文章/答案/技术大牛

发布

社区首页 >问答首页 >用程序解析加密PKCS#8编码的pem文件

问用程序解析加密PKCS#8编码的pem文件
EN

Stack Overflow用户

提问于 2020-09-10 15:00:06

回答 4查看 5.7K关注 0票数 1

我在弄清楚如何正确读取pem文件的私钥时遇到了困难。我已经讨论过关于堆栈溢出的不同主题，但我无法找到解决方案。我想要实现的是从类路径中读取pkcs#8编码文件中的加密私钥，并将其作为密钥项加载到内存密钥存储库中。下面是一个我试图解析的私钥示例，密码是secret。它纯粹是为在这里共享而创建的，所以它不是生产机器上使用的私钥。

我使用以下命令从一个p12文件创建了它：openssl pkcs12 -in key-pair.p12 -out key-pair.pem

有效示例(丢弃)密钥对

我知道BouncyCastle能够解析它，但我希望避免使用其他库。因此，我想知道是否可以使用普通的jdk或其他一些轻量级库。

我已经能够使用以下页眉/页脚解析私钥：

-----BEGIN PRIVATE KEY-----
           *
-----END PRIVATE KEY-----

和

-----BEGIN RSA PRIVATE KEY-----
           *
-----END RSA PRIVATE KEY-----

我已经使用了以下代码片段来完成这一任务：

import com.hierynomus.asn1.ASN1InputStream;
import com.hierynomus.asn1.encodingrules.der.DERDecoder;
import com.hierynomus.asn1.types.ASN1Object;
import com.hierynomus.asn1.types.constructed.ASN1Sequence;
import com.hierynomus.asn1.types.primitive.ASN1Integer;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

class App {

    private static final String KEYSTORE_TYPE = "PKCS12";
    private static final String KEY_FACTORY_ALGORITHM = "RSA";
    private static final String CERTIFICATE_TYPE = "X.509";

    private static final Pattern CERTIFICATE_PATTERN = Pattern.compile("-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);
    private static final Pattern PRIVATE_KEY_PATTERN = Pattern.compile("-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", Pattern.DOTALL);
    private static final Pattern ENCRYPTED_PRIVATE_KEY_PATTERN = Pattern.compile("-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----", Pattern.DOTALL);
    private static final Pattern RSA_PRIVATE_KEY_PATTERN = Pattern.compile("-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", Pattern.DOTALL);

    private static final String NEW_LINE = "\n";
    private static final String EMPTY = "";

    public static void main(String[] args) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, InvalidKeySpecException {
        String privateKeyContent = "";
        String certificateContent = "";

        PrivateKey privateKey = parsePrivateKey(privateKeyContent);
        Certificate[] certificates = parseCertificate(certificateContent).values()
                .toArray(new Certificate[]{});

        KeyStore keyStore = createEmptyKeyStore();
        keyStore.setKeyEntry("client", privateKey, null, certificates);
    }

    private static KeyStore createEmptyKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(null, null);
        return keyStore;
    }

    private static PrivateKey parsePrivateKey(String identityContent) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
        KeySpec keySpec = null;

        Matcher privateKeyMatcher = PRIVATE_KEY_PATTERN.matcher(identityContent);
        if (privateKeyMatcher.find()) {
            String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
            keySpec = new PKCS8EncodedKeySpec(decodedPrivateKeyContent);
        }

        privateKeyMatcher = RSA_PRIVATE_KEY_PATTERN.matcher(identityContent);
        if (privateKeyMatcher.find()) {
            String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
            keySpec = getKeySpecFromAsn1StructuredData(decodedPrivateKeyContent);
        }

        privateKeyMatcher = ENCRYPTED_PRIVATE_KEY_PATTERN.matcher(identityContent);
        if (privateKeyMatcher.find()) {
            String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
            keySpec = null; //TODO
        }

        Objects.requireNonNull(keySpec);

        KeyFactory keyFactory = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
        return keyFactory.generatePrivate(keySpec);
    }

    private static KeySpec getKeySpecFromAsn1StructuredData(byte[] decodedPrivateKeyContent) throws IOException {
        try(ByteArrayInputStream privateKeyAsInputStream = new ByteArrayInputStream(decodedPrivateKeyContent)) {
            ASN1InputStream stream = new ASN1InputStream(new DERDecoder(), privateKeyAsInputStream);
            ASN1Sequence asn1Sequence = stream.readObject();

            if (asn1Sequence.getValue().size() < 9) {
                throw new RuntimeException("Parsed key content doesn't have the minimum required sequence size of 9");
            }

