How to load public certificate from pem file?

Asked 10/6, 2014 at 9:28 Answered 5/12, 2021 at 0:19

Solved java ssl cryptography bouncycastle public-key

I was trying to extract RES public key from the file below

Here is the code i did..

public static PublicKey loadPublicKeyFromFile(File publicKeyFile) throws Exception {

    FileReader file = new FileReader(publicKeyFile);
    PemReader reader = new PemReader(file);
    X509EncodedKeySpec caKeySpec = new X509EncodedKeySpec(reader.readPemObject().getContent());
    KeyFactory kf = KeyFactory.getInstance("RSA");
    PublicKey caKey = kf.generatePublic(caKeySpec);
    return caKey;
}

But It throws out

java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID

What's the appropriate way to extract RES Public key from a file..

Dysthymia answered 10/6, 2014 at 9:28 Comment(1)

It's a certificate, not a key. Load it as a certificate and then call getPublicKey(). – Protectionist 1/4, 2021 at 3:43

122

An X.509 certificate and an X509EncodedKeySpec are quite different structures, and trying to parse a cert as a key won't work. Java's X509EncodedKeySpec is actually SubjectPublicKeyInfo from X.509 or equivalent and more convenient PKIX also linked from Key, which is only a small part of a certificate.

What you need to do is read and parse the cert and then extract the pubkey from the cert. Standard SunJCE CertificateFactory can do it (and can read either PEM or DER to boot) like this:

CertificateFactory fact = CertificateFactory.getInstance("X.509");
FileInputStream is = new FileInputStream (args[0]);
X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
PublicKey key = cer.getPublicKey();
is.close();
// add error handling as appropriate, try-with-resources is often good

If you have BouncyCastle you can use its provider the same way (just add a second argument to .getInstance or set the default provider list order), or you can use PEMParser with JcaX509CertificateConverter -- which effectively does the same thing, internally running the data through a CertificateFactory.

Mclaurin answered 10/6, 2014 at 11:14 Comment(3)

the input stream should be closed – Quickman 1/4, 2021 at 0:17

@ch271828n: I originally meant that to be included in 'to taste', but I might as well be explicit, and found other useful updates as well -- thanks. – Mclaurin 1/4, 2021 at 3:23

by the way, close it in finally{} or use the try(...){} – Quickman 1/4, 2021 at 3:30

With Sun JVM it is also possible with

import java.security.cert.X509Certificate;
import sun.security.x509.X509CertImpl;

InputStream is = ...
X509Certificate crt = new X509CertImpl(is);

, although I'd prefer the accepted answer as JVM implementation-independent one.

Under the hood, in Sun JVM, CertificateFactory(more precisely, X509Factory) does instantiate X509CertImpl , but there is very subtle difference between the two approaches: CertificateFactory caches X509 Certificate instances by binary content of the input stream, the one that can be retrieved by cer.getEncoded().

The cache can be cleared by

fact.generateCertificate(null);

Stallfeed answered 5/12, 2021 at 0:19 Comment(2)

It's 2022 by now, and 2021 in the given answer; we know we should not be using Sun internal classes by now. – Verism 9/6, 2022 at 9:41

@MaartenBodewes, I never said we should use this way. Like I said, I'd prefer the accepted answer's way. Just wanted to look a little bit "under the hood" and point out that in most popular Sun JVM there is a caching in place. – Stallfeed 21/6, 2022 at 13:20

Recommended topics

Hot tags