private key recovery from PEM file

[turnriver]

I have some bitcoin that is supposedly held in a wallet, but I am not sure if the private keys associated with them are real or correctly generated. I have the public addresses and what should be the private keys in PEM format (-----BEGIN EC PRIVATE KEY-----).

I'm looking for someone who can validate one of the private keys and explain to me how it was generated (if possible), and how to import it into a bitcoin core wallet.

The example I have is BTC 0.001, and if anyone thinks they can help, they're welcome to it if they can help me understand what the PEM key is doing and how to import it.

[whanau]

this is a good explanation with some code for you to play with

https://medium.com/@yashschandra/anatomy-of-a-pem-file-727f1690df18

decoding is petty much the reverse. Happy to try of you want to pm me your PEM format key.

[ABCbits]

Do you remember how did you obtain or generate that PEM file? AFAIK most software/script which does that was created in 2012 or before that. Anyway, for now you could try solution mentioned on Extracting Privat Key from PEM File.

[turnriver]

Thanks, I'll try that Python code to see if I can get it to work. Also looks like Electrum may be able to import these, so I'll try that too.

I don't know how these were created, I know they're pretty old.

Edit: Looks like my main requirement here is just to convert the private key from PEM to WIF so that it can be imported and see if it's even real.

[BitMaxz]

I don't know how you created this wallet before but according to your statement, the PEM file have this format at the beginning "(-----BEGIN EC PRIVATE KEY-----)"
For me, it looks like a SSH private key that you created from an Amazon EC2 instance. The PEM key can be opened on Putty to access the instance.
Are you sure the PEM file you have is your wallet or WIF key? Or are you doing some experiments trying to import PEM file?
I don't know there's a Bitcoin wallet that exists that support PEM file.

[turnriver]

...Are you sure the PEM file you have is your wallet or WIF key?...

No, I am not sure, but I am sure it is supposed to be. Could be corrupted, could be who knows. At this point, I just want to understand the process to validate it.

If I can convert this to a WIF key, I'll know for sure. I'll post my working code later, but at the moment I'm having difficulty getting the python correct, as it produces an invalid length so something isn't correct based on the information I have.

Edit: to restate this, I have a PEM private key that should point to a bitcoin address, but maybe it doesn't. I want to find out how to validate a yes or no on this.

[ABCbits]

I don't know there's a Bitcoin wallet that exists that support PEM file.

Not exactly wallet, but there are some software/script which seems to create such output. Here are few examples,
100 BTC for a key extracting program
Re: [PULL] 52-line patch supporting offline key generation
Re: how to bury some bitcoins without even installing the client
Bitcoin Off-The-Grid (BOTG): secure savings script v0.1.1

[PowerGlove]

Edit: to restate this, I have a PEM private key that should point to a bitcoin address, but maybe it doesn't. I want to find out how to validate a yes or no on this.

Run the below command on (to be safe: a copy of) your file (I'm on a Debian-derived Linux distro, with the openssl package pre-installed):

Code:

$ openssl ec -in key.pem -noout -text

Based on your description of what you have, I'm guessing you'll either see output like this:

Code:

read EC key
Private-Key: (256 bit)
priv:
    1f:42:88:fb:f0:73:e4:25:c0:76:14:ff:9b:8a:2a:
    a8:c2:3c:a4:10:49:4d:83:31:36:f8:1c:25:be:f0:
    44:86
pub:
    04:f2:72:85:d6:91:9a:db:da:5d:7a:b5:33:1a:bb:
    86:a3:e9:b5:52:4f:d3:b0:30:e8:82:1e:c9:0d:a9:
    f3:57:04:1e:1f:0f:fd:5f:7e:2b:11:af:09:1a:24:
    5e:cf:18:80:05:4f:8e:37:64:1b:e2:e2:77:ee:74:
    ea:93:29:77:88
ASN1 OID: secp256k1

Or something a little more detailed, like this:

