From d0688dce8c090bab6b729f94a48491f8ce7b71a8 Mon Sep 17 00:00:00 2001 From: Ian Chin Wang Date: Wed, 25 Mar 2026 14:19:25 -0700 Subject: [PATCH] Fixed key pair generation issue tdx.GenerateKeyPair hard-codes the PEM block type as "PRIVATE KEY" while serializing the bytes with x509.MarshalPKCS1PrivateKey, the output is indeed PKCS#1 data wrapped in a PKCS#8-style label. This causes the error to load the private key generated by trustauthority-cli. PKCS#1 should use Type: "RSA PRIVATE KEY" wheras PKCS#8 should use Type: "PRIVATE KEY". Align the header with the payload without changing the logic. Signed-off-by: Ian Chin Wang
---
 go-tdx/crypto.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go-tdx/crypto.go b/go-tdx/crypto.go
index 4055e2c..46f33f5 100644
--- a/go-tdx/crypto.go
+++ b/go-tdx/crypto.go
@@ -48,7 +48,7 @@ func GenerateKeyPair(km *KeyMetadata) ([]byte, []byte, error) {
 defer ZeroizeRSAPrivateKey(keyPair)
 privateKey := &pem.Block{
- Type: "PRIVATE KEY",
+ Type: "RSA PRIVATE KEY",
 Bytes: x509.MarshalPKCS1PrivateKey(keyPair),
 }
 defer ZeroizeByteArray(privateKey.Bytes)
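Review bot: Nothing in the `privateKey := &pem.Block{` literal keeps the `Type` label tied to the `x509.MarshalPKCS1PrivateKey` encoding on the next line, which is the mismatch this commit corrects, and the diffstat shows no test accompanying the fix. I would add a comment above `Type:` such as `// PKCS#1 DER from MarshalPKCS1PrivateKey requires the "RSA PRIVATE KEY" label; "PRIVATE KEY" is the PKCS#8 label.` and a unit test that runs the returned private key through `pem.Decode` and `x509.ParsePKCS1PrivateKey` and asserts the block type. Any consumer that chose its parser from the old `PRIVATE KEY` label, or that tolerated the mismatch, may behave differently on newly generated keys, so the change deserves a release note; whether such consumers exist is not visible here. GenerateKeyPair starts and ends outside the hunk, so how the encoded PEM is returned and whether that buffer is also zeroized cannot be checked from these lines.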