I have generated a private key and encrypted it with a password. Now I

Question

0

Asked: June 18, 20262026-06-18T00:44:03+00:00 2026-06-18T00:44:03+00:00

I have generated a private key and encrypted it with a password. Now I

0

I have generated a private key and encrypted it with a password. Now I want to load it to EncryptedPrivateKeyInfo, so that I can construct and export it into a PEM format file. Below is the code I use,

final CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
final X500Name x500Name =
    new X500Name("IN", "AP", "HYD", "TEST", "TEST_ORG", "test@xyz.com");
keypair.generate(1024);
final PrivateKey privKey = keypair.getPrivateKey();
final X509Certificate[] chain = new X509Certificate[1];
long validity = 123;
chain[0] = keypair.getSelfCertificate(x500Name, new Date(), 
    validity * 24 * 60 * 60);
Key key =  new SecretKeySpec(password.getBytes(), ALGO);
Cipher c = Cipher.getInstance(ALGO);
c.init(Cipher.ENCRYPT_MODE, key);
byte[] encVal = c.doFinal(privKey.getEncoded());
AlgorithmParameters params = AlgorithmParameters.getInstance("DES");
params.init(encVal); // <--- exception thrown here
EncryptedPrivateKeyInfo encinfo = new EncryptedPrivateKeyInfo(params, encVal);

// displaying encrypting value
String encryptedValue = Base64.encodeBase64String(encinfo.getEncoded());
System.out.println(encryptedValue);

But while executing the above code, I get the below exception

java.io.IOException: DER input not an octet string
  at sun.security.util.DerInputStream.getOctetString(DerInputStream.java:233)
  at com.sun.crypto.provider.SunJCE_t.a(DashoA13*..)
  at com.sun.crypto.provider.DESParameters.engineInit(DashoA13*..)
  at java.security.AlgorithmParameters.init(AlgorithmParameters.java:260)

in the line params.init(encVal);. I don’t get what’s going wrong from the exception. Any help or suggestion will be really appreciated. Thanks in advance.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-18T00:44:04+00:00

A PKCS #8 file containing an encrypted private key has the following ASN.1 structure:

EncryptedPrivateKeyInfo ::= SEQUENCE {
  encryptionAlgorithm EncryptionAlgorithmIdentifier,
  encryptedData EncryptedData }

Notice how the encrypted data is only part of the total data package. You need to include this data in a sequence along with the encryption algorithm identifier. Your code above produces only the encryptedData part.

I would suggest you consider using BouncyCastle. It looks like they may have improved support for PKCS#8 recently. Here’s some sample code:

KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = generator.generateKeyPair();

final PrivateKey privKey = keyPair.getPrivate();

JceOpenSSLPKCS8EncryptorBuilder builder =
    new JceOpenSSLPKCS8EncryptorBuilder(PKCS8Generator.PBE_SHA1_3DES);

builder.setIterationCount(10000);
builder.setPasssword("Hello, World!".toCharArray());

OutputEncryptor outputEncryptor = builder.build();    
PKCS8Generator pkcs8Generator =
    new JcaPKCS8Generator(privKey, outputEncryptor);

try (PemWriter writer = new PemWriter(new PrintWriter(System.out))) {
  writer.writeObject(pkcs8Generator);
}

This will output an encrypted private key:

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have generated a private key and encrypted it with a password. Now I

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply