square/certstrap

Cannot revoke cert if CA key protected by passphrase

zoomequipd opened this issue · 1 comment

Error

When attempting to revoke a certificate that was signed with a CA whose key is protected by a passphrase, the following error is generated:

/tmp # /usr/bin/certstrap revoke --CN Alice --CA CertAuth
could not get "CertAuth" private key: unmatched type or headers

Description and Quick Analysis

It would seem that an error condition within revoke.go - Lines 115-118 is hit.

certstrap/cmd/revoke.go

Lines 115 to 118 in 1eaeef9

	priv, err := depot.GetPrivateKey(d, c.ca)
	if err != nil {
		return fmt.Errorf("could not get %q private key: %v", c.ca, err)
	}

I believe this stems from a direct call to depot.GetPrivateKey without retry logic that falls back to depot.GetEncryptedPrivateKey.

I'm not 100% sure, but I think revoke.go should probably re-use logic similar to sign.go - Lines 126-138.

certstrap/cmd/sign.go

Lines 126 to 138 in ec28c5a

	key, err := depot.GetPrivateKey(d, formattedCAName)
	if err != nil {
		pass, err := getPassPhrase(c, "CA key")
		if err != nil {
			fmt.Fprintln(os.Stderr, "Get CA key error: ", err)
			os.Exit(1)
		}
		key, err = depot.GetEncryptedPrivateKey(d, formattedCAName, pass)
		if err != nil {
			fmt.Fprintln(os.Stderr, "Get CA key error: ", err)
			os.Exit(1)
		}
	}

Steps to reproduce

/tmp # /usr/bin/certstrap init --common-name "CertAuth"
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Created out/CertAuth.key (encrypted by passphrase)
Created out/CertAuth.crt
Created out/CertAuth.crl

/tmp # /usr/bin/certstrap request-cert --common-name Alice
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Created out/Alice.key
Created out/Alice.csr

/tmp # /usr/bin/certstrap sign Alice --CA CertAuth
Enter passphrase for CA key (empty for no passphrase): 
Created out/Alice.crt from out/Alice.csr signed by out/CertAuth.key

/tmp # /usr/bin/certstrap revoke --CN Alice --CA CertAuth
could not get "CertAuth" private key: unmatched type or headers
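
The fallback the issue asks revoke to adopt, shown as a stand-alone Go example that is added here and is not certstrap's own code: a strict loader that rejects any PEM block carrying headers (an assumption about how depot.GetPrivateKey behaves, chosen to reproduce the "unmatched type or headers" failure), a second loader that decrypts a passphrase-protected block, and a LoadCAKey wrapper that mirrors the sign.go pattern of trying the plain loader first and only prompting for a passphrase when that fails. The names parsePlainKey, parseEncryptedKey, LoadCAKey, EncryptedCAKeyPEM and the askPass callback are hypothetical; the encrypted key is constructed in-process with x509.EncryptPEMBlock, so nothing on disk is touched.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// pemKeyType is the PEM block type assumed for the CA key (assumption).
const pemKeyType = "RSA PRIVATE KEY"

// errUnmatched reproduces the wording seen in the issue; a strict loader hits it
// because an encrypted block carries Proc-Type/DEK-Info headers (assumed cause).
var errUnmatched = errors.New("unmatched type or headers")

// parsePlainKey accepts only an unencrypted RSA key block, modelled on a strict
// depot.GetPrivateKey-style loader (assumption): any header is rejected.
func parsePlainKey(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != pemKeyType || len(block.Headers) != 0 {
		return nil, errUnmatched
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// parseEncryptedKey decrypts a passphrase-protected block (legacy PEM encryption
// as written by x509.EncryptPEMBlock) and parses the key inside it.
func parseEncryptedKey(data []byte, pass []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return nil, errors.New("key is not encrypted")
	}
	der, err := x509.DecryptPEMBlock(block, pass)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// LoadCAKey is the sign.go-style fallback: try the plain loader first and only
// ask for a passphrase if that fails. askPass stands in for getPassPhrase and is
// never called for an unencrypted key, so the no-passphrase flow stays silent.
func LoadCAKey(data []byte, askPass func() ([]byte, error)) (*rsa.PrivateKey, error) {
	key, err := parsePlainKey(data)
	if err == nil {
		return key, nil
	}
	pass, perr := askPass()
	if perr != nil {
		return nil, fmt.Errorf("get CA key: %w", perr)
	}
	key, err = parseEncryptedKey(data, pass)
	if err != nil {
		return nil, fmt.Errorf("get CA key: %w", err)
	}
	return key, nil
}

// EncryptedCAKeyPEM builds a constructed sample: a fresh RSA key written as a
// passphrase-protected PEM block, the shape `certstrap init` reports as
// "encrypted by passphrase". The plaintext key is returned for comparison.
func EncryptedCAKeyPEM(pass []byte) ([]byte, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, pemKeyType,
		x509.MarshalPKCS1PrivateKey(priv), pass, x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(block), priv, nil
}

func main() {
	pass := []byte("correct horse") // constructed passphrase
	data, _, err := EncryptedCAKeyPEM(pass)
	if err != nil {
		panic(err)
	}
	// Direct call, as revoke.go does today: fails on the encrypted block.
	if _, err := parsePlainKey(data); err != nil {
		fmt.Println("plain loader:", err)
	}
	// With the fallback: the passphrase is requested and the key loads.
	if _, err := LoadCAKey(data, func() ([]byte, error) { return pass, nil }); err == nil {
		fmt.Println("fallback loader: key loaded")
	}
}
```

The order matters: trying the plain loader first keeps unencrypted CA keys working without a prompt, and a wrong passphrase still surfaces as an error from the encrypted path rather than being silently ignored.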

We fixed this issue in #165