            BigInteger modulus = extractIntValueFrom(asn1Sequence.get(1));
            BigInteger publicExponent = extractIntValueFrom(asn1Sequence.get(2));
            BigInteger privateExponent = extractIntValueFrom(asn1Sequence.get(3));
            BigInteger primeP = extractIntValueFrom(asn1Sequence.get(4));
            BigInteger primeQ = extractIntValueFrom(asn1Sequence.get(5));
            BigInteger primeExponentP = extractIntValueFrom(asn1Sequence.get(6));
            BigInteger primeExponentQ = extractIntValueFrom(asn1Sequence.get(7));
            BigInteger crtCoefficient = extractIntValueFrom(asn1Sequence.get(8));

            return new RSAPrivateCrtKeySpec(
                    modulus, publicExponent, privateExponent,
                    primeP, primeQ, primeExponentP, primeExponentQ, crtCoefficient
            );
        }
    }

    private static BigInteger extractIntValueFrom(ASN1Object<?> asn1Object) {
        if (asn1Object instanceof ASN1Integer) {
            return ((ASN1Integer) asn1Object).getValue();
        } else {
            throw new RuntimeException(String.format(
                    "Unable to parse the provided value of the object type [%s]. The type should be an instance of [%s]",
                    asn1Object.getClass().getName(), ASN1Integer.class.getName())
            );
        }
    }

    private static Map<String, Certificate> parseCertificate(String certificateContent) throws IOException, CertificateException {
        Map<String, Certificate> certificates = new HashMap<>();
        Matcher certificateMatcher = CERTIFICATE_PATTERN.matcher(certificateContent);

        while (certificateMatcher.find()) {
            String sanitizedCertificate = certificateMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedCertificate = Base64.getDecoder().decode(sanitizedCertificate);
            try(ByteArrayInputStream certificateAsInputStream = new ByteArrayInputStream(decodedCertificate)) {
                CertificateFactory certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
                Certificate certificate = certificateFactory.generateCertificate(certificateAsInputStream);
                certificates.put(UUID.randomUUID().toString(), certificate);
            }
        }

        return certificates;
    }

}

我还需要处理asn.1编码的私钥。我可以使用BouncyCastle，但我还是想避免使用它，因为我对替代方案很好奇。我受到了这个主题的启发：https://stackoverflow.com/a/42733858/6777695，但是从jdk 11开始，DerInputStream和DerValue就不再可以访问了。太阳包裹应该避免..。所以我发现了asn-一个java库来解析asn.1编码的私钥，它运行得很好。

我已经分享了处理其他案件的全部片段，所以当有人想要帮助我时，更容易尝试。

从以下文章：ASN.1 DER和PEM中的关键结构，我了解到具有以下页眉/页脚的私钥：-----BEGIN ENCRYPTED PRIVATE KEY----- * -----END ENCRYPTED PRIVATE KEY-----也是一个asn.1编码的私钥，其结构如下：

EncryptedPrivateKeyInfo ::= SEQUENCE {
  encryptionAlgorithm  EncryptionAlgorithmIdentifier,
  encryptedData        EncryptedData
}

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

我也尝试了这里提供的答案，如何用java读取密码加密密钥？，但这些也不起作用。但是，我不太清楚如何正确地将其解析为java对象并将其作为KeySpec加载。所以欢迎任何帮助！

======>根据dave_thompson_085的输入在12-09-2020年更新进展

Matcher privateKeyMatcher = Pattern.compile("-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----", Pattern.DOTALL)
        .matcher(identityContent);

if (privateKeyMatcher.find()) {
    String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
    byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
    try (ByteArrayInputStream privateKeyAsInputStream = new ByteArrayInputStream(decodedPrivateKeyContent)) {
        ASN1InputStream stream = new ASN1InputStream(new DERDecoder(), privateKeyAsInputStream);
        ASN1Sequence asn1Sequence = stream.readObject();

        ASN1OctetString privateKeyAsOctetString = (ASN1OctetString) asn1Sequence.get(1);
        ASN1OctetString saltAsOctetString = (ASN1OctetString) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(0)).get(1)).get(0);
        ASN1OctetString initializationVectorAsOctec = ((ASN1OctetString) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(1)).get(1));
        ASN1Integer iterationCount = (ASN1Integer) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(0)).get(1)).get(1);

        IvParameterSpec ivParameterSpec = new IvParameterSpec(initializationVectorAsOctec.getValue());

        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2withHmacSHA1");
        EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(secretKeyFactory.getAlgorithm(), privateKeyAsOctetString.getValue());

        int keyLength = encryptedPrivateKeyInfo.getEncoded().length;
        PBEKeySpec pbeKeySpec = new PBEKeySpec(keyPassword, saltAsOctetString.getValue(), iterationCount.getValue().intValue(), keyLength);

        Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding/");

        SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);

        cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec);
        PKCS8EncodedKeySpec keySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
    }
}

结果出现以下异常：java.security.InvalidKeyException: Wrong algorithm: DESede or TripleDES required on语句cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec);

======>根据Michael Fehr的输入在13-09-2020年更新进展

Matcher privateKeyMatcher = Pattern.compile("-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----", Pattern.DOTALL)
        .matcher(identityContent);

if (privateKeyMatcher.find()) {
    String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
    byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
    try (ByteArrayInputStream privateKeyAsInputStream = new ByteArrayInputStream(decodedPrivateKeyContent)) {
        ASN1InputStream stream = new ASN1InputStream(new DERDecoder(), privateKeyAsInputStream);
        ASN1Sequence asn1Sequence = stream.readObject();

        ASN1OctetString privateKeyAsOctetString = (ASN1OctetString) asn1Sequence.get(1);
        ASN1OctetString saltAsOctetString = (ASN1OctetString) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(0)).get(1)).get(0);
        ASN1OctetString initializationVectorAsOctec = ((ASN1OctetString) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(1)).get(1));
        ASN1Integer iterationCount = (ASN1Integer) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(0)).get(1)).get(1);

        IvParameterSpec ivParameterSpec = new IvParameterSpec(initializationVectorAsOctec.getValue());

        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2withHmacSHA1");
        EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(secretKeyFactory.getAlgorithm(), privateKeyAsOctetString.getValue());

        int keyLength = 24 * 8;
        PBEKeySpec pbeKeySpec = new PBEKeySpec(keyPassword, saltAsOctetString.getValue(), iterationCount.getValue().intValue(), keyLength);

        Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding/");

        SecretKey secretKeyPbkdf = secretKeyFactory.generateSecret(pbeKeySpec);
        SecretKey secretKey = new SecretKeySpec(secretKeyPbkdf.getEncoded(), "DESede");

        cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec);
        PKCS8EncodedKeySpec keySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
    }
}

java

ssl

encryption

keystore

pem

回答 4

Stack Overflow用户

发布于 2020-09-12 21:06:13

您所编辑的代码出现了一个错误"java.security.InvalidKeyException:错误的键大小“，这是因为您用以下行”读取“了keyLength：

int keyLength = encryptedPrivateKeyInfo.getEncoded().length;

对于给定的私钥，长度为1247位，这是不允许的TripleDES长度。您可以将其修复为(硬编码)：

int keyLength = 24 * 8;

现在我们得到了一个192位= 24字节的keyLength，这对于TripleDES键来说是可以的，但是我们收到了一个新的错误：

java.security.InvalidKeyException: Wrong algorithm: DESede or TripleDES required

造成这种行为的原因是下面的行(注释掉了)，这些行可以用两个额外的行来修复：

// SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec); // ### old routine
SecretKey secretKeyPbkdf = secretKeyFactory.generateSecret(pbeKeySpec); // ### new
SecretKey secretKey = new SecretKeySpec(secretKeyPbkdf.getEncoded(), "DESede"); // ### new

现在，您的代码正在成功运行并打印出私钥和证书：

original keyLength:  1247
fixed keyLength(bit): 192

privateKey:
SunRsaSign RSA private CRT key, 2048 bits
  params: null
  modulus: 18998199686208613730227071552042680566660281525162377778227794768879762338654464000476266705180956908841709177555966832423085875590556580445428066261332223955361646420713402269532603328557674453787190302285379571808527818182992417461094551685532849252957724361115461909983939654809533488667032982867230996411860328826589806804115764031480737011900431983025490936659008858316889367140757195359233313370592669605576636360123189540118611655293825465309125578750878878980002346272931570343463549347548711194000065166346537274382220211242975801253306067862461345994215674963367480607539333468674983712264803816027753559737
  private exponent: 2470690692670644289832084636740463653655882622624760758103597888447170520657826825702415751838767348735186037205082706146786714644526202528897926495648786865000645626802269367582073915029633022103975204027927584273373553784482725392082470421529769049284506228997163157587212073758970565083984956787424047216319298607371397767542633302071090323391531162434678662485530085857362259661656308472034152915312425224731842425134593468185574918070451135641322780271191791839285884885643517240131520070881951542294552185519522325857178404160441369354693465035929601010771762928436963178293113507661955562266846499005032897533

