Java: how can I read a BouncyCastle private key PEM file using JCA?

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/14228282/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-10-31 15:31:36  Source: igfitidea

How can I read a BouncyCastle private key PEM file using JCA?

Tags: java, openssl, bouncycastle, pem, jca

Asked by Peter Becker

In one of our applications private keys are stored using BouncyCastle's PEMWriter. At the moment I am investigating if we can get rid of the BouncyCastle dependency since Java 7 seems to have everything we need. The only issue is that I can not read the private keys stored in the database as PEM-encoded strings (the certificates/public keys are fine).


If I save the PEM-encoded string of the private key from the database to a file I can run OpenSSL to convert the key to PKCS#8 format like this:


openssl pkcs8 -topk8 -inform PEM -outform DER \
              -in private_key.pem -out private_key.der -nocrypt

The resulting output I can base64 encode and then read using this bit of Java/JCA code:


import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.xml.bind.DatatypeConverter;

// privateKeyDERcontents: Base64 text of the PKCS#8 DER produced by the openssl command above
byte[] privateKeyBytes =
        DatatypeConverter.parseBase64Binary(privateKeyDERcontents);
PrivateKey prKey =
        KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(privateKeyBytes));

This private key matches the public key stored as expected, i.e. I can round-trip from plaintext to ciphertext and back.


The question I have is: can I directly read the original PEM encoding somehow?


EDIT


Here is a bit of code that reads the strings in question using BouncyCastle:


import java.io.StringReader;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;

// Register the BC provider once, then let PEMReader parse the PEM text into a JCA KeyPair
if (Security.getProvider("BC") == null) {
    Security.addProvider(new BouncyCastleProvider());
}
PEMReader pemReader = new PEMReader(new StringReader(privateKeyPEM));
KeyPair keyPair = (KeyPair) pemReader.readObject();
PrivateKey key = keyPair.getPrivate();

The "privateKeyPEM" is the PEM encoded string in the database, otherwise this example is self-contained. Interestingly it already uses the JCA KeyPair object as output. To rephrase my original question: can I do the equivalent of the code above without depending on PEMReader (and in turn quite a few other BouncyCastle classes)?


Answered by Nickolay Olshevsky

The key inside a PEM file is already stored in PKCS#8 format, so if it is not encrypted with a password you can just remove the headers (-----BEGIN RSA PRIVATE KEY-----), Base64-decode the input, and get the needed bytes.

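An added example (not code from the question, the answer, or BouncyCastle) that does what the question asks, reading the PEM text with JCA classes only, and that covers the point the answer's strip-and-decode recipe depends on: the PEM label decides what the decoded bytes are. A `-----BEGIN PRIVATE KEY-----` block carries a PKCS#8 PrivateKeyInfo, which PKCS8EncodedKeySpec accepts as-is. The `-----BEGIN RSA PRIVATE KEY-----` label shown in the answer, which OpenSSL and BouncyCastle's PEMWriter use for a bare RSA key (consistent with PEMReader handing the question a KeyPair), carries the PKCS#1 RSAPrivateKey structure; that is only the inner OCTET STRING payload of PKCS#8, which is why the question needed `openssl pkcs8 -topk8`. The reader below performs that wrapping in Java. It refuses encrypted blocks (`ENCRYPTED` labels or a `Proc-Type: 4,ENCRYPTED` header) instead of decoding them, since those need a passphrase and a KDF. The class name `PemPrivateKeyReader` and the method names are my own; the code assumes Java 8 or later for `java.util.Base64` (on Java 7, use `DatatypeConverter` as in the question).

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Added example: JCA-only PEM reader for unencrypted RSA private keys (PKCS#8 or PKCS#1 labels).
public final class PemPrivateKeyReader {

    private static final String PKCS8_LABEL = "PRIVATE KEY";      // PKCS#8 PrivateKeyInfo
    private static final String PKCS1_LABEL = "RSA PRIVATE KEY";  // PKCS#1 RSAPrivateKey

    // DER-encoded AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
    private static final byte[] RSA_ALGORITHM_ID = {
        0x30, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7,
        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00
    };

    public static PrivateKey readRsaPrivateKey(String pem) throws GeneralSecurityException {
        int begin = pem.indexOf("-----BEGIN ");
        if (begin < 0) throw new InvalidKeySpecException("no PEM BEGIN line");
        int labelStart = begin + "-----BEGIN ".length();
        int labelEnd = pem.indexOf("-----", labelStart);
        if (labelEnd < 0) throw new InvalidKeySpecException("malformed PEM BEGIN line");
        String label = pem.substring(labelStart, labelEnd).trim();
        int end = pem.indexOf("-----END " + label + "-----", labelEnd);
        if (end < 0) throw new InvalidKeySpecException("no matching END line for label " + label);
        String body = pem.substring(labelEnd + 5, end);
        // Encrypted keys need a passphrase and a KDF; refuse them rather than decode garbage.
        if (label.contains("ENCRYPTED") || body.contains("Proc-Type: 4,ENCRYPTED")) {
            throw new InvalidKeySpecException("encrypted PEM key; decrypt it before loading");
        }
        byte[] der = Base64.getDecoder().decode(body.replaceAll("\\s", ""));
        byte[] pkcs8;
        if (PKCS8_LABEL.equals(label)) {
            pkcs8 = der;                       // already a PrivateKeyInfo
        } else if (PKCS1_LABEL.equals(label)) {
            pkcs8 = wrapPkcs1InPkcs8(der);     // what "openssl pkcs8 -topk8" does
        } else {
            throw new InvalidKeySpecException("unsupported PEM label: " + label);
        }
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }

    // PrivateKeyInfo ::= SEQUENCE { version INTEGER 0, AlgorithmIdentifier, privateKey OCTET STRING }
    static byte[] wrapPkcs1InPkcs8(byte[] pkcs1) {
        ByteArrayOutputStream inner = new ByteArrayOutputStream();
        inner.write(new byte[] {0x02, 0x01, 0x00}, 0, 3);          // version 0
        inner.write(RSA_ALGORITHM_ID, 0, RSA_ALGORITHM_ID.length);
        inner.write(0x04);                                         // OCTET STRING tag
        writeLength(inner, pkcs1.length);
        inner.write(pkcs1, 0, pkcs1.length);
        byte[] content = inner.toByteArray();

        ByteArrayOutputStream outer = new ByteArrayOutputStream();
        outer.write(0x30);                                         // SEQUENCE tag
        writeLength(outer, content.length);
        outer.write(content, 0, content.length);
        return outer.toByteArray();
    }

    // DER length: one byte below 128, otherwise 0x80|n followed by n big-endian bytes.
    private static void writeLength(ByteArrayOutputStream out, int length) {
        if (length < 0x80) {
            out.write(length);
            return;
        }
        byte[] bytes = BigInteger.valueOf(length).toByteArray();
        int start = bytes[0] == 0 ? 1 : 0;                         // drop sign byte
        out.write(0x80 | (bytes.length - start));
        out.write(bytes, start, bytes.length - start);
    }

    // Self-check: write a fresh key as a PKCS#8 PEM block, read it back, compare encodings.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        byte[] encoded = pair.getPrivate().getEncoded();           // Sun provider emits PKCS#8
        String pem = "-----BEGIN PRIVATE KEY-----\n"
            + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(encoded)
            + "\n-----END PRIVATE KEY-----\n";
        PrivateKey loaded = readRsaPrivateKey(pem);
        System.out.println("round trip ok: " + Arrays.equals(loaded.getEncoded(), encoded));
    }
}
```

For the database strings in the question, call `readRsaPrivateKey(privateKeyPEM)` in place of the PEMReader code; a `-----BEGIN RSA PRIVATE KEY-----` block goes through `wrapPkcs1InPkcs8`, and the resulting key matches the stored public key just as the OpenSSL-converted one did. The reader deliberately handles only RSA: an EC key in PKCS#1-style `EC PRIVATE KEY` form would need a different AlgorithmIdentifier and KeyFactory, so it is rejected rather than silently misparsed.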