elastic / beats

Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Read pkcs#8 private keys encrypted using FIPS-compliant openssl #23321

Status: Closed (ycombinator closed this 2 years ago)

ycombinator commented 3 years ago

Describe the enhancement:

Currently, the tlscommon.ReadPEMFile function is able to read encrypted PKCS#8 private keys created using a non-FIPS-compliant openssl. Such keys look like this:

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,065B7536137462AFB30E8508CAA2EE88

BASE64 ENCODED DATA
-----END EC PRIVATE KEY-----

However, if the private key is encrypted using a FIPS-compliant openssl, the tlscommon.ReadPEMFile function is unable to parse it. Such keys look like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
BASE64 ENCODED DATA
-----END ENCRYPTED PRIVATE KEY-----

Describe a specific use case for the enhancement or feature:

To allow FIPS-compliant openssl created PKCS#8 private keys to be used with Beats.

elasticmachine commented 3 years ago

Pinging @elastic/integrations-services (Team:Services)

ycombinator commented 3 years ago

Some notes from @urso:

Unfortunately the go crypto libraries do not support encrypted pkcs#8: golang/go#8860

PKCS#8 itself is just a container format. There is a lib trying to implement decryption (https://github.com/youmark/pkcs8), but not all ciphers might be supported as it is based on dependencies for PKCS#5.

We need to test with certificates and actually figure out which ciphers are supported + documentation.
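As an added example, not code from this issue or from Beats: a Go sketch of the distinction the description and urso's note draw, using only the standard library. The names InspectPEM, KeyInfo, Samples and encryptedPrivateKeyInfo are assumptions; the legacy DEK-Info form is decrypted with crypto/x509, while for the ENCRYPTED PRIVATE KEY form only the outer EncryptedPrivateKeyInfo is parsed so the encryption scheme OID (id-PBES2, 1.2.840.113549.1.5.13, for FIPS-mode openssl) can be reported, which is the first thing to know when checking which ciphers a third-party PKCS#8 decryptor would have to support.

```go
package main

import (
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

type encryptedPrivateKeyInfo struct { // outer PKCS#8 EncryptedPrivateKeyInfo (RFC 5208)
	EncryptionAlgorithm pkix.AlgorithmIdentifier // scheme OID, readable without the password
	EncryptedData       []byte                   // opaque ciphertext
}
type KeyInfo struct {
	Kind      string                // "plain", "legacy-openssl" or "pkcs8-encrypted"
	Algorithm asn1.ObjectIdentifier // PKCS#8 encryption scheme OID, set for pkcs8-encrypted only
	DER       []byte                // plaintext key DER, set when it could be recovered
}

// InspectPEM decrypts legacy DEK-Info blocks with crypto/x509; ENCRYPTED PRIVATE KEY it can only recognise.
func InspectPEM(pemBytes, pass []byte) (KeyInfo, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return KeyInfo{}, fmt.Errorf("no PEM block found")
	}
	if block.Type == "ENCRYPTED PRIVATE KEY" { // what FIPS-mode openssl writes
		var info encryptedPrivateKeyInfo
		if _, err := asn1.Unmarshal(block.Bytes, &info); err != nil {
			return KeyInfo{}, fmt.Errorf("malformed EncryptedPrivateKeyInfo: %w", err)
		}
		alg := info.EncryptionAlgorithm.Algorithm
		return KeyInfo{Kind: "pkcs8-encrypted", Algorithm: alg}, fmt.Errorf("PKCS#8 scheme %v: crypto/x509 cannot decrypt it", alg)
	}
	if x509.IsEncryptedPEMBlock(block) { // "Proc-Type: 4,ENCRYPTED" + "DEK-Info" headers
		der, err := x509.DecryptPEMBlock(block, pass)
		return KeyInfo{Kind: "legacy-openssl", DER: der}, err
	}
	return KeyInfo{Kind: "plain", DER: block.Bytes}, nil
}

// Samples wraps placeholder bytes (constructed, not a real key) the two ways seen in the issue: legacy
// headers via crypto/x509, and an id-PBES2 EncryptedPrivateKeyInfo whose "ciphertext" is just the placeholder.
func Samples(placeholder, pass []byte) (legacyPEM, pkcs8PEM []byte) {
	legacy, _ := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", placeholder, pass, x509.PEMCipherAES256)
	pbes2 := pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}}
	der, _ := asn1.Marshal(encryptedPrivateKeyInfo{EncryptionAlgorithm: pbes2, EncryptedData: placeholder})
	return pem.EncodeToMemory(legacy), pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: der})
}
```

A real FIPS-mode key additionally carries PBES2 parameters (PBKDF2 salt, iteration count, PRF, and the cipher OID such as AES-256-CBC) inside the AlgorithmIdentifier; those are what a PKCS#8 decryption library has to support.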

botelastic[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jlind23 commented 2 years ago

Backlog grooming: Closing it until further needs.

elasticmachine commented 2 years ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)