number of certificates: 1

certificate: 0 data:
[
[
  Version: V3
  Subject: CN=Hakan, OU=Amsterdam, O=Thunderberry, C=NL
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 18998199686208613730227071552042680566660281525162377778227794768879762338654464000476266705180956908841709177555966832423085875590556580445428066261332223955361646420713402269532603328557674453787190302285379571808527818182992417461094551685532849252957724361115461909983939654809533488667032982867230996411860328826589806804115764031480737011900431983025490936659008858316889367140757195359233313370592669605576636360123189540118611655293825465309125578750878878980002346272931570343463549347548711194000065166346537274382220211242975801253306067862461345994215674963367480607539333468674983712264803816027753559737
  public exponent: 65537
  Validity: [From: Mon Aug 31 10:07:39 CEST 2020,
               To: Thu Aug 29 10:07:39 CEST 2030]
  Issuer: CN=Hakan, OU=Amsterdam, O=Thunderberry, C=NL
  SerialNumber: [    5671c8dd]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.17 Criticality=true
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 127.0.0.1
]

[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 78 53 EC 04 E0 A1 55 45   22 C8 25 C4 3F F5 89 40  xS....UE".%.?..@
0010: 51 07 A8 03                                        Q...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 85 55 87 FC 28 19 D1 93   66 4D F8 85 00 E9 D6 75  .U..(...fM.....u
0010: A6 55 69 AE EF 00 53 D3   D9 86 D7 BA F9 58 60 84  .Ui...S......X`.
0020: 65 AE ED 01 FF 39 F6 31   FC 26 9F 95 B6 A3 50 AA  e....9.1.&....P.
0030: A0 1B A1 C9 F1 2B 92 41   78 69 13 35 BD DB 88 8A  .....+.Axi.5....
0040: B5 23 95 C1 F8 F9 C1 57   AD 5D A0 B6 59 DF 79 64  .#.....W.]..Y.yd
0050: E0 FE C2 49 99 8C E4 25   31 9E 38 8A 91 94 1D 47  ...I...%1.8....G
0060: 28 2A A8 78 D0 AB CA 49   1C B2 29 04 09 0D 67 0A  (*.x...I..)...g.
0070: AA F5 A8 B8 7D 0D 7B 14   81 65 56 E7 B6 16 AA F3  .........eV.....
0080: F5 3F CC 4E 3B 6F C9 F6   C8 4C 07 A9 4E 85 FB 69  .?.N;o...L..N..i
0090: 6B 0A EA 67 68 4D 1B C7   EA 30 A8 D5 56 E5 29 14  k..ghM...0..V.).
00A0: 13 51 F9 63 83 43 FA D1   46 DA 9A EA E5 36 57 C6  .Q.c.C..F....6W.
00B0: 8E 39 9C 75 40 95 24 4D   D3 7B E9 83 82 B8 61 13  .9.u@.$M......a.
00C0: ED E7 5E BE 3A 5D 6D 15   DD 7B E1 D0 37 A9 9B 4F  ..^.:]m.....7..O
00D0: D3 8B C5 26 47 3B 46 90   AC 3C 83 98 D8 69 69 51  ...&G;F..<...iiQ
00E0: EE 42 7F CA B5 83 56 09   9E FC 5C A2 BC C2 D5 67  .B....V...\....g
00F0: 7E 59 9F A8 4F DC F7 13   B5 9F F1 1C 56 F2 C2 76  .Y..O.......V..v

]

下面是在Open 11上运行的完整代码：

import com.hierynomus.asn1.ASN1InputStream;
import com.hierynomus.asn1.encodingrules.der.DERDecoder;
import com.hierynomus.asn1.types.ASN1Object;
import com.hierynomus.asn1.types.constructed.ASN1Sequence;
import com.hierynomus.asn1.types.primitive.ASN1Integer;
import com.hierynomus.asn1.types.string.ASN1OctetString;

import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// https://mvnrepository.com/artifact/com.hierynomus/asn-one/0.4.0
// additionally you need https://mvnrepository.com/artifact/org.slf4j/slf4j-api/1.7.30
// and https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.30
// https://mvnrepository.com/artifact/org.eclipse.equinox/org.apache.log4j/1.2.13.v200706111418

class MainOrg3 {

    private static final String KEYSTORE_TYPE = "PKCS12";
    private static final String KEY_FACTORY_ALGORITHM = "RSA";
    private static final String CERTIFICATE_TYPE = "X.509";

