doc-exports/docs/kms/umn/dew_01_0472.html
qinweiwei 3e4721c813 KMS UMN 20251111 version
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qinweiwei <qinweiwei@huawei.com>
Co-committed-by: qinweiwei <qinweiwei@huawei.com>
2026-01-19 09:05:54 +00:00


<a name="dew_01_0472"></a>
<h1 class="topictitle1">How Do I Convert an Original EC Private Key into a Private Key in PKCS8 Format?</h1>
<div id="body0000002146209870"><div class="section" id="dew_01_0472__section18381449162918"><h4 class="sectiontitle">Scenario</h4><p id="dew_01_0472__p9219507307">A raw EC private key is simply a large integer. In the key pair import scenario, however, the private key must be ASN.1-encoded and then serialized in binary form to obtain the DER format. This DER encoding cannot be obtained directly by running an OpenSSL command.</p>
<p id="dew_01_0472__p1285003020">This section describes how to convert a 256-bit EC private key into a private key in PKCS8 format.</p>
</div>
<div class="section" id="dew_01_0472__section1521692016114"><h4 class="sectiontitle">Environment Preparations</h4><ul id="dew_01_0472__ul146695424119"><li id="dew_01_0472__li9669242314">Set up a Java environment and import Bouncy Castle 1.78 or later.</li><li id="dew_01_0472__li5669134215118">Install OpenSSL 1.1.1m or later.</li></ul>
</div>
<div class="section" id="dew_01_0472__section477392483520"><h4 class="sectiontitle">Converting a Private Key to a PKCS8 Object</h4><p id="dew_01_0472__p88011747153611">The following uses a secp256k1 private key as an example. The original private key in hexadecimal format is as follows:</p>
<p id="dew_01_0472__p188016477367">```DC23DA6E913444ABADCE2F42A3B7DC3958569948633EE80AEC46ACCA02523495```</p>
<div class="note" id="dew_01_0472__note112361646121415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0472__p13488142463616">This private key is an example only. Do not use it in a real environment.</p>
</div></div>
<p id="dew_01_0472__p712054144013">Use the following code to convert the private key into a PKCS8 object:</p>
<pre class="screen" id="dew_01_0472__screen016372519499">```java
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.interfaces.ECPrivateKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
import org.bouncycastle.jce.spec.ECPrivateKeySpec;
import org.bouncycastle.jce.spec.ECPublicKeySpec;
import org.bouncycastle.math.ec.ECPoint;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.util.Base64;

public class RawEcPrivateKeyToPKCS8Object {
    public static void main(String[] args)
            throws InvalidParameterSpecException, NoSuchAlgorithmException, InvalidKeySpecException {
        Security.addProvider(new BouncyCastleProvider());
        KeyFactory keyFactory = KeyFactory.getInstance("ECDSA", new BouncyCastleProvider());
        ECNamedCurveParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("secp256k1");

        // Raw private key: the scalar d as a hexadecimal integer (example value only).
        BigInteger d = new BigInteger("DC23DA6E913444ABADCE2F42A3B7DC3958569948633EE80AEC46ACCA02523495", 16);
        ECPrivateKeySpec ecPrivateKeySpec = new ECPrivateKeySpec(d, ecSpec);
        BCECPrivateKey ec = new BCECPrivateKey("EC", ecPrivateKeySpec, BouncyCastleProvider.CONFIGURATION);

        // Derive the public point Q = d * G so that it can be embedded in the encoded key.
        ECPoint q = ecSpec.getG().multiply(((ECPrivateKey) ec).getD());
        ECPublicKeySpec pubSpec = new ECPublicKeySpec(q, ecSpec);
        PublicKey publicKey = keyFactory.generatePublic(pubSpec);

        // Rebuild the private key together with its public key and curve parameters.
        BCECPrivateKey ec2 = new BCECPrivateKey("EC", ec.engineGetKeyParameters(), (BCECPublicKey) publicKey,
                ecPrivateKeySpec.getParams(), BouncyCastleProvider.CONFIGURATION);

        // getEncoded() returns the PKCS8 DER bytes; print them as Base64.
        System.out.println(Base64.getEncoder().encodeToString(ec2.getEncoded()));
    }
}
```</pre>
<p id="dew_01_0472__p1712019434018">The output is as follows:</p>
<pre class="screen" id="dew_01_0472__screen187371354164010">```ignorelang
MIGNAgEAMBAGByqGSM49AgEGBSuBBAAKBHYwdAIBAQQg3CPabpE0RKutzi9Co7fcOVhWmUhjPugK7EasygJSNJWgBwYFK4EEAAqhRANCAAQWiYvQT8cyVJx3wN85fXw0c2Ppv3SEsgnDaB96rWlz6G2bf2WhBJVD/jF5zb+5/oxgVIOYDe8EwqYtBwhIJ3Yh
```</pre>
<p id="dew_01_0472__p1312010464018">Decode the output with an ASN.1 decoding tool:</p>
<pre class="screen" id="dew_01_0472__screen1118514399401">```
&lt;SEQUENCE&gt;
  &lt;INTEGER/&gt;
  &lt;SEQUENCE&gt;
    &lt;OBJECT_IDENTIFIER Comment="ANSI X9.62 public key type" Description="ecPublicKey"&gt;1.2.840.10045.2.1&lt;/OBJECT_IDENTIFIER&gt;
    &lt;OBJECT_IDENTIFIER Comment="SECG (Certicom) named elliptic curve" Description="secp256k1"&gt;1.3.132.0.10&lt;/OBJECT_IDENTIFIER&gt;
  &lt;/SEQUENCE&gt;
  &lt;OCTET_STRING&gt;
    &lt;SEQUENCE&gt;
      &lt;INTEGER&gt;1&lt;/INTEGER&gt;
      &lt;OCTET_STRING&gt;0xDC23DA6E913444ABADCE2F42A3B7DC3958569948633EE80AEC46ACCA02523495&lt;/OCTET_STRING&gt;
      &lt;NODE Sign="a0"&gt;
        &lt;OBJECT_IDENTIFIER Comment="SECG (Certicom) named elliptic curve" Description="secp256k1"&gt;1.3.132.0.10&lt;/OBJECT_IDENTIFIER&gt;
      &lt;/NODE&gt;
      &lt;NODE Sign="a1"&gt;
        &lt;BIT_STRING Bits="520"&gt;0x000416898BD04FC732549C77C0DF397D7C347363E9BF7484B209C3681F7AAD6973E86D9B7F65A1049543FE3179CDBFB9FE8C605483980DEF04C2A62D070848277621&lt;/BIT_STRING&gt;
      &lt;/NODE&gt;
    &lt;/SEQUENCE&gt;
  &lt;/OCTET_STRING&gt;
&lt;/SEQUENCE&gt;
```</pre>
<p id="dew_01_0472__p212034154015">Add the following content to the <span class="parmvalue" id="dew_01_0472__parmvalue15376111214416"><b>ec_private_key.pem</b></span> file:</p>
<pre class="screen" id="dew_01_0472__screen14833111919416">```ignorelang
-----BEGIN PRIVATE KEY-----
MIGNAgEAMBAGByqGSM49AgEGBSuBBAAKBHYwdAIBAQQg3CPabpE0RKutzi9Co7fcOVhWmUhjPugK7EasygJSNJWgBwYFK4EEAAqhRANCAAQWiYvQT8cyVJx3wN85fXw0c2Ppv3SEsgnDaB96rWlz6G2bf2WhBJVD/jF5zb+5/oxgVIOYDe8EwqYtBwhIJ3Yh
-----END PRIVATE KEY-----
```</pre>
<p id="dew_01_0472__p141201142402">Run the following command to view the EC key information:</p>
<pre class="screen" id="dew_01_0472__screen2052214306419">```shell
openssl ec -in ec_private_key.pem -text
```
```ignorelang
read EC key
Private-Key: (256 bit)
priv:
dc:23:da:6e:91:34:44:ab:ad:ce:2f:42:a3:b7:dc:
39:58:56:99:48:63:3e:e8:0a:ec:46:ac:ca:02:52:
34:95
pub:
04:16:89:8b:d0:4f:c7:32:54:9c:77:c0:df:39:7d:
7c:34:73:63:e9:bf:74:84:b2:09:c3:68:1f:7a:ad:
69:73:e8:6d:9b:7f:65:a1:04:95:43:fe:31:79:cd:
bf:b9:fe:8c:60:54:83:98:0d:ef:04:c2:a6:2d:07:
08:48:27:76:21
ASN1 OID: secp256k1
writing EC key
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEINwj2m6RNESrrc4vQqO33DlYVplIYz7oCuxGrMoCUjSVoAcGBSuBBAAK
oUQDQgAEFomL0E/HMlScd8DfOX18NHNj6b90hLIJw2gfeq1pc+htm39loQSVQ/4x
ec2/uf6MYFSDmA3vBMKmLQcISCd2IQ==
-----END EC PRIVATE KEY-----
```</pre>
<p id="dew_01_0472__p112010412402">If the command runs successfully, use the following command to generate the key in <strong id="dew_01_0472__b18997154313595">DER</strong> format:</p>
<pre class="screen" id="dew_01_0472__screen1845854313410">```shell
openssl pkcs8 -topk8 -inform PEM -outform DER -in ec_private_key.pem -out ec_private_key.der -nocrypt
```</pre>
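<p>The structure shown by the ASN.1 decoding tool can also be checked in code before the key is imported. The following Python script is an added example, not part of the original documentation: it walks the DER bytes of the PKCS8 output above and reports the version, the algorithm and curve OIDs, the private scalar and the public point. All function and variable names are illustrative.</p>
<pre class="screen">
```python
import base64

# PKCS8 output and raw scalar copied from this page (example key only).
PKCS8_B64 = "MIGNAgEAMBAGByqGSM49AgEGBSuBBAAKBHYwdAIBAQQg3CPabpE0RKutzi9Co7fcOVhWmUhjPugK7EasygJSNJWgBwYFK4EEAAqhRANCAAQWiYvQT8cyVJx3wN85fXw0c2Ppv3SEsgnDaB96rWlz6G2bf2WhBJVD/jF5zb+5/oxgVIOYDe8EwqYtBwhIJ3Yh"
RAW_D_HEX = "DC23DA6E913444ABADCE2F42A3B7DC3958569948633EE80AEC46ACCA02523495"

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: the low 7 bits count the length bytes
        n = length - 0x80
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos != len(buf):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items

def oid(value):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        acc = acc * 128 + byte % 128  # each byte carries 7 payload bits
        if byte == byte % 128:  # high bit clear: last byte of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_pkcs8(der):
    """Return the fields of an unencrypted PKCS8 EC key; raise if malformed."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    (_, version), (_, alg), (_, key) = children(body)[:3]
    alg_oid, curve_oid = (oid(v) for _, v in children(alg))
    sec1 = children(read_tlv(key)[1])  # ECPrivateKey inside the OCTET STRING
    optional = dict(sec1[2:])  # context tags 0xA0 (curve) and 0xA1 (public key)
    public = read_tlv(optional[0xA1])[1][1:] if 0xA1 in optional else b""
    return {"version": int.from_bytes(version, "big"), "algorithm": alg_oid,
            "curve": curve_oid, "d": sec1[1][1].hex().upper(),
            "public": public.hex().upper()}

INFO = inspect_pkcs8(base64.b64decode(PKCS8_B64))
print(INFO["d"] == RAW_D_HEX, INFO["algorithm"], INFO["curve"])
```
</pre>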
</div>
</div>