On Fri, Aug 11, 2017 at 12:30:56AM -0700, [email protected] wrote:
> My private key is generated by "openssl req -new -x509 -keyout a.key -out
> a.crt -days 3650" with password.
>
> And I tried to decrypt it by x509.DecryptPEMBlock(keyBlock, password),
> but it failed. error message: %!(EXTRA *errors.errorString=x509: no DEK-Info
> header in block)
>
> My private key is below, and the password is '123456'
>
> Can anyone help me?
>
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIQgjjAaLRMbsCAggA
> MBQGCCqGSIb3DQMHBAi4V74SzJ52kwSCBMiZ7gONJxBWnJsqaiyhDBvLrMQW5c/G
[...]

As you can see in [1], typically a PEM-encoded encrypted key indeed
contains a header block detailing how it was encoded, like this:

  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,02306CD22AAC94CD
  ...

As you can gather from the accepted answer in [1], `openssl req` uses
DES-EDE3-CBC.

I don't know what to do but I see two ways to attack this:

* Decode the PEM (it's just a base64 encoding of a DER-encoded stream
  IIRC) and then try decoding it with some API function which allows
  specifying the encryption type directly.

* Try monkey-patching the PEM data by a bogus DEK-Info header.

1. https://security.stackexchange.com/q/93417
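
An added Go example, not part of the original thread: it tells apart the two key containers that appear above, the `RSA PRIVATE KEY` block carrying a `DEK-Info` header and the `ENCRYPTED PRIVATE KEY` block, which RFC 7468 defines as a PKCS#8 EncryptedPrivateKeyInfo with the scheme named inside the DER rather than in a header. `Classify`, `SampleLegacy` and `SamplePKCS8` are hypothetical names, and both sample blocks are constructed from dummy bytes, not real keys.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// PKCS#8 EncryptedPrivateKeyInfo (RFC 5958): scheme identifier, then ciphertext.
type encryptedPrivateKeyInfo struct {
	Algo pkix.AlgorithmIdentifier
	Data []byte
}

// Classify reports which encryption container a PEM block uses.
func Classify(pemBytes []byte) string {
	block, _ := pem.Decode(pemBytes)
	switch {
	case block == nil:
		return "not PEM"
	case x509.IsEncryptedPEMBlock(block): // true only when a DEK-Info header exists
		return "legacy PEM encryption: " + block.Headers["DEK-Info"]
	case block.Type != "ENCRYPTED PRIVATE KEY":
		return "no encryption container: " + block.Type
	}
	var info encryptedPrivateKeyInfo
	if rest, err := asn1.Unmarshal(block.Bytes, &info); err != nil || len(rest) != 0 {
		return "malformed PKCS#8"
	}
	// The scheme lives in the DER, e.g. 1.2.840.113549.1.5.13 is PKCS#5 PBES2.
	return "PKCS#8 scheme " + info.Algo.Algorithm.String()
}

// SampleLegacy and SamplePKCS8 build constructed blocks (dummy bytes, no real key).
func SampleLegacy() []byte {
	h := map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": "DES-EDE3-CBC,02306CD22AAC94CD"}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Headers: h, Bytes: []byte("dummy")})
}

func SamplePKCS8() []byte {
	oid := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
	alg := pkix.AlgorithmIdentifier{Algorithm: oid, Parameters: asn1.RawValue{FullBytes: []byte{0x30, 0x00}}}
	der, _ := asn1.Marshal(encryptedPrivateKeyInfo{Algo: alg, Data: []byte("dummy")})
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: der})
}

func main() { fmt.Println(Classify(SampleLegacy()), "|", Classify(SamplePKCS8())) }
```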
