
"No DEK-Info header in block" when attempting to read encrypted private key

I'm trying to read an encrypted PKCS8 private key file. I generated the keys like this:

openssl genrsa -out file.pem -passout pass:file -aes256 1024
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem

And I try reading it in Go this way:

block, _ := pem.Decode(key)
return x509.DecryptPEMBlock(block, password)

But I get an error saying:

x509: no DEK-Info header in block

However, I can't figure out what's going wrong. Am I generating the key wrong or am I using the wrong library? I see libraries specifically for reading unencrypted PKCS8 files but none for encrypted PKCS8 files specifically.

Does anyone have any idea?

Go doesn't have a function to decrypt PKCS8 keys in the standard library.

You can use this package: https://github.com/youmark/pkcs8/blob/master/pkcs8.go#L103

A longer explanation for anyone with the same problem.

What would work

Your first command

openssl genrsa -out file.pem -passout pass:file -aes256 1024

generates a PKCS#1 private key file (file.pem):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232

AEf09rGkgGEJ79GgO4dEVsArwv4IbbODlxy95uHhfkdGYmuk6OlTpiCUE0GT68wn
KFJfBcHr8Z3VqiHGsXxM5QlKhgnfptxfbrdKErgBD5LQcrvnqmf43KeD4lGQcpiy
...
...
mAKMCwiU/GKZz8ZwQ4qGkBlVVCOFfgwmfbqguJF2l8yzM8lYI9MZ9NEwKkvEbc
-----END RSA PRIVATE KEY-----

This private key file can be parsed and decrypted by x509.DecryptPEMBlock() alright.

What would not work and why

Your second command

openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem

converts that file into PKCS#8 format (filePKCS8.pem).

The subcommand genpkey would directly produce a similar result:

openssl genpkey -algorithm RSA -aes256 \
  -pkeyopt rsa_keygen_bits:1024 -out filePKCS8.pem

The generated filePKCS8.pem (either way) would look similar to this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIISrTBXBgkqhkiG9w0BBQ0wSjKpBgkqhkiG9w0BBQwwHAQIKL+ordsVfqsCAggB
MAwGCCqGSIb3DQIJCQAwHQYJYIZIWAUDBAEqBBCipOAAxWkC0/zkNLNYTSMgBIIS
...
...
zfdxjZ0XmPiwED2azsLMnRrWnRj2UqMtnv9zO/ucik9za
-----END ENCRYPTED PRIVATE KEY-----

x509.DecryptPEMBlock() does not support this format. And as specified in #8860, Go's core library has no real plan to support PKCS#8 in the near future.

As mentioned by Gregory, if you want to work with it, you'll have better luck with a 3rd-party library like github.com/youmark/pkcs8 (Documentation).
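
An added example, not part of the original answers: a Go sketch using only the standard library that tells the two formats apart by PEM type and headers before calling x509.DecryptPEMBlock, so an encrypted PKCS#8 file produces a clear error rather than "no DEK-Info header in block". The names decodeKeyPEM, samples and ErrEncryptedPKCS8 are hypothetical, and the sample payload is constructed placeholder bytes, not a real key.

```go
package main

import (
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// ErrEncryptedPKCS8 marks a block that needs a PKCS#8-aware library instead.
var ErrEncryptedPKCS8 = errors.New("encrypted PKCS#8 key: not supported by crypto/x509")

// decodeKeyPEM (hypothetical helper) returns the key bytes and the detected format.
func decodeKeyPEM(data, password []byte) ([]byte, string, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, "", errors.New("no PEM block found")
	}
	switch {
	case block.Type == "ENCRYPTED PRIVATE KEY": // PKCS#8: cipher parameters sit in the ASN.1 body
		return nil, "pkcs8-encrypted", ErrEncryptedPKCS8
	case block.Headers["DEK-Info"] != "": // legacy PEM encryption: cipher and IV sit in the headers
		der, err := x509.DecryptPEMBlock(block, password)
		return der, "legacy-encrypted", err
	case block.Type == "PRIVATE KEY", block.Type == "RSA PRIVATE KEY":
		return block.Bytes, "unencrypted", nil
	}
	return nil, "", fmt.Errorf("unexpected PEM type %q", block.Type)
}

// samples builds constructed inputs; the payload is placeholder bytes, not a real key.
func samples(password []byte) (legacy, pkcs8 []byte, err error) {
	payload := []byte("constructed placeholder, not a real key")
	blk, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", payload, password, x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	pkcs8 = pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: payload})
	return pem.EncodeToMemory(blk), pkcs8, nil
}

func main() {
	legacy, pkcs8, _ := samples([]byte("file"))
	for _, in := range [][]byte{legacy, pkcs8} {
		_, format, err := decodeKeyPEM(in, []byte("file"))
		fmt.Println(format, err)
	}
}
```

x509.DecryptPEMBlock and x509.EncryptPEMBlock are marked deprecated in current Go releases because legacy PEM encryption is not authenticated, so the legacy branch is for reading existing files only.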
