iaik.pkcs.pkcs8

Class EncryptedPrivateKeyInfo

java.lang.Object

iaik.pkcs.pkcs8.EncryptedPrivateKeyInfo

All Implemented Interfaces:

ASN1Type, java.io.Serializable, java.security.Key, java.security.PrivateKey, javax.security.auth.Destroyable

public class EncryptedPrivateKeyInfo
extends java.lang.Object
implements java.security.PrivateKey, java.io.Serializable, ASN1Type

This class implements from the Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2 (RFC 5208) the syntax for encrypted private keys.

For encrypting some private key, it is suggested to use a password-based encryption algorithm, as for instance described in PKCS#5 or PKCS#12. Both types of algorithms require a password for creating a secret key to be fed into the en/decryption process. For PKCS#5 this secret key has to be an instance of iaik.security.cipher.PBEKey, for PKCS#12 an iaik.security.cipher.PBEKeyBMP is used, treating the password as a BMPString according to PKCS#12.

PKCS#8 defines EncryptedPrivateKeyInfo as a ASN.1 SEQUENCE containing the following components:

 EncryptedPrivateKeyInfo ::= SEQUENCE {
   encryptionAlgorithm EncryptionAlgorithmIdentifier,
   encryptedData EncryptedData }
 

where:

 encryptionAlgorithmIdentifier ::= AlgorithmIdentifier
                                   -- algorithm for encrypting the private-key information
 EncryptedData ::= OCTET STRING    -- the encrypted private-key information
 

IAIK-JCE implements the PbeWithMD5AndDES_CBC algorithm of the PKCS#5 standard, and the PbeWithSHAAnd3_KeyTripleDES_CBC and PbeWithSHAAnd40BitRC2_CBC algorithms of the PKCS#12 standard, that may be used for password based encrypting some private key according to PKCS#8.

Suppose you have created a RSAPrivateKey rsa_priv_key and are going to protect it with a password according to PKCS#5 and PKCS#8. You therefore will encode a value of type PrivateKeyInfo according to PKCS#8 to represent the private key in an algorithm-independent manner, which subsequently will be encrypted using the PbeWithMD5AndDES_CBC algorithm and encoded as PKCS#8 EncryptedPrivateKeyInfo:

 EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(rsa_priv_key);
 epki.encrypt("password", AlgorithmID.pbeWithMD5AndDES_CBC, null);
 

Decrypting goes the reverse way obtaining a PrivateKeyInfo from the EncryptedPrivateKeyInfo and "extracting" RSAPrivateKey:

 RSAPrivateKey rsa_priv_key = (RSAPrivateKey)epki.decrypt("password");
 

See Also:

PbeWithMD5AndDES_CBC, PbeWithSHAAnd3_KeyTripleDES_CBC, PbeWithSHAAnd40BitRC2_CBC, PBEKey, PBEKeyBMP, PrivateKeyInfo, Serialized Form

Field Summary

Fields inherited from interface java.security.PrivateKey

serialVersionUID

Constructor Summary

Constructors

Constructor and Description
EncryptedPrivateKeyInfo(ASN1Object obj) Creates a new EncryptedPrivateKeyInfo from an ASN1Object.
EncryptedPrivateKeyInfo(byte[] arr) Creates a new EncryptedPrivateKeyInfo from a byte array.
EncryptedPrivateKeyInfo(java.io.InputStream is) Creates a new EncryptedPrivateKeyInfo from an InputStream.
EncryptedPrivateKeyInfo(java.security.PrivateKey privateKey) Creates a new EncryptedPrivateKeyInfo from a PrivateKey.

