From 4c970a6672af9b2c99c3908840abe4fa0a3df3f1 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Sun, 28 Jan 2018 23:30:48 +0100 Subject: [PATCH] crypto/tls: parse certificate first in X509KeyPair to get better errors parsePrivateKey can't return useful error messages because it does trial decoding of multiple formats. Try ParseCertificate first in case it offers a useful error message. Fixes #23591 Change-Id: I380490a5850bee593a7d2f584a27b2a14153d768 Reviewed-on: https://go-review.googlesource.com/90435 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Adam Langley --- tls.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tls.go b/tls.go index 615d1e5..8fd4294 100644 --- a/tls.go +++ b/tls.go @@ -237,15 +237,14 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) { skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type) } - var err error - cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes) + // We don't need to parse the public key for TLS, but we so do anyway + // to check that it looks sane and matches the private key. + x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) if err != nil { return fail(err) } - // We don't need to parse the public key for TLS, but we so do anyway - // to check that it looks sane and matches the private key. - x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) + cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes) if err != nil { return fail(err) }