by alex.gaynor:
Right now only un-encrypted keys are supported; it would be good if encrypted ones were as well.
No plans to implement this. If it's encrypted at the PEM layer, you can use http://godoc.org/crypto/x509#DecryptPEMBlock. If it's actually the PKCS#5/PKCS#8 encryption then you're correct that there's no Go support.
_Status changed to LongTerm._
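The reply above separates two cases, encryption at the PEM layer and PKCS#8 encryption, and they can be told apart before any decryption is attempted. The Go sketch below is an added example, not code from this thread or from the Go project; `Classify`, `Sample` and the PEM blocks they build are constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// encryptedPrivateKeyInfo is the outer PKCS#8 wrapper (RFC 5208, section 6).
type encryptedPrivateKeyInfo struct {
	Algo struct{ OID asn1.ObjectIdentifier } // scheme parameters after the OID are skipped
	Data []byte
}

// Classify reports which encryption layer, if any, protects a PEM key.
func Classify(pemBytes []byte) string {
	block, _ := pem.Decode(pemBytes)
	var info encryptedPrivateKeyInfo
	switch {
	case block == nil:
		return "not PEM"
	case block.Headers["DEK-Info"] != "": // encrypted at the PEM layer
		return "legacy PEM encryption"
	case block.Type != "ENCRYPTED PRIVATE KEY":
		return "unencrypted"
	}
	if _, err := asn1.Unmarshal(block.Bytes, &info); err != nil {
		return "malformed PKCS#8"
	}
	return "PKCS#8 encrypted, scheme OID " + info.Algo.OID.String()
}

// Sample builds constructed PEM input; the payload bytes are not a real key.
func Sample(kind string) []byte {
	b := &pem.Block{Type: "PRIVATE KEY", Bytes: []byte("constructed")}
	if kind == "legacy" {
		b.Headers = map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-128-CBC,00112233445566778899AABBCCDDEEFF"}
	} else if kind == "pkcs8" {
		info := encryptedPrivateKeyInfo{Data: b.Bytes}
		info.Algo.OID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13} // PBES2 (PKCS#5 v2)
		b.Bytes, _ = asn1.Marshal(info)
		b.Type = "ENCRYPTED PRIVATE KEY"
	}
	return pem.EncodeToMemory(b)
}

func main() {
	fmt.Println(Classify(Sample("plain")), "|", Classify(Sample("legacy")), "|", Classify(Sample("pkcs8")))
}
```

A result of "legacy PEM encryption" is the case `x509.DecryptPEMBlock` handles; "PKCS#8 encrypted" is the case this issue is about.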
Related bug https://github.com/golang/go/issues/6722 that when solved could help close this one.
This lib worked for me:
https://github.com/youmark/pkcs8
Given that OpenSSL defaults to using PKCS#8 for encrypting private keys, don't you feel that supporting the decryption of these keys should be a high priority item for Go?
cc @ken @robpike
I have no opinion on the subject. Not a domain expert.
Change https://golang.org/cl/264159 mentions this issue: crypto/x509: deprecate legacy PEM encryption
@FiloSottile should this issue be closed as well? Since PKCS8 encryption uses PBKDF2 and other advanced key derivation functions that are not part of the standard library (they are implemented as extensions https://pkg.go.dev/golang.org/x/crypto/pbkdf2).
Not sure we can ever support PKCS 8 encryption and decryption in the standard library packages.
I believe the "golang.org/x/" packages have a chance to be included in the standard library in the future. It's still valid to ask for standard library support even if there are 3rd party or "golang.org/x/" package(s) for it. If something is essential enough, standard library support is usually better.
We can and do vendor packages from x/crypto to implement the standard library, that's not a problem.
The hard part here as always is figuring out a good API and deciding where to expose it.