
"No DEK-Info header in block" when attempting to read encrypted private key

I'm trying to read an encrypted PKCS8 private key file. I generated the keys like this:

openssl genrsa -out file.pem -passout pass:file -aes256 1024
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem

And I try reading it in Go this way:

block, _ := pem.Decode(key)
return x509.DecryptPEMBlock(block, password)

But I get an error saying:

x509: no DEK-Info header in block

However, I can't figure out what's going wrong. Am I generating the key wrong or am I using the wrong library? I see libraries specifically for reading unencrypted PKCS8 files but none for encrypted PKCS8 files specifically.

Does anyone have any idea?

Gakho asked Oct 07 '15 00:10


2 Answers

Go doesn't have a function to decrypt PKCS8 keys in the standard library.

You can use this package: https://github.com/youmark/pkcs8/blob/master/pkcs8.go#L103

Gregory Man answered Nov 02 '22 04:11


A longer explanation for anyone with the same problem.

What would work

Your first command

openssl genrsa -out file.pem -passout pass:file -aes256 1024

generates a PKCS#1 private key file (file.pem):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232

AEf09rGkgGEJ79GgO4dEVsArwv4IbbODlxy95uHhfkdGYmuk6OlTpiCUE0GT68wn
KFJfBcHr8Z3VqiHGsXxM5QlKhgnfptxfbrdKErgBD5LQcrvnqmf43KeD4lGQcpiy
...
...
mAKMCwiU/GKZz8ZwQ4qGkBlVVCOFfgwmfbqguJF2l8yzM8lYI9MZ9NEwKkvEbc
-----END RSA PRIVATE KEY-----

This private key file can be parsed and decrypted by x509.DecryptPEMBlock() alright.

What would not work and why

Your second command

openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem

converts that file into PKCS#8 format (filePKCS8.pem).

The subcommand genpkey would directly produce a similar result:

openssl genpkey -algorithm RSA -aes256 \
  -pkeyopt rsa_keygen_bits:1024 -out filePKCS8.pem

The generated filePKCS8.pem (either way) would look similar to this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIISrTBXBgkqhkiG9w0BBQ0wSjKpBgkqhkiG9w0BBQwwHAQIKL+ordsVfqsCAggB
MAwGCCqGSIb3DQIJCQAwHQYJYIZIWAUDBAEqBBCipOAAxWkC0/zkNLNYTSMgBIIS
...
...
zfdxjZ0XmPiwED2azsLMnRrWnRj2UqMtnv9zO/ucik9za
-----END ENCRYPTED PRIVATE KEY-----

x509.DecryptPEMBlock() does not support this format. And as specified in #8860, Go's core library has no real plan to support PKCS#8 in the near future.

As mentioned by Gregory, if you want to work with it, you'll have better luck with a 3rd party library like github.com/youmark/pkcs8 (Documentation).

Koala Yeung answered Nov 02 '22 04:11
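
Added example (not part of the question or answers above, and not code from Go or youmark/pkcs8): a Go program that tells the two containers apart from the PEM type line and headers, then passes each to x509.DecryptPEMBlock to reproduce the question's error on the PKCS#8 form. The function names are hypothetical and the sample blocks are constructed from placeholder bytes, not real keys.

```go
package main

import (
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// classify names the container from the PEM type line and headers alone.
func classify(block *pem.Block) string {
	if block.Type == "ENCRYPTED PRIVATE KEY" {
		return "pkcs8-encrypted" // cipher parameters are inside the DER, no headers
	}
	if _, ok := block.Headers["DEK-Info"]; ok {
		return "legacy-pem-encrypted" // RFC 1423 headers, the only form DecryptPEMBlock reads
	}
	return "other: " + block.Type
}

// inspect classifies the first PEM block, then tries x509.DecryptPEMBlock (deprecated since Go 1.16).
func inspect(data, password []byte) (kind string, plain []byte, err error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", nil, fmt.Errorf("no PEM block found")
	}
	plain, err = x509.DecryptPEMBlock(block, password)
	return classify(block), plain, err
}

// constructedSamples wraps placeholder bytes (not real keys) in both containers.
func constructedSamples(password []byte) (legacy, pkcs8 []byte, err error) {
	body := []byte("constructed placeholder, not a key")
	blk, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", body, password, x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(blk), pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: body}), nil
}

func main() {
	legacy, p8, err := constructedSamples([]byte("file"))
	if err != nil {
		panic(err)
	}
	for _, in := range [][]byte{legacy, p8} {
		kind, _, derr := inspect(in, []byte("file"))
		fmt.Printf("%-21s DecryptPEMBlock error: %v\n", kind, derr)
	}
}
```

A block classified as pkcs8-encrypted is the case that needs a PKCS#8-aware decryptor such as the package linked in the answers.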