Add a PKCS#8 DER property to private keys (#372)

### Motivation

PKCS#8 is pretty widely used. Currently getting a key in PKCS#8 DER
representations requires going through a PKCS8 PEM document and then get
its DER bytes.

### Modifications

Add a computed property to RSA private keys that calls into BoringSSL or
Security.framework to get the PKCS8 DER representation of the key.

ECDH keys use the existing `derRepresentation` property to provide a
property of the same name.

A small ASN1 encoder adds the functionality to ed25519/x25519 keys.

### Result

The representation can be accessed directly.

*The identifiers for MLKEM are [still a
draft](https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/).
As such MLKEM is not included in the PR.*

---------

Co-authored-by: Cory Benfield <lukasa@apple.com>

Author: josephnoir

Sources/_CryptoExtras/CMakeLists.txt

@@ -32,6 +32,10 @@ add_library(_CryptoExtras
   "ARC/ARCServer.swift"
   "ChaCha20CTR/BoringSSL/ChaCha20CTR_boring.swift"
   "ChaCha20CTR/ChaCha20CTR.swift"
+  "EC/ObjectIdentifier.swift"
+  "EC/PKCS8DERRepresentation.swift"
+  "EC/PKCS8PrivateKey.swift"
+  "EC/RFC8410AlgorithmIdentifier.swift"
   "ECToolbox/BoringSSL/ECToolbox_boring.swift"
   "ECToolbox/ECToolbox.swift"
   "H2G/HashToField.swift"

Sources/_CryptoExtras/EC/ObjectIdentifier.swift

@@ -0,0 +1,37 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftCrypto open source project
+//
+// Copyright (c) 2025 Apple Inc. and the SwiftCrypto project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftCrypto project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import SwiftASN1
+
+extension ASN1ObjectIdentifier.AlgorithmIdentifier {
+    // Identifies the key agreement algorithm X25519.
+    //
+    // This identifier is defined in RFC 8410
+    static let idX25519: ASN1ObjectIdentifier = [1, 3, 101, 110]
+
+    // Identifies the key agreement algorithm X448.
+    //
+    // This identifier is defined in RFC 8410
+    static let idX448: ASN1ObjectIdentifier = [1, 3, 101, 111]
+
+    // Identifies the signature algorithm Ed25519.
+    //
+    // This identifier is defined in RFC 8410
+    static let idEd25519: ASN1ObjectIdentifier = [1, 3, 101, 112]
+
+    // Identifies the signature algorithm Ed448.
+    //
+    // This identifier is defined in RFC 8410
+    static let idEd448: ASN1ObjectIdentifier = [1, 3, 101, 113]
+}

Sources/_CryptoExtras/EC/PKCS8DERRepresentation.swift

@@ -0,0 +1,76 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftCrypto open source project
+//
+// Copyright (c) 2025 Apple Inc. and the SwiftCrypto project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftCrypto project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Crypto
+import Foundation
+import SwiftASN1
+
+@available(iOS 14.0, macOS 11.0, watchOS 7.0, tvOS 14.0, *)
+extension Curve25519.Signing.PrivateKey {
+    /// A Distinguished Encoding Rules (DER) encoded representation of the private key in PKCS#8 format.
+    public var pkcs8DERRepresentation: Data {
+        let pkey = ASN1.PKCS8PrivateKey(algorithm: .ed25519, privateKey: Array(self.rawRepresentation))
+        var serializer = DER.Serializer()
+
+        // Serializing this key can't throw
+        try! serializer.serialize(pkey)
+        return Data(serializer.serializedBytes)
+    }
+}
+
+@available(iOS 14.0, macOS 11.0, watchOS 7.0, tvOS 14.0, *)
+extension Curve25519.KeyAgreement.PrivateKey {
+    /// A Distinguished Encoding Rules (DER) encoded representation of the private key in PKCS#8 format.
+    public var pkcs8DERRepresentation: Data {
+        let pkey = ASN1.PKCS8PrivateKey(algorithm: .x25519, privateKey: Array(self.rawRepresentation))
+        var serializer = DER.Serializer()
+
+        // Serializing this key can't throw
+        try! serializer.serialize(pkey)
+        return Data(serializer.serializedBytes)
+    }
+}
+
+@available(iOS 14.0, macOS 11.0, watchOS 7.0, tvOS 14.0, *)
+extension P256.Signing.PrivateKey {
+    /// A Distinguished Encoding Rules (DER) encoded representation of the private key in PKCS#8 format.
+    ///
+    /// This property provides the same output as the existing `derRepresentation` property,
+    /// which already conforms to the PKCS#8 standard.
+    public var pkcs8DERRepresentation: Data {
+        self.derRepresentation
+    }
+}
+
+@available(iOS 14.0, macOS 11.0, watchOS 7.0, tvOS 14.0, *)
+extension P384.Signing.PrivateKey {
+    /// A Distinguished Encoding Rules (DER) encoded representation of the private key in PKCS#8 format.
+    ///
+    /// This property provides the same output as the existing `derRepresentation` property,
+    /// which already conforms to the PKCS#8 standard.
+    public var pkcs8DERRepresentation: Data {
+        self.derRepresentation
+    }
+}
+
+@available(iOS 14.0, macOS 11.0, watchOS 7.0, tvOS 14.0, *)
+extension P521.Signing.PrivateKey {
+    /// A Distinguished Encoding Rules (DER) encoded representation of the private key in PKCS#8 format.
+    ///
+    /// This property provides the same output as the existing `derRepresentation` property,
+    /// which already conforms to the PKCS#8 standard.
+    public var pkcs8DERRepresentation: Data {
+        self.derRepresentation
+    }
+}

