Already burning hours figuring out why I cannot get the certificate using
cert, err := tls.X509KeyPair(blockCrt.Bytes, blockPEM)
A bit of research history I did
- Able to read Understanding PKCS1, PKCS8 and PEM
- Similar issue "No DEK-Info header in block" when attempting to read encrypted private key
I have the similar error if I use "x509.DecryptPEMBlock"
x509: no DEK-Info header in block
So, I changed it and have used the following code with combination of x509.DecrpyPEMBlock and https://github.com/youmark/pkcs8
package main
import (
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
)
func main() {
New()
}
func New() error {
certPem := []byte(`
-----BEGIN CERTIFICATE-----
... -----END CERTIFICATE----- `)
keyPem := []byte(`
-----BEGIN ENCRYPTED PRIVATE KEY-----
... -----END ENCRYPTED PRIVATE KEY----- `)
// DECODE CRT PEM block
blockCrt, _ := pem.Decode([]byte(certPem))
// DECODE KEY PEM block
blockKey, _ := pem.Decode([]byte(keyPem))
// CHECK ENCRYPTION ON CRT/KEY PEM block
isKeyEncryptedPem := x509.IsEncryptedPEMBlock(blockKey)
isCrtyEncryptedPem := x509.IsEncryptedPEMBlock(blockCrt)
if blockKey == nil || blockCrt == nil {
fmt.Println("Error: Failed to decode PEM block")
return errors.New("Error: Failed to decode PEM block")
}
// DECRYPT KEY PEM BLOCK WITH PASSPHRASE
// Using private key
// decryptPKCS8, err := pkcs8.ParsePKCS8PrivateKey(blockKey.Bytes, []byte(PassPhrase))
// blockPKCS8, err := x509.MarshalPKCS8PrivateKey(decryptPKCS8)
// keyPEM := pem.EncodeToMemory(blockPKCS8)
// Using rsa
// decryptPKCS8, err := pkcs8.ParsePKCS8PrivateKeyRSA(blockKey.Bytes, []byte(PassPhrase))
// blockPEM := x509.MarshalPKCS1PrivateKey(decryptPKCS8)
// blockPEM, err := x509.DecryptPEMBlock(keyPEM, []byte(PassPhrase))
blockPEM, err := x509.DecryptPEMBlock(blockKey, []byte("password"))
// decrypedPemBlock, err := x509.DecryptPEMBlock(decryptPKCS8, []byte(PassPhrase))
// derFmt, err := pkcs8.MarshalPrivateKey(decryptPKCS8, []byte(PassPhrase))
// fmt.Println("=== decryptPKCS8:", decryptPKCS8)
fmt.Println("=== isKeyEncryptedPem: ", isKeyEncryptedPem)
fmt.Println("=== isCrtyEncryptedPem: ", isCrtyEncryptedPem)
fmt.Println("=== blockCrt: ", blockCrt)
fmt.Println("=== blockKey: ", blockKey)
fmt.Println("=== blockPEM: ", blockPEM)
if err != nil {
fmt.Println("Error: Decrypt Key Error - ", err)
return err
}
// cert, err := tls.X509KeyPair(certPem, decrypedPemBlock)
// cert, err := tls.X509KeyPair(certPem, decrypedPemBlock)
cert, err := tls.X509KeyPair(blockCrt.Bytes, blockPEM)
// cert, err := tls.X509KeyPair(blockCrt.Bytes, keyPEM)
// cert, err := tls.X509KeyPair(blockCrt.Bytes, blockKey.Bytes)
fmt.Println("=== cert: ", cert)
if err != nil {
fmt.Println("Error: ", err)
return err
}
return nil
}
However, I still keep hitting a wall and would like to ask if someone know if I missed something?