3

I'm writing a program that uses RSA for various tasks.
I know how to generate and write the key pair to file, but I cannot load the encrypted (AES-256-CFB) key pair to a KeyPair object.

So the question is: how do I load/decrypt an encrypted PEM key pair as a java.security.KeyPair object using the BouncyCastle library?

Thanks.

Generation/export code:

public void generateKeyPair(int keysize, File publicKeyFile, File privateKeyFile, String passphrase) throws FileNotFoundException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
    SecureRandom random = new SecureRandom();
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");

    generator.initialize(keysize, random);

    KeyPair pair = generator.generateKeyPair();
    Key pubKey = pair.getPublic();

    PEMWriter pubWriter = new PEMWriter(new FileWriter(publicKeyFile));
    pubWriter.writeObject(pubKey);
    pubWriter.close();
    PEMWriter privWriter = new PEMWriter(new FileWriter(privateKeyFile));
    if (passphrase == null) {
        privWriter.writeObject(pair);
    } else {
        PEMEncryptor penc = (new JcePEMEncryptorBuilder("AES-256-CFB"))
                .build(passphrase.toCharArray());

        privWriter.writeObject(pair, penc);
    }
    privWriter.close();
}
Improve this question
2
  • Why do you have AES keys for RSA tasks? Commented Sep 28, 2020 at 1:42
  • @MarquisofLorne He wants to encrypt an RSA private key for storing it in a file. Commented Sep 28, 2020 at 11:24

1 Answer 1

Reset to default
1

I am assuming that you have set BouncyCastle as the security provider, for example with:

Security.addProvider(new BouncyCastleProvider());

The code you provided creates two key files, one for the private key and one for the public key. However, the public key is implicitly contained in the private key, so we only have to read the private key file to reconstruct the key pair.

The main steps then are:

  • Creating a PEMParser to read from the key file.

  • Create a JcePEMDecryptorProvider with the passphrase required to decrypt the key.

  • Create a JcaPEMKeyConverter to convert the decrypted key to a KeyPair.

KeyPair loadEncryptedKeyPair(File privateKeyFile, String passphrase)
      throws FileNotFoundException, IOException {
  FileReader reader = new FileReader(privateKeyFile);
  PEMParser parser = new PEMParser(reader);
  Object o = parser.readObject();

  if (o == null) {
    throw new IllegalArgumentException(
        "Failed to read PEM object from file!");
  }

  JcaPEMKeyConverter converter = new JcaPEMKeyConverter();

  if (o instanceof PEMKeyPair) {
    PEMKeyPair keyPair = (PEMKeyPair)o;
    return converter.getKeyPair(keyPair);
  }

  if (o instanceof PEMEncryptedKeyPair) {
    PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair)o;

    PEMDecryptorProvider decryptor =
        new JcePEMDecryptorProviderBuilder().build(passphrase.toCharArray());

    return converter.getKeyPair(encryptedKeyPair.decryptKeyPair(decryptor));
  }

  throw new IllegalArgumentException("Invalid object type: " + o.getClass());
}

Example usage:

File privKeyFile = new File("priv.pem");
String passphrase = "abc";

try {
  KeyPair keyPair = loadEncryptedKeyPair(privKeyFile, passphrase);
} catch (IOException ex) {
  System.err.println(ex);
}

Reference: BouncyCastle unit test for key parsing (link).

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.