Pure Rust implementation of Public-Key Cryptography Standards (PKCS) #8:

Private-Key Information Syntax Specification (as defined in RFC 5208).

About

This is a minimalistic library targeting no_std platforms and small code size. It supports decoding/encoding of the following types without the use of a heap:

• EncryptedPrivateKeyInfo: (with pkcs5 feature) encrypted key.
• PrivateKeyInfo: algorithm identifier and data representing a private key.
• SubjectPublicKeyInfo: algorithm identifier and data representing a public key (re-exported from the spki crate)

When the alloc feature is enabled, the following additional types are available which provide more convenient decoding/encoding support:

• EncryptedPrivateKeyDocument: (with pkcs5 feature) heap-backed encrypted key.
• PrivateKeyDocument: heap-backed storage for serialized PrivateKeyInfo.
• PublicKeyDocument: heap-backed storage for serialized SubjectPublicKeyInfo.

When the pem feature is enabled, it also supports decoding/encoding documents from "PEM encoding" format as defined in RFC 7468.

Supported Algorithms

This crate has been tested against keys generated by OpenSSL for the following algorithms:

• ECC (id-ecPublicKey)
• Ed25519 (Ed25519)
• RSA (rsaEncryption)

It may work with other algorithms which use an optional OID for AlgorithmIdentifier parameters.

Encrypted Private Key Support

EncryptedPrivateKeyInfo supports decoding/encoding encrypted PKCS#8 private keys and is gated under the pkcs5 feature. The corresponding EncryptedPrivateKeyDocument type provides heap-backed storage (alloc feature required).

When the encryption feature of this crate is enabled, it provides a EncryptedPrivateKeyInfo::decrypt function which is able to decrypt keys encrypted with the following algorithms:

• PKCS#5v2 Password Based Encryption Scheme 2 (RFC 8018)
  • Key derivation function: PBKDF2 with HMAC-SHA256 as the PRF
  • Symmetric encryption: AES-128-CBC or AES-256-CBC

Minimum Supported Rust Version

This crate requires Rust 1.47 at a minimum.