Java 11 - 椭圆曲线私钥 - java.security.InvalidKeyException：IOException：DER 输入，Integer 标签错误

Question

Small question regarding how to use an elliptic curve private key with java 11 please.

I have a those commands:

openssl pkcs12 -in file.p12 -out output.txt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

then, I can run cat on the output:

cat output.txt
Bag Attributes
    friendlyName: 
    localKeyID: 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MI[...]0=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: 
    localKeyID: 
subject=/CN=
issuer=/CN=
-----BEGIN CERTIFICATE-----
MII[...]Z
-----END CERTIFICATE-----

Note, I use [...] to redact the actual content.

And I just want to use this private key, the one in the -----BEGIN ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY----- block

Therefore, I tried the following: I first removed the BEGIN ENCRYPTED PRIVATE, the line breaks, the END ENCRYPTED PRIVATE KEY

        String privateKeyPEM = "MI[...]0="; //the same private key as above
        byte[] keyData = Base64.getDecoder().decode(privateKeyPEM);
        EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(keyData);
        KeyFactory kf = KeyFactory.getInstance("EC");
        PrivateKey privKey = kf.generatePrivate(privKeySpec);

However, I am getting this error:

aused by: java.security.InvalidKeyException: IOException : DER input, Integer tag error
    at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:350)
    at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:355)
    at jdk.crypto.ec/sun.security.ec.ECPrivateKeyImpl.<init>(ECPrivateKeyImpl.java:74)
    at jdk.crypto.ec/sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)
    at jdk.crypto.ec/sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)

May I ask what is the issue please? Also, may I ask how to fix it?

Thank you

Answer 1

There is no issue, but the (EC) key you try to read is an encrypted one - pure Java is not able to read this kind of keys.

You could write a lot of code to parse and decrypt the key or you use Bouncy Castle to do the job for you.

Add this line to the top of your program:

Security.addProvider(new BouncyCastleProvider());

then use this function, where String s takes the encrypted key including the "-- Begin -- / end strings:

static public PrivateKey stringToPrivateKey(String s, String password)
        throws IOException, PKCSException {
    PrivateKeyInfo pki;
    try (PEMParser pemParser = new PEMParser(new StringReader(s))) {
        Object o = pemParser.readObject();
        if (o instanceof PKCS8EncryptedPrivateKeyInfo) { // encrypted private key in pkcs8-format
            System.out.println("key in pkcs8 encoding");
            PKCS8EncryptedPrivateKeyInfo epki = (PKCS8EncryptedPrivateKeyInfo) o;
            System.out.println("epki:" + epki.getEncryptionAlgorithm().getAlgorithm());
            JcePKCSPBEInputDecryptorProviderBuilder builder =
                    new JcePKCSPBEInputDecryptorProviderBuilder().setProvider("BC");
            InputDecryptorProvider idp = builder.build(password.toCharArray());
            pki = epki.decryptPrivateKeyInfo(idp);
        } else if (o instanceof PEMEncryptedKeyPair) { // encrypted private key in pkcs8-format
            System.out.println("key in pkcs1 encoding");
            PEMEncryptedKeyPair epki = (PEMEncryptedKeyPair) o;
            PEMKeyPair pkp = epki.decryptKeyPair(new BcPEMDecryptorProvider(password.toCharArray()));
            pki = pkp.getPrivateKeyInfo();
        } else if (o instanceof PEMKeyPair) { // unencrypted private key
            System.out.println("key unencrypted");
            PEMKeyPair pkp = (PEMKeyPair) o;
            pki = pkp.getPrivateKeyInfo();
        } else {
            throw new PKCSException("Invalid encrypted private key class: " + o.getClass().getName());
        }
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
        return converter.getPrivateKey(pki);
    }
}