in transport/tlscommon/tls.go [89:151]
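// ReadPEMFile reads the PEM source s (whatever NewPEMReader accepts), decrypts
// any encrypted private-key blocks with passphrase, and returns every
// surviving block re-encoded as a single PEM document.
//
// Encrypted blocks that cannot be decrypted are dropped: each failure is
// logged on log and collected so that it is reported in the returned error
// when no block survives. It returns an error when the source cannot be read,
// when it holds no PEM data at all, or when every decoded block was dropped.
func ReadPEMFile(log *logp.Logger, s, passphrase string) ([]byte, error) {
	pass := []byte(passphrase)

	r, err := NewPEMReader(s)
	if err != nil {
		return nil, err
	}
	defer r.Close()

	content, err := io.ReadAll(r)
	if err != nil {
		return nil, err
	}

	var (
		blocks []*pem.Block
		errs   error // decryption failures of the blocks dropped so far
	)
	for len(content) > 0 {
		var block *pem.Block
		block, content = pem.Decode(content)
		if block == nil {
			// No further PEM data. Only when nothing was decoded at all —
			// no block kept and none dropped — is this "no pem file"; when
			// blocks were dropped, fall through so the post-loop check
			// reports their decryption errors instead of discarding them.
			if len(blocks) == 0 && errs == nil {
				return nil, errors.New("no pem file")
			}
			break
		}

		switch {
		case x509.IsEncryptedPEMBlock(block): //nolint: staticcheck // deprecated, we have to get rid of it
			// Keep the result under a distinct name: shadowing block here
			// would make the log line on failure report the returned
			// block's type rather than the type of the block being dropped.
			decrypted, err := decryptPKCS1Key(*block, pass)
			if err != nil {
				log.Errorf("Dropping encrypted pem block with private key, block type '%s': %s", block.Type, err)
				errs = errors.Join(errs, err)
				continue
			}
			blocks = append(blocks, &decrypted)
		case block.Type == "ENCRYPTED PRIVATE KEY":
			decrypted, err := decryptPKCS8Key(*block, pass)
			if err != nil {
				log.Errorf("Dropping encrypted pem block with private key, block type '%s', could not decrypt as PKCS8: %s", block.Type, err)
				errs = errors.Join(errs, err)
				continue
			}
			blocks = append(blocks, &decrypted)
		default:
			blocks = append(blocks, block)
		}
	}

	if len(blocks) == 0 {
		return nil, errors.Join(errors.New("no PEM blocks"), errs)
	}

	// Re-encode the surviving, decrypted blocks into one PEM document.
	var buffer bytes.Buffer
	for _, block := range blocks {
		if err := pem.Encode(&buffer, block); err != nil {
			return nil, err
		}
	}
	return buffer.Bytes(), nil
}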