PKCS#8

PKCS#8 private-key handling per RFC 5208 §5 (PrivateKeyInfo) and RFC 5958 §2 (OneAsymmetricKey). parse turns a DER or PEM (PRIVATE KEY) key into a structured object: version, the private-key algorithm identifier, the raw private-key bytes, the optional attributes, and — for a v2 OneAsymmetricKey — the optional public key. It composes the same schema engine and shared PKIX sub-schemas (AlgorithmIdentifier, Attribute) the other parsers use.

A PKCS#8 key is a container, not a signed structure: it has no signature, no distinguished name, and no to-be-signed region. The private-key OCTET STRING content is kept raw — the algorithm-specific inner key (an RSAPrivateKey, an ECPrivateKey, a CurvePrivateKey) is decoded by the caller using the surfaced algorithm OID, so an unknown or future key type never fails the parse. An ENCRYPTED PRIVATE KEY (EncryptedPrivateKeyInfo, RFC 5958 §3) is recognized and surfaced with its encryption algorithm and raw ciphertext; decrypting it needs a passphrase and is out of scope for structural parsing.

pki.schema.pkcs8.parse

since 0.1.9 experimental
pki.schema.pkcs8.parse(input) -> privateKey

Parse a DER Buffer or a PEM (PRIVATE KEY) string into a structured PKCS#8 key: { version, privateKeyAlgorithm, privateKey, attributes, publicKey }. The privateKey is the raw OCTET STRING content (the algorithm-specific inner key, decoded by the caller using privateKeyAlgorithm.oid); publicKey is null for a v1 key. A malformed PrivateKeyInfo throws a typed Pkcs8Error (pkcs8/*) and a leaf-level codec fault surfaces as asn1/*.

Example

var key = pki.schema.pkcs8.parse(der);
key.privateKeyAlgorithm.oid;   // -> "1.3.101.112" (Ed25519)
key.privateKey;                // -> Buffer (the inner key encoding)
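
The caller-side step described above (decoding the raw privateKey by its algorithm OID), as an added example that is not the pki library's own code. readTlv, oidToString, parsePrivateKeyInfo and decodeInnerKey are hypothetical helpers written for this illustration, and the key bytes are constructed.

```javascript
// Added example: stand-alone DER reader, not the pki library's own code.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated header");
  var tag = buf[off], len = buf[off + 1], pos = off + 2;
  if (len === 0x80) throw new Error("indefinite length is not DER");
  if (len & 0x80) { // long form: the next n bytes hold the length
    var n = len & 0x7f;
    if (n > 4 || pos + n > buf.length) throw new Error("bad length field");
    for (len = 0; n > 0; n--) len = len * 256 + buf[pos++];
  }
  if (pos + len > buf.length) throw new Error("truncated value");
  return { tag: tag, value: buf.subarray(pos, pos + len), end: pos + len };
}
function oidToString(bytes) {
  var subs = [], v = 0;
  for (var i = 0; i < bytes.length; i++) {
    v = v * 128 + (bytes[i] & 0x7f);
    if (!(bytes[i] & 0x80)) { subs.push(v); v = 0; }
  }
  if (!subs.length) throw new Error("empty OID");
  var first = Math.min(2, Math.floor(subs[0] / 40));
  return [first, subs[0] - first * 40].concat(subs.slice(1)).join(".");
}
// PrivateKeyInfo ::= SEQUENCE { version, privateKeyAlgorithm, privateKey, ... }
function parsePrivateKeyInfo(der) {
  var outer = readTlv(der, 0);
  if (outer.tag !== 0x30 || outer.end !== der.length) throw new Error("expected one SEQUENCE");
  var ver = readTlv(outer.value, 0);
  var alg = readTlv(outer.value, ver.end);
  var key = readTlv(outer.value, alg.end);
  if (ver.tag !== 0x02 || ver.value.length !== 1 || alg.tag !== 0x30 || key.tag !== 0x04)
    throw new Error("unexpected field in PrivateKeyInfo");
  var oid = readTlv(alg.value, 0);
  if (oid.tag !== 0x06) throw new Error("algorithm is not an OID");
  return { version: ver.value[0], oid: oidToString(oid.value), privateKey: key.value };
}
// Caller-side step: decode the raw privateKey bytes according to the algorithm OID.
function decodeInnerKey(info) {
  if (info.oid !== "1.3.101.112") return { type: "unknown", raw: info.privateKey };
  var inner = readTlv(info.privateKey, 0); // Ed25519: CurvePrivateKey ::= OCTET STRING
  if (inner.tag !== 0x04 || inner.value.length !== 32 || inner.end !== info.privateKey.length)
    throw new Error("malformed Ed25519 CurvePrivateKey");
  return { type: "ed25519", seed: inner.value };
}
// Constructed sample: v1 Ed25519 PrivateKeyInfo with a dummy seed 00..1f (not a real key).
var SAMPLE_DER = Buffer.concat([
  Buffer.from("302e020100300506032b657004220420", "hex"),
  Buffer.from(Array.from({ length: 32 }, function (_, i) { return i; }))
]);
```

An OID the caller does not recognize comes back as { type: "unknown", raw } instead of throwing, mirroring the container/inner-key split described above.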

pki.schema.pkcs8.parseEncrypted

since 0.1.9 experimental
pki.schema.pkcs8.parseEncrypted(input) -> encrypted

Parse a DER Buffer or a PEM (ENCRYPTED PRIVATE KEY) string into an EncryptedPrivateKeyInfo: { encryptionAlgorithm, encryptedData }. The ciphertext is surfaced raw; decrypting it (PBES2/PBKDF2 + a passphrase) is a separate concern from structural validation.

Example

var enc = pki.schema.pkcs8.parseEncrypted(der);
enc.encryptionAlgorithm.oid;   // -> "1.2.840.113549.1.5.13" (PBES2)

pki.schema.pkcs8.pemDecode

since 0.1.9 experimental
pki.schema.pkcs8.pemDecode(text, label?) -> Buffer

Extract the DER bytes from a PEM private-key block (default label PRIVATE KEY). Throws PemError on a missing / mismatched envelope or a non-base64 body.

Example

var der = pki.schema.pkcs8.pemDecode(pemText);

pki.schema.pkcs8.pemEncode

since 0.1.9 experimental
pki.schema.pkcs8.pemEncode(der, label?) -> string

Wrap DER bytes in a PEM private-key envelope (default label PRIVATE KEY).

Example

var pem = pki.schema.pkcs8.pemEncode(der);
