PKCS#8
parse turns a DER or PEM (PRIVATE KEY) key into a structured object: version, the private-key algorithm identifier, the raw private-key bytes, the optional attributes, and — for a v2 OneAsymmetricKey — the optional public key. It composes the same schema engine and shared PKIX sub-schemas (AlgorithmIdentifier, Attribute) the other parsers use.
A PKCS#8 key is a container, not a signed structure: it has no signature, no distinguished name, and no to-be-signed region. The private-key OCTET STRING content is kept raw — the algorithm-specific inner key (an RSAPrivateKey, an ECPrivateKey, a CurvePrivateKey) is decoded by the caller using the surfaced algorithm OID, so an unknown or future key type never fails the parse. An ENCRYPTED PRIVATE KEY (EncryptedPrivateKeyInfo, RFC 5958 §3) is recognized and surfaced with its encryption algorithm and raw ciphertext; decrypting it needs a passphrase and is out of scope for structural parsing.
pki.schema.pkcs8.parse
pki.schema.pkcs8.parse(input) -> privateKey
Parse a DER Buffer or a PEM (PRIVATE KEY) string into a structured PKCS#8 key: { version, privateKeyAlgorithm, privateKey, attributes, publicKey }. The privateKey is the raw OCTET STRING content (the algorithm-specific inner key, decoded by the caller using privateKeyAlgorithm.oid); publicKey is null for a v1 key. A malformed PrivateKeyInfo throws a typed Pkcs8Error (pkcs8/*) and a leaf-level codec fault surfaces as asn1/*.
Example
var key = pki.schema.pkcs8.parse(der);
key.privateKeyAlgorithm.oid; // -> "1.3.101.112" (Ed25519)
key.privateKey; // -> Buffer (the inner key encoding)
References
pki.schema.pkcs8.parseEncrypted
pki.schema.pkcs8.parseEncrypted(input) -> encrypted
Parse a DER Buffer or a PEM (ENCRYPTED PRIVATE KEY) string into an EncryptedPrivateKeyInfo: { encryptionAlgorithm, encryptedData }. The ciphertext is surfaced raw; decrypting it (PBES2/PBKDF2 + a passphrase) is a separate concern from structural validation.
Example
var enc = pki.schema.pkcs8.parseEncrypted(der);
enc.encryptionAlgorithm.oid; // -> "1.2.840.113549.1.5.13" (PBES2)
References
pki.schema.pkcs8.pemDecode
pki.schema.pkcs8.pemDecode(text, label?) -> Buffer
Extract the DER bytes from a PEM private-key block (default label PRIVATE KEY). Throws PemError on a missing / mismatched envelope or a non-base64 body.
Example
var der = pki.schema.pkcs8.pemDecode(pemText);
References
pki.schema.pkcs8.pemEncode
pki.schema.pkcs8.pemEncode(der, label?) -> string
Wrap DER bytes in a PEM private-key envelope (default label PRIVATE KEY).
Example
var pem = pki.schema.pkcs8.pemEncode(der);
References
- spec RFC 7468