6 Replies. Latest reply: Dec 12, 2011 12:02 PM by 882656

    Unable to generate private key from password-protected private key

    882656
      I've been writing some code to sign data. So far this is what I have:
      import java.io.BufferedInputStream;
      import java.io.ByteArrayOutputStream;
      import java.io.FileInputStream;
      import java.io.IOException;
      import java.math.BigInteger;
      import java.security.GeneralSecurityException;
      import java.security.KeyFactory;
      import java.security.PrivateKey;
      import java.security.Signature;
      import java.security.spec.KeySpec;
      import java.security.spec.PKCS8EncodedKeySpec;

      public void encryptHash(String hashToEncrypt, String pathOfKey, String Algorithm)
              throws IOException, GeneralSecurityException {
          ByteArrayOutputStream baos = new ByteArrayOutputStream();
          int len;

          // Read the raw bytes of the key file
          FileInputStream fis = new FileInputStream(pathOfKey);
          while((len = fis.read()) != -1){
              baos.write(len);
          }
          fis.close();

          KeyFactory kf = KeyFactory.getInstance(Algorithm); //Algorithm = "RSA"
          KeySpec keySpec = new PKCS8EncodedKeySpec(baos.toByteArray());
          baos.close();
          PrivateKey privateKey = kf.generatePrivate(keySpec);  //Here's the exception thrown

          Signature rsaSigner = Signature.getInstance("SHA1withRSA");
          rsaSigner.initSign(privateKey);

          // Feed the file to be signed through the signer in 1 KB chunks
          fis = new FileInputStream(hashToEncrypt);
          BufferedInputStream bis = new BufferedInputStream(fis);
          byte[] buffer = new byte[1024];
          while((len = bis.read(buffer)) >= 0){
              rsaSigner.update(buffer, 0, len);
          }
          bis.close();

          byte[] signature = rsaSigner.sign();

          // The signature is binary, so print it as hex
          System.out.println(new BigInteger(1, signature).toString(16));
      }
      The problem is that I'm getting the following exception and I can't find information about it.
      dic 09, 2011 12:49:02 PM firmaelectronica.DataEncryptor encryptHash
      Grave: null
      java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DER input, Integer tag error
          at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
          at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
          at firmaelectronica.DataEncryptor.encryptHash(DataEncryptor.java:40)
          at firmaelectronica.FirmaElectronica.main(FirmaElectronica.java:39)
      Caused by: java.security.InvalidKeyException: IOException : DER input, Integer tag error
          at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:361)
          at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:367)
          at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
          at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
          at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
          at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
      What does "DER input, Integer tag error" mean? How can I read a password-protected PKCS8 DER private key to sign a file?

      Thanks so much in advance !!!!!

      Edited by: 879653 on 09-dic-2011 15:44
        • 1. Re: Unable to generate private key from password-protected private key
          sabre150
          Looks to me like your key file does not contain a PKCS8 encoded RSA private key. Is the key armoured (base64 encoded in an envelope)? What code/software was used to generate the key file?
          • 2. Re: Unable to generate private key from password-protected private key
            882656
            I was thinking the same. I don't know how it was generated; the government is giving them out so that people can pay their taxes over the internet. On the government's page it says that *"the private key is a file with .key extension as defined in the standard PKCS8 and is ciphered by the same specifications of standard PKCS1"*

            It uses RSA as algorithm, that's 100% sure.

            I don't know anything about the envelope so I can't tell you if it has something like that.

            By the way, it has a password that protects the private key. Doesn't that have something to do with my problem? Just guessing.

            Finally, is there a way to know what format it is? I have the certificate that belongs to that key and I can read it with OpenSSL, I don't know if that helps though.

            Thanks for answering.
            • 3. Re: Unable to generate private key from password-protected private key
              sabre150
              879653 wrote:
              > I was thinking the same. I don't know how it was generated; the government is giving them out so that people can pay their taxes over the internet. On the government's page it says that *"the private key is a file with .key extension as defined in the standard PKCS8 and is ciphered by the same specifications of standard PKCS1"*
              That scares me! This means that the government have access to your private key so it is not very private. Only you should have access to your private key; not your government, your cousin, your uncle, your lawyer or even your wife.

              > It uses RSA as algorithm, that's 100% sure.
              >
              > I don't know anything about the envelope so I can't tell you if it has something like that.
              Open the key file with a text editor. If it is a text file then it should have a header saying something like RSA PRIVATE KEY with a Base64 encoded body (the actual private key). If it is not a text file then I can't help without access to it and it does not make security sense to give me access.

              > By the way, it has a password that protects the private key. Doesn't that have something to do with my problem? Just guessing.
              Does the government also supply the password? If not then presumably they provide some software for you to use that has the password compiled into it.

              > Finally, is there a way to know what format it is? I have the certificate that belongs to that key and I can read it with OpenSSL, I don't know if that helps though.
              Can you read the key file using OpenSSL? That is normally my first line of attack.
              • 4. Re: Unable to generate private key from password-protected private key
                882656
                Sorry! In fact I just have my private key and my password. The government established the technical specifications so I don't know them exactly. Don't be scared anymore !!

                Nope, it is not Base64. It doesn't have the --------BEGIN KEY-------- ------------END KEY--------------

                Actually I tried using this

                OpenSSL> pkcs8 -inform DER -in archivo.key -out llave.pem
                Enter Password: password

                OpenSSL> rsa -in llave.pem -out llave.txt -text -noout

                and I can get the private key as you said (Base64).
                • 5. Re: Unable to generate private key from password-protected private key
                  sabre150
                  Maybe this will help -

                  http://stackoverflow.com/questions/2654949/how-to-read-a-password-encrypted-key-with-java
                  • 6. Re: Unable to generate private key from password-protected private key
                    882656
                    Thanks for all your responses. I finally found a way to load the key.

                    The key is password-protected, so to be able to load it from Java code it shouldn't be password-protected. What I did to achieve this:

                    openssl pkcs8 -inform der -in myDERPassProtectedKey.key -outform pem -out myPEMPassProtectedKey.key
                    It prompts for the password and then I have a PEM key, but Java prefers DER-NoPassProtected format, so:
                    openssl pkcs8 -topk8 -nocrypt -in myPEMPassProtectedKey.key -outform DER -out myDERNotAnyMorePassProtectedKey.key
                    And then it can be loaded with the code posted previously.
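
An alternative to the OpenSSL conversion in the last reply, as an added example that is not part of the original thread: the password-protected PKCS#8 DER file can be decrypted in memory with `javax.crypto.EncryptedPrivateKeyInfo`, so no unencrypted copy of the key is written to disk. The class name `EncryptedKeyLoader`, its methods and the sample password are hypothetical; run without arguments, it uses a constructed sample key instead of a real file.

```java
import java.nio.file.*;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public class EncryptedKeyLoader {
    // Decrypts a DER-encoded PKCS#8 EncryptedPrivateKeyInfo in memory.
    static PrivateKey load(byte[] der, char[] password) throws Exception {
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(der);
        PBEKeySpec pbeSpec = new PBEKeySpec(password);
        try {
            // The PBE scheme is named inside the file; whether the JDK's
            // providers support it depends on the JDK version.
            String alg = epki.getAlgName();
            SecretKey pbeKey = SecretKeyFactory.getInstance(alg).generateSecret(pbeSpec);
            Cipher cipher = Cipher.getInstance(alg);
            cipher.init(Cipher.DECRYPT_MODE, pbeKey, epki.getAlgParameters());
            // A wrong password surfaces here as an InvalidKeySpecException.
            PKCS8EncodedKeySpec spec = epki.getKeySpec(cipher);
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } finally {
            pbeSpec.clearPassword(); // do not leave the password in the spec
        }
    }

    // Constructed sample input: a fresh RSA key wrapped as encrypted PKCS#8 DER.
    // The PBE scheme is chosen only because the default JDK provider supports it.
    static byte[] sampleEncryptedKey(char[] password) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        byte[] pkcs8 = kpg.generateKeyPair().getPrivate().getEncoded();
        String alg = "PBEWithSHA1AndDESede";
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        SecretKey k = SecretKeyFactory.getInstance(alg).generateSecret(new PBEKeySpec(password));
        Cipher c = Cipher.getInstance(alg);
        c.init(Cipher.ENCRYPT_MODE, k, new PBEParameterSpec(salt, 2048));
        return new EncryptedPrivateKeyInfo(c.getParameters(), c.doFinal(pkcs8)).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // With an argument: read that key file and prompt for its password.
        char[] pw = args.length > 0 ? System.console().readPassword("Password: ")
                                    : "constructed-sample".toCharArray();
        byte[] der = args.length > 0 ? Files.readAllBytes(Paths.get(args[0]))
                                     : sampleEncryptedKey(pw);
        PrivateKey key = load(der, pw);
        System.out.println("Loaded " + key.getAlgorithm() + " key, format " + key.getFormat());
    }
}
```

The returned `PrivateKey` can be passed to `Signature.initSign` exactly as in the code from the first post.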