
"No DEK-Info header in block" when attempting to read encrypted private key

I'm trying to read an encrypted PKCS8 private key file. I generated the keys like this:

openssl genrsa -out file.pem -passout pass:file -aes256 1024
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem

And I try reading it in Go this way:

block, _ := pem.Decode(key)
return x509.DecryptPEMBlock(block, password)

But I get an error saying:

x509: no DEK-Info header in block

However, I can't figure out what's going wrong. Am I generating the key wrong or am I using the wrong library? I see libraries specifically for reading unencrypted PKCS8 files but none for encrypted PKCS8 files specifically.

Does anyone have any idea?

Go doesn't have a function to decrypt PKCS8 keys in the standard library.

You can use this package: https://github.com/youmark/pkcs8/blob/master/pkcs8.go#L103

A longer explanation for anyone with the same problem.

What would work

Your first command

openssl genrsa -out file.pem -passout pass:file -aes256 1024

generates a PKCS#1 private key file (file.pem):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232

AEf09rGkgGEJ79GgO4dEVsArwv4IbbODlxy95uHhfkdGYmuk6OlTpiCUE0GT68wn
KFJfBcHr8Z3VqiHGsXxM5QlKhgnfptxfbrdKErgBD5LQcrvnqmf43KeD4lGQcpiy
...
...
mAKMCwiU/GKZz8ZwQ4qGkBlVVCOFfgwmfbqguJF2l8yzM8lYI9MZ9NEwKkvEbc
-----END RSA PRIVATE KEY-----

This private key file can be parsed and decrypted by x509.DecryptPEMBlock() alright.

What would not work and why

Your second command

openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem

converts that file into PKCS#8 format (filePKCS8.pem).

The subcommand genpkey would directly produce a similar result:

openssl genpkey -algorithm RSA -aes256 \
  -pkeyopt rsa_keygen_bits:1024 -out filePKCS8.pem

The generated filePKCS8.pem (either way) would look similar to this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIISrTBXBgkqhkiG9w0BBQ0wSjKpBgkqhkiG9w0BBQwwHAQIKL+ordsVfqsCAggB
MAwGCCqGSIb3DQIJCQAwHQYJYIZIWAUDBAEqBBCipOAAxWkC0/zkNLNYTSMgBIIS
...
...
zfdxjZ0XmPiwED2azsLMnRrWnRj2UqMtnv9zO/ucik9za
-----END ENCRYPTED PRIVATE KEY-----

x509.DecryptPEMBlock() does not support this format. And as specified in #8860, Go's core library has no real plan to support PKCS#8 in the near future.

As mentioned by Gregory, if you want to work with it, you'll have better luck with a 3rd party library like github.com/youmark/pkcs8 (Documentation).
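
Added example, not part of the original question or answers: a pre-check that tells the two encrypted formats apart before choosing a decryptor, and goes one step further than the answers by reading the encryption scheme OID out of the PKCS#8 EncryptedPrivateKeyInfo structure. The names Classify, legacySample and pkcs8Sample are hypothetical, and both samples are constructed (filler bytes, no real key material); the legacy sample reuses the DEK-Info line shown above.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// PKCS#8 EncryptedPrivateKeyInfo (RFC 5208): SEQUENCE { AlgorithmIdentifier, OCTET STRING }.
type encryptedPrivateKeyInfo struct {
	Algo struct {
		OID    asn1.ObjectIdentifier
		Params asn1.RawValue `asn1:"optional"`
	}
	Data []byte
}

// Classify reports how a PEM private key is protected so the caller can pick a decryptor.
func Classify(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	switch {
	case block == nil:
		return "", fmt.Errorf("no PEM block found")
	case block.Headers["DEK-Info"] != "": // header-based encryption, what DecryptPEMBlock reads
		return "legacy-pem", nil
	case block.Type != "ENCRYPTED PRIVATE KEY":
		return "plain " + block.Type, nil
	}
	var info encryptedPrivateKeyInfo
	if _, err := asn1.Unmarshal(block.Bytes, &info); err != nil {
		return "", err
	}
	return "pkcs8-encrypted " + info.Algo.OID.String(), nil // scheme lives in the DER, not in headers
}

// Constructed samples: a legacy block with PEM headers, and a minimal PKCS#8 block.
const legacySample = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"

var pkcs8Sample = pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte{
	0x30, 0x15, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d, // PBES2 OID
	0x30, 0x00, 0x04, 0x04, 0, 0, 0, 0}}) // placeholder parameters, filler ciphertext

func main() {
	fmt.Println(Classify([]byte(legacySample)))
	fmt.Println(Classify(pkcs8Sample))
	block, _ := pem.Decode(pkcs8Sample)
	_, err := x509.DecryptPEMBlock(block, []byte("file")) // the question's call; deprecated API
	fmt.Println(err)
}
```

A "pkcs8-encrypted" result is the case to route to a PKCS#8-aware decryptor such as the package named in the answers; the OID 1.2.840.113549.1.5.13 is PBES2.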