Code:

read EC key
Private-Key: (256 bit)
priv:
    1f:42:88:fb:f0:73:e4:25:c0:76:14:ff:9b:8a:2a:
    a8:c2:3c:a4:10:49:4d:83:31:36:f8:1c:25:be:f0:
    44:86
pub:
    04:f2:72:85:d6:91:9a:db:da:5d:7a:b5:33:1a:bb:
    86:a3:e9:b5:52:4f:d3:b0:30:e8:82:1e:c9:0d:a9:
    f3:57:04:1e:1f:0f:fd:5f:7e:2b:11:af:09:1a:24:
    5e:cf:18:80:05:4f:8e:37:64:1b:e2:e2:77:ee:74:
    ea:93:29:77:88
Field Type: prime-field
Prime:
    00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:fe:ff:
    ff:fc:2f
A:    0
B:    7 (0x7)
Generator (uncompressed):
    04:79:be:66:7e:f9:dc:bb:ac:55:a0:62:95:ce:87:
    0b:07:02:9b:fc:db:2d:ce:28:d9:59:f2:81:5b:16:
    f8:17:98:48:3a:da:77:26:a3:c4:65:5d:a4:fb:fc:
    0e:11:08:a8:fd:17:b4:48:a6:85:54:19:9c:47:d0:
    8f:fb:10:d4:b8
Order:
    00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:fe:ba:ae:dc:e6:af:48:a0:3b:bf:d2:5e:8c:d0:
    36:41:41
Cofactor:  1 (0x1)

In either case, there's enough information to tell whether it's a key on Bitcoin's curve (secp256k1) or not. Assuming that it is, then you can just take what's in the priv section, remove the colons, combine what remains into a single line, prepend a 0x, and feed that to the script I posted here, like this:

Code:

$ python3 make_address.py 0x1f4288fbf073e425c07614ff9b8a2aa8c23ca410494d833136f81c25bef04486

(Before running the above command, I'd edit make_address.py and change show_p2pkh_uncompressed near the top of the script from False to True.)

That'll give you a set of three addresses, along with their WIFs:

Code:

       +------+----------------------+
       | Type | Legacy, Uncompressed |
    +--+------+----------------------+-------------+
    | Address | 178WCczMcyUWWbkTnWnL5xwFBmyRk3dVAA |
+---+---------+------------------------------------+----------------+
| Private Key | 5J445EQqLav3H5M8RsGgBHkJphHUXiQSJeNAiewQ8HJ68wVdpfi |
+-------------+-----------------------------------------------------+
       +------+--------------------+
       | Type | Legacy, Compressed |
    +--+------+--------------------+---------------+
    | Address | 1GV7eRheoT9RXEpEoSpL7yzSh5Wx9sCkBE |
+---+---------+------------------------------------+-----------------------+
| Private Key | p2pkh:KxGUZgCCMSh73xBqnktBvQv9fWoiWZkSgsvRtrT758vRg1GKywgA |
+-------------+------------------------------------------------------------+
       +------+---------------+
       | Type | Native SegWit |
    +--+------+---------------+----------------------------+
    | Address | bc1q48d3fd9dkrf237ldfa6d2qdpkaax5r72lqxqay |
+---+---------+--------------------------------------------+----------------+
| Private Key | p2wpkh:KxGUZgCCMSh73xBqnktBvQv9fWoiWZkSgsvRtrT758vRg1GKywgA |
+-------------+-------------------------------------------------------------+

(I know your example file isn't meant to lead to much balance, but, in general, you should obviously not share any of the above output, and you should try to do all of the above in a security-conscious way: offline, and in something amnesic like Tails.)

[turnriver]

...Run the below command on (to be safe: a copy of) your file...

The output matches your first format.

Code:

read EC key
Private-Key: (256 bit)
priv:
	...
pub:
	...
ASN1 OID: secp256k1

I'll have to run your python script on an an air-gaped system for more details.

The code I have for converting from PEM to WIF appears to work too, but the resulting public BTC addresses aren't expected, so the keys I have may well be useless but it is an interesting exercise anyway.


Here's my code to convert a PEM private key into WIF. It seems to work, but I don't really have any examples to test it against for proof.

Code:

import sys, base64, binascii, hashlib, base58

# Default to an example PEM key (from https://bitcointalk.org/index.php?topic=5309706.0)
pem_raw = """-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIDzQVg9bJ1kZFsZDoLeqadA4OTgKc40ukSmQ3MVzcV0soAcGBSuBBAAK
oUQDQgAEvzUNKCE3UVimCLUePomOUH/kfy0ujHdN5Kmn7ez3TtokJDy5ksVnOgf6
WzpmzY46zvKAnQ44Cgx5Kdqx5dVDiw==
-----END EC PRIVATE KEY-----"""

# If a file is provided, use that instead
if len(sys.argv) == 2:
    with open(sys.argv[1], 'r') as f:
        pem_raw = f.read()
else:
    print("USING EXAMPLE KEY!")

