Hi, If I may attempt a slightly better response than my first one! Sorry to openssl-dev people about spamming your list with this. Probably this email is better suited to openssl-users, so I'm cross-posting it. (If anyone decides to reply, please reply to openssl-users!)
1. Dr Stephen N. Henson's link is an excellent document. Very helpful.

http://www.openssl.org/docs/crypto/pem.html

There is only one small gotcha I would like to add to that document, regarding this:

===============================================
The private key (or other data) takes the following form:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89

...base64 encoded data...
-----END RSA PRIVATE KEY-----

The line beginning DEK-Info contains two comma separated pieces of information: the encryption algorithm name as used by EVP_get_cipherbyname() and an 8 byte salt encoded as a set of hexadecimal digits.
===============================================

The "8 byte salt" also serves as the IV during decryption. So you use it as "salt" for key-derivation, and then you use it again as IV for decryption. It's dual-purpose. ;-)

The 8 byte salt will be 16 bytes when using AES:

DEK-Info: AES-256-CBC,1876F5A50C9046D504D47B2BF8951875

BUT you only use the first 8 bytes as "Salt" during the key-derivation. I think I spent about 10 hours trying to figure out that little detail! You do use all 16 bytes as the IV during the decryption.

2. Max Weijun Wang recommends using "KeyStore.getInstance("pkcs12")" to load it. That's a great idea, but you probably need to get openssl to output the file in "DER" format first:

openssl pkcs12 -in pkcs12.pem -out pkcs12.der -outform DER

Java can read PKCS #12 files, but only in DER form. Not in OpenSSL's PEM form.

The "PKCS #12" file created by OpenSSL in PEM format is actually just a series of X509 certificates and an encrypted private key (usually using the "Traditional SSLeay Format"). If you have time you can manually split out all those different PEM items (using cut & paste) into separate files. You can then get "openssl" to decrypt the RSA key into unencrypted PKCS #8 DER format (see below).
Finally, with all these files on your hard-drive, you can get Java to load them:

// Load the certs using this:
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(new ByteArrayInputStream(pemOrDer));

// Load the RSA private key using this (DER-encoded PKCS #8 only):
KeySpec spec = new PKCS8EncodedKeySpec(derOnly);

3. What kind of PEM files are you importing? Java can already import X509 certificates in PEM format no problem:

keytool -import -file x509.pem

Java is a little picky about carriage returns before and after the Base64 section. I'm also not sure what "keytool" does if the PEM file contains more than one certificate. If you're working directly in Java, then newer versions of "CertificateFactory.generateCertificates()" (> Java 5? Java 1.3 definitely had problems) can handle more than one cert in a PEM file just fine.

Java's very picky about comments in the PEM. Your PEM files must only contain -----BEGIN THING----- and -----END THING-----. Anything before and after the "BEGIN" and "END" sections will upset Java.

X509 certificates in PEM are fine. But if you're trying to deal with RSA or DSA encrypted private keys in Java, things get harder. You need to decrypt them to "unencrypted pkcs8 format" using:

openssl pkcs8 -topk8 -nocrypt -outform DER

You can load the output of that directly into Java's "java.security.spec.PKCS8EncodedKeySpec" class.

==================================

Above is how you can deal with this stuff manually with some help from "openssl". There is a java library which can also do all of these operations in pure java:

http://juliusdavies.ca/commons-ssl/

Commons-SSL currently only deals with the "reading" of this stuff. For "writing" you still need openssl.

In particular, for RSA, DSA, and PKCS #12 files in PEM, I think you're probably better off with the Commons-SSL library's PKCS8Key class as opposed to messing around on the command line and cutting & pasting and all that.

http://juliusdavies.ca/commons-ssl/pkcs8.html

:-)

yours,

Julius

On 11/27/06, Julius Davies <[EMAIL PROTECTED]> wrote:
Hi, Isvaran,

The Commons-SSL "KeyStoreBuilder" utility might help you.

http://juliusdavies.ca/commons-ssl/utilities.html

You could also take a look at the PKCS8Key, PEMUtil and PEMItem classes.

http://juliusdavies.ca/commons-ssl/javadocs/

Good luck!

yours,

Julius

On 11/27/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 27, 2006, Isvaran Krishnamurthy wrote:
>
> > Hi,
> >
> > I have a requirement to read a PEM file and import it into a java JKS
> > store.
> > I am looking at a pure java solution (no JNI / library dependency).
> > I need to know the format of the PEM file and the relationship between
> > each entry in the PEM file (if any).
> > I tried to find documentation of the PEM format on the web to no avail.
> > I would greatly appreciate it if any of you fine folks would help me out
> > by providing info on the PEM file format.
> >
>
> There is extensive information in the pem manual page describing the main
> format, the encoded structures and the various types of encryption used. This
> is in every OpenSSL distribution or at:
>
> http://www.openssl.org/docs/crypto/pem.html
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]

--
yours,
Julius Davies
416-652-0183
http://juliusdavies.ca/
--
yours,
Julius Davies
416-652-0183
http://juliusdavies.ca/
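As an added illustration (not code from the mail, from OpenSSL or from Commons-SSL), the following Python sketch shows the header handling behind point 1: the whole DEK-Info hex value is the IV, but only its first 8 bytes feed OpenSSL's legacy MD5-based EVP_BytesToKey as the salt. The PEM header and the password are constructed sample values; decryption of the base64 body is left out.

```python
import hashlib
import re

# Constructed sample header, not a real key: the DEK-Info line quoted in the
# mail, with the base64 body omitted (only the headers matter for derivation).
SAMPLE_PEM_HEADER = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,1876F5A50C9046D504D47B2BF8951875

"""

# Key lengths for the ciphers OpenSSL's traditional PEM encryption uses.
KEY_LEN = {"DES-EDE3-CBC": 24, "AES-128-CBC": 16,
           "AES-192-CBC": 24, "AES-256-CBC": 32}


def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes) from the DEK-Info header line."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$",
                  pem_text, re.M)
    if not m:
        raise ValueError("no DEK-Info header")
    return m.group(1), bytes.fromhex(m.group(2))


def evp_bytes_to_key(password, salt, key_len):
    """OpenSSL's legacy EVP_BytesToKey with MD5 and a single iteration, as
    used for traditional encrypted PEM:
    D_1 = MD5(pw || salt), D_i = MD5(D_{i-1} || pw || salt), concatenated."""
    derived = b""
    block = b""
    while len(derived) < key_len:
        block = hashlib.md5(block + password + salt).digest()
        derived += block
    return derived[:key_len]


def derive_key_and_iv(pem_text, password):
    """Return (cipher, key, iv, salt) needed to decrypt the PEM body."""
    cipher, iv = parse_dek_info(pem_text)
    if cipher not in KEY_LEN:
        raise ValueError("unsupported cipher %s" % cipher)
    # The gotcha from the mail: the full hex value is the IV (16 bytes for
    # AES), but only its first 8 bytes are the salt for key derivation.
    salt = iv[:8]
    key = evp_bytes_to_key(password, salt, KEY_LEN[cipher])
    return cipher, key, iv, salt
```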
