3

I'm writing a program that uses RSA for various tasks.
I know how to generate and write the key pair to file, but I cannot load the encrypted (AES-256-CFB) key pair to a KeyPair object.

So the question is: how do I load/decrypt an encrypted PEM key pair as a java.security.KeyPair object using the BouncyCastle library?

Thanks.

Generation/export code:

public void generateKeyPair(int keysize, File publicKeyFile, File privateKeyFile, String passphrase) throws FileNotFoundException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
    SecureRandom random = new SecureRandom();
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");

    generator.initialize(keysize, random);

    KeyPair pair = generator.generateKeyPair();
    Key pubKey = pair.getPublic();

    PEMWriter pubWriter = new PEMWriter(new FileWriter(publicKeyFile));
    pubWriter.writeObject(pubKey);
    pubWriter.close();
    PEMWriter privWriter = new PEMWriter(new FileWriter(privateKeyFile));
    if (passphrase == null) {
        privWriter.writeObject(pair);
    } else {
        PEMEncryptor penc = (new JcePEMEncryptorBuilder("AES-256-CFB"))
                .build(passphrase.toCharArray());

        privWriter.writeObject(pair, penc);
    }
    privWriter.close();
}
Improve this question
2
  • Why do you have AES keys for RSA tasks?
    – user207421
    Commented Sep 28, 2020 at 1:42
  • @MarquisofLorne He wants to encrypt an RSA private key for storing it in a file.
    – f9c69e9781fa194211448473495534
    Commented Sep 28, 2020 at 11:24

1 Answer 1

Reset to default
1

I am assuming that you have set BouncyCastle as the security provider, for example with:

Security.addProvider(new BouncyCastleProvider());

The code you provided creates two key files, one for the private key and one for the public key. However, the public key is implicitly contained in the private key, so we only have to read the private key file to reconstruct the key pair.

The main steps then are:

  • Creating a PEMParser to read from the key file.

  • Create a JcePEMDecryptorProvider with the passphrase required to decrypt the key.

  • Create a JcaPEMKeyConverter to convert the decrypted key to a KeyPair.

KeyPair loadEncryptedKeyPair(File privateKeyFile, String passphrase)
      throws FileNotFoundException, IOException {
  FileReader reader = new FileReader(privateKeyFile);
  PEMParser parser = new PEMParser(reader);
  Object o = parser.readObject();

  if (o == null) {
    throw new IllegalArgumentException(
        "Failed to read PEM object from file!");
  }

  JcaPEMKeyConverter converter = new JcaPEMKeyConverter();

  if (o instanceof PEMKeyPair) {
    PEMKeyPair keyPair = (PEMKeyPair)o;
    return converter.getKeyPair(keyPair);
  }

  if (o instanceof PEMEncryptedKeyPair) {
    PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair)o;

    PEMDecryptorProvider decryptor =
        new JcePEMDecryptorProviderBuilder().build(passphrase.toCharArray());

    return converter.getKeyPair(encryptedKeyPair.decryptKeyPair(decryptor));
  }

  throw new IllegalArgumentException("Invalid object type: " + o.getClass());
}

Example usage:

File privKeyFile = new File("priv.pem");
String passphrase = "abc";

try {
  KeyPair keyPair = loadEncryptedKeyPair(privKeyFile, passphrase);
} catch (IOException ex) {
  System.err.println(ex);
}

Reference: BouncyCastle unit test for key parsing (link).

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.