From d078f6ff87adfd576e49c8e8dcf6d84447eaafe8 Mon Sep 17 00:00:00 2001
From: Artur Troian
Date: Thu, 23 Mar 2023 11:51:38 -0400
Subject: [PATCH] fix: try decode PKCS8 private key first (#1790)

Signed-off-by: Artur Troian
---
 x/cert/utils/key_pair_manager.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/x/cert/utils/key_pair_manager.go b/x/cert/utils/key_pair_manager.go
index 218d4a7c99..e7892e8790 100644
--- a/x/cert/utils/key_pair_manager.go
+++ b/x/cert/utils/key_pair_manager.go
@@ -265,17 +265,17 @@ func (kpm *keyPairManager) readImpl(fin io.Reader) ([]byte, []byte, []byte, erro
  var privKeyPlaintext []byte
+ // PKCS#8 header defined in RFC7468 section 11
  // nolint: gocritic
- if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
+ if block.Type == "ENCRYPTED PRIVATE KEY" {
+ privKeyPlaintext, err = pemutil.DecryptPKCS8PrivateKey(block.Bytes, kpm.passwordBytes)
+ } else if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
  // nolint: staticcheck
  privKeyPlaintext, err = x509.DecryptPEMBlock(block, kpm.passwordBytes)
  if errors.Is(err, x509.IncorrectPasswordError) {
  // nolint: staticcheck
  privKeyPlaintext, err = x509.DecryptPEMBlock(block, kpm.passwordLegacy)
  }
- // PKCS#8 header defined in RFC7468 section 11
- } else if block.Type == "ENCRYPTED PRIVATE KEY" {
- privKeyPlaintext, err = pemutil.DecryptPKCS8PrivateKey(block.Bytes, kpm.passwordBytes)
  } else {
  return nil, nil, nil, errUnsupportedEncryptedPEM
  }
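Review bot: The reordered `if` now gives `block.Type == "ENCRYPTED PRIVATE KEY"` precedence over the `Proc-Type` header, but the only comment above it (`// PKCS#8 header defined in RFC7468 section 11`) does not say why the order matters, so a later cleanup could swap the branches back. I would extend it to something like `// Check the PEM type first: a PKCS#8 block must never be routed to the legacy RFC 1423 path, even if it also carries a Proc-Type header.` (presumably the case #1790 fixes; please confirm). Separately, the retained legacy branch retries with `kpm.passwordLegacy` only on `x509.IncorrectPasswordError`, and the Go documentation for `x509.DecryptPEMBlock` says a wrong password is not always detectable and can return noise with a nil error, so that fallback can be skipped silently and the failure only shows up when the plaintext is parsed after this hunk. The PKCS#8 branch has no `passwordLegacy` fallback at all; if that is intentional, a one-line comment saying so would prevent someone "fixing" it later. `readImpl` starts and ends outside this hunk.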