"No DEK-Info header in block" when attempting to read encrypted private key
I'm trying to read an encrypted PKCS8 private key file. I generated the keys like this:
openssl genrsa -out file.pem -passout pass:file -aes256 1024
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem
And I try reading it in Go this way:
block, _ := pem.Decode(key)
return x509.DecryptPEMBlock(block, password)
But I get an error saying:
x509: no DEK-Info header in block
However, I can't figure out what's going wrong. Am I generating the key wrong or am I using the wrong library? I see libraries specifically for reading unencrypted PKCS8 files but none for encrypted PKCS8 files specifically.
Does anyone have any idea?
Go doesn't have a function to decrypt PKCS8 keys in the standard library.
You can use this package: https://github.com/youmark/pkcs8/blob/master/pkcs8.go#L103
A longer explanation for anyone with the same problem.
Your first command
openssl genrsa -out file.pem -passout pass:file -aes256 1024
generates a PKCS#1 private key file (file.pem):
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232
AEf09rGkgGEJ79GgO4dEVsArwv4IbbODlxy95uHhfkdGYmuk6OlTpiCUE0GT68wn
KFJfBcHr8Z3VqiHGsXxM5QlKhgnfptxfbrdKErgBD5LQcrvnqmf43KeD4lGQcpiy
...
...
mAKMCwiU/GKZz8ZwQ4qGkBlVVCOFfgwmfbqguJF2l8yzM8lYI9MZ9NEwKkvEbc
-----END RSA PRIVATE KEY-----
This private key file can be parsed and decrypted by x509.DecryptPEMBlock() alright.
Your second command
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem
converts that file into PKCS#8 format (filePKCS8.pem).
The subcommand genpkey would directly produce a similar result:
openssl genpkey -algorithm RSA -aes256 \
-pkeyopt rsa_keygen_bits:1024 -out filePKCS8.pem
The generated filePKCS8.pem (either way) would look similar to this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIISrTBXBgkqhkiG9w0BBQ0wSjKpBgkqhkiG9w0BBQwwHAQIKL+ordsVfqsCAggB
MAwGCCqGSIb3DQIJCQAwHQYJYIZIWAUDBAEqBBCipOAAxWkC0/zkNLNYTSMgBIIS
...
...
zfdxjZ0XmPiwED2azsLMnRrWnRj2UqMtnv9zO/ucik9za
-----END ENCRYPTED PRIVATE KEY-----
x509.DecryptPEMBlock() does not support this format. And as specified in #8860, Go's core library has no real plan to support pkcs#8 in the near future.
As mentioned by Gregory, if you want to work with it, you'll have better luck with a 3rd party library like github.com/youmark/pkcs8 (Documentation).
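An added example, not part of the original answers: Go code, standard library only, that tells the two formats shown above apart before calling x509.DecryptPEMBlock, so an encrypted PKCS#8 file produces a clear error instead of "no DEK-Info header in block". The names classify, decryptKey and ErrEncryptedPKCS8 are hypothetical, and the sample block in main is constructed.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// ErrEncryptedPKCS8 (hypothetical name) marks input x509.DecryptPEMBlock cannot handle.
var ErrEncryptedPKCS8 = errors.New("encrypted PKCS#8: pass block.Bytes to a PKCS#8-aware library")

// classify (hypothetical helper) reports the container format of the first PEM block.
func classify(data []byte) (string, *pem.Block, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", nil, errors.New("no PEM block found")
	}
	_, hasDEK := block.Headers["DEK-Info"]
	switch {
	case block.Type == "ENCRYPTED PRIVATE KEY":
		return "pkcs8-encrypted", block, nil // cipher parameters are inside the DER, not in PEM headers
	case hasDEK:
		return "legacy-encrypted", block, nil // Proc-Type / DEK-Info PEM headers
	}
	return "plain:" + block.Type, block, nil
}

// decryptKey returns the private key DER, or ErrEncryptedPKCS8 for the format
// that the standard library cannot decrypt.
func decryptKey(data, password []byte) ([]byte, error) {
	kind, block, err := classify(data)
	if err != nil {
		return nil, err
	}
	switch kind {
	case "pkcs8-encrypted":
		return nil, ErrEncryptedPKCS8
	case "legacy-encrypted":
		return x509.DecryptPEMBlock(block, password)
	}
	return block.Bytes, nil // unencrypted: nothing to decrypt
}

func main() {
	// Constructed sample: the body bytes are placeholders, only the PEM framing matters.
	sample := pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("constructed")})
	fmt.Println(decryptKey(sample, []byte("file")))
}
```
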