That is, would you ever find a PEM file which starts:

`-----BEGIN DH PRIVATE KEY-----`

or:

`-----BEGIN DH PUBLIC KEY-----`

?

And if so, what is its structure?

I know static DH keys are an oddity, and perhaps even extinct. And i know you can put a DH private key inside a PKCS#8 wrapper, and that you can put a DH public key in an X.509 certificate, or have it as a loose X.509-style public key - or at least, that OpenSSL knows how to do it! But i can't find any reference to anyone ever using the older format for static DH keys.

The reason i ask is that i'm writing some code that takes keys as input, and i'd like to support as wide a range of keys as possible. I can handle keys for the RSA, DSA, EC and DH algorithms. As for formats, i support:

  • PKCS#8 format for private keys
  • X.509 PublicKeyInfo format (as produced by `openssl pkey`) for public keys
  • PKCS#1 for RSA private keys
  • PKCS#1-like for DSA private keys (as produced by `openssl dsaparam -genkey`)
  • PKCS#1-like for EC private keys (as produced by `openssl ecparam -genkey`)

I'm trying to work out if there's a PKCS#1-like format for DH private keys as well, because if there is, i should support it.

Tom Anderson

1 Answer

Short version:

  • Yes, PKCS#8 is a PKCS#1 style wrapper which can contain a DH key.
  • PKCS#1 is an RSA-specific format, so no, you won't find a DH key in it.

Medium version:

Once upon a time, RSA invented some crypto. And they wanted to wrap it in a usable format, so they invented PKCS#1. That's why it's, you know, #1 - because it came first. But it really only handled RSA keys, as reflected by the use of "RSA" in the wrapper.

Somewhat further along the road, they said "Wait a minute! We should be able to do the same thing with DH keys, and Elliptic Curve keys, and... Let's create a new PKCS that's flexible by design and can handle different types of keys. And, um, while we're doing it, let's take the algorithm name OUT of the wrapper and encode it as part of the data." And that's how PKCS#8 was born.

Long version:

There's a question on Stack Overflow that triggered some great answers in this space. This answer talks about the PKCS#1 / PKCS#8 distinction. And this answer, which is bear-like in its awesomeness, goes into the details of the design history that I've tried to sum up in the Medium version above.

Footnote: the "Long version" I've provided is actually longer once you've read the two referenced SO answers, so don't be snarky.

gowenfawr
  • This doesn't quite answer my question. As i mentioned, i know that PKCS#8 exists, and that you can put DH keys in it. What i would like to know is whether there is any kind of non-PKCS#8 legacy format that i should be prepared for. I guess it won't strictly be PKCS#1, since as you say, that's for RSA, but then nor is the output of `openssl ecparam -name prime256v1 -genkey -noout -out service_ec.key`, and that exists (and isn't PKCS#8). I'll try to clarify my question. – Tom Anderson Jun 23 '16 at 10:26
  • @TomAnderson I'm not aware of any, but of course absence of evidence doesn't mean evidence of absence. It's hard to prove something never existed, especially if the hypothetical something would have been supplanted by a known standard (in a niche where standards actually mean something, I mean, we're not talking RFCs here). – gowenfawr Jun 23 '16 at 12:40
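
An added example, not code from the question or the answer: a small Python classifier for key-loading code like the question describes, showing the answer's point that PKCS#8 (and the X.509 public key format) name the algorithm by an OID inside the data, while the older per-algorithm formats rely on the PEM label alone. The function names and the toy DH values are assumptions made for illustration, and encrypted PKCS#8 is not handled.

```python
import base64, re

KEY_OIDS = {  # algorithm OIDs carried inside the PKCS#8 / SPKI wrappers
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "EC",
    "1.2.840.113549.1.3.1": "DH (PKCS#3 dhKeyAgreement)",
    "1.2.840.10046.2.1": "DH (X9.42 dhpublicnumber)",
}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:  # base-128 digits; a set high bit means more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify(pem):  # -> (pem_label, wrapper, algorithm) for the first block
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, (tag, seq, _) = m.group(1), read_tlv(base64.b64decode(m.group(2)), 0)
    tag1, algid, nxt = read_tlv(seq, 0)
    wrapper = "PKCS#8 PrivateKeyInfo" if tag1 == 0x02 else "SubjectPublicKeyInfo"
    if tag1 == 0x02:  # leading version INTEGER: PKCS#8, or a traditional key
        tag1, algid, _ = read_tlv(seq, nxt)
    if tag != 0x30 or tag1 != 0x30 or algid[:1] != b"\x06":
        return label, "neither PKCS#8 nor SubjectPublicKeyInfo", None
    oid = decode_oid(read_tlv(algid, 0)[1])
    return label, wrapper, KEY_OIDS.get(oid, oid)

ALGID = "3013" "06092a864886f70d010301" "3006020117020105"  # constructed: p=23, g=5
SAMPLES = {"PRIVATE KEY": "301d020100" + ALGID + "0403020106",  # toy x=6
           "PUBLIC KEY": "301b" + ALGID + "030400020108",       # toy y=8
           "RSA PRIVATE KEY": "3006020100020121"}               # truncated stub

def to_pem(label, hexder):  # wrap constructed DER (given as hex) in PEM armour
    b64 = base64.b64encode(bytes.fromhex(hexder)).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"
```

Any block that is neither wrapper comes back with `None` as the algorithm, so the caller has to dispatch on the PEM label for those and can reject labels it does not know.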