Parsing certs/keys from Strings in Scala

I found it surprisingly difficult to get a straight answer online about how to parse the text of an RSA key-pair or certificate into their corresponding Java objects. Here's a basic step-by-step of how to do that. (All of this should basically apply to Java as well). A full example is at the bottom.

Create a factory what you're trying to decode.

// For X.509 certificates
val x509CertFactory: CertificateFactory = CertificateFactory.getInstance("X.509")

// For RSA keys
val rsaKeyFactory: KeyFactory = KeyFactory.getInstance("RSA")
def stripCertText(certText: String): String =
  certText
    .stripMargin
    .replace("\n", "")
    .replace("-----BEGIN CERTIFICATE-----", "")
    .replace("-----END CERTIFICATE-----", "")

def stripPrivateKeyText(keyText: String): String =
  keyText
    .stripMargin
    .replace("\n", "")
    .replace("-----BEGIN PRIVATE KEY-----", "")
    .replace("-----END PRIVATE KEY-----", "")

def stripPublicKeyText(keyText: String): String =
  keyText
    .stripMargin
    .replace("\n", "")
    .replace("-----BEGIN PUBLIC KEY-----", "")
    .replace("-----END PUBLIC KEY-----", "")

The header/footer tag text may be different depending on what type of key you're decoding.

Decode base-64

val bytes = Base64.getDecoder.decode(strippedKeyText)

Generate certificate/key

val x509Cert: X509Certificate = x509CertFactory
      .generateCertificate(new ByteArrayInputStream(certBytes))
      .asInstanceOf[X509Certificate] // Needs to get cast because CertificateFactory is lame

val rsaPublicKey: PublicKey = rsaKeyFactory.generatePublic(new X509EncodedKeySpec(bytes))
val rsaPrivateKey: PrivateKey = rsaKeyFactory.generatePrivate(new PKCS8EncodedKeySpec(bytes))

Use the EncodedKeySpec based on the type of your keys. In this example, I used X509EncodedKeySpec for the public key and PKCS8EncodedKeySpec for the private key.

The certificate factory just takes in a ByteArrayInputStream.

Full example for parsing a certificate:

import java.io.ByteArrayInputStream
import java.security.cert.{ CertificateFactory, X509Certificate }
import java.util.Base64

val certText: String = "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBAgIIW <...> IeilJ1C7Xtj+hKJEsk=-----END CERTIFICATE-----\n"
val factory: CertificateFactory = CertificateFactory.getInstance("X.509")
val strippedCertText: String = certText
  .stripMargin
  .replace("\n", "")
  .replace("-----BEGIN CERTIFICATE-----", "")
  .replace("-----END CERTIFICATE-----", "")
val certBytes: Array[Byte] = Base64.getDecoder.decode(strippedCertText)
val certByteArrayInputStream: ByteArrayInputStream = new ByteArrayInputStream(certBytes)
val x509Cert: X509Certificate = factory.generateCertificate(certByteArrayInputStream).asInstanceOf[X509Certificate]

Last updated