# Display the PEM
print("PEM:")
print(pem_raw)
print("")

# Pull out the key between the markers
pem_marker_start = '-----BEGIN EC PRIVATE KEY-----'
pem_marker_end = '-----END EC PRIVATE KEY-----'
pem_key_start = pem_raw.find(pem_marker_start) + len(pem_marker_start)
pem_key_end = pem_raw.find(pem_marker_end)
pem_key_base64 = pem_raw[pem_key_start:pem_key_end]

# Decode the PEM file from base64 to HEX
pem_binary = base64.b64decode(pem_key_base64)
pem_hex = binascii.hexlify(pem_binary).decode('ascii')
print(f"PEM HEX: {pem_hex}")

# Verify the prefix
pem_prefix = pem_hex[:14]
if pem_prefix != "30740201010420":
    raise Exception(f"Prefix is unknown: {pem_prefix}") 

# Extract the private key portion of the pem
pk_hex = pem_hex[14:][:64]
print(f"PK HEX: {pk_hex}")

pk_with_80 = "80" + pk_hex
pk_with_80_binary = binascii.unhexlify(pk_with_80)

checksum_step_1 = hashlib.sha256(pk_with_80_binary)
checksum_step_2 = hashlib.sha256(checksum_step_1.digest())
checksum = checksum_step_2.hexdigest()[:8]
print(f'WIF CHK: {checksum}')

wif_hex = pk_with_80 + checksum
print(f'WIF HEX: {wif_hex}')

wif_binary = binascii.unhexlify(wif_hex)
wif = base58.b58encode(wif_binary).decode('ascii')
print(f'WIF: {wif}')

print("")

# Some basic verification
if len(wif) != 51:
    print("INCORRECT LENGTH!!!!!!")
if wif[0] != '5' and wif[0] != 'L' and wif[0] != 'K':
    print("INCORRECT PREFIX!!!!!!")

...In either case, there's enough information to tell whether it's a key on Bitcoin's curve (secp256k1) or not. Assuming that it is, then you can just take what's in the priv section, remove the colons, combine what remains into a single line, prepend a 0x, and feed that to the script I posted here, like this:...

Okay, I ran your script and it appears to get the same result, which is good, but also means my private keys don't point to the bitcoin addresses they are supposed to.

Nice script BTW, thanks for that!

Edit:

Since it seems the private key isn't real, I'll go ahead and post this here publicly to see if anyone can derive the BTC 0.001 from it.

BTC this private key was supposed to point to:
https://blockchain.info/address/1G4Qu6nHQfKCFXGoxyWCjEyZwEnVY4egkU

Code:

-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIKJoRAiUfJMU2txqQRbaauMGydTcPXhcA5Qol6InSqI0oAcGBSuBBAAK
oUQDQgAEhSsqJe0cJ+31MCFZQkOqG4p+Xx9iyOANhP/Zc0sXrBJlobwdj66BNO4l
q9cjwdbLnh3HoH5xaHONV+jP8EDnPw==
-----END EC PRIVATE KEY-----

Code:

WIF    : 5K3p4JPe41T8PxDW95S79zRpLZW36SMdsNy4mku2UsZtoMr33RF

[PowerGlove]

Nice script BTW, thanks for that!

No problem.

Here's my code to convert a PEM private key into WIF. It seems to work, but I don't really have any examples to test it against for proof.

Looking at your code, it seems like you're not clear on the difference between compressed and uncompressed WIFs (for example, the logic at the end of your script isn't quite right: an ordinary WIF will either start with a 'K' or an 'L' and be 52 characters long, or it will start with a '5' and be 51 characters long).

I do remember the whole compressed vs. uncompressed thing confusing me, too, especially because a "compressed" WIF is actually one character longer than an "uncompressed" one. The thing to be aware of, is that these two kinds of WIF are just signaling whether or not the 2D point that results from multiplying the encoded scalar with secp256k1's generator point should be in one-coordinate-with-parity form, or in two-coordinate form (this distinction then has an effect on the calculated address).

