
ShortFuse , (edited )

Yeah, except for the first few bytes. PKCS8 has some initial header information, but most of it is the OCTET_STRING of the private key itself.

The PEM (human “readable”) version is Base64, so you can craft a string and make that your key. DER is that same content converted back to binary:


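/**
 * @see https://datatracker.ietf.org/doc/html/rfc5208#section-5
 * @see https://datatracker.ietf.org/doc/html/rfc2313#section-11
 * Unwraps PKCS8 Container for internal key (RSA or EC)
 *
 * Expects the decoded PrivateKeyInfo to be
 *   SEQUENCE { version INTEGER, privateKeyAlgorithm SEQUENCE, privateKey OCTET STRING, ... }
 * Only the first three members are inspected; anything after the
 * OCTET_STRING (e.g. optional attributes) is ignored.
 *
 * Without checkOID the algorithm is NOT verified — callers that require a
 * specific key type (RSA vs EC) should pass the expected OID.
 *
 * @param {string|Uint8Array} pkcs8 PEM text or DER bytes, as accepted by derFromPrivateKeyInformation
 * @param {string} [checkOID] OID that must appear in the AlgorithmIdentifier
 * @return {Uint8Array|null} inner key DER, or null when checkOID is given and does not match
 * @throws {Error} 'Invalid PKCS8' when the structure does not match, 'Unsupported PKCS8 Version' when version !== 0
 */
export function privateKeyFromPrivateKeyInformation(pkcs8, checkOID) {
  const der = derFromPrivateKeyInformation(pkcs8);
  const decoded = decodeDER(der);
  // Check the shape before destructuring so malformed input fails with
  // 'Invalid PKCS8' rather than a TypeError from a failed destructure.
  // decodeDER is assumed to return nested [type, value] arrays (the original
  // code destructured it that way) — TODO confirm against decodeDER.
  const privateKeyInfoTuple = Array.isArray(decoded) ? decoded[0] : undefined;
  if (!Array.isArray(privateKeyInfoTuple)) throw new Error('Invalid PKCS8');
  const [privateKeyInfoType, privateKeyInfoValues] = privateKeyInfoTuple;
  if (privateKeyInfoType !== 'SEQUENCE') throw new Error('Invalid PKCS8');
  if (!Array.isArray(privateKeyInfoValues)) throw new Error('Invalid PKCS8');
  const [versionTuple, algorithmIdentifierTuple, privateKeyTuple] = privateKeyInfoValues;
  if (!Array.isArray(versionTuple) || !Array.isArray(algorithmIdentifierTuple) || !Array.isArray(privateKeyTuple)) {
    throw new Error('Invalid PKCS8');
  }
  const [versionType, version] = versionTuple;
  if (versionType !== 'INTEGER') throw new Error('Invalid PKCS8');
  // RFC 5208 defines only version 0 (v1); anything else is rejected.
  if (version !== 0) throw new Error('Unsupported PKCS8 Version');
  const [algorithmIdentifierType, algorithmIdentifierValues] = algorithmIdentifierTuple;
  if (algorithmIdentifierType !== 'SEQUENCE') throw new Error('Invalid PKCS8');
  const [privateKeyType, privateKey] = privateKeyTuple;
  if (privateKeyType !== 'OCTET_STRING') throw new Error('Invalid PKCS8');
  if (checkOID) {
    if (!Array.isArray(algorithmIdentifierValues)) throw new Error('Invalid PKCS8');
    const oidMatches = algorithmIdentifierValues.some(
      ([type, value]) => type === 'OBJECT_IDENTIFIER' && value === checkOID,
    );
    // Not an error, just doesn't match
    return oidMatches ? privateKey : null;
  }

  return privateKey;
}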

I wrote a “plain English” library in Javascript to demystify all the magic of Let’s Encrypt, ACME, and all those certificates. (Also to spin up my own certs in NodeJS/Chrome).

github.com/…/privateKeyInformation.js#L40

Edit: To be specific, PKCS8 is usually a PKCS1 (RSA) key with some wrapping to identify it (the OID). The integers (BigInts) you pick for RSA would have to line up in some way, but I would think it’s doable. At worst there is maybe a character or two of garbage at the breakpoints for the RSA integers. And if you account for which ones are absent in the public key, then anybody reading it could get a kick out of reading your public certificate.
