Skip to content

Instantly share code, notes, and snippets.

Last active July 24, 2024 08:34
Show Gist options
  • Save miguelmota/3ea9286bd1d3c2a985b67cac4ba2130a to your computer and use it in GitHub Desktop.
Save miguelmota/3ea9286bd1d3c2a985b67cac4ba2130a to your computer and use it in GitHub Desktop.
Golang RSA encrypt and decrypt example
package ciphers
import (
// GenerateKeyPair generates a new key pair
func GenerateKeyPair(bits int) (*rsa.PrivateKey, *rsa.PublicKey) {
privkey, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return privkey, &privkey.PublicKey
// PrivateKeyToBytes private key to bytes
func PrivateKeyToBytes(priv *rsa.PrivateKey) []byte {
privBytes := pem.EncodeToMemory(
Bytes: x509.MarshalPKCS1PrivateKey(priv),
return privBytes
// PublicKeyToBytes public key to bytes
func PublicKeyToBytes(pub *rsa.PublicKey) []byte {
pubASN1, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {
pubBytes := pem.EncodeToMemory(&pem.Block{
Bytes: pubASN1,
return pubBytes
// BytesToPrivateKey bytes to private key
func BytesToPrivateKey(priv []byte) *rsa.PrivateKey {
block, _ := pem.Decode(priv)
enc := x509.IsEncryptedPEMBlock(block)
b := block.Bytes
var err error
if enc {
log.Println("is encrypted pem block")
b, err = x509.DecryptPEMBlock(block, nil)
if err != nil {
key, err := x509.ParsePKCS1PrivateKey(b)
if err != nil {
return key
// BytesToPublicKey bytes to public key
func BytesToPublicKey(pub []byte) *rsa.PublicKey {
block, _ := pem.Decode(pub)
enc := x509.IsEncryptedPEMBlock(block)
b := block.Bytes
var err error
if enc {
log.Println("is encrypted pem block")
b, err = x509.DecryptPEMBlock(block, nil)
if err != nil {
ifc, err := x509.ParsePKIXPublicKey(b)
if err != nil {
key, ok := ifc.(*rsa.PublicKey)
if !ok {
log.Error("not ok")
return key
// EncryptWithPublicKey encrypts data with public key
func EncryptWithPublicKey(msg []byte, pub *rsa.PublicKey) []byte {
hash := sha512.New()
ciphertext, err := rsa.EncryptOAEP(hash, rand.Reader, pub, msg, nil)
if err != nil {
return ciphertext
// DecryptWithPrivateKey decrypts data with private key
func DecryptWithPrivateKey(ciphertext []byte, priv *rsa.PrivateKey) []byte {
hash := sha512.New()
plaintext, err := rsa.DecryptOAEP(hash, rand.Reader, priv, ciphertext, nil)
if err != nil {
return plaintext
Copy link

do u know why golang not provide public key decrypt and private key encrypt ?

The end result of creating an RSA key is to produce the tuple of numbers (n,d,e). The private key is (n,d), and the public key is (n,e). Even though e is called "encrypt", and d is called "decrypt"; that is just a shorthand. More accurately...

  • (n,e) - public operations ... Verify, Encrypt, because neither of these things require a secret.
  • (n,d) - private operations ... Sign, Decrypt, because both of these require a secret.
  • Sign is the inverse of Verify
  • Decrypt is the inverse of Verify

And be really careful to note that e isn't just "public". It's a small, well-known constant! This is not obvious when you read algebra that explains what RSA does. But somebody needs to tell you what n is to use it with e. Once you have the *big.Int values of (n,d,e), it really is as simple as:

ciphertext = mod_n(plaintext^e)
plaintext = mod_n(ciphertext^d)

msghash = Hash(message)
signature = mod_n(msghash^d)
msghash = mod_n(signature^e)

It is just a matter of whether you apply e or d first. You can't RSA encrypt anything large, so you usually only encrypt keys, or sign hashes. The values being signed or encrypted need to be smaller than n, because in the end they are taken mod_n.

Copy link

If I put the private and public key string into a flat file and read from there, I always get unable to parse private key: asn1: syntax error: data truncated while calling BytesToPrivateKey - x509.ParsePKCS1PrivateKey(). However, if I just keep them in a variable, it works file. Any reason why would this happen?

pubBytes, err := ioutil.ReadFile("./certs/public.key") // This is fine with Encryption
enc := pkg.Encrypt(msg, pkg.ConvertBytesToPublicKey(pubBytes))

priBytes, err := ioutil.ReadFile("./certs/private.key") // This fails for Dencryption
dec := pkg.Decrypt(enc, pkg.ConvertBytesToPrivateKey(priBytes))

Copy link

Haven't tested it - (about to) but this site shows import and export of keys

Copy link

Haven't tested it - (about to) but this site shows import and export of keys

👍 Nice one!

Copy link

IzioDev commented Oct 14, 2021

Do note that: x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock has both been flagged as insecured by design.

If you have any secure alternative, I'm in!

Copy link

Great work! 👍

Copy link

I created a new gist that works with chunks and replaced deprecated methods:

Copy link

sonvirgo commented Jul 7, 2024

Do note that: x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock has both been flagged as insecured by design.

If you have any secure alternative, I'm in!

Just remove the -----BEGIN PRIVATE KEY-----
and -----END PRIVATE KEY------
People are so lazy to read and to understand

Copy link

sonvirgo commented Jul 7, 2024

@susarlanikhilesh the common way of signature solution is sign by private key and verify by public key. But I want sign by public key and verify by private key. Through the public key is visible to every one , but appid/appsecret is private, so I think it's security too.

Keys are pair
Whichever exposed to the public is called PUBLIC KEY
Do you understand?

Copy link

IzioDev commented Jul 9, 2024

Do note that: x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock has both been flagged as insecured by design.
If you have any secure alternative, I'm in!

Just remove the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY------ People are so lazy to read and to understand

lol you cleary don't understand shit.

Copy link

IzioDev commented Jul 9, 2024

Do note that: x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock has both been flagged as insecured by design.
If you have any secure alternative, I'm in!

Just remove the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY------ People are so lazy to read and to understand


read this, get educated, newbie.

Copy link

Do note that: x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock has both been flagged as insecured by design.
If you have any secure alternative, I'm in!

Just remove the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY------ People are so lazy to read and to understand


read this, get educated, newbie.

It is just a check shit
I do Crypto cross language c++ java go .... since you are in kindergarten
Do yourselves an algorithm lol

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment