Expand description
§RustCrypto: PKCS#8 (Private Keys)
Pure Rust implementation of Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification (RFC 5208).
§About PKCS#8
PKCS#8 is a format for cryptographic private keys, often containing pairs of private and public keys.
You can identify a PKCS#8 private key encoded as PEM (i.e. text) by the following:
-----BEGIN PRIVATE KEY-----
PKCS#8 private keys can optionally be encrypted under a password using key derivation algorithms like PBKDF2 and scrypt, and encrypted with ciphers like AES-CBC. When a PKCS#8 private key has been encrypted, it starts with the following:
-----BEGIN ENCRYPTED PRIVATE KEY-----
PKCS#8 private keys can also be serialized in an ASN.1-based binary format. The PEM text encoding is a Base64 representation of this format.
§Supported Algorithms
This crate is implemented in an algorithm-agnostic manner with the goal of enabling PKCS#8 support for any algorithm.
That said, it has been tested for interoperability against keys generated by OpenSSL for the following algorithms:
- ECC (
id-ecPublicKey
) - Ed25519 (
id-Ed25519
) - RSA (
id-rsaEncryption
) - X25519 (
id-X25519
)
Please open an issue if you encounter trouble using it with a particular algorithm, including the ones listed above or other algorithms.
§Minimum Supported Rust Version
This crate requires Rust 1.57 at a minimum.
We may change the MSRV in the future, but it will be accompanied by a minor version bump.
§License
Licensed under either of:
at your option.
§Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
§About this crate
This library provides generalized PKCS#8 support designed to work with a
number of different algorithms. It supports no_std
platforms including
ones without a heap (albeit with reduced functionality).
It supports decoding/encoding the following types:
- [
EncryptedPrivateKeyInfo
]: (withpkcs5
feature) encrypted key. PrivateKeyInfo
: algorithm identifier and data representing a private key. Optionally also includes public key data for asymmetric keys.SubjectPublicKeyInfo
: algorithm identifier and data representing a public key (re-exported from the [spki
] crate)
When the pem
feature is enabled, it also supports decoding/encoding
documents from “PEM encoding” format as defined in RFC 7468.
§Encrypted Private Key Support
[EncryptedPrivateKeyInfo
] supports decoding/encoding encrypted PKCS#8
private keys and is gated under the pkcs5
feature.
When the encryption
feature of this crate is enabled, it provides
[EncryptedPrivateKeyInfo::decrypt
] and [PrivateKeyInfo::encrypt
]
functions which are able to decrypt/encrypt keys using the following
algorithms:
- PKCS#5v2 Password Based Encryption Scheme 2 (RFC 8018)
- Key derivation functions:
- Symmetric encryption: AES-128-CBC, AES-192-CBC, or AES-256-CBC (best available options for PKCS#5v2)
§Legacy DES-CBC and DES-EDE3-CBC (3DES) support (optional)
When the des-insecure
and/or 3des
features are enabled this crate provides support for
private keys encrypted with with DES-CBC and DES-EDE3-CBC (3DES or Triple DES) symmetric
encryption, respectively.
⚠️ WARNING ⚠️
DES support (gated behind the des-insecure
feature) is implemented to
allow for decryption of legacy PKCS#8 files only.
Such PKCS#8 documents should be considered INSECURE due to the short 56-bit key size of DES.
New keys should use AES instead.
Re-exports§
pub use der;
pub use spki;
Structs§
- X.509
AlgorithmIdentifier
as defined in RFC 5280 Section 4.1.1.2. - ASN.1 DER-encoded document.
- Object identifier (OID).
- PKCS#8
PrivateKeyInfo
. - Secret
Document
type. - X.509
SubjectPublicKeyInfo
(SPKI) as defined in RFC 5280 § 4.1.2.7.
Enums§
- Error type
- Line endings: variants of newline characters that can be used with Base64.
- Version identifier for PKCS#8 documents.
Traits§
- A trait which associates an OID with a type.
- Parse a private key object from a PKCS#8 encoded document.
- Parse a public key object from an encoded SPKI document.
- Serialize a private key object to a PKCS#8 encoded document.
- Serialize a public key object to a SPKI-encoded document.
Type Aliases§
- Result type