    private static final Pattern CERTIFICATE_PATTERN = Pattern.compile("-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);
    private static final Pattern PRIVATE_KEY_PATTERN = Pattern.compile("-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", Pattern.DOTALL);
    private static final Pattern ENCRYPTED_PRIVATE_KEY_PATTERN = Pattern.compile("-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----", Pattern.DOTALL);
    private static final Pattern RSA_PRIVATE_KEY_PATTERN = Pattern.compile("-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", Pattern.DOTALL);

    private static final String NEW_LINE = "\n";
    private static final String EMPTY = "";

    static char[] keyPassword = "secret".toCharArray();

    public static void main(String[] args) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, InvalidKeySpecException {
        String privateKeyContent = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" +
                "MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9/FSBonUacYCAggA\n" +
                "MBQGCCqGSIb3DQMHBAidGkS8wYhOpwSCBMi8JaSYOKudMNNFRpzL7QMIZgFtzDay\n" +
                "MmOroy3lW34dOa7dusqDl4d2gklKcHCpbEaTYxm5aQJ1LuiOdGtFy7HwxOvKU5xz\n" +
                "4qsJoeBIpE0eCTKjQW7/I38DzLXx2wUURqhMWOtFsWZEyR5Dqok3N9mIKKKBXAFG\n" +
                "AwNjlTRW2LyPSttiIUGN01lthjifMWoLTWB1aSGOmGeJRBdSZeqZ15xKneR4H5ja\n" +
                "yE88YcpOHCDKMIxi6ZVoKs7jDQhu8bBKqS8NsYyh1AlP9QkvWNal36jWSzhqYNzk\n" +
                "NRWUOZngfkdbMALVfRtbrC215jHGWVwosPIIs8rkoarRv8s6QWS1Rg3YfQ3qgcRf\n" +
                "s7hkDFKJf3TUXr+askfamV5hc300ZG64+ldX1YxWXY8Vd/wIvHAc/YE/lTyCgYrY\n" +
                "19Am6MNBfp8/kXvzKj+PizB8oNDO4S8sSShEEzOQ5a/+MTC6bqB0DLWYGUqRbjLc\n" +
                "PyYTC2C4i9Agx/GeGVE3c1UdtXiwwnt2XUn7Y1YGqABk0xGIY4J1NFTbSOxKl9hO\n" +
                "arwopAFrZU5nsjjFzv1DJvhfQWnYX18kPSKNHDlia019M118qZ8ERwD9tH8ix9Fa\n" +
                "R2tQdxn1aRGmvXSw+zFkbWD8aWs9n/B+QN1yllJqVoWypOld1yj+fVYYnYOtV1gK\n" +
                "eiygrtrh3JJCvLbEQl4nOgJM3PlEtfBHSaunehIXQMD1z/NDUqgBYjuDPyqRxJeH\n" +
                "Va5k72Nds5PeySKJJnICB3nZKjqgfLhNUrXa1SAQ4vqr0Ik/Lu9P7T+B1XiYwuUT\n" +
                "a20+bxi/x89ZZqwp3jnDuHup7XcO1MtqsoOKP/JgkjVMesb8Q1W8i2dXzg+l4gkk\n" +
                "l1ipreEGtT1YfFTq0DFelz6CjZFLDlGGeGWob94sW94DWTW0nsLPhQWEnwW1CcyJ\n" +
                "oJbJdDEgdiIbRJoABDkTuVXLwTlgzHSHh6zeJvNvcojI7UI3nWYCVYvD3kwghXiP\n" +
                "67sKGL3ug7PFDqLia46AudGY7CFh4+wpxyH+fidLC3FMdkDBA6xR6mGgEjRLXR9M\n" +
                "TnJ/eSYP7eqYZeKn9EarcI7v1zM2IG0/PDQCetiI0ABiHpdKyRQuuiEavp3xC5Vi\n" +
                "h7UmJNYt8Zsz3rwqAQ4FR2+Su5R34OOdRmxTaYLe96PXTpLcLef5TkYixSY7Tzgd\n" +
                "PMyRxRPrywklUEFe4KK/KOcdolxybfsIsxQnupLAMEsO7/Cs7mouNHISK51haDRc\n" +
                "vNbKQ5E4xOq1U4ThW5dHR29cGZillfmMzj05ZQh3ZX2TQJP45ahFET3v9kInWCwQ\n" +
                "8atqclVPOSnASsJZ0PxjYgKZuY8QWYM6zpfWyWnfu/CHhWbRS/qX8T1ow2SMyPBL\n" +
                "CQbZ+MhcdP0IrjoXhDFQsns16i/BPK5TTVqtEC2ywDf5P4/BOEZkySG9YNOd6THp\n" +
                "VA/dVPafzmLy3ltqH+jG8ZH2+RtWx7kwBjiDWs5cF33BFrPS7AZlzMzZoCHLXD/r\n" +
                "T/SmisybUKHMqri0x0RHeIByW0hogSByWiyIn8POabDzJV6Df9nQPziDGcSsvWfG\n" +
                "7q+hizh6+nnXOY+GZx3ptwg9mA9R4QyCiFNQradOaXSPxyEL2IC77/srFfVEIaU4\n" +
                "SRo=\n" +
                "-----END ENCRYPTED PRIVATE KEY-----";

        String certificateContent = "-----BEGIN CERTIFICATE-----\n" +
                "MIIDTjCCAjagAwIBAgIEVnHI3TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJO\n" +
                "TDEVMBMGA1UEChMMVGh1bmRlcmJlcnJ5MRIwEAYDVQQLEwlBbXN0ZXJkYW0xDjAM\n" +
                "BgNVBAMTBUhha2FuMB4XDTIwMDgzMTA4MDczOVoXDTMwMDgyOTA4MDczOVowSDEL\n" +
                "MAkGA1UEBhMCTkwxFTATBgNVBAoTDFRodW5kZXJiZXJyeTESMBAGA1UECxMJQW1z\n" +
                "dGVyZGFtMQ4wDAYDVQQDEwVIYWthbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\n" +
                "AQoCggEBAJZ+pqirEqEk4k1ow8vryld79oCO4P/1y+v60CkLpS2MpeHE3BogTr7g\n" +
                "WWP5HdHBMU5l8yT5tXuyVZZqgyzo0q2Sdm7GGrNunHf6Z8vPQFu69sQC1utDM9u8\n" +
                "ZFKiKsTNJ+5QS6KsOtlACyhaLoaPAWVjtvueMjVwmM9hfv/Gq6VyyuBm2x1C4HTj\n" +
                "zPCLHE2G1D13EJaWsvyZLGSbl0GGXZGPhaDd/vnw5TW36mvNTWW+37ZIEk4kXANa\n" +
                "FUNsJemm8HjB/PzHs3/SXGxuD8NKobg3+cNXYwAz2s2DI0W6Xw2g5bbrMQAdBRvn\n" +
                "9/kNftMymDORw3RGwDM2ld4zQfIkNrkCAwEAAaNAMD4wHQYDVR0OBBYEFHhT7ATg\n" +
                "oVVFIsglxD/1iUBRB6gDMB0GA1UdEQEB/wQTMBGCCWxvY2FsaG9zdIcEfwAAATAN\n" +
                "BgkqhkiG9w0BAQsFAAOCAQEAhVWH/CgZ0ZNmTfiFAOnWdaZVaa7vAFPT2YbXuvlY\n" +
                "YIRlru0B/zn2Mfwmn5W2o1CqoBuhyfErkkF4aRM1vduIirUjlcH4+cFXrV2gtlnf\n" +
                "eWTg/sJJmYzkJTGeOIqRlB1HKCqoeNCrykkcsikECQ1nCqr1qLh9DXsUgWVW57YW\n" +
                "qvP1P8xOO2/J9shMB6lOhftpawrqZ2hNG8fqMKjVVuUpFBNR+WODQ/rRRtqa6uU2\n" +
                "V8aOOZx1QJUkTdN76YOCuGET7edevjpdbRXde+HQN6mbT9OLxSZHO0aQrDyDmNhp\n" +
                "aVHuQn/KtYNWCZ78XKK8wtVnflmfqE/c9xO1n/EcVvLCdg==\n" +
                "-----END CERTIFICATE-----";

        PrivateKey privateKey = parsePrivateKey(privateKeyContent);
        Certificate[] certificates = parseCertificate(certificateContent).values()
                .toArray(new Certificate[]{});

        KeyStore keyStore = createEmptyKeyStore();
        keyStore.setKeyEntry("client", privateKey, null, certificates);
        System.out.println("\nprivateKey:\n" + privateKey);
        int certificatesLength = certificates.length;
        System.out.println("\nnumber of certificates: " + certificatesLength);
        for (int i = 0; i < certificatesLength; i++) {
            System.out.println("\ncertificate: " + i + " data:\n" + certificates[i]);
        }
    }

    private static KeyStore createEmptyKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(null, null);
        return keyStore;
    }

    private static PrivateKey parsePrivateKey(String identityContent) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
        KeySpec keySpec = null;

