crypto/tls: surface private key parsing error from X509KeyPair

This can include e.g. an error that mentions that ML-DSA is not
available due to the FIPS 140-3 module version.

Change-Id: I6f505d9baff80fee23edf6f8e995dd846a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/777881
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Filippo Valsorda 2026-05-14 10:03:27 -04:00 committed by Gopher Robot
parent 18f72b3842
commit 1debc9f0ce


@ -357,20 +357,21 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
// PKCS #1 private keys by default, while OpenSSL 1.0.0 generates PKCS #8 keys.
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
key, err := x509.ParsePKCS8PrivateKey(der)
pkcs8Err := err // Return the PKCS#8 error if all parsing attempts fail.
if err != nil {
key, err = x509.ParsePKCS1PrivateKey(der)
}
if err != nil {
key, err = x509.ParseECPrivateKey(der)
}
if err != nil {
return nil, fmt.Errorf("tls: failed to parse private key: %w", pkcs8Err)
}
switch key := key.(type) {
case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey, *mldsa.PrivateKey:
return key, nil
default:
return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
}
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
switch key := key.(type) {
case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey, *mldsa.PrivateKey:
return key, nil
default:
return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
}
}
if key, err := x509.ParseECPrivateKey(der); err == nil {
return key, nil
}
return nil, errors.New("tls: failed to parse private key")
}
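Review bot: The `pkcs8Err := err` line says which error is kept but not why, and the choice has a visible cost on the new side: when all three parsers fail, the PKCS #1 and SEC1 errors are discarded, so a caller feeding a malformed PKCS #1 or SEC1 key receives the PKCS #8 parser's diagnosis of it, which may point at a format that was in fact already tried. Expand the comment to give the rationale, e.g. `// PKCS #8 is tried first and its error is the one reported: it covers the widest set of algorithms (including ones unavailable under the FIPS module) and so is the most informative when every format fails.` If the dropped errors matter for diagnostics, capturing the PKCS #1 and SEC1 errors and returning `errors.Join` of all three would preserve them at the cost of a longer message. Separately, wrapping with `%w` makes the underlying x509 error reachable through errors.Is/errors.As from X509KeyPair, which is a new part of that function's contract and is worth a sentence in its doc comment; both parsePrivateKey's leading comment and X509KeyPair start outside the hunk.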