Convert elliptic curve private key to (unencrypted) PKCS#8 format

Question

I am trying to convert EC private key

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIE2tzb8O0gBVw2IFOB/B8l1Ztjax3ut4DeNtuC3UMmZ6oAoGCCqGSM49
AwEHoUQDQgAEayT6Tv8zZlpIUOKHEYnmsKZyTaqOHajL0InS4c5tK4fhkHZDSWUa
3tPl1ibIXt0LvaxHk47h0Tc4SGr3Ex8Bhg==
-----END EC PRIVATE KEY----- 

to Private Key

 -----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgTa3Nvw7SAFXDYgU4
H8HyXVm2NrHe63gN4224LdQyZnqhRANCAARrJPpO/zNmWkhQ4ocRieawpnJNqo4d
qMvQidLhzm0rh+GQdkNJZRre0+XWJshe3Qu9rEeTjuHRNzhIavcTHwGG
-----END PRIVATE KEY-----

It's very easy when you execute openSsl command like this:

openssl pkcs8 -topk8 -nocrypt -in ec1.pem -out ec2.pem

But i want to do this in Java way and didn't find any solution (tried so many from stackoverflow). So i have for now following class:

        ECNamedCurveParameterSpec ecNamedCurveParameterSpec = ECNamedCurveTable.getParameterSpec("prime256v1");
        KeyPairGenerator keyPair = KeyPairGenerator.getInstance("ECDSA", "BC");

        // Create a secure random number generator using the SHA1PRNG algorithm
        SecureRandom secureRandomGenerator = SecureRandom.getInstance("SHA1PRNG");
        keyPair.initialize(ecNamedCurveParameterSpec, secureRandomGenerator);
    

Then i generate KeyPair and get PrivateKey in ECPrivateKey Object:

KeyPair pair =keyPair.generateKeyPair();
ECPrivateKey privateKey = (ECPrivateKey) pair.getPrivate();
StringWriter sw = new StringWriter();

        try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(sw);) {
            jcaPEMWriter.writeObject(privateKey);
        }

String pemFormat = sw.toString();

This string pemFormat is actually PEM format that starts with BEGIN EC PRIVATE KEY

How can i convert it just to BEGIN PRIVATE KEY?

I assume that should be a way if openSsl can do it.

Answer 1

A conversion from the SEC1/PEM (-----BEGIN EC PRIVATE KEY-----...) to the PKCS#8/PEM format (-----BEGIN PRIVATE KEY-----...) is not needed at all, because privateKey.getEncoded() returns the key already in PKCS#8 format. So it only needs to be exported as PEM e.g. with a PemWriter:

import org.bouncycastle.util.io.pem.PemWriter;

...

// Your code
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
...
ECPrivateKey privateKey = (ECPrivateKey)pair.getPrivate();
System.out.println(privateKey.getFormat()); // PKCS#8

// Export as PKCS#8 PEM encoded key via PemWriter
StringWriter stringWriter = new StringWriter();
try (PemWriter pemWriter = new PemWriter(stringWriter)){
    pemWriter.writeObject((PemObjectGenerator)new PemObject("PRIVATE KEY", privateKey.getEncoded()));
}
String pkcs8PEM = stringWriter.toString();
System.out.println(pkcs8PEM); // -----BEGIN PRIVATE KEY-----MIGTAg...-----END PRIVATE KEY-----

You can check the format in an ASN.1 parser, e.g. https://lapo.it/asn1js.

---

However, if you are really looking for an explicit conversion of a SEC1/PEM key into a PKCS#8/PEM key, then the import of a SEC1/PEM key is described e.g. here. The imported key can then be exported as a PKCS#8/PEM key using a PemWriter as in the example above.