Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: no support for parsing encrypted PKCS8 private keys #8860

Open
gopherbot opened this issue Oct 3, 2014 · 16 comments
Open

crypto/x509: no support for parsing encrypted PKCS8 private keys #8860

gopherbot opened this issue Oct 3, 2014 · 16 comments
Labels
FeatureRequest Issues asking for a new feature that does not need a proposal.
Milestone
Unplanned

Comments

@gopherbot
Copy link
Contributor

by alex.gaynor:

Right now only un-encrypted keys are supported, it would be good if encrypted ones were
as well.
@ianlancetaylor
Copy link
Member

Comment 1:

Labels changed: added repo-main, release-none.

@agl
Copy link
Contributor

agl commented Oct 6, 2014

Comment 2:

No plans to implement this. If it's encrypted at the PEM layer, you can use
http://godoc.org/crypto/x509#DecryptPEMBlock. If it's actually the PKCS#5/PKCS#8
encryption then you're correct that there's no Go support.

Status changed to LongTerm.

@gopherbot
Copy link
Contributor Author

Comment 3 by alex.gaynor:

Yes, I'm talking about a case that really uses the EncryptedPrivateKeyInfo ASN.1
structure.

@rsc rsc added this to the Unplanned milestone Apr 10, 2015
@mikioh mikioh mentioned this issue Aug 22, 2015
Closed
@odeke-em
Copy link
Member

Related bug #6722 that when solved could help close this one.

@aead aead mentioned this issue Jan 26, 2018
Closed
@hekmon
Copy link

hekmon commented Apr 11, 2018

This lib worked for me:
https://github.com/youmark/pkcs8

@briansan
Copy link

given that OpenSSL defaults to using pkcs#8 for encrypting private keys, don't you feel that supporting the decryption of these keys should be high priority item for Go?
cc @ken @robpike

@robpike
Copy link
Contributor

robpike commented May 10, 2018

I have no opinion on the subject. Not a domain expert.

@FiloSottile FiloSottile added FeatureRequest Issues asking for a new feature that does not need a proposal. and removed LongTerm labels May 17, 2018
@ralimi ralimi mentioned this issue Nov 23, 2018
Closed
@justincormack justincormack mentioned this issue Jun 3, 2019
Closed
2 tasks
@patilpankaj212 patilpankaj212 mentioned this issue Aug 6, 2019
Closed
@FiloSottile FiloSottile mentioned this issue Oct 27, 2019
Closed
Closed
@gopherbot
Copy link
Contributor Author

Change https://golang.org/cl/264159 mentions this issue: crypto/x509: deprecate legacy PEM encryption

gopherbot pushed a commit that referenced this issue Oct 24, 2020
@FiloSottile
crypto/x509: deprecate legacy PEM encryption
57af974 
It's unfortunate that we don't implement PKCS#8 encryption (#8860)
so we can't recommend an alternative but PEM encryption is so broken
that it's worth deprecating outright.

Fixes #41949
Fixes #32777

Change-Id: Ieb46444662adec108d0de3550b693a50545c2344
Reviewed-on: https://go-review.googlesource.com/c/go/+/264159
Trust: Filippo Valsorda <[email protected]>
Trust: Roland Shoemaker <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
@HarikrishnanBalagopal
Copy link

HarikrishnanBalagopal commented Oct 24, 2020
edited
Loading

@FiloSottile should this issue be closed as well? SincePKCS8 encryption uses PBKDF2 and other advanced key derivation functions that are not part of the standard library (they are implemented as extensions https://pkg.go.dev/golang.org/x/crypto/pbkdf2).
Not sure we can ever support PKCS 8 encryption and decryption in the standard library packages.

@yookoala
Copy link

I believe the "golang.org/x/" packages have a chance to be included in the standard library in the future. Its still valid to ask for standard library support even if there are 3rd party or "golang.org/x/" pacakge(s) for it. If something is essential enough, a standard library support is usually better.

@FiloSottile
Copy link
Contributor

We can and do vendor packages from x/crypto to implement the standard library, that's not a problem.

The hard part here as always is figuring out a good API and deciding where to expose it.

@ycombinator ycombinator mentioned this issue Dec 30, 2020
Open
@tr1ck3r tr1ck3r mentioned this issue Jan 4, 2021
Closed
@FiloSottile FiloSottile mentioned this issue Jan 5, 2021
Open
@oxisto
Copy link
Contributor

oxisto commented Jul 31, 2021
edited
Loading

Is there any progress on this? We offer legacy PEM encryption in golang-jwt (formerly https://github.com/dgrijalva/jwt-go), but want/need to deprecate it as well (see golang-jwt/jwt#45). Since we are very keen on only relying to the Go stdlib, we are a little bit stuck with regards to alternatives.

@maraino
Copy link

maraino commented Sep 3, 2021

@oxisto here is one implementation that I created that imitates the deprecated APIs, but work with PKCS#8 encrypted keys:

func DecryptPKCS8PrivateKey(data, password []byte) ([]byte, error)
func EncryptPKCS8PrivateKey(rand io.Reader, data, password []byte, alg x509.PEMCipher) (*pem.Block, error)

@FiloSottile: I'm open to creating a PR and add it to crypto/x509 or any other x/crypto package. I believe cosign created its own PEM format using NaCl's secretbox + scrypt on a JSON envelope to encrypt the PKCS#8 encoded private key because the standard packages did not provide a valid solution.

@jorygeerts
Copy link

@maraino I'm looking into using your implementation, but it seems to lack password verification (x509.DecryptPEMBlock will return x509.IncorrectPasswordError in those cases). Is there a way you could add this?

@maraino maraino mentioned this issue Sep 28, 2021
Closed
@maraino
Copy link

maraino commented Sep 28, 2021

@jorygeerts just added an issue to implement it.

@jdtw jdtw mentioned this issue Dec 1, 2021
Merged
@schomatis schomatis mentioned this issue Dec 22, 2021
Merged
beppler added a commit to beppler/simpleca that referenced this issue Jan 8, 2022
@beppler
Utilizar a biblioteca go.step.sm/crypto/pemutil para criptografar os …
3a83be3 
…certificados.

Referência para a biblioteca obtida em:
golang/go#8860 (comment).
@A-UNDERSCORE-D
Copy link

Is this still a no we dont want to implement it? Im using an external lib currently but I'd love to not need it.

@Gabrielopesantos Gabrielopesantos mentioned this issue Mar 31, 2022
Closed
@vaikas vaikas mentioned this issue Apr 12, 2022
Closed
@ngarratt ngarratt mentioned this issue May 3, 2022
Closed
@machi1990 machi1990 mentioned this issue Aug 5, 2022
Merged
10 tasks
@nevzatseferoglu nevzatseferoglu mentioned this issue Aug 9, 2022
Closed
@mihaitodor mihaitodor mentioned this issue Nov 21, 2022
Merged
@na-- na-- mentioned this issue Jan 3, 2023
Closed
@rolandshoemaker rolandshoemaker mentioned this issue Mar 29, 2023
Closed
@rajiv-k rajiv-k mentioned this issue May 10, 2023
Merged
3 tasks
@bernhardreiter bernhardreiter mentioned this issue Aug 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FeatureRequest Issues asking for a new feature that does not need a proposal.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests