Key Storage Format (RSA)
- By default, RSA keys are created as binary DER-encoded files: public keys in the RSAPublicKey format of PKCS#1, private keys in the EncryptedPrivateKeyInfo format of PKCS#8.
- The base64 "PEM" and "OpenSSL" formats, and the unencrypted PrivateKeyInfo format (PKCS#8) for private keys, are also supported.
- The default action is to save private keys encrypted with a password. Save as the unencrypted PrivateKeyInfo form at your own risk: anyone who can read such a file can use the key.
- Public keys can be extracted from an X.509 certificate.
- Private keys can be extracted from a PFX (PKCS#12) file, but only if it was created using algorithms we support (no guarantees with these beasts).
- Functions that use a key repeatedly require it to be read into an internal key string first. The internal key string is an "ephemeral" string of base64 characters, valid only for the current session.
- Treat the internal key strings as "blobs" of data. As of version 3.0 they are encrypted with an internal session key. See Internal key strings.
- Be careful with internal private key strings: use WIPE_Data to erase them when they are no longer needed.
- Use the RSA_ToXMLString and RSA_FromXMLString functions to convert between XML and the toolkit's internal string format. Be very careful: the XML private key data is not encrypted.
- [New in v12.2] Plaintext RSA keys in JSON Web Key (JWK) format can be read in using the functions RSA_ReadAnyPrivateKey and RSA_ReadAnyPublicKey (.NET: Rsa.ReadPrivateKey Method and Rsa.ReadPublicKey Method). The key may be provided either in a JSON file or as a JSON string. No password is required, since the key is not encrypted.
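The format names in the first three bullets are distinguishable from the outer shape of the DER alone, which is what you want to check before deciding whether a key file on disk is the encrypted PKCS#8 form or one of the plaintext forms. The following is an added example, not part of this page and not toolkit code; it uses only the Python standard library and builds its own sample structures from toy integers (not real keys, as labelled in the code). It classifies a blob as PKCS#1 RSAPublicKey, PKCS#1 RSAPrivateKey (the "OpenSSL" traditional private key), PKCS#8 PrivateKeyInfo, PKCS#8 EncryptedPrivateKeyInfo or X.509 SubjectPublicKeyInfo, strips PEM armour if present, and flags a PEM header label that does not match what the base64 actually contains:

```python
# Identify which RSA key structure a DER or PEM blob actually contains.
# Constructed example: toy integers and a dummy encrypted payload, NOT real keys.
import base64
import re

INTEGER, BIT_STRING, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x03, 0x04, 0x05, 0x06, 0x30
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PBES2_OID = bytes.fromhex("2a864886f70d01050d")           # 1.2.840.113549.1.5.13 PBES2

# Minimal DER encoding, just enough to build the sample structures.
def _length(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body
def integer(v: int) -> bytes:
    # DER INTEGER is two's complement: a leading 0x00 is needed when the top bit is set.
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def algorithm_identifier(oid: bytes, params: bytes = tlv(NULL, b"")) -> bytes:
    return tlv(SEQUENCE, tlv(OID, oid) + params)

# Minimal DER decoding: one TLV, then the children of a SEQUENCE body.
def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def classify_der(der: bytes) -> str:
    """Name the top-level structure from the shape of its SEQUENCE children."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der): return "not a single DER SEQUENCE"
    kids = _children(body)
    tags = [t for t, _ in kids]
    if tags == [INTEGER, INTEGER]:                       # SEQUENCE { n, e }
        return "RSAPublicKey (PKCS#1)"
    if len(tags) == 9 and set(tags) == {INTEGER} and kids[0][1] == b"\x00":
        return "RSAPrivateKey (PKCS#1, unencrypted)"     # version 0, n, e, d, p, q, dP, dQ, qInv
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING] and kids[0][1] == b"\x00":
        return "PrivateKeyInfo (PKCS#8, unencrypted)"    # version, AlgorithmIdentifier, key bytes
    if tags[:2] == [SEQUENCE, OCTET_STRING]:
        return "EncryptedPrivateKeyInfo (PKCS#8)"        # AlgorithmIdentifier, ciphertext
    if tags == [SEQUENCE, BIT_STRING]:
        return "SubjectPublicKeyInfo (X.509)"            # AlgorithmIdentifier, wrapped key
    return "unrecognised SEQUENCE"

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
EXPECTED_LABEL = {  # what the PEM header should say for each structure
    "RSAPublicKey (PKCS#1)": "RSA PUBLIC KEY",
    "RSAPrivateKey (PKCS#1, unencrypted)": "RSA PRIVATE KEY",
    "PrivateKeyInfo (PKCS#8, unencrypted)": "PRIVATE KEY",
    "EncryptedPrivateKeyInfo (PKCS#8)": "ENCRYPTED PRIVATE KEY",
    "SubjectPublicKeyInfo (X.509)": "PUBLIC KEY",
}

def describe(data) -> str:
    """Classify raw DER or PEM (str/bytes); flag a PEM label that lies about the contents."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return classify_der(data)
    text = data.decode("ascii", "ignore") if isinstance(data, bytes) else data
    m = PEM_RE.search(text)
    if not m: return "unrecognised input"
    label = m.group(1)
    structure = classify_der(base64.b64decode("".join(m.group(2).split())))
    if EXPECTED_LABEL.get(structure) != label:
        return f"{structure} (PEM label '{label}' does not match!)"
    return structure

def to_pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def samples() -> dict:
    """Constructed DER blobs with toy numbers: shaped like the real structures, not usable keys."""
    rsa_pub = tlv(SEQUENCE, integer(0xC3A1) + integer(65537))
    rsa_priv = tlv(SEQUENCE, b"".join(integer(v) for v in (0, 0xC3A1, 65537, 0x1234, 0xB1, 0x11, 7, 3, 5)))
    return {
        "RSAPublicKey": rsa_pub,
        "RSAPrivateKey": rsa_priv,
        "PrivateKeyInfo": tlv(SEQUENCE, integer(0) + algorithm_identifier(RSA_ENCRYPTION_OID)
                              + tlv(OCTET_STRING, rsa_priv)),
        # PBES2 parameters left empty and the payload is dummy: only the shape matters here
        "EncryptedPrivateKeyInfo": tlv(SEQUENCE, algorithm_identifier(PBES2_OID, tlv(SEQUENCE, b""))
                                       + tlv(OCTET_STRING, b"\xde\xad\xbe\xef" * 4)),
        # X.509 SubjectPublicKeyInfo wraps the PKCS#1 RSAPublicKey in a BIT STRING (0 unused bits)
        "SubjectPublicKeyInfo": tlv(SEQUENCE, algorithm_identifier(RSA_ENCRYPTION_OID)
                                    + tlv(BIT_STRING, b"\x00" + rsa_pub)),
    }
```

To check a real file, call `describe(open(path, "rb").read())`; anything other than "EncryptedPrivateKeyInfo (PKCS#8)" for a private key means the key material is sitting in plaintext on disk, which is the case the "at your own risk" bullet above warns about. The sniffer only reads the outer SEQUENCE, so it does not validate the key, does not parse PKCS#12 files, and does not handle OpenSSL's legacy encrypted "RSA PRIVATE KEY" PEM files, which carry Proc-Type/DEK-Info header lines above the base64.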