
How to read an OpenSSH or OpenSSL private key natively in Java?

I'd like to read an OpenSSL private key natively in Java, without using BouncyCastle.

I have searched far and wide for this, but I cannot find an answer. When you see a key like:

-----BEGIN EC PRIVATE KEY-----
...base64 here....
-----END EC PRIVATE KEY-----

What format is that? It appears to be the same encoding as OpenSSH keys (I think). It is not pkcs8, although OpenSSL allows you to convert its key format to pkcs8 using the pkcs8 command with the -topk8 argument.

I certainly cannot be the only person that has run into this problem, but despite extensive searching, I cannot find an answer. Thanks!

EDIT: None of the duplicates that were suggested talk about using a pure-Java solution (no openssl) and no Bouncy Castle. Please don't mark it as a duplicate unless this exact question has been asked.

It's easy for western developers to be ignorant of the way business is conducted in Asian countries. China, as an example, has an entire set of EC curves that are unheard of in OpenSSL and Bouncycastle, that are used in inter-business commerce, so the two tools, OpenSSL and Bouncycastle, are either very old versions or not available at all. Answers like "just use openssl" are neither helpful nor constructive.

https://tools.ietf.org/html/rfc5915

  1. Elliptic Curve Private Key Format

    This section gives the syntax for an EC private key. Computationally, an EC private key is an unsigned integer, but for representation, EC private key information SHALL have ASN.1 type ECPrivateKey:

ECPrivateKey ::= SEQUENCE {
 version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
 privateKey     OCTET STRING,
 parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
 publicKey  [1] BIT STRING OPTIONAL
}

The Base64 block between the Begin and End lines is the ASN.1-encoded private key data in the format bartonjs described in his answer. Without libraries that do the work for you, you have to do the loading yourself. An example of how to do that for RSA can e.g. be found here. Other formats can be loaded in a similar way by passing the corresponding algorithm name to KeyFactory.getInstance(...). In order to do this you have to parse the text at the begin block and do a mapping from the name there to the algorithm name to be used for the creation of the factory (most should be the same as provided in the block, but I'm not sure about the elliptic curve key used in the example you provided in your question).

The base64 block needs to be decoded to a byte array to pass it to the KeySpec.
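The two answers above describe the pieces (RFC 5915 structure, base64 decode, KeyFactory) but not how they fit together without Bouncy Castle. The following is an added example, written for this page and not code from either answerer or from the OpenJDK project: it hand-parses the RFC 5915 `ECPrivateKey` DER with a small bounds-checked cursor, pulls out the `namedCurve` OID, wraps the original SEC1 bytes in a PKCS#8 `PrivateKeyInfo` (the same outer structure `openssl pkcs8 -topk8` produces), and lets `KeyFactory.getInstance("EC")` do the rest. The class name `Sec1EcKeyReader` and all method names are the example's own. It assumes the key carries `parameters [0]` as a named curve (OpenSSL's default output; without it the curve is unknowable and the code refuses the key) and that the curve is one the JDK's EC provider implements. Rather than embedding a fixed key, `main` generates a P-256 key and serialises it the way OpenSSL would, so the demo is self-contained.

```java
import java.io.ByteArrayOutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

public final class Sec1EcKeyReader {

    // id-ecPublicKey, OID 1.2.840.10045.2.1, as DER content octets (no tag/length)
    private static final byte[] OID_ID_EC_PUBLIC_KEY = {0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01};

    /** Minimal bounds-checked DER cursor; just enough for the ECPrivateKey structure. */
    private static final class Der {
        final byte[] buf; int pos;
        Der(byte[] buf) { this.buf = buf; }
        int tag() { return buf[pos++] & 0xFF; }
        int length() {
            int len = buf[pos++] & 0xFF;
            if (len >= 0x80) {                                 // long form: low 7 bits = number of length octets
                int n = len & 0x7F;
                if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported DER length form");
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos++] & 0xFF);
            }
            if (pos + len > buf.length) throw new IllegalArgumentException("DER length runs past the input");
            return len;                                        // copyOfRange would silently zero-pad otherwise
        }
        int valueEnd() { int len = length(); return pos + len; }
        byte[] value(int len) { byte[] v = Arrays.copyOfRange(buf, pos, pos + len); pos += len; return v; }
    }

    /** Strips the PEM armour and base64-decodes the body. Legacy encrypted PEM (Proc-Type header) is rejected. */
    static byte[] pemToDer(String pem, String label) {
        String begin = "-----BEGIN " + label + "-----", end = "-----END " + label + "-----";
        int s = pem.indexOf(begin), e = pem.indexOf(end);
        if (s < 0 || e < s) throw new IllegalArgumentException("no " + label + " block found");
        String body = pem.substring(s + begin.length(), e);
        if (body.contains("Proc-Type:")) throw new IllegalArgumentException("encrypted legacy PEM is not supported");
        return Base64.getDecoder().decode(body.replaceAll("\\s", ""));
    }

    /** Parses RFC 5915 ECPrivateKey; returns {privateKey octets, namedCurve OID content octets}. */
    static byte[][] parseEcPrivateKey(byte[] der) {
        Der d = new Der(der);
        if (d.tag() != 0x30) throw new IllegalArgumentException("ECPrivateKey must be a SEQUENCE");
        int seqEnd = d.valueEnd();
        if (d.tag() != 0x02 || !Arrays.equals(d.value(d.length()), new byte[] {1}))
            throw new IllegalArgumentException("expected ECPrivateKey version 1");
        if (d.tag() != 0x04) throw new IllegalArgumentException("expected privateKey OCTET STRING");
        byte[] s = d.value(d.length()), curveOid = null;
        while (d.pos < seqEnd) {                                // optional parameters [0] and publicKey [1]
            int tag = d.tag(), end = d.valueEnd();
            if (tag == 0xA0) {                                  // ECParameters: only the namedCurve CHOICE is accepted
                if (d.tag() != 0x06) throw new IllegalArgumentException("only namedCurve parameters are supported");
                curveOid = d.value(d.length());
            } else if (tag != 0xA1) throw new IllegalArgumentException("unexpected field in ECPrivateKey");
            d.pos = end;                                        // publicKey [1] is derivable from s; skip it
        }
        if (curveOid == null) throw new IllegalArgumentException("key omits its curve; cannot build PKCS#8");
        return new byte[][] {s, curveOid};
    }

    /** Wraps the SEC1 DER in PKCS#8 PrivateKeyInfo (the structure `openssl pkcs8 -topk8` produces) and
     *  hands it to the JDK EC KeyFactory. SunEC tolerates the redundant inner parameters/publicKey. */
    static PrivateKey readSec1EcPrivateKey(String pem) throws GeneralSecurityException {
        byte[] sec1 = pemToDer(pem, "EC PRIVATE KEY");
        byte[] curveOid = parseEcPrivateKey(sec1)[1];
        byte[] algorithmIdentifier = tlv(0x30, tlv(0x06, OID_ID_EC_PUBLIC_KEY), tlv(0x06, curveOid));
        byte[] pkcs8 = tlv(0x30, tlv(0x02, new byte[] {0}), algorithmIdentifier, tlv(0x04, sec1));
        return KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }

    /** DER: tag, definite length (up to 65535), concatenated content. */
    private static byte[] tlv(int tag, byte[]... parts) {
        int n = 0;
        for (byte[] p : parts) n += p.length;
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (n < 0x80) out.write(n);
        else if (n < 0x100) { out.write(0x81); out.write(n); }
        else { out.write(0x82); out.write(n >> 8); out.write(n & 0xFF); }
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }

    /** Demo: generate a P-256 key, serialise it as OpenSSL does (RFC 5915 + namedCurve), read it back. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPrivateKey generated = (ECPrivateKey) kpg.generateKeyPair().getPrivate();
        byte[] p256 = {0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x03, 0x01, 0x07};      // 1.2.840.10045.3.1.7
        byte[] raw = generated.getS().toByteArray(), s = new byte[32];                       // fixed 32-byte scalar
        System.arraycopy(raw, Math.max(0, raw.length - 32), s, Math.max(0, 32 - raw.length), Math.min(raw.length, 32));
        byte[] sec1 = tlv(0x30, tlv(0x02, new byte[] {1}), tlv(0x04, s), tlv(0xA0, tlv(0x06, p256)));
        String pem = "-----BEGIN EC PRIVATE KEY-----\n"
                + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(sec1)
                + "\n-----END EC PRIVATE KEY-----\n";
        ECPrivateKey reloaded = (ECPrivateKey) readSec1EcPrivateKey(pem);
        System.out.println("curve bits: " + reloaded.getParams().getOrder().bitLength()
                + ", scalar round-trips: " + reloaded.getS().equals(generated.getS()));
    }
}
```

Three caveats a practitioner should keep in mind. First, the PKCS#8 wrapper only moves the curve OID to where `KeyFactory` expects it; the installed EC provider must still implement that curve, so for a curve the JDK does not know (the situation the question describes) `generatePrivate` throws `InvalidKeySpecException` and a provider that implements the curve is unavoidable. Second, the PEM label tells you which parser applies: "BEGIN PRIVATE KEY" is already PKCS#8 and needs only the base64 decode, "BEGIN EC PRIVATE KEY" is the RFC 5915 form handled above, and "BEGIN OPENSSH PRIVATE KEY" is OpenSSH's own openssh-key-v1 binary layout, not ASN.1, so this code does not apply to it (older ssh-keygen output in PEM form is the OpenSSL format). Third, when the PEM comes from an untrusted source, keep the length checks: a DER length that runs past the buffer must be rejected rather than padded, which is why the cursor checks `pos + len` before every read.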
