From 57e00e51474b7d98fea1e4de456fcdbeee75b00f Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Mon, 31 Mar 2025 17:24:18 -0600
Subject: [PATCH 1/2] account for existing pkcs8 header

---
 src/pk.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/pk.c b/src/pk.c
index 25fa65824..8e62ef5a2 100644
--- a/src/pk.c
+++ b/src/pk.c
@@ -16499,7 +16499,8 @@ int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey,
 
         if (ret == 0) {
             /* Encrypt private into buffer. */
-            ret = TraditionalEnc((byte*)pkey->pkey.ptr, (word32)pkey->pkey_sz,
+            ret = TraditionalEnc((byte*)pkey->pkey.ptr + pkey->pkcs8HeaderSz,
+                (word32)pkey->pkey_sz - pkey->pkcs8HeaderSz,
                 key, keySz, passwd, passwdSz, PKCS5, PBES2, encAlgId,
                 NULL, 0, WC_PKCS12_ITT_DEFAULT, &rng, NULL);
             if (ret > 0) {
@@ -16580,8 +16581,9 @@ int pkcs8_encode(WOLFSSL_EVP_PKEY* pkey, byte* key, word32* keySz)
 
     if (ret >= 0) {
         /* Encode private key in PKCS#8 format. */
-        ret = wc_CreatePKCS8Key(key, keySz, (byte*)pkey->pkey.ptr,
-            (word32)pkey->pkey_sz, algId, curveOid, oidSz);
+        ret = wc_CreatePKCS8Key(key, keySz, (byte*)pkey->pkey.ptr +
+            pkey->pkcs8HeaderSz, (word32)pkey->pkey_sz - pkey->pkcs8HeaderSz,
+            algId, curveOid, oidSz);
     }
 
     return ret;

From 29ce7166155b54e0d0f908ee93c4f795489d8add Mon Sep 17 00:00:00 2001
From: Kareem <kareem@wolfssl.com>
Date: Tue, 1 Apr 2025 14:07:31 -0700
Subject: [PATCH 2/2] Add test case for parsing PKCS8 key with existing header.

---
 tests/api.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tests/api.c b/tests/api.c
index 0a0913586..e103f386e 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -33039,6 +33039,21 @@ static int test_wolfSSL_PKCS8_d2i(void)
     evpPkey = NULL;
     BIO_free(bio);
     bio = NULL;
+
+    /* https://github.com/wolfSSL/wolfssl/issues/8610 */
+    bytes = (int)XSTRLEN((void*)pkcs8_buffer);
+    ExpectNotNull(bio = BIO_new_mem_buf((void*)pkcs8_buffer, bytes));
+    ExpectIntEQ(BIO_get_mem_data(bio, &p), bytes);
+    ExpectIntEQ(XMEMCMP(p, pkcs8_buffer, bytes), 0);
+
+    ExpectNotNull(evpPkey = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+            (void*)"yassl123"));
+    ExpectIntEQ(PEM_write_PKCS8PrivateKey(stderr, evpPkey, NULL,
+            NULL, 0, NULL, NULL), bytes);
+    EVP_PKEY_free(evpPkey);
+    evpPkey = NULL;
+    BIO_free(bio);
+    bio = NULL;
 #endif /* OPENSSL_ALL && !NO_BIO && !NO_PWDBASED && HAVE_PKCS8 && HAVE_AES_CBC */
     EVP_PKEY_free(pkey);
     pkey = NULL;