I have a ASN.1 encoded RSA private key in a pem file in this format:
-----BEGIN RSA PRIVATE KEY-----
base64 encoded pkcs8 key
-----END RSA PRIVATE KEY-----
Now, to import it into my RSACng object I need to follow these steps:
Read the file and extract the encoded key
Convert base64 to bytes to get the byte[] for the pkcs8 key
Decode the byte[] from ASN.1 (DER) to key information (modulus, exponent etc.)
Load these parameters into the RSACng object
I have the following two questions:
1. Why doesn't the CngKeyBlobFormat.Pkcs8PrivateBlob allow you to automatically import the PKCS8 byte[] key into the RSACng object?
For instance, why couldn't it work in this way:
var keyData = GetBytesFromPEM(pemstring); // Get the bytes for key that is ASN.1 DER encoded
CngKey cngKey = CngKey.Import(keyData, CngKeyBlobFormat.Pkcs8PrivateBlob);
CngKeyBlobFormat clearly specifies that it is a PKCS8 private blob.
2. What is the ASN.1 encoding format of the RSACng.Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob)?
I noticed that if I load the key into the RSACng as I described above and I then export the same key using the above code, I get the BLOB which is encoded in a different ASN.1 format, and which INSIDE it contains the ASN.1 DER encoded key. Basically, to get information from this exported key I would need to DECODE it from this ASN.1 format again to get the original key parameters stored inside it, which are AGAIN encoded in ASN.1 DER.
Why is it such a mess? And is the reason why you cannot import the ASN.1 DER encoded key into the RSACng that CngKeyBlobFormat.Pkcs8PrivateBlob has a different ASN.1 encoding format and it is not DER? Would the potential workaround then be to encode the original RSA private key to that other ASN.1 format, since this is exactly how the key is exported?
EDIT: apparently, RSACng.Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob) uses Object Identifiers (I'm not yet familiar with that), but it seems to still be in DER format.
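As an added example (not code from the question or from any answer to it), the C# below imports the PEM into an RSACng via CngKey.Import(..., CngKeyBlobFormat.Pkcs8PrivateBlob) and then checks what Export(Pkcs8PrivateBlob) gives back. It relies on the standard meaning of the PEM labels: a "RSA PRIVATE KEY" block is a PKCS#1 RSAPrivateKey, a "PRIVATE KEY" block is a PKCS#8 PrivateKeyInfo, and only the latter is what Pkcs8PrivateBlob expects, so a PKCS#1 body is wrapped in a hand-built DER PrivateKeyInfo first; the helper names (Tlv, Pkcs1ToPkcs8, LoadFromPem, ExportIsPkcs8Der) are mine, and it assumes an unencrypted key on Windows.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
static class PemCngImport
{
    // DER AlgorithmIdentifier for rsaEncryption: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
    static readonly byte[] RsaAlgId = { 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
                                        0x01, 0x01, 0x01, 0x05, 0x00 };
    // Minimal definite-length DER TLV encoder; two length bytes cover any RSA key size.
    static byte[] Tlv(byte tag, byte[] content)
    {
        int len = content.Length;
        byte[] lenBytes = len < 0x80  ? new[] { (byte)len }
                        : len < 0x100 ? new[] { (byte)0x81, (byte)len }
                        : new[] { (byte)0x82, (byte)(len >> 8), (byte)len };
        return new[] { tag }.Concat(lenBytes).Concat(content).ToArray();
    }
    // PKCS#1 -> PKCS#8: SEQUENCE { INTEGER 0, AlgorithmIdentifier rsaEncryption, OCTET STRING <RSAPrivateKey> }
    static byte[] Pkcs1ToPkcs8(byte[] pkcs1) =>
        Tlv(0x30, new byte[] { 0x02, 0x01, 0x00 }.Concat(RsaAlgId).Concat(Tlv(0x04, pkcs1)).ToArray());
    // "RSA PRIVATE KEY" is the PKCS#1 PEM label, "PRIVATE KEY" the PKCS#8 one; only PKCS#8 DER is a Pkcs8PrivateBlob.
    public static RSACng LoadFromPem(string pem)
    {
        var m = Regex.Match(pem, @"-----BEGIN (?<label>[A-Z ]+)-----(?<body>.*?)-----END \k<label>-----",
                            RegexOptions.Singleline);
        if (!m.Success) throw new FormatException("no PEM block found");
        byte[] der = Convert.FromBase64String(Regex.Replace(m.Groups["body"].Value, @"\s", ""));
        byte[] pkcs8 = m.Groups["label"].Value == "RSA PRIVATE KEY" ? Pkcs1ToPkcs8(der) : der;
        return new RSACng(CngKey.Import(pkcs8, CngKeyBlobFormat.Pkcs8PrivateBlob));
    }
    // Export(Pkcs8PrivateBlob) is DER as well: a PrivateKeyInfo whose OCTET STRING holds the PKCS#1 RSAPrivateKey.
    public static bool ExportIsPkcs8Der(RSACng rsa)
    {
        byte[] blob = rsa.Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob);
        string hex = BitConverter.ToString(blob).Replace("-", "");
        return blob[0] == 0x30 && hex.Contains("06092A864886F70D010101"); // outer SEQUENCE + rsaEncryption OID
    }
    static void Main(string[] args)
    {
        // Path argument: import that PEM file. No argument: self-test with a freshly generated key (no real key embedded).
        string pem = args.Length > 0 ? File.ReadAllText(args[0])
            : "-----BEGIN PRIVATE KEY-----\n" + Convert.ToBase64String(
                  new RSACng(2048).Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob)) + "\n-----END PRIVATE KEY-----";
        using (RSACng rsa = LoadFromPem(pem))
            Console.WriteLine($"{rsa.KeySize}-bit key imported; export is PKCS#8 DER: {ExportIsPkcs8Der(rsa)}");
    }
}
```

The OID bytes checked in ExportIsPkcs8Der are the DER encoding of rsaEncryption (1.2.840.113549.1.1.1), which is the "Object Identifier" the EDIT refers to; it identifies the algorithm of the key wrapped inside the OCTET STRING.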