feat: support --private-key with a PKCS#8 keypair (#2653)

2026-03-14 14:35:48 +01:00 · 2025-09-22 14:33:24 -07:00 · 2025-09-22 14:33:24 -07:00 · ba156d5344
commit ba156d5344
parent bb33817a61
2 changed files with 7 additions and 33 deletions
--- a/cmd/accounts_storage.go
+++ b/cmd/accounts_storage.go
@ -2,10 +2,8 @@ package cmd

 import (
 	"crypto"
-	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
-	"errors"
 	"net/url"
 	"os"
 	"path/filepath"
@ -209,16 +207,11 @@ func loadPrivateKey(file string) (crypto.PrivateKey, error) {
 		return nil, err
 	}

-	keyBlock, _ := pem.Decode(keyBytes)
-
-	switch keyBlock.Type {
-	case "RSA PRIVATE KEY":
-		return x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
-	case "EC PRIVATE KEY":
-		return x509.ParseECPrivateKey(keyBlock.Bytes)
+	privateKey, err := certcrypto.ParsePEMPrivateKey(keyBytes)
+	if err != nil {
+		return nil, err
 	}
-
-	return nil, errors.New("unknown private key type")
+	return privateKey, nil
 }

 func tryRecoverRegistration(ctx *cli.Context, privateKey crypto.PrivateKey) (*registration.Resource, error) {
--- a/cmd/certs_storage.go
+++ b/cmd/certs_storage.go
@ -2,7 +2,6 @@ package cmd

 import (
 	"bytes"
-	"crypto"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@ -233,27 +232,9 @@ func (s *CertificatesStorage) WritePFXFile(domain string, certRes *certificate.R
 		return fmt.Errorf("unable to get certificate chain for domain %s: %w", domain, err)
 	}

-	keyPemBlock, _ := pem.Decode(certRes.PrivateKey)
-	if keyPemBlock == nil {
-		return fmt.Errorf("unable to parse PrivateKey for domain %s", domain)
-	}
-
-	var privateKey crypto.Signer
-	var keyErr error
-
-	switch keyPemBlock.Type {
-	case "RSA PRIVATE KEY":
-		privateKey, keyErr = x509.ParsePKCS1PrivateKey(keyPemBlock.Bytes)
-		if keyErr != nil {
-			return fmt.Errorf("unable to load RSA PrivateKey for domain %s: %w", domain, keyErr)
-		}
-	case "EC PRIVATE KEY":
-		privateKey, keyErr = x509.ParseECPrivateKey(keyPemBlock.Bytes)
-		if keyErr != nil {
-			return fmt.Errorf("unable to load EC PrivateKey for domain %s: %w", domain, keyErr)
-		}
-	default:
-		return fmt.Errorf("unsupported PrivateKey type '%s' for domain %s", keyPemBlock.Type, domain)
+	privateKey, err := certcrypto.ParsePEMPrivateKey(certRes.PrivateKey)
+	if err != nil {
+		return fmt.Errorf("unable to parse PrivateKey for domain %s: %w", domain, err)
 	}

 	encoder, err := getPFXEncoder(s.pfxFormat)