cockroach connect join gets confused by CA key file format #64942
Open
Labels: A-authentication (pertains to authn subsystems), A-security, C-bug (code not up to spec/doc, specs & docs deemed correct; solution expected to change code/behavior), T-server-and-security (DB Server & Security)
Description
I was trying to do QA for #63492 and ran into the following error:
```text
ERROR: failed to initialize host certs after writing CAs to disk:
failed to load or create InterNode certificates:
failed to create Service Cert and Key:
failed to parse valid Private Key from PEM blob:
x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)
```
This is because this particular ca.key on the existing node is indeed stored as a PKCS#8 package, not PKCS#1. I found out in Go's own tls package that the CA key is customarily loaded like this:
```go
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rsa"
	"crypto/x509"
	"errors"
)

// parsePrivateKey, as in crypto/tls: try PKCS#1 first, then PKCS#8, then SEC 1 EC.
func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return key, nil
	}
	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		switch key := key.(type) {
		case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
			return key, nil
		default:
			return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
		}
	}
	if key, err := x509.ParseECPrivateKey(der); err == nil {
		return key, nil
	}
	return nil, errors.New("tls: failed to parse private key")
}
```

Which is why we hadn't noticed this problem before.
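An added example, not code from this issue or from CockroachDB, that reproduces the failure mode described above and shows the tolerant fallback chain handling it. It writes one RSA key as both PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") PEM, and one P-256 key as SEC 1 ("EC PRIVATE KEY") and PKCS#8, then feeds all four to a PKCS#1-only loader (a hypothetical stand-in for a loader that only calls x509.ParsePKCS1PrivateKey) and to the crypto/tls-style chain. The PKCS#8 RSA key is rejected by the first with the same "use ParsePKCS8PrivateKey instead" hint as in the error above, and accepted by the second. The names parsePrivateKeyDER, compareLoaders and FormatResult are this example's own, and the keys are generated at run time rather than read from a ca.key on disk.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// parsePrivateKeyDER mirrors the crypto/tls strategy: PKCS#1 (RSA only),
// then PKCS#8 (any algorithm), then SEC 1 (EC only). Each parser rejects
// the other two encodings, so the order only affects the error text.
func parsePrivateKeyDER(der []byte) (crypto.PrivateKey, error) {
	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return key, nil
	}
	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		switch key := key.(type) {
		case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
			return key, nil
		default:
			return nil, errors.New("unknown private key type in PKCS#8 wrapping")
		}
	}
	if key, err := x509.ParseECPrivateKey(der); err == nil {
		return key, nil
	}
	return nil, errors.New("failed to parse private key")
}

// FormatResult records how each loader handled one PEM encoding of a key.
type FormatResult struct {
	PEMType      string // PEM block label, e.g. "RSA PRIVATE KEY" vs "PRIVATE KEY"
	PKCS1OnlyOK  bool   // accepted by a loader that only calls ParsePKCS1PrivateKey
	PKCS1OnlyErr string // that loader's error text, if it failed
	TolerantOK   bool   // accepted by parsePrivateKeyDER
}

// compareLoaders generates a fresh RSA key (encoded as PKCS#1 and PKCS#8) and a
// fresh P-256 key (encoded as SEC 1 and PKCS#8), round-trips each through PEM as a
// key file on disk would be, and runs both loaders over the decoded DER.
func compareLoaders() ([]FormatResult, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rsaPKCS8, err := x509.MarshalPKCS8PrivateKey(rsaKey)
	if err != nil {
		return nil, err
	}
	ecSEC1, err := x509.MarshalECPrivateKey(ecKey)
	if err != nil {
		return nil, err
	}
	ecPKCS8, err := x509.MarshalPKCS8PrivateKey(ecKey)
	if err != nil {
		return nil, err
	}
	blocks := []pem.Block{
		{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaKey)}, // PKCS#1
		{Type: "PRIVATE KEY", Bytes: rsaPKCS8},                                // PKCS#8
		{Type: "EC PRIVATE KEY", Bytes: ecSEC1},                               // SEC 1
		{Type: "PRIVATE KEY", Bytes: ecPKCS8},                                 // PKCS#8
	}
	var out []FormatResult
	for i := range blocks {
		block, _ := pem.Decode(pem.EncodeToMemory(&blocks[i]))
		r := FormatResult{PEMType: block.Type}
		// A PKCS#1-only loader, like the one the issue describes, rejects anything else;
		// on a PKCS#8 blob Go's error text hints at ParsePKCS8PrivateKey.
		if _, perr := x509.ParsePKCS1PrivateKey(block.Bytes); perr != nil {
			r.PKCS1OnlyErr = perr.Error()
		} else {
			r.PKCS1OnlyOK = true
		}
		_, terr := parsePrivateKeyDER(block.Bytes)
		r.TolerantOK = terr == nil
		out = append(out, r)
	}
	return out, nil
}

func main() {
	results, err := compareLoaders()
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-16s pkcs1-only=%-5v tolerant=%-5v %s\n",
			r.PEMType, r.PKCS1OnlyOK, r.TolerantOK, r.PKCS1OnlyErr)
	}
}
```

The PEM label is not a reliable guide on its own: both the RSA PKCS#8 file and the EC PKCS#8 file carry the same "PRIVATE KEY" header, so a loader has to dispatch on what the DER parses as, which is exactly what the fallback chain does.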