Re: OpenSSL newbie Question [Regd: java class to read a PEM file]

Hi,
If I may attempt a slightly better response than my first one! Sorry
to openssl-dev people about spamming your list with this. Probably
this email is better suited to openssl-users, so I'm cross-posting it.
(If anyone decides to reply, please reply to openssl-users!)
1. Dr Stephen N. Henson's link is an excellent document. Very helpful.
There is only one small gotcha I would like to add to that document,
The private key (or other data) takes the following form:
-----BEGIN RSA PRIVATE KEY-----
...base64 encoded data...
-----END RSA PRIVATE KEY-----
The line beginning DEK-Info contains two comma separated pieces of
information: the encryption algorithm name as used by
EVP_get_cipherbyname() and an 8 byte salt encoded as a set of
The "8 byte salt" also serves as the IV during decryption. So you use
it as "salt" for key-derivation, and then you use it again as IV for
decryption. It's dual-purpose. ;-)
The 8 byte salt will be 16 bytes when using AES:
BUT you only use the first 8 bytes as "Salt" during the
key-derivation. I think I spent about 10 hours trying to figure out
that little detail!
You do use all 16 bytes as the IV during the decryption.
2. Max Weijun Wang recommends using "KeyStore.getInstance("pkcs12")"
to load it. That's a great idea, but you probably need to get openssl
to output the file in "DER" format first:
openssl pkcs12 -export -in pkcs12.pem -out pkcs12.der
Java can read PKCS #12 files, but only in DER form. Not in OpenSSL's
PEM form. The "PKCS #12" file created by OpenSSL in PEM format is
actually just a series of X509 certificates and an encrypted private
key (usually using the "Traditional SSLeay Format"). If you have time
you can manually split out all those different PEM items (using cut &
paste) into separate files. You can then get "openssl" to decrypt the
RSA key into unencrypted PKCS #8 DER format (see below). Finally,
with all these files on your hard-drive, you can get Java to load
// Load the certs using this (pemOrDer is the file contents as a byte[]):
Certificate cert = CertificateFactory.getInstance("X.509")
        .generateCertificate(new ByteArrayInputStream(pemOrDer));
// Load the RSA private key using this (derOnly must be unencrypted PKCS #8 DER):
KeySpec spec = new PKCS8EncodedKeySpec(derOnly);
PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(spec);
3. What kind of PEM files are you importing? Java can already import
X509 certificates in PEM format no problem:
keytool -import -file x509.pem
Java is a little picky about carriage returns before and after the
Base64 section. I'm also not sure what "keytool" does if the PEM file
contains more than one certificate. If you're working directly in
Java, then newer versions of
"CertificateFactory.generateCertificates()" (> Java 5? Java 1.3
definitely had problems) can handle more than one cert in a PEM file
just fine. Java's very picky about comments in the PEM. Your PEM
files must only contain -----BEGIN THING----- and -----END THING-----.
Anything before and after the "BEGIN" and "END" sections will upset
X509 certificates in PEM are fine. But if you're trying to deal with
RSA or DSA encrypted private keys in Java, things get harder. You
need to decrypt them to "unencrypted pkcs8 format" using:
openssl pkcs8 -topk8 -nocrypt -outform DER
You can load the output of that directly into Java's
Above is how you can deal with this stuff manually with some help from
"openssl". There is a java library which can also do all of these
operations in pure java:
Commons-SSL currently only deals with the "reading" of this stuff.
For "writing" you still need openssl.
In particular, for RSA, DSA, and PKCS #12 files in PEM, I think you're
probably better off with the Commons-SSL library's PKCS8Key class as
opposed to messing around on the command line and cutting & pasting
and all that.
On 11/27/06, Julius Davies
> Hi, Isvaran,
> The Commons-SSL "KeyStoreBuilder" utility might help you.
> You could also take a look at the PKCS8Key, PEMUtil and PEMItem classes.
> Good luck!
> On 11/27/06, Dr. Stephen Henson
> > On Mon, Nov 27, 2006, Isvaran Krishnamurthy wrote:
> > > Hi,
> > >
> > > I have a requirement to read a PEM file and import it in to a java JKS
> > > store.
> > > I am looking at a pure java solution (no JNI / library dependancy).
> > > I need to know the format of the PEM file and the relationship between
> > > each entry in the PEM file (if any).
> > > I tried to find documentation of the PEM format on the web to no avail.
> > > I would greatly appreciate it if any of you fine folks would help me out
> > > by providing info on the PEM file format.
> > >
> > There is extensive information in the pem manual page describing the main
> > format, the encoded structures and the various types of encryption used. This
> > is in every OpenSSL distribution or at:
> > http://www.openssl.org/docs/crypto/pem.html
> > Steve.
> > --
> > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> > OpenSSL project core developer and freelance consultant.
> > Funding needed! Details on homepage.
> > Homepage: http://www.drh-consultancy.demon.co.uk
> > __________________________________________________ ____________________
> > OpenSSL Project http://www.openssl.org
> > Development Mailing List email@example.com
> > Automated List Manager firstname.lastname@example.org
> Julius Davies
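The following is an added example, not code from the thread above or from Commons-SSL: a POSIX shell script that walks an OpenSSL "traditional" encrypted RSA PEM through every step a pure-Java reader would have to reproduce, using only the openssl command line, and checks the points made in the post (the 16-byte DEK-Info IV for AES, MD5-based EVP_BytesToKey with only the first 8 bytes as salt, the full 16 bytes as CBC IV, the bare PKCS #1 result, and "pkcs8 -topk8 -nocrypt" as the route to PKCS #8 DER). It assumes openssl 1.1 or newer on PATH (for "pkey -traditional"); the password "secret", the generated key and the file names in the scratch directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): check, with only the openssl CLI,
#   - DEK-Info carries a 16-byte IV for AES (32 hex digits);
#   - the key is EVP_BytesToKey(MD5, 1 iteration) salted with the FIRST
#     8 bytes of that IV, while the whole 16 bytes are the CBC IV;
#   - the decrypted body is a bare PKCS#1 RSAPrivateKey, and
#     "pkcs8 -topk8 -nocrypt" turns it into the PKCS#8 DER Java wants.
# Assumed: openssl >= 1.1 on PATH (pkey -traditional), POSIX sh.
# The password and the key generated below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=secret

# Print the bytes of a hex string (POSIX printf has no \x, so go via octal).
hex2bin() {
    _hex=$1
    while [ -n "$_hex" ]; do
        _byte=$(printf '%s' "$_hex" | cut -c1-2)
        printf "\\$(printf '%03o' "$((0x$_byte))")"
        _hex=${_hex#??}
    done
}

# 1. Fresh key, written in the legacy PEM form (Proc-Type/DEK-Info headers,
#    "RSA PRIVATE KEY" armour) encrypted with AES-128-CBC.
make_legacy_key() {
    openssl genrsa -out "$WORK/plain.pem" 2048 2>/dev/null
    openssl pkey -in "$WORK/plain.pem" -traditional -aes-128-cbc \
        -passout "pass:$PASS" -out "$WORK/enc.pem"
}

# 2. The two halves of "DEK-Info: AES-128-CBC,<hex iv>".
dek_cipher() { sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$WORK/enc.pem"; }
dek_iv()     { sed -n 's/^DEK-Info: *[^,]*,\([0-9A-Fa-f]*\).*/\1/p' "$WORK/enc.pem"; }
dek_salt()   { dek_iv | cut -c1-16; }     # first 8 bytes of the IV only

# 3. Key derivation. "openssl enc -P" runs EVP_BytesToKey with the given
#    digest, salt and one iteration, and prints the key it would use.
derive_key() {
    openssl enc "-$(dek_cipher | tr 'A-Z' 'a-z')" -md md5 -S "$(dek_salt)" \
        -pass "pass:$PASS" -P </dev/null 2>/dev/null | sed -n 's/^key=//p'
}

# The same by hand: a 16-byte key is simply MD5(password || salt). $1 = hex salt.
md5_key() {
    { printf '%s' "$PASS"; hex2bin "$1"; } | openssl dgst -md5 \
        | sed 's/.*= //' | tr 'a-f' 'A-F'
}

# 4. Strip the armour, base64-decode, decrypt with the FULL 16-byte IV.
#    $1 = hex key, $2 = output file.
decrypt_body() {
    grep -E '^[A-Za-z0-9+/=]+$' "$WORK/enc.pem" | openssl base64 -d \
        > "$WORK/body.bin"
    openssl enc -d "-$(dek_cipher | tr 'A-Z' 'a-z')" -K "$1" -iv "$(dek_iv)" \
        -in "$WORK/body.bin" -out "$2"
}

modulus() { openssl rsa -in "$1" -inform "$2" -noout -modulus 2>/dev/null; }

# Salt = 8 bytes, IV = 16 bytes: prints "match" when the key round-trips.
check_legacy_pem() {
    make_legacy_key
    key=$(derive_key)
    [ "$key" = "$(md5_key "$(dek_salt)")" ] || { echo kdf-mismatch; return 1; }
    decrypt_body "$key" "$WORK/key.der"
    if [ "$(modulus "$WORK/key.der" DER)" = "$(modulus "$WORK/plain.pem" PEM)" ]
    then echo match; else echo mismatch; fi
}

# The mistake the post warns about: salting with all 16 bytes. The key is
# wrong and the "decrypted" bytes are not an RSA key: prints "rejected".
wrong_salt_fails() {
    if decrypt_body "$(md5_key "$(dek_iv)")" "$WORK/wrong.der" 2>/dev/null \
        && modulus "$WORK/wrong.der" DER >/dev/null
    then echo parsed; else echo rejected; fi
}

# 5. key.der is a bare PKCS#1 RSAPrivateKey (no algorithm OID). pkcs8 -topk8
#    -nocrypt decrypts AND wraps it in PrivateKeyInfo, the form Java's
#    PKCS8EncodedKeySpec accepts. Each prints how many "rsaEncryption" OIDs
#    asn1parse finds: 0 for PKCS#1, 1 for PKCS#8.
oid_count_pkcs1() {
    openssl asn1parse -inform DER -in "$WORK/key.der" | grep -c rsaEncryption || true
}
oid_count_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$WORK/enc.pem" -passin "pass:$PASS" \
        -outform DER -out "$WORK/key.p8.der"
    openssl asn1parse -inform DER -in "$WORK/key.p8.der" | grep -c rsaEncryption
}

check_legacy_pem
wrong_salt_fails
oid_count_pkcs1
oid_count_pkcs8
```

For a 3DES key (DES-EDE3-CBC, 24-byte key, 8-byte IV) the md5_key shortcut no longer applies, because EVP_BytesToKey has to run a second MD5 round to get 24 bytes, but "openssl enc -P" and every other step above stay the same; the DER written to key.p8.der is what a Java program would pass to PKCS8EncodedKeySpec.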