certtool: print a PKCS #8 key even if it is not encrypted.

2 files changed, 13 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index 6e98628f59..d3276da2ba 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ See the end for copying conditions.
 
 * Version 2.7.1 (unreleased)
 
+** certtool: print a PKCS #8 key even if it is not encrypted.
+
 ** API and ABI modifications:
 No changes since last version.
 
diff --git a/src/certtool.c b/src/certtool.c
index 4c01a9cbc8..ccafb1ab85 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1478,13 +1478,20 @@ privkey_info (void)
   /* If we failed to import the certificate previously try PKCS #8 */
   if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
     {
-      if (info.pass)
-	pass = info.pass;
-      else
-	pass = get_pass ();
+      /* first try to import the key without asking any password */
       ret =
 	gnutls_x509_privkey_import_pkcs8 (key, &pem, info.incert_format,
+					  NULL, GNUTLS_PKCS_PLAIN);
+      if (ret < 0) 
+        {
+	  if (info.pass)
+	    pass = info.pass;
+	  else
+	    pass = get_pass ();
+          ret = 
+	    gnutls_x509_privkey_import_pkcs8 (key, &pem, info.incert_format, 
 					  pass, 0);
+	}
     }
   if (ret < 0)
     error (EXIT_FAILURE, 0, "Import error: %s", gnutls_strerror (ret));