        Matcher privateKeyMatcher = PRIVATE_KEY_PATTERN.matcher(identityContent);
        if (privateKeyMatcher.find()) {
            String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
            keySpec = new PKCS8EncodedKeySpec(decodedPrivateKeyContent);
        }

        privateKeyMatcher = RSA_PRIVATE_KEY_PATTERN.matcher(identityContent);
        if (privateKeyMatcher.find()) {
            String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
            keySpec = getKeySpecFromAsn1StructuredData(decodedPrivateKeyContent);
        }

        privateKeyMatcher = ENCRYPTED_PRIVATE_KEY_PATTERN.matcher(identityContent);
        if (privateKeyMatcher.find()) {
            String privateKeyContent = privateKeyMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedPrivateKeyContent = Base64.getDecoder().decode(privateKeyContent);
            try (ByteArrayInputStream privateKeyAsInputStream = new ByteArrayInputStream(decodedPrivateKeyContent)) {
                ASN1InputStream stream = new ASN1InputStream(new DERDecoder(), privateKeyAsInputStream);
                ASN1Sequence asn1Sequence = stream.readObject();
                ASN1OctetString privateKeyAsOctetString = (ASN1OctetString) asn1Sequence.get(1);
                ASN1OctetString saltAsOctetString = (ASN1OctetString) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(0)).get(1)).get(0);
                ASN1OctetString initializationVectorAsOctec = ((ASN1OctetString) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(1)).get(1));
                ASN1Integer iterationCount = (ASN1Integer) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) ((ASN1Sequence) asn1Sequence.get(0)).get(1)).get(0)).get(1)).get(1);
                IvParameterSpec ivParameterSpec = new IvParameterSpec(initializationVectorAsOctec.getValue());
                SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2withHmacSHA1");
                EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(secretKeyFactory.getAlgorithm(), privateKeyAsOctetString.getValue());
                int keyLength = encryptedPrivateKeyInfo.getEncoded().length;
                System.out.println("original keyLength:  " + keyLength);
                keyLength = 24 * 8; // ### fixed
                System.out.println("fixed keyLength(bit): " + keyLength);
                PBEKeySpec pbeKeySpec = new PBEKeySpec(keyPassword, saltAsOctetString.getValue(), iterationCount.getValue().intValue(), keyLength);
                Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding/");

                // SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec); // ### old routine
                SecretKey secretKeyPbkdf = secretKeyFactory.generateSecret(pbeKeySpec); // ### new
                SecretKey secretKey = new SecretKeySpec(secretKeyPbkdf.getEncoded(), "DESede"); // ### new

                cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec);
                keySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
                //PKCS8EncodedKeySpec keySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
            } catch (NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) {
                e.printStackTrace();
            }
        }

        Objects.requireNonNull(keySpec);

        KeyFactory keyFactory = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
        return keyFactory.generatePrivate(keySpec);
    }

    private static KeySpec getKeySpecFromAsn1StructuredData(byte[] decodedPrivateKeyContent) throws IOException {
        try(ByteArrayInputStream privateKeyAsInputStream = new ByteArrayInputStream(decodedPrivateKeyContent)) {
            ASN1InputStream stream = new ASN1InputStream(new DERDecoder(), privateKeyAsInputStream);
            ASN1Sequence asn1Sequence = stream.readObject();

            if (asn1Sequence.getValue().size() < 9) {
                throw new RuntimeException("Parsed key content doesn't have the minimum required sequence size of 9");
            }

            BigInteger modulus = extractIntValueFrom(asn1Sequence.get(1));
            BigInteger publicExponent = extractIntValueFrom(asn1Sequence.get(2));
            BigInteger privateExponent = extractIntValueFrom(asn1Sequence.get(3));
            BigInteger primeP = extractIntValueFrom(asn1Sequence.get(4));
            BigInteger primeQ = extractIntValueFrom(asn1Sequence.get(5));
            BigInteger primeExponentP = extractIntValueFrom(asn1Sequence.get(6));
            BigInteger primeExponentQ = extractIntValueFrom(asn1Sequence.get(7));
            BigInteger crtCoefficient = extractIntValueFrom(asn1Sequence.get(8));

            return new RSAPrivateCrtKeySpec(
                    modulus, publicExponent, privateExponent,
                    primeP, primeQ, primeExponentP, primeExponentQ, crtCoefficient
            );
        }
    }

    private static BigInteger extractIntValueFrom(ASN1Object<?> asn1Object) {
        if (asn1Object instanceof ASN1Integer) {
            return ((ASN1Integer) asn1Object).getValue();
        } else {
            throw new RuntimeException(String.format(
                    "Unable to parse the provided value of the object type [%s]. The type should be an instance of [%s]",
                    asn1Object.getClass().getName(), ASN1Integer.class.getName())
            );
        }
    }

