Write private keys in PKCS#1

2 files changed, 15 insertions, 3 deletions

diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java
index 563cae80da2..c2be1a40893 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java
@@ -2,6 +2,8 @@
 package com.yahoo.vespa.athenz.tls;
 
 import com.yahoo.athenz.auth.util.Crypto;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
@@ -70,11 +72,21 @@ public class KeyUtils {
 
     public static String toPem(PrivateKey privateKey) {
         try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
-            pemWriter.writeObject(new PemObject("PRIVATE KEY", privateKey.getEncoded()));
+            // Note: Encoding using PKCS#1 as this is to be read by tools only supporting PKCS#1
+            pemWriter.writeObject(new PemObject("RSA PRIVATE KEY", getPkcs1Bytes(privateKey)));
             pemWriter.flush();
             return stringWriter.toString();
         } catch (IOException e) {
             throw new UncheckedIOException(e);
         }
     }
+
+    private static byte[] getPkcs1Bytes(PrivateKey privateKey) throws IOException{
+
+        byte[] privBytes = privateKey.getEncoded();
+        PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(privBytes);
+        ASN1Encodable encodable = pkInfo.parsePrivateKey();
+        ASN1Primitive primitive = encodable.toASN1Primitive();
+        return primitive.getEncoded();
+    }
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyUtilsTest.java
index fca4353d400..fbdc6f1e3bd 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyUtilsTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyUtilsTest.java
@@ -27,8 +27,8 @@ public class KeyUtilsTest {
     public void can_serialize_deserialize_pem() {
         KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
         String pem = KeyUtils.toPem(keyPair.getPrivate());
-        assertThat(pem, containsString("BEGIN PRIVATE KEY"));
-        assertThat(pem, containsString("END PRIVATE KEY"));
+        assertThat(pem, containsString("BEGIN RSA PRIVATE KEY"));
+        assertThat(pem, containsString("END RSA PRIVATE KEY"));
         PrivateKey deserializedKey = KeyUtils.fromPemEncodedPrivateKey(pem);
         assertEquals(keyPair.getPrivate(), deserializedKey);
     }