Loading ECC PKCS8 keys generated by go

[wbl]

We have been having lots of problems and have been unable to get ECC to work. First off the PEM lines are subtly different: go includes EC PRIVATE KEY, but rustls expects only PRIVATE KEY. I don't think it pays to be pedantic about that. But after changing that by hand we get errors about the private key being invalid due to ASN.1 issues. I'm not sure which part actually has the bug between go and this project but I am not an ASN.1 expert enough to figure that out.

[briansmith]

Please generate a dummy PKCS#8 key from Go that fails to parse in Rustls and post the PEM here.

[briansmith]

Also, read the documentation here at https://briansmith.org/rustdoc/ring/signature/struct.EcdsaKeyPair.html#method.from_pkcs8 and see if that narrows down the issue. For example, does the PKCS#8 document contain the public key? Is it using named curve AlgorithmIdentifiers or the other kind?

[wbl]

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMY4Javm8p/EUEj8Vqp970VhlqcXTbQR4xS+Pg+wMZlEoAoGCCqGSM49
AwEHoUQDQgAE2OiErbskHuuNPRJWorVRXuVG4lsoZIUNxgke5ahna6d/+iWB9V6k
NYDCfkRFQ2rpBoSSefGNafhumEOmkuVnrQ==
-----END EC PRIVATE KEY-----

[ctz]

First off the PEM lines are subtly different: go includes EC PRIVATE KEY, but rustls expects only PRIVATE KEY

"EC PRIVATE KEY" introduces a SEC1-style private key (its the encoding ECPrivateKey in SEC1v2 section C.4 -- http://www.secg.org/sec1-v2.pdf )

You can convert these to PKCS#8 with openssl pkcs8 -topk8 -nocrypt -in sec1.pem -out pkcs8.pem

[wbl]

Ah, thank you!