Method Summary

Modifier and Type	Method and Description
void	decode(ASN1Object obj) Decodes the given ASN.1 EncryptedPrivateKeyInfo object for parsing the internal structure.
java.security.PrivateKey	decrypt(char[] password) Decrypts an encrypted PrivateKeyInfo (PKCS#5 and PKCS#8).
java.security.PrivateKey	decrypt(java.lang.String password) Decrypts an encrypted PrivateKeyInfo (PKCS#5 and PKCS#8).
void	encrypt(char[] password, AlgorithmID encryptionAlgorithm, java.security.SecureRandom random) Encrypts the PrivateKeyInfo data structure (PKCS#5 and PKCS#8) password based using the specified PBE algorithm.
void	encrypt(char[] password, AlgorithmID encryptionAlgorithm, java.security.SecureRandom random, int iterationCount) Encrypts the PrivateKeyInfo data structure (PKCS#5 and PKCS#8) password based using the specified PBE algorithm.
void	encrypt(java.lang.String password, AlgorithmID encryptionAlgorithm, java.security.SecureRandom random) Encrypts the PrivateKeyInfo data structure (PKCS#5 and PKCS#8) password based using the specified PBE algorithm.
java.lang.String	getAlgorithm() Returns the name of the algorithm.
byte[]	getEncoded() Returns this EncryptedPrivateKeyInfo as a DER encoded byte array.
java.lang.String	getFormat() Returns the name of the encoding format..
java.security.PrivateKey	getPrivateKeyInfo() Gets the PrivateKey from this EncryptedPrivateKeyInfo.
ASN1Object	toASN1Object() Returns this EncryptedPrivateKeyInfo as ASN1Object.
java.lang.String	toString() Returns a string that represents the contents of this EncryptedPrivateKeyInfo.
void	writeTo(java.io.OutputStream os) Writes this EncryptedPrivateKeyInfo to an output stream.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface javax.security.auth.Destroyable

destroy, isDestroyed

Constructor Detail

EncryptedPrivateKeyInfo

public EncryptedPrivateKeyInfo(java.security.PrivateKey privateKey)

Creates a new EncryptedPrivateKeyInfo from a PrivateKey.

Use this constructor for supplying the private key to be encrypted, e.g.:

 EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(rsa_priv_key);
 

Parameters:

privateKey - the PrivateKeyInfo to be used for initializing this EncryptedPrivateKeyInfo

EncryptedPrivateKeyInfo

public EncryptedPrivateKeyInfo(ASN1Object obj)
                        throws java.security.InvalidKeyException

Creates a new EncryptedPrivateKeyInfo from an ASN1Object.

Do not use this constructor for supplying the private key to be encrypted. This constructor may be used for parsing an already exisiting EncryptedPrivateKeyInfo object, supplied as ASN1Object that may have been created by calling toASN1Object.

Use the EncryptedPrivateKeyInfo(PrivateKeyInfo privateKeyInfo) constructor for supplying the private key to be encrypted when creating an EncryptedPrivateKeyInfo object.

Parameters:

obj - the PrivateKeyInfo as ASN1Object

Throws:

java.security.InvalidKeyException - if the object can not be parsed

EncryptedPrivateKeyInfo

public EncryptedPrivateKeyInfo(java.io.InputStream is)
                        throws java.security.InvalidKeyException,
                               java.io.IOException

Creates a new EncryptedPrivateKeyInfo from an InputStream.

This constructor reads an EncryptedPrivateKeyInfo priviously written with method writeTo(OutputStream). This constructor cannot be used to read a serialized object.

Parameters:

is - the input stream from where the EncryptedPrivateKeyInfo shall be read

Throws:

java.security.InvalidKeyException - if the data can not be parsed

java.io.IOException - if an I/O error occurs

EncryptedPrivateKeyInfo

public EncryptedPrivateKeyInfo(byte[] arr)
                        throws java.security.InvalidKeyException

Creates a new EncryptedPrivateKeyInfo from a byte array.

Do not use this constructor for supplying the private key to be encrypted. This constructor may be used for parsing an already exisiting EncryptedPrivateKeyInfo object, supplied as DER encoded ASN.1 structure which may have been created by calling the getEncoded method of this class.

Use the EncryptedPrivateKeyInfo(PrivateKeyInfo privateKeyInfo) constructor for supplying the private key to be encrypted when creating an EncryptedPrivateKeyInfo object.

Parameters:

arr - the array containing the encoded EncryptedPrivateKeyInfo

Throws:

java.security.InvalidKeyException - if the data can not be parsed

Method Detail

decode

public void decode(ASN1Object obj)
            throws CodingException

Decodes the given ASN.1 EncryptedPrivateKeyInfo object for parsing the internal structure.

This method implements the ASN1Type interface and internally is called when creating a PKCS#8 EncryptedPrivateKeyInfo object from an already existing EncryptedPrivateKeyInfo object, supplied as ASN1Object or DER encoded ASN1Object.

