
crypto/tls: parse certificate first in X509KeyPair to get better errors

parsePrivateKey can't return useful error messages because it does trial
decoding of multiple formats.  Try ParseCertificate first in case it
offers a useful error message.

Fixes #23591

Change-Id: I380490a5850bee593a7d2f584a27b2a14153d768
Reviewed-on: https://go-review.googlesource.com/90435
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
kris/server/www.crypto.cloudflare.com
Filippo Valsorda 6 years ago
committed by Kris Kwiatkowski
Parent
Commit
4c970a6672
1 changed file: 4 additions and 5 deletions
tls.go: +4 -5

tls.go

@@ -237,15 +237,14 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type)
}

var err error
cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
// We don't need to parse the public key for TLS, but we so do anyway
// to check that it looks sane and matches the private key.
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
return fail(err)
}

// We don't need to parse the public key for TLS, but we so do anyway
// to check that it looks sane and matches the private key.
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
if err != nil {
return fail(err)
}
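
Review bot: the comment that moves up with x509.ParseCertificate still reads "we so do anyway" and still describes the call as checking that the certificate "matches the private key", yet after the reorder the private key has not been parsed at that point and the actual reason for parsing the certificate first is not recorded in the code. Suggest fixing the wording to "we do so anyway", adding a short note that the certificate is parsed first because parsePrivateKey does trial decoding of several formats and cannot return a useful error, and moving the "matches the private key" wording next to the comparison itself. The change touches only tls.go, so a test that passes X509KeyPair a malformed certificate together with a well-formed key and asserts on the returned error would pin the new ordering for #23591.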

