15 March 2020

Exporting Private RSA SecKey as PKCS #1 PEM

If you have a RSA private key that you want to send somewhere, most likely you would want it in PKCS #1 PEM format to ensure compatibility with other systems.

⚠️ Exporting a private key from its SecKey reference should never be recommended for reasons that it might get compromised by an untrusted entity.

Example SecKey

Example SecKey has following characteristics:

RSA type
2048 bit size

and is created like so:

let attributes: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits as String: 2048,
]

var error: Unmanaged<CFError>?

guard let secKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
    // Handle error
}

For detailed tutorial around creating cryptographic keys follow the Generating New Cryptographic Keys article by Apple.

Extracting PKCS #1

You extract the PKCS #1 from a RSA SecKey using the SecKeyCopyExternalRepresentation(_:_:) function:

var error: Unmanaged<CFError>?

guard let pkcs1 = SecKeyCopyExternalRepresentation(secKey, &error) as Data? else {
    // Handle error
}

It's worth noting that the SecKey API provides external representations of RSA keys only in PKCS #1.

Creating PEM

To create a valid PEM file, first Base64 encode the PKCS #1 data delimited into 64 character long lines as specified in the Printable Encoding section of RFC 1421. Conveniently enough Data provides an API with Base64 Encoding Options for just that:

let base64EncodedPKCS1 = pkcs1.base64EncodedString(options: [.lineLength64Characters, .endLineWithLineFeed])

Lastly, provide appropriate header and footer boundaries for the encapsulated data:

let pem = [
    "-----BEGIN RSA PRIVATE KEY-----",
    base64EncodedPKCS1,
    "-----END RSA PRIVATE KEY-----"
].joined(separator: "\n")

End result should look something like this (contents between header and footer will differ of course):

Share this article on Twitter. For any questions, comments or feedback reach out to me @hungrxyz.