使用 bouncycastle 在 java 中导入 PEM 加密密钥对

Question

I'm writing a program that uses RSA for various tasks.
I know how to generate and write the key pair to file, but I cannot load the encrypted (AES-256-CFB) key pair to a KeyPair object.

So the question is: how do I load/decrypt an encrypted PEM key pair as a java.security.KeyPair object using the BouncyCastle library?

Thanks.

Generation/export code:

public void generateKeyPair(int keysize, File publicKeyFile, File privateKeyFile, String passphrase) throws FileNotFoundException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
    SecureRandom random = new SecureRandom();
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");

    generator.initialize(keysize, random);

    KeyPair pair = generator.generateKeyPair();
    Key pubKey = pair.getPublic();

    PEMWriter pubWriter = new PEMWriter(new FileWriter(publicKeyFile));
    pubWriter.writeObject(pubKey);
    pubWriter.close();
    PEMWriter privWriter = new PEMWriter(new FileWriter(privateKeyFile));
    if (passphrase == null) {
        privWriter.writeObject(pair);
    } else {
        PEMEncryptor penc = (new JcePEMEncryptorBuilder("AES-256-CFB"))
                .build(passphrase.toCharArray());

        privWriter.writeObject(pair, penc);
    }
    privWriter.close();
}

Answer 1

I am assuming that you have set BouncyCastle as the security provider, for example with:

Security.addProvider(new BouncyCastleProvider());

The code you provided creates two key files, one for the private key and one for the public key. However, the public key is implicitly contained in the private key, so we only have to read the private key file to reconstruct the key pair.

The main steps then are:

• Creating a PEMParser to read from the key file.

• Create a JcePEMDecryptorProvider with the passphrase required to decrypt the key.

• Create a JcaPEMKeyConverter to convert the decrypted key to a KeyPair .

KeyPair loadEncryptedKeyPair(File privateKeyFile, String passphrase)
      throws FileNotFoundException, IOException {
  FileReader reader = new FileReader(privateKeyFile);
  PEMParser parser = new PEMParser(reader);
  Object o = parser.readObject();

  if (o == null) {
    throw new IllegalArgumentException(
        "Failed to read PEM object from file!");
  }

  JcaPEMKeyConverter converter = new JcaPEMKeyConverter();

  if (o instanceof PEMKeyPair) {
    PEMKeyPair keyPair = (PEMKeyPair)o;
    return converter.getKeyPair(keyPair);
  }

  if (o instanceof PEMEncryptedKeyPair) {
    PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair)o;

    PEMDecryptorProvider decryptor =
        new JcePEMDecryptorProviderBuilder().build(passphrase.toCharArray());

    return converter.getKeyPair(encryptedKeyPair.decryptKeyPair(decryptor));
  }

  throw new IllegalArgumentException("Invalid object type: " + o.getClass());
}

Example usage:

File privKeyFile = new File("priv.pem");
String passphrase = "abc";

try {
  KeyPair keyPair = loadEncryptedKeyPair(privKeyFile, passphrase);
} catch (IOException ex) {
  System.err.println(ex);
}

Reference: BouncyCastle unit test for key parsing ( link ).