in pkg/provider/provider.go [529:581]
// decodePKCS12 converts a base64-encoded PKCS#12 (PFX) bundle into a single
// PEM string: every private key first, followed by every certificate.
//
// The bundle is opened with an empty password, so only PFX data exported
// without one can be decoded; a password-protected bundle fails inside
// pkcs12.ToPEM and that error is returned unchanged.
// NOTE(review): presumably the upstream source always produces
// password-less bundles - confirm against the caller.
//
// pkcs12.ToPEM emits RSA keys in PKCS#1 form, so each key block is re-parsed
// and re-marshalled as PKCS#8, which carries the key type inside the encoding
// and lets the consumer of the PEM identify the key without guessing. PEM
// headers are dropped from every block so the output is plain
// "-----BEGIN ...-----" / body / "-----END ...-----" stanzas.
//
// When p.constructPEMChain is set the certificate portion is reordered as
// SERVER, INTERMEDIATE, ROOT by fetchCertChains.
//
// The returned string contains unencrypted private key material; callers
// must avoid logging it and should persist it with restrictive permissions.
func (p *provider) decodePKCS12(value string) (content string, err error) {
	rawPFX, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return "", err
	}
	// ToPEM (instead of Decode) so bundles holding more than one certificate
	// and/or key are fully extracted.
	blocks, err := pkcs12.ToPEM(rawPFX, "")
	if err != nil {
		return "", err
	}

	var keysPEM, certsPEM []byte
	for _, blk := range blocks {
		// Discard any PEM headers; only the type line and the body are kept.
		blk.Headers = make(map[string]string)

		switch blk.Type {
		case types.CertificateType:
			certsPEM = append(certsPEM, pem.EncodeToMemory(blk)...)
		default:
			// Every non-certificate block is treated as a private key.
			// Normalise it to PKCS#8 so the key type is self-describing.
			privKey, perr := parsePrivateKey(blk.Bytes)
			if perr != nil {
				return "", perr
			}
			pkcs8, perr := x509.MarshalPKCS8PrivateKey(privKey)
			if perr != nil {
				return "", perr
			}
			blk.Bytes = pkcs8
			keysPEM = append(keysPEM, pem.EncodeToMemory(blk)...)
		}
	}

	// Optionally order the certificates as SERVER, INTERMEDIATE, ROOT.
	if p.constructPEMChain {
		if certsPEM, err = fetchCertChains(certsPEM); err != nil {
			return "", err
		}
	}

	// Assemble the output: keys first, then certificates.
	out := make([]byte, 0, len(keysPEM)+len(certsPEM))
	out = append(out, keysPEM...)
	out = append(out, certsPEM...)
	return string(out), nil
}