Converting RSA XML key to PEM

Quite surprisingly, it turned out lately that I cannot find any utility that would help me convert a private RSA key in the XML format to the usual PEM format.

The XML format is mostly used for digitally signing XML documents according to the W3C recommendation, but Microsoft jumped on this format, too, and uses it in its .NET 1.1 platform. It is thus quite probable that, from time to time, someone needs to convert this XML “beast” back to the normal PEM format. But it seems that no suitable utility is to be found on the whole internet!

Luckily I came across the great little utility called PvkConvert, by Michel Gallant, which among other things does exactly that kind of conversion. Unfortunately, it works the other way round: from PEM to the XML format. But after being inspired by this, writing a small program that would do the right conversion turned into a piece of cake.

XMLSec2PEM

The XMLSec2PEM program converts a private or public RSA key from the XML format to the “traditional” PEM format. The program tries to guess whether it is working with a private or a public key according to the input XML file structure.

Installation and running

You will need any decent version of Java JDK installed to compile and run the program. Grab the program XMLSec2PEM.java.txt and remove the .txt suffix. Compile it simply by:

javac XMLSec2PEM.java

And run it by:

java XMLSec2PEM <XML_keyfile>

Conversion to PKCS#8

If your freshly converted private key is not working, maybe you need a private key in the “full” PKCS#8 format. The utility returns private keys only in the older “traditional” format, which allows no encryption for the keys, etc. If you need a full PKCS#8 format private key, use e.g. the openssl program with the -topk8 parameter:

openssl pkcs8 -topk8 -in key_rsa.pem -out key.pem

Example

Suppose we have the following private key in the XML format, saved in the key.xml.txt file:

<RSAKeyValue>
  <Modulus>wzZYQpFhIItfo5...3CZXgAyOc+w==</Modulus>
  <Exponent>AQAB</Exponent>
  <P>+hhxh9KjXvS...vWL47IlE=</P>
  <Q>x9IxFrOIpj...z3eGi4s=</Q>
  <DP>Dp2bFOr0...26/SWOE=</DP>
  <DQ>oAKxTHx3...zMbn+Tq9gw==</DQ>
  <InverseQ>RapfQxpRbPa...q80Vcl9Pc=</InverseQ>
  <D>A9q412ejcU8PL...WJ1xnKcUWzwQ==</D>
</RSAKeyValue>

Run the utility and you will get the following output:

$ java XMLSec2PEM key.xml
Determining the key type: seems to be a private XML Security key
Checking the XML file structure: OK
Outputting the resulting key:

-----BEGIN PRIVATE KEY-----
MIIBTwIBADANBgkqh...
...
...dDVavNFXJfT3
-----END PRIVATE KEY-----

If you need the “full” PKCS#8 format, save the program output (only the lines between and including the BEGIN and END lines) into a file, say key.pem and convert it using openssl:

$ openssl pkcs8 -topk8 -in a.out.pem  -nocrypt
-----BEGIN PRIVATE KEY-----
MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAwzZYQpFhIItfo5Z9
Ns7HHYWzqRel/OUK2XGyv8qBoZBWxd3DOiPbczbwDtOZDy8c0NejmEcbmk+3CZXg
AyOc+wIDAQABAkAD2rjXZ6NxTw8uXbRPNrn7vT4U4qCmY6dZL8OFwevZUsVhpsNM
wmH62l/5Le4zd66atsRohK1+hYnXGcpxRbPBAiEA+hhxh9KjXvS6x1SyB6C2QHrI
gVyxWmmIVJdvWL47IlECIQDH0jEWs4imMNzvcViwab9GsZVwt5x6hgoufILPd4aL
iwIgDp2bFOr0bTo0KC4E8Xks7Xu/d//oxXXhZ8Ap26/SWOECIACgArFMfHfwnTBO
jXV3zzZcZdhFasLjWnLMxuf5Or2DAiBFql9DGlFs9o3f/06UNlFAbQcERTnv13Q1
WrzRVyX09w==
-----END PRIVATE KEY-----
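
To show what such a conversion involves, here is an added Python example (not the XMLSec2PEM source and not code from the original post) that rebuilds a PKCS#1 RSAPrivateKey or RSAPublicKey structure from the RSAKeyValue elements and guesses the key type from the presence of the D element. The function names and the toy key are constructed for illustration; the block emits the PKCS#1 labels RSA PRIVATE KEY and RSA PUBLIC KEY, which may differ from the header the utility prints.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# PKCS#1 field order, using the element names of the RSAKeyValue example.
PRIVATE_FIELDS = ["Modulus", "Exponent", "D", "P", "Q", "DP", "DQ", "InverseQ"]
PUBLIC_FIELDS = ["Modulus", "Exponent"]

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(raw):
    """Unsigned big-endian bytes (as stored in the XML) -> DER INTEGER."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:  # DER integers are signed: pad to keep the value positive
        raw = b"\x00" + raw
    return b"\x02" + der_len(len(raw)) + raw

def xml_to_der(xml_text):
    """Return (is_private, DER bytes) for an <RSAKeyValue> document."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    is_private = root.find("D") is not None  # guess key type from structure
    body = der_int(b"\x00") if is_private else b""  # version 0, private only
    for name in (PRIVATE_FIELDS if is_private else PUBLIC_FIELDS):
        text = (root.findtext(name) or "").strip()
        if not text:
            raise ValueError("missing element: " + name)
        body += der_int(base64.b64decode(text))
    return is_private, b"\x30" + der_len(len(body)) + body

def xml_to_pem(xml_text):
    is_private, der = xml_to_der(xml_text)
    label = "RSA PRIVATE KEY" if is_private else "RSA PUBLIC KEY"
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: textbook toy key p=61, q=53 (illustration only).
TOY_KEY = {"Modulus": 3233, "Exponent": 17, "D": 2753, "P": 61, "Q": 53,
           "DP": 2753 % 60, "DQ": 2753 % 52, "InverseQ": pow(53, -1, 61)}
SAMPLE_XML = "<RSAKeyValue>" + "".join(
    "<%s>%s</%s>" % (k, base64.b64encode(v.to_bytes(2, "big")).decode(), k)
    for k, v in TOY_KEY.items()) + "</RSAKeyValue>"

print(xml_to_pem(SAMPLE_XML), end="")
```

The padding step in der_int matters for real keys: the XML stores each value as an unsigned byte string, and a value whose first byte has the top bit set would be read as a negative INTEGER without the extra zero byte.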

Enjoy!

Note: this is one of the few blog entries that I consider still valuable and that thus survived the web revamp in August 2011. Other older entries ended up in the digital trash.
