fix: try parse private key instead of checking for error

x/cert/utils/key_pair_manager.go

@@ -264,29 +264,34 @@
 	}
 
 	var privKeyPlaintext []byte
+	var privKeyI interface{}
 
 	// PKCS#8 header defined in RFC7468 section 11
 	// nolint: gocritic
 	if block.Type == "ENCRYPTED PRIVATE KEY" {
 		privKeyPlaintext, err = pemutil.DecryptPKCS8PrivateKey(block.Bytes, kpm.passwordBytes)
 	} else if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
 		// nolint: staticcheck
-		privKeyPlaintext, err = x509.DecryptPEMBlock(block, kpm.passwordBytes)
-		if errors.Is(err, x509.IncorrectPasswordError) {
+		privKeyPlaintext, _ = x509.DecryptPEMBlock(block, kpm.passwordBytes)
+
+		// DecryptPEMBlock may not return IncorrectPasswordError.
+		// Try parse private key instead and if it fails give another try with legacy password
+		privKeyI, err = x509.ParsePKCS8PrivateKey(privKeyPlaintext)
+		if err != nil {
 			// nolint: staticcheck
 			privKeyPlaintext, err = x509.DecryptPEMBlock(block, kpm.passwordLegacy)
 		}
 	} else {
 		return nil, nil, nil, errUnsupportedEncryptedPEM
 	}
-
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("%w: failed decrypting x509 block with private key", err)
 	}
 
-	var privKeyI interface{}
-	if privKeyI, err = x509.ParsePKCS8PrivateKey(privKeyPlaintext); err != nil {
-		return nil, nil, nil, fmt.Errorf("%w: failed parsing private key data", err)
+	if privKeyI == nil {
+		if privKeyI, err = x509.ParsePKCS8PrivateKey(privKeyPlaintext); err != nil {
+			return nil, nil, nil, fmt.Errorf("%w: failed parsing private key data", err)
+		}
 	}
 
 	eckey, valid := privKeyI.(*ecdsa.PrivateKey)