000018963 - How to store an RSA private key in PKCS#8 format

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Number: 000018963
Applies To: RSA BSAFE Crypto-J
Issue: How to store an RSA private key in PKCS#8 format
Resolution: If your keys are in a JSAFE_KeyPair object, start with step 1; if your key is already in a JSAFE_PrivateKey object, start with step 2. If you want your key to be encrypted, start at step 1 and then skip to step 4.

1. To extract keys from a JSAFE_KeyPair object, you must call the JSAFE_KeyPair member function getPrivateKey().  This returns a JSAFE_PrivateKey object.  NOTE: If you want to encrypt your private key, you must skip steps 2 & 3 and go to step 4.  Otherwise, follow steps 2 & 3.

2. You must now call the JSAFE_Key member function getKeyData() on the JSAFE_PrivateKey object.  The function is defined on JSAFE_Key because that class is the generic key interface.  The getKeyData() function takes an argument that specifies the format in which to return the key.

3. For the RSA private key, you must pass in the value "RSAPrivateKeyBER".  This returns a two-dimensional byte array with the private key in PKCS#8 format.  You can now take the unencrypted private key data from the byte array and write it to a file or a smart card.

The following steps show how you would encrypt the private key before you store it.

4. At this point, you must have extracted the private key from the key pair object and received a JSAFE_PrivateKey object.  You must begin by calling encryptInit before you call the wrapPrivateKey() method.  This method takes the JSAFE_PrivateKey object as its first argument and a boolean as its second argument, which selects whether the output is in PKCS#8 format.  The output is a byte array containing the private key in the PKCS#8 EncryptedPrivateKeyInfo format (when the boolean is set to true).

5. You can now write the encrypted private key from the byte array to disk or to a smart card.
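A check worth running on the file produced in step 3 or step 5, added here as example code that is not part of the article or of Crypto-J: a small Python classifier that reads the DER blob and reports whether it is a PKCS#8 PrivateKeyInfo (the unencrypted output), a PKCS#8 EncryptedPrivateKeyInfo (the output of step 4 with the boolean set to true), or a bare PKCS#1 RSAPrivateKey. The sample blobs are constructed with toy integers, not real keys, and the pbeWithSHA1AndDES-CBC OID in the encrypted sample is only a placeholder algorithm identifier.

```python
# Classify a DER-encoded private key blob so you can confirm that the bytes you wrote to
# disk are the PKCS#8 layout you intended (encrypted or not), not a bare PKCS#1 RSAPrivateKey.
RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    # Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    # Split the content of a SEQUENCE into a list of (tag, value).
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def classify_key_blob(der):
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return "not-a-single-der-sequence"
    items = _children(body)
    tags = [t for t, _ in items]
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, algorithm SEQUENCE, privateKey OCTET STRING, ... }
    if tags[:3] == [0x02, 0x30, 0x04]:
        alg = _children(items[1][1])
        if alg and alg[0][0] == 0x06 and alg[0][1] == RSA_OID:
            return "pkcs8-privatekeyinfo-rsa"
        return "pkcs8-privatekeyinfo"
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm SEQUENCE, encryptedData OCTET STRING }
    if tags == [0x30, 0x04]:
        return "pkcs8-encryptedprivatekeyinfo"
    # RSAPrivateKey (PKCS#1) ::= SEQUENCE of nine INTEGERs: version, n, e, d, p, q, dP, dQ, qInv
    if len(tags) >= 9 and all(t == 0x02 for t in tags):
        return "pkcs1-rsaprivatekey"
    return "unknown"

def _der(tag, content):
    # Minimal DER encoder for content shorter than 256 bytes; builds the constructed samples below.
    n = len(content)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + content

# Constructed samples with toy integers (not a real key), one per layout.
PKCS1_SAMPLE = _der(0x30, b"".join(_der(0x02, bytes([v])) for v in (0, 13, 3, 7, 5, 3, 1, 1, 2)))
PKCS8_SAMPLE = _der(0x30, _der(0x02, b"\x00") + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                    + _der(0x04, PKCS1_SAMPLE))
ENC_PKCS8_SAMPLE = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01050a")) + _der(0x05, b""))
                        + _der(0x04, bytes(16)))    # pbeWithSHA1AndDES-CBC OID placeholder, dummy ciphertext
```

Run `classify_key_blob(open(path, "rb").read())` on the file you wrote; anything other than the two `pkcs8-` answers means the blob is not in PKCS#8 format.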
Legacy Article ID: a4614