ssh: signal incorrect private key passwords with x509.IncorrectPasswo…

…rdError Fixes golang/go#20781 Change-Id: Iae42fff3c9b0b9984509e44a92f9bc99a1a12470 Reviewed-on: https://go-review.googlesource.com/46439 Reviewed-by: Han-Wen Nienhuys <[email protected]> Run-TryBot: Han-Wen Nienhuys <[email protected]> TryBot-Result: Gobot Gobot <[email protected]>
golang · Jun 28, 2017 · 84f24df · 84f24df
1 parent adbae1b
commit 84f24df
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/ssh/keys.go b/ssh/keys.go
@@ -802,6 +802,9 @@ func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) {
 	}
 }
 
+// ParseRawPrivateKeyWithPassphrase returns a private key decrypted with
+// passphrase from a PEM encoded private key. If wrong passphrase, return
+// x509.IncorrectPasswordError.
 func ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (interface{}, error) {
 	block, _ := pem.Decode(pemBytes)
 	if block == nil {
@@ -814,6 +817,9 @@ func ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (interface{},
 			var err error
 			buf, err = x509.DecryptPEMBlock(block, passPhrase)
 			if err != nil {
+				if err == x509.IncorrectPasswordError {
+					return nil, err
+				}
 				return nil, fmt.Errorf("ssh: cannot decode encrypted private keys: %v", err)
 			}
 		}

diff --git a/ssh/keys_test.go b/ssh/keys_test.go
@@ -11,6 +11,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/x509"
 	"encoding/base64"
 	"fmt"
 	"reflect"
@@ -165,6 +166,12 @@ func TestParseEncryptedPrivateKeysWithPassphrase(t *testing.T) {
 			t.Errorf("Verify failed: %v", err)
 		}
 	}
+
+	tt := testdata.PEMEncryptedKeys[0]
+	_, err := ParsePrivateKeyWithPassphrase(tt.PEMBytes, []byte("incorrect"))
+	if err != x509.IncorrectPasswordError {
+		t.Fatalf("got %v want IncorrectPasswordError", err)
+	}
 }
 
 func TestParseDSA(t *testing.T) {