    private static Map<String, Certificate> parseCertificate(String certificateContent) throws IOException, CertificateException {
        Map<String, Certificate> certificates = new HashMap<>();
        Matcher certificateMatcher = CERTIFICATE_PATTERN.matcher(certificateContent);

        while (certificateMatcher.find()) {
            String sanitizedCertificate = certificateMatcher.group(1).replace(NEW_LINE, EMPTY).trim();
            byte[] decodedCertificate = Base64.getDecoder().decode(sanitizedCertificate);
            try(ByteArrayInputStream certificateAsInputStream = new ByteArrayInputStream(decodedCertificate)) {
                CertificateFactory certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
                Certificate certificate = certificateFactory.generateCertificate(certificateAsInputStream);
                certificates.put(UUID.randomUUID().toString(), certificate);
            }
        }
        return certificates;
    }
}

票数 1

Stack Overflow用户

发布于 2020-09-10 22:02:28

如果您不羞于在使用openssl之前转换给定的加密私钥，则可以使用示例代码进行简单的解析。

为了运行我的示例，我将您的加密私钥保存到一个文件‘so_privatekey_secil.pem’。

使用openssl中的comand行，我将(已经)加密的密钥转换为另一个密码，并生成(新的)密钥文件‘so_privatekey_3des_sec.pem’：

openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 -in so_privatekey_secret.pem -out so_privatekey_3des_secret.pem

加密的私钥如下所示：

运行我的示例程序(没有异常处理的)提供了一个输出：

pkInfo.getAlgName: PBEWithSHA1AndDESede
decryptedPrivateKey: SunRsaSign RSA private CRT key, 2048 bits
  params: null
  modulus: 18998199686208613730227071552042680566660281525162377778227794768879762338654464000476266705180956908841709177555966832423085875590556580445428066261332223955361646420713402269532603328557674453787190302285379571808527818182992417461094551685532849252957724361115461909983939654809533488667032982867230996411860328826589806804115764031480737011900431983025490936659008858316889367140757195359233313370592669605576636360123189540118611655293825465309125578750878878980002346272931570343463549347548711194000065166346537274382220211242975801253306067862461345994215674963367480607539333468674983712264803816027753559737
  private exponent: 2470690692670644289832084636740463653655882622624760758103597888447170520657826825702415751838767348735186037205082706146786714644526202528897926495648786865000645626802269367582073915029633022103975204027927584273373553784482725392082470421529769049284506228997163157587212073758970565083984956787424047216319298607371397767542633302071090323391531162434678662485530085857362259661656308472034152915312425224731842425134593468185574918070451135641322780271191791839285884885643517240131520070881951542294552185519522325857178404160441369354693465035929601010771762928436963178293113507661955562266846499005032897533

代码：

import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class ReadPkcs8PrivateKeysSo {
    public static void main(String[] args) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {

        String encrypted = new String(Files.readAllBytes(Paths.get("so_privatekey_3des_secret.pem")));
        String password = "secret";

        //Create object from encrypted private key
        encrypted = encrypted.replace("-----BEGIN ENCRYPTED PRIVATE KEY-----", "");
        encrypted = encrypted.replace("-----END ENCRYPTED PRIVATE KEY-----", "");
        EncryptedPrivateKeyInfo pkInfo = new EncryptedPrivateKeyInfo(Base64.getMimeDecoder().decode(encrypted));
        PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray()); // password
        System.out.println("pkInfo.getAlgName: " + pkInfo.getAlgName());
        SecretKeyFactory pbeKeyFactory = SecretKeyFactory.getInstance(pkInfo.getAlgName());
        SecretKey secretKey = pbeKeyFactory.generateSecret(keySpec);
        PKCS8EncodedKeySpec encodedKeySpec = pkInfo.getKeySpec(secretKey);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PrivateKey decryptedPrivateKey = keyFactory.generatePrivate(encodedKeySpec);
        System.out.println("decryptedPrivateKey: " + decryptedPrivateKey);
    }
}

票数 0

Stack Overflow用户

发布于 2022-05-03 21:24:09

我花了几个星期的时间在GitHub上做我的GitHub项目，现在我有了纯Java代码，没有外部库可以加载我抛出的任何东西。

我希望这有助于原来的海报(从18个月前！)以及任何跟随我们脚步的人。

票数 0

页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持

原文链接：

https://stackoverflow.com/questions/63832456

复制

相似问题

问用程序解析加密PKCS#8编码的pem文件
EN

回答 4

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问用程序解析加密PKCS#8编码的pem文件EN

回答 4

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问用程序解析加密PKCS#8编码的pem文件
EN