I took a crack at a PEM-to-WIF script myself, which I'll include here in case you or anyone else finds it useful:

Code:

#!/usr/bin/env python3

# pem_to_wif.py v2024.11.17 (https://bitcointalk.org/index.php?topic=5517903.msg64750246#msg64750246)

import sys, base64, hashlib

def wif_from_scalar(scalar: int, *, uncompressed: bool = False) -> str:

    assert scalar > 0 and scalar < 2**256 - 0x14551231950b75fc4402da1732fc9bebf

    versioned: int = (0x80 << 256 | scalar) if uncompressed else (0x80 << 264 | scalar << 8 | 1)

    checksum: int = int.from_bytes(hashlib.sha256(hashlib.sha256(versioned.to_bytes(33 if uncompressed else 34, 'big')).digest()).digest()[:4], 'big')

    combined: int = versioned << 32 | checksum

    alphabet: str = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

    return ''.join(alphabet[scale % 58] for scale in (combined // 58**index for index in range(51 if uncompressed else 52)))[::-1]

def main(args: list[str]) -> None:

    try:

        with open(args[0], 'rb') as file:

            data: bytes = file.read()

            decoded: bytes = base64.b64decode(data[data.index(b'-----BEGIN EC PRIVATE KEY-----')+30:data.index(b'-----END EC PRIVATE KEY-----')])

    except:

        sys.exit('Gimme a suitable PEM file.')

    # No need to be too picky about the pattern: the first thing that looks like an ASN.1 octet string with a length of 32 will do...

    offset: int = decoded.find(b'\x04\x20')

    key: bytes = decoded[offset+2:offset+34]

    if offset >= 0 and len(key) == 32:

        scalar: int = int.from_bytes(key, 'big')

        print(f'Private key: {scalar:064X}')

        print(f'Compressed WIF: {wif_from_scalar(scalar)}')

        print(f'Uncompressed WIF: {wif_from_scalar(scalar, uncompressed=True)}')

    else:

        sys.exit('Came up empty. Sorry.')

if __name__ == '__main__':

    main(sys.argv[1:])

Since it seems the private key isn't real, I'll go ahead and post this here publicly to see if anyone can derive the BTC 0.001 from it.

If I run the above script on your posted example, like this:

Code:

$ python3 pem_to_wif.py example.pem

I get the following:

Code:

Private key: A2684408947C9314DADC6A4116DA6AE306C9D4DC3D785C03942897A2274AA234
Compressed WIF: L2fQhZkvYGzKeJiBceZpAgUXwLTAEzv5jMxTeYkdY2CBdYRUJZnP
Uncompressed WIF: 5K3p4JPe41T8PxDW95S79zRpLZW36SMdsNy4mku2UsZtoMr33RF

And if I run openssl on your file, like this:

Code:

$ openssl ec -in example.pem -noout -text -check

I get:

Code:

read EC key
Private-Key: (256 bit)
priv:
    a2:68:44:08:94:7c:93:14:da:dc:6a:41:16:da:6a:
    e3:06:c9:d4:dc:3d:78:5c:03:94:28:97:a2:27:4a:
    a2:34
pub:
    04:85:2b:2a:25:ed:1c:27:ed:f5:30:21:59:42:43:
    aa:1b:8a:7e:5f:1f:62:c8:e0:0d:84:ff:d9:73:4b:
    17:ac:12:65:a1:bc:1d:8f:ae:81:34:ee:25:ab:d7:
    23:c1:d6:cb:9e:1d:c7:a0:7e:71:68:73:8d:57:e8:
    cf:f0:40:e7:3f
ASN1 OID: secp256k1
EC Key valid.

(The above should be enough for someone with more time on their hands than I have at the moment to see if they can find a link between what's in your PEM file and the address that you were led to believe it should correspond to.)

[turnriver]

(The above should be enough for someone with more time on their hands than I have at the moment to see if they can find a link between what's in your PEM file and the address that you were led to believe it should correspond to.)

Good stuff. I don't have any "merits" that it looks like this forum uses, but I'd give you some if I did.

Hopefully this will all be useful to someone else in the future too.

[Cricktor]

I don't have any "merits" that it looks like this forum uses, but I'd give you some if I did.

I gave you one merit, so that you now have one sMerit that you can give to PowerGlove for his excellent contribution.

[turnriver]

I gave you one merit, so that you now have one sMerit that you can give to PowerGlove for his excellent contribution.

Done, thanks!