proposal: crypto/x509: add support for PBES2 private keys #39241

Open
shibe2 opened this issue May 25, 2020 · 2 comments

Comments


@shibe2 shibe2 commented May 25, 2020

What version of Go are you using (go version)?

1.14.3

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

linux/amd64

What did you do?

I generated an ECDSA private key with OpenSSL 1.1.1g using req -newkey. It asked for a password and encrypted the key. However, it didn't add headers like "Proc-Type" and "DEK-Info". If I decrypt the key using OpenSSL, it is usable for Go TLS, but Go itself cannot decrypt it.

https://play.golang.org/p/cU7jBbRIHt9

What did you expect to see?

IsEncryptedPEMBlock: true
key type: *ecdsa.PrivateKey

What did you see instead?

IsEncryptedPEMBlock: false
x509: no DEK-Info header in block

@tklauser tklauser changed the title Cannot decrypt private key generated by OpenSSL 1.1.1g crypto/x509: cannot decrypt private key generated by OpenSSL 1.1.1g May 25, 2020

@shibe2 shibe2 commented May 25, 2020

From OpenSSL manual:

Normally a private key is written using standard format: this is PKCS#8 form with the appropriate encryption algorithm (if any). If the -traditional option is specified then the older "traditional" format is used instead.

So my key is encrypted using PBES2. It seems to be the default for openssl pkey, openssl req and maybe some other sub-commands.

I wrote a quick and dirty function to decrypt PBES2 (https://play.golang.org/p/BK9rxDD87ur). Feel free to use it if you decide to implement this feature.

EDIT: Added padding handling to my function.

@odeke-em odeke-em changed the title crypto/x509: cannot decrypt private key generated by OpenSSL 1.1.1g crypto/x509: cannot decrypt PBES2 private key generated by OpenSSL 1.1.1g May 29, 2020

@odeke-em odeke-em commented May 29, 2020

Thank you for filing this issue @shibe2 and welcome to the Go project! I shall tag some experts @FiloSottile @katiehockman @retornam to also beware of this change.

@shibe2 if all goes great, perhaps this could be an addition to crypto/x509 or x/crypto/. Thank you.

@FiloSottile FiloSottile changed the title crypto/x509: cannot decrypt PBES2 private key generated by OpenSSL 1.1.1g proposal: crypto/x509: add support for PBES2 private keys Sep 22, 2020
@gopherbot gopherbot added this to the Proposal milestone Sep 22, 2020
@gopherbot gopherbot added the Proposal label Sep 22, 2020