pkcs12: document that we use the wrong PEM type

Fixes golang/go#28018

Change-Id: I2daf99789328ef476de834c3cc703e01b468b3ee
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/241337
Reviewed-by: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/pkcs12/pkcs12.go b/pkcs12/pkcs12.go
index 3e2ce69..22182c7 100644
--- a/pkcs12/pkcs12.go
+++ b/pkcs12/pkcs12.go
@@ -104,6 +104,10 @@
 }
 
 // ToPEM converts all "safe bags" contained in pfxData to PEM blocks.
+//
+// Note that although the returned PEM blocks for private keys have type
+// "PRIVATE KEY", the bytes are not encoded according to PKCS #8, but according
+// to PKCS #1 for RSA keys and SEC 1 for ECDSA keys.
 func ToPEM(pfxData []byte, password string) ([]*pem.Block, error) {
 	encodedPassword, err := bmpString(password)
 	if err != nil {