kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Allow private key export in PEM format #431

Closed Fuzzo closed 1 year ago

Fuzzo commented 1 year ago

Please add the capability to export private keys in PEM format; it could be an entry in the key context menu. Thanks.

kaikramer commented 1 year ago

Is this feature so hard to find?

https://keystore-explorer.org/doc/5.5/keyPairs.html#export-a-key-pairs-private-key


Fuzzo commented 1 year ago

Sorry @kaikramer, I mean the keys of this type: [image] It's not a private key (that implies also a public one); as I said, better call it a secret key. Thanks

kaikramer commented 1 year ago

Ok, the issue with secret keys is that there is no PEM label defined for them.

The PEM header and footer look like this:

-----BEGIN <label>-----
...
-----END <label>-----

And RFC 7468 defines the following possible labels and content types:

Sec. Label                  ASN.1 Type              Reference Module
----+----------------------+-----------------------+---------+----------
  5  CERTIFICATE            Certificate             [RFC5280] id-pkix1-e
  6  X509 CRL               CertificateList         [RFC5280] id-pkix1-e
  7  CERTIFICATE REQUEST    CertificationRequest    [RFC2986] id-pkcs10
  8  PKCS7                  ContentInfo             [RFC2315] id-pkcs7*
  9  CMS                    ContentInfo             [RFC5652] id-cms2004
 10  PRIVATE KEY            PrivateKeyInfo ::=      [RFC5208] id-pkcs8
                            OneAsymmetricKey        [RFC5958] id-aKPV1
 11  ENCRYPTED PRIVATE KEY  EncryptedPrivateKeyInfo [RFC5958] id-aKPV1
 12  ATTRIBUTE CERTIFICATE  AttributeCertificate    [RFC5755] id-acv2
 13  PUBLIC KEY             SubjectPublicKeyInfo    [RFC5280] id-pkix1-e

As you can see, there is a label "PRIVATE KEY" for asymmetric keys, but nothing for symmetric ones.

Less formal, but no less relevant, are the labels that OpenSSL supports:

# define PEM_STRING_X509_OLD     "X509 CERTIFICATE"
# define PEM_STRING_X509         "CERTIFICATE"
# define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
# define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST"
# define PEM_STRING_X509_REQ     "CERTIFICATE REQUEST"
# define PEM_STRING_X509_CRL     "X509 CRL"
# define PEM_STRING_EVP_PKEY     "ANY PRIVATE KEY"
# define PEM_STRING_PUBLIC       "PUBLIC KEY"
# define PEM_STRING_RSA          "RSA PRIVATE KEY"
# define PEM_STRING_RSA_PUBLIC   "RSA PUBLIC KEY"
# define PEM_STRING_DSA          "DSA PRIVATE KEY"
# define PEM_STRING_DSA_PUBLIC   "DSA PUBLIC KEY"
# define PEM_STRING_PKCS7        "PKCS7"
# define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA"
# define PEM_STRING_PKCS8        "ENCRYPTED PRIVATE KEY"
# define PEM_STRING_PKCS8INF     "PRIVATE KEY"
# define PEM_STRING_DHPARAMS     "DH PARAMETERS"
# define PEM_STRING_DHXPARAMS    "X9.42 DH PARAMETERS"
# define PEM_STRING_SSL_SESSION  "SSL SESSION PARAMETERS"
# define PEM_STRING_DSAPARAMS    "DSA PARAMETERS"
# define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY"
# define PEM_STRING_ECPARAMETERS "EC PARAMETERS"
# define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
# define PEM_STRING_PARAMETERS   "PARAMETERS"
# define PEM_STRING_CMS          "CMS"
# define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS"

Again, only labels for private keys.

If you can point me to a specification for symmetric keys in PEM format, then it is no problem to implement this, but otherwise it just makes no sense.
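To make the point in the comment above concrete, here is an added example (not code from KeyStore Explorer or from the commenter) that encodes and decodes RFC 7468 PEM, checks a label against the RFC 7468 table and the OpenSSL list quoted above, and parses the body of a "PRIVATE KEY" block as a PKCS#8 PrivateKeyInfo. The Ed25519 key and the raw AES key are constructed sample values, and the "SECRET KEY" label is a hypothetical one used only to show that nothing standard matches a symmetric key: neither the label nor the body structure is defined anywhere.

```python
import base64
import re

# Labels from the RFC 7468 table quoted above.
RFC7468_LABELS = {
    "CERTIFICATE", "X509 CRL", "CERTIFICATE REQUEST", "PKCS7", "CMS",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "ATTRIBUTE CERTIFICATE", "PUBLIC KEY",
}

# Additional labels from the OpenSSL pem.h excerpt quoted above (not in RFC 7468).
OPENSSL_EXTRA_LABELS = {
    "X509 CERTIFICATE", "TRUSTED CERTIFICATE", "NEW CERTIFICATE REQUEST",
    "ANY PRIVATE KEY", "RSA PRIVATE KEY", "RSA PUBLIC KEY", "DSA PRIVATE KEY",
    "DSA PUBLIC KEY", "PKCS #7 SIGNED DATA", "DH PARAMETERS", "X9.42 DH PARAMETERS",
    "SSL SESSION PARAMETERS", "DSA PARAMETERS", "ECDSA PUBLIC KEY", "EC PARAMETERS",
    "EC PRIVATE KEY", "PARAMETERS", "SM2 PARAMETERS",
}

# One RFC 7468 block: BEGIN line, base64 body, END line with the same label.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[\x21-\x7e ]+?)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]*?)"
    r"-----END (?P=label)-----"
)


def classify_label(label):
    """Return where the label is defined: 'rfc7468', 'openssl' or 'unknown'."""
    if label in RFC7468_LABELS:
        return "rfc7468"
    if label in OPENSSL_EXTRA_LABELS:
        return "openssl"
    return "unknown"


def encode_pem(label, der):
    """Wrap DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def decode_pem(text):
    """Return a list of (label, der_bytes) for every PEM block found in text."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        body = "".join(m.group("body").split())
        blocks.append((m.group("label"), base64.b64decode(body, validate=True)))
    return blocks


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_private_key_info(der):
    """Decode PrivateKeyInfo (RFC 5208): SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }."""
    tag, seq, end = _der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("body is not a DER SEQUENCE covering the whole block")
    tag, version, pos = _der_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("PrivateKeyInfo must start with an INTEGER version")
    tag, alg, pos = _der_tlv(seq, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    tag, key, _ = _der_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected privateKey OCTET STRING")
    return {"version": int.from_bytes(version, "big"), "algorithm": _decode_oid(oid), "private_key": key}


# Constructed sample: PKCS#8 PrivateKeyInfo for an Ed25519 key (OID 1.3.101.112) whose seed is 32 bytes of 0x11.
SAMPLE_PRIVATE_KEY_INFO = bytes.fromhex("302e020100300506032b657004220420") + bytes([0x11]) * 32
# Constructed sample: a raw 32-byte AES-256 key, the kind of "secret key" the issue asks about.
SAMPLE_AES_KEY = bytes(range(32))


def roundtrip_private_key():
    """Asymmetric key: the label is standard and the body is a parseable PrivateKeyInfo."""
    (label, der), = decode_pem(encode_pem("PRIVATE KEY", SAMPLE_PRIVATE_KEY_INFO))
    return classify_label(label), parse_private_key_info(der)["algorithm"]


def why_secret_key_has_no_pem():
    """Symmetric key under a hypothetical label: the label is unknown and the body is no ASN.1 structure."""
    (label, der), = decode_pem(encode_pem("SECRET KEY", SAMPLE_AES_KEY))  # hypothetical label
    try:
        parse_private_key_info(der)
        structured = True
    except (ValueError, IndexError):
        structured = False
    return classify_label(label), structured
```

`roundtrip_private_key()` yields `("rfc7468", "1.3.101.112")`, while `why_secret_key_has_no_pem()` yields `("unknown", False)`: a reader of such a file would have no specification telling it what the label means or how to interpret the bytes, which is exactly the gap described above.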

Fuzzo commented 1 year ago

Thanks for the documented reply. Makes no sense as you said.