Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

PKCS#8 Private Key Structures

synta.pkcs8 provides OneAsymmetricKey (also exported as PrivateKeyInfo) for parsing DER-encoded private key envelopes produced by OpenSSL and other PKI tools (RFC 5958 / PKCS#8).

import synta.pkcs8 as pkcs8

OneAsymmetricKey

class OneAsymmetricKey:
    @staticmethod
    def from_der(data: bytes) -> OneAsymmetricKey: ...
    def to_der(self) -> bytes: ...

    version: int                          # 0 = v1 (PrivateKeyInfo), 1 = v2 (RFC 5958)
    private_key_algorithm: ObjectIdentifier  # the private-key algorithm OID
    private_key: bytes                    # raw key material (OCTET STRING value)
    attributes_der: bytes | None          # raw DER of [0] IMPLICIT attributes bag
    public_key_der: bytes | None          # raw DER of [1] IMPLICIT public key BIT STRING
    alg_parameters_der: bytes | None      # algorithm parameters DER, or None

PrivateKeyInfo = OneAsymmetricKey  # RFC 5958 / PKCS#8 alias

Usage

import synta.pkcs8 as pkcs8

# Parse a PKCS#8 key from DER bytes
with open("key.der", "rb") as f:
    key = pkcs8.OneAsymmetricKey.from_der(f.read())

print(f"version: {key.version}")
print(f"algorithm: {key.private_key_algorithm}")
print(f"key bytes: {key.private_key.hex()}")

# Algorithm parameters (e.g. curve OID for EC keys)
if key.alg_parameters_der:
    import synta.pkixalgs as pa
    ec_params = pa.ECParameters.from_der(key.alg_parameters_der)
    if ec_params.arm == "namedCurve":
        print(f"curve: {ec_params.named_curve_oid}")

# Check for optional public key component (v2 / RFC 5958)
if key.public_key_der:
    print(f"public key DER: {len(key.public_key_der)} bytes")

# Use the PrivateKeyInfo alias
key2 = pkcs8.PrivateKeyInfo.from_der(key_der)

For cryptographic operations (signing, decryption, key generation), use synta.PrivateKey which wraps an OpenSSL key. OneAsymmetricKey is a pure ASN.1 parser that does not invoke any cryptographic backend.

See also PKCS#9 OIDs for id-friendlyName and id-localKeyId bag attributes used in PKCS#12 archives, and PKCS Loaders for extracting raw PKCS#8 DER bytes from PKCS#12 archives via load_pkcs12_keys.