From b411cddc8ae795683c76425b8bcb07da8041e1de Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Thu, 16 Jan 2025 11:04:55 -0800
Subject: [PATCH] fix private key format (#10134)

fixes https://github.com/certbot/certbot/issues/10131 this seems simple enough, but i also requested alex's review as a quick sanity check if he doesn't mind providing one i've verified this fixes the problem and that PKCS#8 was used in certbot 3.0.1
---
 certbot/CHANGELOG.md | 2 ++
 certbot/certbot/_internal/tests/crypto_util_test.py | 8 ++++++++
 certbot/certbot/crypto_util.py | 5 +++--
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index 8305679a5..36bcc2d6d 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -16,6 +16,8 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 ### Fixed
+* Private keys are now saved in PKCS#8 format instead of PKCS#1. Using PKCS#1
+ was a regression introduced in Certbot 3.1.0.
 * Allow nginx plugin to parse non-breaking spaces in nginx configuration files.
 * Honor --reuse-key when --allow-subset-of-names is set
 * Fixed regression in symlink parsing on Windows that was introduced in Certbot
diff --git a/certbot/certbot/_internal/tests/crypto_util_test.py b/certbot/certbot/_internal/tests/crypto_util_test.py
index 44bc63639..9e5fda6ce 100644
--- a/certbot/certbot/_internal/tests/crypto_util_test.py
+++ b/certbot/certbot/_internal/tests/crypto_util_test.py
@@ -207,6 +207,14 @@ class MakeKeyTest(unittest.TestCase):
 match=re.escape('Invalid key_type specified: unf. Use [rsa|ecdsa]')):
 make_key(2048, key_type='unf')
+ def test_for_pkcs8_format(self):
+ from certbot.crypto_util import make_key
+
+ # PKCS#1 format will instead have text like "BEGIN RSA PRIVATE KEY" or "BEGIN EC PRIVATE
+ # KEY"
+ assert b"BEGIN PRIVATE KEY" in make_key(2048)
+ assert b"BEGIN PRIVATE KEY" in make_key(elliptic_curve='secp256r1', key_type='ecdsa')
+
 class VerifyCertSetup(unittest.TestCase):
 """Refactoring for verification tests."""
diff --git a/certbot/certbot/crypto_util.py b/certbot/certbot/crypto_util.py
index fd77d5342..4dd062ab2 100644
--- a/certbot/certbot/crypto_util.py
+++ b/certbot/certbot/crypto_util.py
@@ -216,7 +216,8 @@ def make_key(bits: int = 2048, key_type: str = "rsa",
 :returns: new RSA or ECDSA key in PEM form with specified number of bits or of type ec_curve when key_type ecdsa is used.
- :rtype: str
+ :rtype: bytes
+
 """
 key: Union[rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey]
 if key_type == 'rsa':
@@ -247,7 +248,7 @@ def make_key(bits: int = 2048, key_type: str = "rsa",
 raise errors.Error("Invalid key_type specified: {}. Use [rsa|ecdsa]".format(key_type))
 return key.private_bytes(
 encoding=Encoding.PEM,
- format=PrivateFormat.TraditionalOpenSSL,
+ format=PrivateFormat.PKCS8,
 encryption_algorithm=NoEncryption()
 )
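Review bot: The substring check `assert b"BEGIN PRIVATE KEY" in make_key(2048)` does distinguish PKCS#8 from the PKCS#1 labels (neither `BEGIN RSA PRIVATE KEY` nor `BEGIN EC PRIVATE KEY` contains that text contiguously), but it would also pass on any output that merely embeds the phrase; pinning the PEM header states the intent more precisely: `assert make_key(2048).startswith(b"-----BEGIN PRIVATE KEY-----")`, and likewise for the ECDSA call. Since this test is the guard for an on-disk format contract that already regressed once (3.1.0), it would be worth also round-tripping the result through cryptography's `load_pem_private_key` so parseability is covered, not just the label; whether the test module already imports that helper is not visible here. The new test method is complete within the hunk.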
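Review bot: Correcting `:rtype:` to `bytes` is right, but the `:returns:` line above it still says only "in PEM form", while the specific encoding (unencrypted PKCS#8, `BEGIN PRIVATE KEY`) is exactly the contract that changed silently in 3.1.0 and is what callers and tests need to know; suggest `:returns: new RSA or ECDSA private key as unencrypted PKCS#8 PEM bytes, of the specified number of bits or of type ec_curve when key_type ecdsa is used.` The added `+` blank line just before the closing `"""` appears to leave a trailing empty line inside the docstring; if that is not this module's docstring convention, drop it. `make_key` begins and ends outside this hunk.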
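Review bot: `format=PrivateFormat.PKCS8` is the actual fix, yet nothing at the call site explains why PKCS#8 is required, and the CHANGELOG entry in this same patch shows the format already flipped once without anyone noticing; add a why-comment above the `format=` line so the next refactor does not repeat it, e.g. `# Must stay PKCS#8 ("BEGIN PRIVATE KEY"): emitting PKCS#1/TraditionalOpenSSL here was the 3.1.0 regression (#10131).` The key is also serialized with `NoEncryption()`, so the returned bytes are a plaintext private key; that is presumably intended for Certbot's own key storage, but it means whichever caller writes them to disk must create the file with restrictive permissions, which is outside this hunk and worth confirming. The enclosing `make_key` starts outside this hunk.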