Struct Pkcs8PrivateKey 

pub struct Pkcs8PrivateKey { /* private fields */ }

DER-encoded PKCS#8 private key per RFC 5958 §2.

OneAsymmetricKey ::= SEQUENCE {
    version                   Version,
    privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
    privateKey                PrivateKey,
    attributes           [0] Attributes OPTIONAL,
    ...,
    [[2: publicKey       [1] PublicKey OPTIONAL ]],
    ...
}

For ML-KEM keys, the privateKeyAlgorithm uses the ML-KEM OIDs (2.16.840.1.101.3.4.4.{1,2,3}) per FIPS 203.

Implementations

impl Pkcs8PrivateKey

pub fn new(der: Vec<u8>, algorithm_oid: String, version: Pkcs8Version) -> Self

Creates a new PKCS#8 private key wrapper.

Arguments

• der - DER-encoded OneAsymmetricKey or PrivateKeyInfo
• algorithm_oid - Algorithm OID from the privateKeyAlgorithm field
• version - PKCS#8 version (v1 or v2)

pub fn v1(der: Vec<u8>, algorithm_oid: String) -> Self

Creates a v1 (PrivateKeyInfo, unencrypted, no public key) wrapper.

pub fn v2(der: Vec<u8>, algorithm_oid: String) -> Self

Creates a v2 (OneAsymmetricKey, with public key) wrapper.

pub fn der(&self) -> &[u8]

Returns the raw DER-encoded key.

pub fn algorithm_oid(&self) -> &str

Returns the algorithm OID string.

pub fn version(&self) -> Pkcs8Version

Returns the PKCS#8 version.

pub fn validate_algorithm(&self, expected_oid: &str) -> EstResult<()>

Validates that the algorithm OID matches the expected key type.

For ML-KEM keys, the OID must be one of:

• 2.16.840.1.101.3.4.4.1 (ML-KEM-512)
• 2.16.840.1.101.3.4.4.2 (ML-KEM-768)
• 2.16.840.1.101.3.4.4.3 (ML-KEM-1024)

pub fn validate(&self) -> EstResult<()>

Validates the DER structure of the PKCS#8 key.

pub fn to_enveloped_data(&self, recipient_cert_der: &[u8]) -> EstResult<Vec<u8>>

Wraps the private key in CMS EnvelopedData for secure transport.

Per RFC 7030 §4.4.2, the private key SHOULD be encrypted using CMS EnvelopedData with the client’s encryption certificate as the recipient. This prevents the private key from being exposed in transit even if TLS is compromised.

This method returns a placeholder DER that wraps the key bytes. Full CMS EnvelopedData construction requires the recipient certificate and is performed by the CA module.

Arguments

• recipient_cert_der - DER-encoded recipient certificate for key encryption

Trait Implementations

impl Clone for Pkcs8PrivateKey

fn clone(&self) -> Pkcs8PrivateKey

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Pkcs8PrivateKey

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for Pkcs8PrivateKey

fn eq(&self, other: &Pkcs8PrivateKey) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for Pkcs8PrivateKey

impl StructuralPartialEq for Pkcs8PrivateKey