Sources/_CryptoExtras/EC/PKCS8PrivateKey.swift

@@ -0,0 +1,93 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftCrypto open source project
+//
+// Copyright (c) 2025 Apple Inc. and the SwiftCrypto project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftCrypto project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Crypto
+import SwiftASN1
+
+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *)
+extension ASN1 {
+    // A PKCS#8 private key is one of two formats, depending on the version:
+    //
+    // For PKCS#8 we need the following for the private key:
+    //
+    // PrivateKeyInfo ::= SEQUENCE {
+    //   version                   Version,
+    //   privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
+    //   privateKey                PrivateKey,
+    //   attributes           [0]  IMPLICIT Attributes OPTIONAL }
+    //
+    // Version ::= INTEGER
+    //
+    // PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+    //
+    // PrivateKey ::= OCTET STRING
+    //
+    // Attributes ::= SET OF Attribute
+    //
+    // We disregard the attributes because we don't support them anyway.
+    @available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *)
+    struct PKCS8PrivateKey: DERImplicitlyTaggable {
+        static var defaultIdentifier: ASN1Identifier {
+            .sequence
+        }
+
+        var algorithm: RFC8410AlgorithmIdentifier
+
+        var privateKey: ASN1OctetString
+
+        init(derEncoded rootNode: ASN1Node, withIdentifier identifier: ASN1Identifier) throws {
+            self = try DER.sequence(rootNode, identifier: identifier) { nodes in
+                let version = try Int(derEncoded: &nodes)
+                guard version == 0 || version == 1 else {
+                    throw ASN1Error.invalidASN1Object(reason: "Version number mismatch")
+                }
+
+                let algorithm = try ASN1.RFC8410AlgorithmIdentifier(derEncoded: &nodes)
+                let privateKeyBytes = try ASN1OctetString(derEncoded: &nodes)
+
+                // We ignore the attributes
+                _ = try DER.optionalExplicitlyTagged(&nodes, tagNumber: 0, tagClass: .contextSpecific) { _ in }
+
+                let privateKeyNode = try DER.parse(privateKeyBytes.bytes)
+                let privateKey = try ASN1OctetString(derEncoded: privateKeyNode)
+
+                return try .init(algorithm: algorithm, privateKey: privateKey)
+            }
+        }
+
+        private init(algorithm: ASN1.RFC8410AlgorithmIdentifier, privateKey: ASN1OctetString) throws {
+            self.privateKey = privateKey
+            self.algorithm = algorithm
+        }
+
+        init(algorithm: ASN1.RFC8410AlgorithmIdentifier, privateKey: [UInt8]) {
+            self.algorithm = algorithm
+            self.privateKey = ASN1OctetString(contentBytes: privateKey[...])
+        }
+
+        func serialize(into coder: inout DER.Serializer, withIdentifier identifier: ASN1Identifier) throws {
+            try coder.appendConstructedNode(identifier: identifier) { coder in
+                try coder.serialize(0)
+                try coder.serialize(self.algorithm)
+
+                // Here's a weird one: we recursively serialize the private key, and then turn the bytes into an octet string.
+                var subCoder = DER.Serializer()
+                try subCoder.serialize(self.privateKey)
+                let serializedKey = ASN1OctetString(contentBytes: subCoder.serializedBytes[...])
+
+                try coder.serialize(serializedKey)
+            }
+        }
+    }
+}

