crypto/tls: parse certificate first in X509KeyPair to get better errors

parsePrivateKey can't return useful error messages because it does trial decoding of multiple formats. Try ParseCertificate first in case it offers a useful error message. Fixes #23591 Change-Id: I380490a5850bee593a7d2f584a27b2a14153d768 Reviewed-on: https://go-review.googlesource.com/90435 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>

crypto/tls: parse certificate first in X509KeyPair to get better errors
parsePrivateKey can't return useful error messages because it does trial decoding of multiple formats. Try ParseCertificate first in case it offers a useful error message. Fixes #23591 Change-Id: I380490a5850bee593a7d2f584a27b2a14153d768 Reviewed-on: https://go-review.googlesource.com/90435 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
bd18c090 · Filippo Valsorda · Filippo Valsorda · a25d0d8f · bd18c090
Commit bd18c090 authored Jan 28, 2018 by Filippo Valsorda Committed by Filippo Valsorda Mar 27, 2018
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 5 deletions

src/crypto/tls/tls.go src/crypto/tls/tls.go +4 -5

No files found.
--- a/src/crypto/tls/tls.go
+++ b/src/crypto/tls/tls.go
@@ -237,15 +237,14 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
 		skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type)
 	}

-	var err error
-	cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
+	// We don't need to parse the public key for TLS, but we so do anyway
+	// to check that it looks sane and matches the private key.
+	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
 	if err != nil {
 		return fail(err)
 	}

-	// We don't need to parse the public key for TLS, but we so do anyway
-	// to check that it looks sane and matches the private key.
-	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+	cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
 	if err != nil {
 		return fail(err)
 	}