views:

194

answers:

1

Do java.security.Key.getEncoded() returns data in DER encoded format?

If not, is there a method that do?

UPDATE: A Key interface holding an RSA private key implementation

+1  A: 

Depending on the type of key. Most symmetric keys return raw bytes with no encoding. Most public keys uses ASN.1/DER encoding.

You shouldn't care about how the key is encoded. Treat getEncoded as serialization function. It returns byte-stream representation of the key, which can be saved and converted back into the key later.

For RSA private keys, it's may be encoded as PKCS#1 or PKCS#8. PKCS#1 is the preferred encoding because it contains extra CRT parameters which speed up private key operations.

Sun JCE always generates key pairs in PKCS#1 encoding so the private key is always encoded in this format defined in PKCS#1,

-- 
-- Representation of RSA private key with information for the CRT algorithm.
--
RSAPrivateKey ::= SEQUENCE {
    version           Version, 
    modulus           INTEGER,  -- n
    publicExponent    INTEGER,  -- e
    privateExponent   INTEGER,  -- d
    prime1            INTEGER,  -- p
    prime2            INTEGER,  -- q
    exponent1         INTEGER,  -- d mod (p-1)
    exponent2         INTEGER,  -- d mod (q-1) 
    coefficient       INTEGER,  -- (inverse of q) mod p
    otherPrimeInfos   OtherPrimeInfos OPTIONAL 
}

Version ::= INTEGER { two-prime(0), multi(1) }
    (CONSTRAINED BY {-- version must be multi if otherPrimeInfos present --})

OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo


OtherPrimeInfo ::= SEQUENCE {
    prime             INTEGER,  -- ri
    exponent          INTEGER,  -- di
    coefficient       INTEGER   -- ti
}
ZZ Coder
please, see my update. By the way, I *need* get the data encoded in DER (its a project's specification).
Tom Brito
If you are dealing with RSA private keys only, getEncoded() always returns DER encoded octet-stream. However, there are 2 different ASN.1 objects are used depending on the source of the key.
ZZ Coder
Thanks ZZ Coder, but is there any documentation saying that? The javadoc says nothing.. and I will need explain that to my boss, you know? :)
Tom Brito
No. DER encoding is not in JCE specification so it's not guaranteed every provider will do that. However, all standard format for key storage (X.509, PKCS#12) all uses DER. It's inconceivable that provider will do something different.
ZZ Coder
by the way, if not asking too much, which are the 2 different ASN.1 objects used? And do you know which is used for `java.security.KeyPairGenerator.getInstance("RSA", "BC").generateKeyPair().getPrivate()`?
Tom Brito
See my edits. The generated key is always encoded in PKCS#1.
ZZ Coder
Ran a test with RSAPrivateCrtKey.getEncoded(), looks like PKCS#8 to me.
GregS