If I may attempt a slightly better response than my first one! Sorry
to openssl-dev people about spamming your list with this. Probably
this email is better suited to openssl-users, so I'm cross-posting it.
(If anyone decides to reply, please reply to openssl-users!)

1. Dr Stephen N. Henson's link is an excellent document. Very helpful.

There is only one small gotchya I would like to add to that document,
regarding this:

The private key (or other data) takes the following form:

Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89

...base64 encoded data...

The line beginning DEK-Info contains two comma separated pieces of
information: the encryption algorithm name as used by
EVP_get_cipherbyname() and an 8 byte salt encoded as a set of
hexadecimal digits.

The "8 byte salt" also serves as the IV during decryption. So you use
it as "salt" for key-derivation, and then you use it again as IV for
decryption. It's dual-purpose. ;-)

The 8 byte salt will be 16 bytes when using AES:

DEK-Info: AES-256-CBC,1876F5A50C9046D504D47B2BF8951875

BUT you only use the first 8 bytes as "Salt" during the
key-derivation. I think I spent about 10 hours trying to figure out
that little detail!

You do use all 16 bytes as the IV during the decryption.

2. Max Weijun Wang recommends using "KeyStore.getInstance("pkcs12")"
to load it. That's a great idea, but you probably need to get openssl
to output the file in "DER" format first:

openssl pkcs12 -in pkcs12.pem -out pkcs12.der -outform DER

Java can read PKCS #12 files, but only in DER form. Not in OpenSSL's
PEM form. The "PKCS #12" file created by OpenSSL in PEM format is
actually just a series of X509 certificates and an encrypted private
key (usually using the "Traditional SSLeay Format"). If you have time
you can manually split out all those different PEM items (using cut &
paste) into separate files. You can then get "openssl" to decrypt the
RSA key into unencrypted PKCS #8 DER format (see below). Finally,
with all these files on your hard-drive, you can get Java to load

// Load the certs using this:
CertificateFactory.generateCertificate( byte[] pemOrDer );

// Load the RSA private key using this:
KeySpec spec = new PKCS8EncodedKeySpe( byte[] derOnly );

3. What kind of PEM files are you importing? Java can already import
X509 certificates in PEM format no problem:

keytool -import -file x509.pem

Java is a little picky about carriage returns before and after the
Base64 section. I'm also not sure what "keytool" does if the PEM file
contains more than one certificate. If you're working directly in
Java, then newer versions of
"CertificateFactory.generateCertificates()" (> Java 5? Java 1.3
definitely had problems) can handle more than one cert in a PEM file
just fine. Java's very picky about comments in the PEM. Your PEM
files must only contain -----BEGIN THING----- and -----END THING-----.
Anything before and after the "BEGIN" and "END" sections will upset

X509 certificates in PEM are fine. But if you're trying to deal with
RSA or DSA encrypted private keys in Java, things get harder. You
need to decrypt them to "unencrypted pkcs8 format" using:

openssl pkcs8 -topk8 -nocrypt -outform DER

You can load the output of that directly into Java's
"java.security.spec.PKCS8EncodedKeySpec" class.

Above is how you can deal with this stuff manually with some help from
"openssl". There is a java library which can also do all of these
operations in pure java:


Commons-SSL currently only deals with the "reading" of this stuff.
For "writing" you still need openssl.

In particular, for RSA, DSA, and PKCS #12 files in PEM, I think you're
probably better off with the Commons-SSL library's PKCS8Key class as
opposed to messing around on the command line and cutting & pasting
and all that.





On 11/27/06, Julius Davies wrote:
> Hi, Isvaran,
> The Commons-SSL "KeyStoreBuilder" utility might help you.
> http://juliusdavies.ca/commons-ssl/utilities.html
> You could also take a look at the PKCS8Key, PEMUtil and PEMItem classes.
> http://juliusdavies.ca/commons-ssl/javadocs/
> Good luck!
> yours,
> Julius
> On 11/27/06, Dr. Stephen Henson wrote:
> > On Mon, Nov 27, 2006, Isvaran Krishnamurthy wrote:
> >
> > > Hi,
> > >
> > > I have a requirement to read a PEM file and import it in to a java JKS
> > > store.
> > > I am looking at a pure java solution (no JNI / library dependancy).
> > > I need to know the format of the PEM file and the relationship between
> > > each entry in the PEM file (if any).
> > > I tried to find documentation of the PEM format on the web to no avail.
> > > I would greatly appreciate it if any of you fine folks would help me out
> > > by providing info on the PEM file format.
> > >

> >
> > There is extensive information in the pem manual page describing the main
> > format, the encoded structures and the various types of encryption used. This
> > is in every OpenSSL distribution or at:
> >
> > http://www.openssl.org/docs/crypto/pem.html
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> > OpenSSL project core developer and freelance consultant.
> > Funding needed! Details on homepage.
> > Homepage: http://www.drh-consultancy.demon.co.uk
> > __________________________________________________ ____________________
> > OpenSSL Project http://www.openssl.org
> > Development Mailing List openssl-dev@openssl.org
> > Automated List Manager majordomo@openssl.org
> >

> --
> yours,
> Julius Davies
> 416-652-0183
> http://juliusdavies.ca/


Julius Davies
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org