Do java.security.Key.getEncoded() returns data in DER encoded format?
If not, is there a method that do?
UPDATE: A Key interface holding an RSA private key implementation
+1
A:
Depending on the type of key. Most symmetric keys return raw bytes with no encoding. Most public keys uses ASN.1/DER encoding.
You shouldn't care about how the key is encoded. Treat getEncoded as serialization function. It returns byte-stream representation of the key, which can be saved and converted back into the key later.
For RSA private keys, it's may be encoded as PKCS#1 or PKCS#8. PKCS#1 is the preferred encoding because it contains extra CRT parameters which speed up private key operations.
Sun JCE always generates key pairs in PKCS#1 encoding so the private key is always encoded in this format defined in PKCS#1,
--
-- Representation of RSA private key with information for the CRT algorithm.
--
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER, -- (inverse of q) mod p
otherPrimeInfos OtherPrimeInfos OPTIONAL
}
Version ::= INTEGER { two-prime(0), multi(1) }
(CONSTRAINED BY {-- version must be multi if otherPrimeInfos present --})
OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo
OtherPrimeInfo ::= SEQUENCE {
prime INTEGER, -- ri
exponent INTEGER, -- di
coefficient INTEGER -- ti
}
ZZ Coder
2010-05-28 18:21:02
please, see my update. By the way, I *need* get the data encoded in DER (its a project's specification).
Tom Brito
2010-05-28 18:27:53
If you are dealing with RSA private keys only, getEncoded() always returns DER encoded octet-stream. However, there are 2 different ASN.1 objects are used depending on the source of the key.
ZZ Coder
2010-05-28 18:43:27
Thanks ZZ Coder, but is there any documentation saying that? The javadoc says nothing.. and I will need explain that to my boss, you know? :)
Tom Brito
2010-05-28 19:03:11
No. DER encoding is not in JCE specification so it's not guaranteed every provider will do that. However, all standard format for key storage (X.509, PKCS#12) all uses DER. It's inconceivable that provider will do something different.
ZZ Coder
2010-05-28 19:12:04
by the way, if not asking too much, which are the 2 different ASN.1 objects used? And do you know which is used for `java.security.KeyPairGenerator.getInstance("RSA", "BC").generateKeyPair().getPrivate()`?
Tom Brito
2010-05-28 19:24:21
See my edits. The generated key is always encoded in PKCS#1.
ZZ Coder
2010-05-28 19:44:48
Ran a test with RSAPrivateCrtKey.getEncoded(), looks like PKCS#8 to me.
GregS
2010-05-29 01:17:45