
How do I format an exported Vault private key for use?

I am running Vault locally, using the transit secret engine. Running locally in-memory, I have created an exportable private key that I can retrieve with the following information:

{
    "request_id": "ad4401f3-b88b-19f1-0bec-ce710dc647ee",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "keys": {
            "1": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAnLs+5HqCJzJBcdLU+m5hO70ELEBdh2Iy/dp4hGwR2dZiHYGD\nD7jUyTkjDAOpjqsCcqK/bAqCFS/1781s7n37IzVwtu4wU7fXjGdW7582QxfEpUms\n9IYFvzWfIhPDE5VmeXJb7yKiW8rySAbyqQ/ctmOUZtZi/PbHQgS3rmcLvOidp8kJ\nGLb7LYjsZB9tS+Hk4YWKo/3LEyyEkeWtUTQVKzkOOlOZtBmlSkkpz0nV0af/yqkT\nVvvh+RarwlrVwiJvgB8bpSq/gl68Fv28TKa7j0lsHINLgEy1W69KKXg8BVfZvxKn\nwwdtkhlnLN+qtuqk3uO4EOxzZojKdLTXEpp1QwIDAQABAoIBACfoKXBlnSQ70JwZ\n0a7eUhWy4BAgZ3AkWdV3Pj6Bgd4UjzDyHBvxtQRzbvANMqwn8Nydgd4RouOgLZ/c\nj4L+QubJIaUCav22DsUqPuGOiXN15tUrOEWepnH0RkuX+pDO9qOvsabnC64Rs7UR\nR9IyPsGWA2BX8CZ2829k4hwfEscLkae5KHd9bDvIRBH8XnafcUgf6cB3V3GVwZsU\nGuT1UUGcuubRXTrsOger9Rb0L3lgTXwpIXeOqAjeOEtjL6+bVOpMdiequmJf5VfK\nQ0If9gW6XHMQoPdx3+fBzC0/UU6BBNzfojZ9itHp1kQX3h7zilJbPJpm33Jgzg1J\nAUSPZtECgYEAzTmZwF0Mjb/FUZR884HZ23sVn81oW0mPDmgc3NtmY2YsRhyvd2nc\nsCAuQjDgmXyraEZ8IKoGQxHJn7t1yxpxISaGMCDQ1XvfHdSJxxQHGJW+/JjANN/F\nBGyMhCD3rQA8MIiDbe7PyfIhb2dOgza34e19V/5JwaCSd+nP4N10rXkCgYEAw4Ix\nTmY/RdhZABsPn0CymkJZ+y+rTKRNUNclNxuUAgVkOBlHt6ILa+B7gzI0bKX9+YZQ\nXIEsbREl6KvaJe9d5x/JHYcRhJJoHqPoJuvGlfxH7azEoyrdZcR57ayldhfVsvjJ\nsLD7b2lX9JzNnGtipx2PE4ppuB7oN5oU1VpulZsCgYAJHzNPUpN5RXney2vWYwIs\n+EaYyMeHrzhVmpkV1Aa0ClmTcDj4ZNMzXOrRdFy3VcxEoUVpKkWG+6ZrnCh7M5yt\nrYmvX/YIVy4upEDPgXtjQ1yu25dHgl6+eJiyUsjPfsAuJBM7cq73ufR0gDIEMQ1x\nVF4K6DmdCqcX/2OHCjDieQKBgQC7XtYUVgfDz5GUeVrifGXvUzHbexcHz9tNY7QF\n+YdC3Jns7cV+521cyPp2hTIbAobCkogH78B9EtcrAzCB9MMhE6RyiRUv4gSpgNqo\nGoTrD6p7zX1zB0zCEKfuMe0tnbAv4yGhFi0S3HnwNCsWAxC8KqcJyjiBvhU93Iyk\n4RNkiwKBgF8YeD0lrrD8C+gddQrhblTRA8mGvMKEfh992hG8bPpiac0n4uBe3bmH\nUvf66mHBScq/77bF4gMZpafWoTX7AAHS1NpIdg46WWUKQZTW593awCsjKByqxP0I\nFIsGZZNvdK2iw7iVAzIj1TqUdnpKjGw85iO0n2GsLTupy3qR7IdH\n-----END RSA PRIVATE KEY-----\n"
        },
        "name": "testkey",
        "type": "rsa-2048"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

I remove the newline characters and the header / footer, and get the following Base64 encoded string:

val privKeystring = "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"

But when I try to instantiate a PrivateKey object in Java (Kotlin), I get an "InvalidKeyException: algid parse error, not a sequence".

import java.security.KeyFactory
import java.security.spec.PKCS8EncodedKeySpec
import java.util.Base64

val privByteKey = Base64.getDecoder().decode(privKeystring)
val privKey = PKCS8EncodedKeySpec(privByteKey) // this spec is for a PKCS#8 PrivateKeyInfo blob
val privateKey = KeyFactory.getInstance("RSA").generatePrivate(privKey) // throws the exception in the stack trace below

Am I missing some other step to format Vault's output before I can use the private key?

Edit: Stack trace, as requested:

java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence
    at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:251) ~[na:na]
    at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:390) ~[na:na]
    at com.mycompany.testClass.service.MyService.testMethod(MyService.kt:83) ~[classes/:na]

Vault exports RSA keys in PKCS1 format by default. So you can consider converting PKCS1 format to PKCS8 format using openssl:

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in PKCS1_KEY.key -out PKCS8_KEY.key

and then use your code to read it as you do.

Or use BouncyCastle and its PEMReader to read this key:

import java.io.FileReader;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader; // pre-1.48 BouncyCastle API; current releases ship PEMParser plus JcaPEMKeyConverter in bcpkix instead

Security.addProvider(new BouncyCastleProvider());
// PEMReader extends BufferedReader, so it can be closed with try-with-resources.
// For a PKCS#1 "RSA PRIVATE KEY" block, readObject() returns a KeyPair.
try (PEMReader pemReader = new PEMReader(new FileReader("path/to/your/key/key.key"))) {
    KeyPair keyPair = (KeyPair) pemReader.readObject();
    PrivateKey aPrivate = keyPair.getPrivate();
}
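The reason the original code fails is the exact difference between the two formats. A PKCS#8 PrivateKeyInfo is SEQUENCE { INTEGER version, SEQUENCE AlgorithmIdentifier, OCTET STRING privateKey }, while Vault's PKCS#1 RSAPrivateKey is SEQUENCE { INTEGER version, INTEGER n, INTEGER e, ... }. KeyFactory reads the version, then expects the AlgorithmIdentifier SEQUENCE and finds the modulus INTEGER instead, which is precisely the "algid parse error, not a sequence" message. Removing the PEM header, footer and newlines does not change the DER bytes at all. The `openssl pkcs8 -topk8 -nocrypt` step above simply wraps the PKCS#1 bytes in that envelope; the same wrap can be done in plain JDK code, which is what the following class does. This is an added example written for this page, not code from the answer above or from Vault or BouncyCastle; the class and method names are mine, and it assumes an unencrypted export like the `keys."1"` value in the question and Java 8 or later. `main` runs a self-check with a freshly generated key (labelled as constructed in the code) so it can be tried without a Vault instance; with a real export, pass the PEM string to `loadPrivateKey`.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

/** Wraps Vault's PKCS#1 "RSA PRIVATE KEY" export in the PKCS#8 envelope the JDK KeyFactory expects, with no openssl or BouncyCastle. */
public final class VaultRsaKeyLoader {

    // DER of AlgorithmIdentifier { algorithm rsaEncryption (1.2.840.113549.1.1.1), parameters NULL }
    private static final byte[] RSA_ALGORITHM_ID = {
        0x30, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7,
        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00
    };
    // DER of INTEGER 0: the version field of both RSAPrivateKey (PKCS#1) and PrivateKeyInfo (PKCS#8)
    private static final byte[] VERSION_0 = {0x02, 0x01, 0x00};

    /** DER length octets: one byte below 128, otherwise 0x80|count followed by the big-endian length bytes. */
    static byte[] derLength(int len) {
        if (len < 0x80) return new byte[] {(byte) len};
        int count = (Integer.SIZE - Integer.numberOfLeadingZeros(len) + 7) / 8;
        byte[] out = new byte[count + 1];
        out[0] = (byte) (0x80 | count);
        for (int i = 0; i < count; i++) out[count - i] = (byte) (len >>> (8 * i));
        return out;
    }

    /** One DER tag-length-value element whose value is the concatenation of the given parts. */
    static byte[] tlv(int tag, byte[]... parts) {
        ByteArrayOutputStream value = new ByteArrayOutputStream();
        for (byte[] p : parts) value.write(p, 0, p.length);
        byte[] body = value.toByteArray();
        byte[] length = derLength(body.length);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        out.write(length, 0, length.length);
        out.write(body, 0, body.length);
        return out.toByteArray();
    }

    /** PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier rsaEncryption, OCTET STRING holding the PKCS#1 key }. */
    public static byte[] pkcs1ToPkcs8(byte[] pkcs1Der) {
        return tlv(0x30, VERSION_0, RSA_ALGORITHM_ID, tlv(0x04, pkcs1Der));
    }

    /**
     * Accepts the PEM as Vault returns it, with real newlines (vault CLI) or the literal "\n" escapes of the JSON
     * body, and either label: "RSA PRIVATE KEY" is PKCS#1 and gets wrapped, "PRIVATE KEY" is already PKCS#8.
     */
    public static PrivateKey loadPrivateKey(String pem) throws Exception {
        boolean pkcs1 = pem.contains("-----BEGIN RSA PRIVATE KEY-----");
        String base64 = pem.replace("\\n", "")
            .replaceAll("-----(BEGIN|END) (RSA )?PRIVATE KEY-----", "")
            .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs1 ? pkcs1ToPkcs8(der) : der));
    }

    /** RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv }: the PKCS#1 body Vault exports. */
    static byte[] toPkcs1(RSAPrivateCrtKey k) {
        return tlv(0x30, VERSION_0, integer(k.getModulus()), integer(k.getPublicExponent()),
            integer(k.getPrivateExponent()), integer(k.getPrimeP()), integer(k.getPrimeQ()),
            integer(k.getPrimeExponentP()), integer(k.getPrimeExponentQ()), integer(k.getCrtCoefficient()));
    }

    static byte[] integer(BigInteger v) { return tlv(0x02, v.toByteArray()); } // toByteArray() is minimal two's-complement, i.e. DER INTEGER content

    /** Signs with the loaded key and verifies with the matching public key; true means the envelope was right. */
    public static boolean signVerifyRoundTrip(String pem, byte[] message) throws Exception {
        RSAPrivateCrtKey priv = (RSAPrivateCrtKey) loadPrivateKey(pem);
        PublicKey pub = KeyFactory.getInstance("RSA")
            .generatePublic(new RSAPublicKeySpec(priv.getModulus(), priv.getPublicExponent()));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(priv);
        sig.update(message);
        byte[] signature = sig.sign();
        sig.initVerify(pub);
        sig.update(message);
        return sig.verify(signature);
    }

    /** Self-check without Vault: a constructed PKCS#1 PEM of the same shape as the export, built from a fresh JDK key. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        RSAPrivateCrtKey generated = (RSAPrivateCrtKey) kpg.generateKeyPair().getPrivate();
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
            .encodeToString(toPkcs1(generated));
        String pem = "-----BEGIN RSA PRIVATE KEY-----\n" + body + "\n-----END RSA PRIVATE KEY-----\n";
        boolean ok = signVerifyRoundTrip(pem, "constructed test message".getBytes(StandardCharsets.UTF_8));
        System.out.println("PKCS#1 -> PKCS#8 wrap " + (ok ? "verified" : "FAILED"));
    }
}
```

`loadPrivateKey` is the piece to drop into the Kotlin code from the question in place of the bare `PKCS8EncodedKeySpec` call. The sign/verify round trip is the check worth keeping in a test: a wrong envelope fails at `generatePrivate`, while a wrong INTEGER ordering inside a hand-built PKCS#1 body would load but fail to verify.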