Sources/_CryptoExtras/EC/RFC8410AlgorithmIdentifier.swift

@@ -0,0 +1,74 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftCrypto open source project
+//
+// Copyright (c) 2025 Apple Inc. and the SwiftCrypto project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftCrypto project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import SwiftASN1
+
+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *)
+extension ASN1 {
+    @available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *)
+    struct RFC8410AlgorithmIdentifier: DERImplicitlyTaggable, Hashable {
+        static var defaultIdentifier: ASN1Identifier {
+            .sequence
+        }
+
+        var algorithm: ASN1ObjectIdentifier
+
+        // RFC 8410: For all of these OIDs, the parameters MUST be absent.
+        // They are still part of the identifer block.
+        var parameters: ASN1Any?
+
+        init(algorithm: ASN1ObjectIdentifier, parameters: ASN1Any?) {
+            self.algorithm = algorithm
+            self.parameters = parameters
+        }
+
+        init(derEncoded rootNode: ASN1Node, withIdentifier identifier: ASN1Identifier) throws {
+            // The AlgorithmIdentifier block looks like this.
+            //
+            // AlgorithmIdentifier  ::=  SEQUENCE  {
+            //   algorithm   OBJECT IDENTIFIER,
+            //   parameters  ANY DEFINED BY algorithm OPTIONAL
+            // }
+            //
+            // We don't bother with helpers: we just try to decode it directly.
+            self = try DER.sequence(rootNode, identifier: identifier) { nodes in
+                let algorithmOID = try ASN1ObjectIdentifier(berEncoded: &nodes)
+
+                let parameters = nodes.next().map { ASN1Any(berEncoded: $0) }
+
+                return .init(algorithm: algorithmOID, parameters: parameters)
+            }
+        }
+
+        func serialize(into coder: inout DER.Serializer, withIdentifier identifier: ASN1Identifier) throws {
+            try coder.appendConstructedNode(identifier: identifier) { coder in
+                try coder.serialize(self.algorithm)
+                if let parameters = self.parameters {
+                    try coder.serialize(parameters)
+                }
+            }
+        }
+    }
+}
+
+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *)
+extension ASN1.RFC8410AlgorithmIdentifier {
+    static let x25519 = ASN1.RFC8410AlgorithmIdentifier(algorithm: .AlgorithmIdentifier.idX25519, parameters: nil)
+
+    static let x448 = ASN1.RFC8410AlgorithmIdentifier(algorithm: .AlgorithmIdentifier.idX448, parameters: nil)
+
+    static let ed25519 = ASN1.RFC8410AlgorithmIdentifier(algorithm: .AlgorithmIdentifier.idEd25519, parameters: nil)
+
+    static let ed448 = ASN1.RFC8410AlgorithmIdentifier(algorithm: .AlgorithmIdentifier.idEd448, parameters: nil)
+}

Sources/_CryptoExtras/RSA/RSA.swift

@@ -259,6 +259,11 @@ extension _RSA.Signing {
             self.backing.pemRepresentation
         }
 
+        /// A Distinguished Encoding Rules (DER) encoded representation of the private key in PKCS#8 format.
+        public var pkcs8DERRepresentation: Data {
+            self.backing.pkcs8DERRepresentation
+        }
+
         public var pkcs8PEMRepresentation: String {
             self.backing.pkcs8PEMRepresentation
         }

Sources/_CryptoExtras/RSA/RSA_boring.swift

@@ -106,6 +106,10 @@ internal struct BoringSSLRSAPrivateKey: Sendable {
         self.backing.pemRepresentation
     }
 
+    var pkcs8DERRepresentation: Data {
+        self.backing.pkcs8DERRepresentation
+    }
+
     var pkcs8PEMRepresentation: String {
         self.backing.pkcs8PEMRepresentation
     }
@@ -737,6 +741,15 @@ extension BoringSSLRSAPrivateKey {
             }
         }
 
+        fileprivate var pkcs8DERRepresentation: Data {
+            BIOHelper.withWritableMemoryBIO { bio in
+                let rc = CCryptoBoringSSL_i2d_PKCS8PrivateKeyInfo_bio(bio, self.pointer)
+                precondition(rc == 1, "Exporting PKCS8 DER key failed")
+
+                return try! Data(copyingMemoryBIO: bio)
+            }
+        }
+
         fileprivate var pkcs8PEMRepresentation: String {
             BIOHelper.withWritableMemoryBIO { bio in
                 let evp = CCryptoBoringSSL_EVP_PKEY_new()

Sources/_CryptoExtras/RSA/RSA_security.swift

@@ -169,6 +169,12 @@ internal struct SecurityRSAPrivateKey: @unchecked Sendable {
         return pemString.appending("\n")
     }
 
+    var pkcs8DERRepresentation: Data {
+        let pkcs1Bytes = self.derRepresentation
+        let pkcs8Bytes = Data(privateKeyPKCS8BytesForPKCS1Bytes: pkcs1Bytes)
+        return pkcs8Bytes
+    }
+
     var keySizeInBits: Int {
         SecKeyGetBlockSize(self.backing) * 8
     }