Specified by:

decode in interface ASN1Type

Parameters:

obj - the EncryptedPrivateKeyInfo as ASN1Object

Throws:

CodingException - if the ASN1Object could not be parsed

encrypt

public void encrypt(java.lang.String password,
                    AlgorithmID encryptionAlgorithm,
                    java.security.SecureRandom random)
             throws java.security.NoSuchAlgorithmException

Encrypts the PrivateKeyInfo data structure (PKCS#5 and PKCS#8) password based using the specified PBE algorithm.

Parameters:

password - the password to use

encryptionAlgorithm - the AlgorithmID of the encryption algorithm

random - the source or randomness for generating the salt or null if the default SecureRandom() shall be used

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

encrypt

public void encrypt(char[] password,
                    AlgorithmID encryptionAlgorithm,
                    java.security.SecureRandom random)
             throws java.security.NoSuchAlgorithmException

Encrypts the PrivateKeyInfo data structure (PKCS#5 and PKCS#8) password based using the specified PBE algorithm.

Parameters:

password - the password to use

encryptionAlgorithm - the AlgorithmID of the encryption algorithm

random - the source or randomness for generating the salt or null if the default SecureRandom() shall be used

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

encrypt

public void encrypt(char[] password,
                    AlgorithmID encryptionAlgorithm,
                    java.security.SecureRandom random,
                    int iterationCount)
             throws java.security.NoSuchAlgorithmException

Encrypts the PrivateKeyInfo data structure (PKCS#5 and PKCS#8) password based using the specified PBE algorithm. This method has an additional parameter: iterationCount. When deriving the symmetric key and the IV a hash is calculated iterationCount times on the password and on the salt thus increasing the cost for breaking the cipher using brute force methods.

Parameters:

password - the password to use

encryptionAlgorithm - the AlgorithmID of the encryption algorithm

random - the source or randomness for generating the salt or null if the default SecureRandom() shall be used

iterationCount - the iteration count for key derivation

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

decrypt

public java.security.PrivateKey decrypt(java.lang.String password)
                                 throws java.security.NoSuchAlgorithmException,
                                        java.security.GeneralSecurityException

Decrypts an encrypted PrivateKeyInfo (PKCS#5 and PKCS#8).

Parameters:

password - the password to decrypt the key

Returns:

the recovered PrivateKey

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the encryption algorithm

java.security.GeneralSecurityException - if the private key could not be decrypted (password wrong)

decrypt

public java.security.PrivateKey decrypt(char[] password)
                                 throws java.security.NoSuchAlgorithmException,
                                        java.security.GeneralSecurityException

Decrypts an encrypted PrivateKeyInfo (PKCS#5 and PKCS#8).

Parameters:

password - the password to decrypt the key

Returns:

the recovered PrivateKey

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the encryption algorithm

java.security.GeneralSecurityException - if the private key could not be decrypted (password wrong)

getPrivateKeyInfo

public java.security.PrivateKey getPrivateKeyInfo()

Gets the PrivateKey from this EncryptedPrivateKeyInfo.

Returns:

the PrivateKey

toASN1Object

public ASN1Object toASN1Object()

Returns this EncryptedPrivateKeyInfo as ASN1Object.

If the private key is encrypted, an EncryptedPrivateKeyInfo is returned, otherwise a PrivateKeyInfo.

Specified by:

toASN1Object in interface ASN1Type

Returns:

this EncryptedPrivateKeyInfo as ASN1Object

getEncoded

public byte[] getEncoded()

Returns this EncryptedPrivateKeyInfo as a DER encoded byte array.

Specified by:

getEncoded in interface java.security.Key

Returns:

this EncryptedPrivateKeyInfo as DER encoded byte array

getAlgorithm

public java.lang.String getAlgorithm()

Returns the name of the algorithm.

Specified by:

getAlgorithm in interface java.security.Key

Returns:

the string "ENCRYPTED"

getFormat

public java.lang.String getFormat()

Returns the name of the encoding format..

Specified by:

getFormat in interface java.security.Key

Returns:

the string "PKCS#8"

writeTo

public void writeTo(java.io.OutputStream os)
             throws java.io.IOException

Writes this EncryptedPrivateKeyInfo to an output stream.

Parameters:

os - the output stream

Throws:

java.io.IOException - if an I/O error occurs

toString

public java.lang.String toString()

Returns a string that represents the contents of this EncryptedPrivateKeyInfo.

If the private key already has been encrypted, the name of the encryption algorithm is specified.

Overrides:

toString in class java.lang.Object

Returns:

the string representation