: all the underlying formats and functionality 
> are there, but there a couple of things missing that would make your 
> life a lot easier.
> 
> I've opened a JIRA to track this: 
> http://www.bouncycastle.org/jira/browse/BJA-243
> 
> Cheers,
> Pete.
> 
> 
> Hamstra, Armen wrote:
> > Hello all,
> > 
> > In the 1.45 version of Bouncy Castle for Java, I'm attempting to take a generated
> > RSA PrivateKey and write it out in PEM format. Previously, we did this
> > successfully with PEMWriter. So far, so good. However, due to needing to comply
> > with FIPS 140-2, the format is not acceptable anymore. We now need to encode in
> > PKCS#8 format with PKCS#5v2 encryption. It must be in PEM format, not the binary
> > DER.
> > 
> > I'm attempting to figure out how to do this with BC. Is there a straightforward
> > way to get this format? I'm expecting my file to start with
> > "-----BEGIN ENCRYPTED PRIVATE KEY-----". The current PEMWriter doesn't seem to be
> > able to produce this version of the file.
> > 
> > I've done a search of the lists, and didn't find an answer to this question. If
> > it's a repeat, I apologize; I'm happy to be linked to the existing discussion.
> > I've also searched the code for the "ENCRYPTED PRIVATE KEY" text and failed to
> > find it. I'm hoping I'm missing something! Other searches seem to indicate each
> > piece of this puzzle exists, but can they be done together?
> > 
> > Armen Hamstra
> > Software Engineer
> > Hewlett-Packard Company
> > 
> > 
> 
> 


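The approach David describes, as an added illustration that is not code from this thread or from Bouncy Castle: on a JDK 8 or later JCE that supports PBES2 (the "PBEWithHmacSHA256AndAES_256" transformation is assumed available), javax.crypto.EncryptedPrivateKeyInfo emits the DER PKCS#8 EncryptedPrivateKeyInfo, and base64 plus the ENCRYPTED PRIVATE KEY header and footer turns it into the PEM file Armen expects. The read-back half shows that the PBES2 parameters stored in the file (salt, iteration count, PRF, IV) are all a reader needs to recover the key, given the passphrase.

```java
import java.io.IOException;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;
public class EncryptedPkcs8Pem {
    // PBES2 (PKCS#5 v2): PBKDF2 with HMAC-SHA256 for key derivation, AES-256-CBC for encryption.
    static final String PBES2_ALG = "PBEWithHmacSHA256AndAES_256";
    static final int ITERATIONS = 600_000;
    static final String HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
    static final String FOOTER = "-----END ENCRYPTED PRIVATE KEY-----";
    /** Encrypt the PKCS#8 PrivateKeyInfo under PBES2 and wrap the DER EncryptedPrivateKeyInfo in PEM armour. */
    static String toEncryptedPem(PrivateKey key, char[] password) throws GeneralSecurityException, IOException {
        byte[] salt = new byte[16], iv = new byte[16];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt); rnd.nextBytes(iv);
        SecretKey pbeKey = SecretKeyFactory.getInstance(PBES2_ALG).generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(PBES2_ALG);
        cipher.init(Cipher.ENCRYPT_MODE, pbeKey, new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        byte[] encrypted = cipher.doFinal(key.getEncoded()); // key.getEncoded() is the DER PrivateKeyInfo
        // cipher.getParameters() carries salt, iteration count, PRF and IV; EncryptedPrivateKeyInfo encodes
        // them as the PBES2 AlgorithmIdentifier (OID 1.2.840.113549.1.5.13) of the PKCS#8 structure.
        byte[] der = new EncryptedPrivateKeyInfo(cipher.getParameters(), encrypted).getEncoded();
        return HEADER + "\n" + Base64.getMimeEncoder(64, new byte[]{'\n'}).encodeToString(der) + "\n" + FOOTER + "\n";
    }
    /** Reverse the above: strip the armour, parse the DER, decrypt with the parameters stored in the file. */
    static PrivateKey fromEncryptedPem(String pem, char[] password) throws GeneralSecurityException, IOException {
        String b64 = pem.replace(HEADER, "").replace(FOOTER, "").replaceAll("\\s", "");
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(Base64.getDecoder().decode(b64));
        SecretKey pbeKey = SecretKeyFactory.getInstance(PBES2_ALG).generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(PBES2_ALG);
        cipher.init(Cipher.DECRYPT_MODE, pbeKey, epki.getAlgParameters()); // salt, count and IV from the file
        PKCS8EncodedKeySpec spec = epki.getKeySpec(cipher); // fails with InvalidKeySpecException on a wrong passphrase
        return KeyFactory.getInstance("RSA").generatePrivate(spec);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey priv = kpg.generateKeyPair().getPrivate();
        char[] pw = "constructed-demo-passphrase".toCharArray(); // constructed sample value, not a real secret
        String pem = toEncryptedPem(priv, pw);
        System.out.print(pem);
        PrivateKey back = fromEncryptedPem(pem, pw);
        System.out.println("round trip ok: " + java.util.Arrays.equals(priv.getEncoded(), back.getEncoded()));
    }
}
```

The output is a standard PEM-armoured PKCS#8 EncryptedPrivateKeyInfo, so it can also be checked against an independent PKCS#8 reader rather than only against this code's own read-back.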