crypto/tls: X509KeyPair cannot parse OpenSSL generated ECDSA keys #23591
Comments
odeke-em
changed the title
|
Thank for reporting this issue @chandra-ghub. Seems like the certificate centric version of this bug is #21502, but am not sure. I'll tag some crypto folks @agl @titanous @FiloSottile |
odeke-em
changed the title
bradfitz
added
the
NeedsInvestigation
|
Drop this: It causes OpenSSL to encode P-256 as if it were a random, arbitrary curve rather than specifying P-256 itself. The default ( (For more details, see the OpenSSL documentation.) |
|
As #21502 (comment) says, I looked into making the error message more useful like in #21502 (which is indeed the same issue but with certificates) but What we can do is move certificate parsing, which has more useful error messages, above private key parsing in |
|
Change https://golang.org/cl/90435 mentions this issue: |
|
thanks @agl and @FiloSottile for your time. Can confirm that dropping Appreciate your acute diligence on the error messages, makes life so much easier for |
parsePrivateKey can't return useful error messages because it does trial decoding of multiple formats. Try ParseCertificate first in case it offers a useful error message. Fixes #23591 Change-Id: I380490a5850bee593a7d2f584a27b2a14153d768 Reviewed-on: https://go-review.googlesource.com/90435 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
parsePrivateKey can't return useful error messages because it does trial decoding of multiple formats. Try ParseCertificate first in case it offers a useful error message. Fixes golang#23591 Change-Id: I380490a5850bee593a7d2f584a27b2a14153d768 Reviewed-on: https://go-review.googlesource.com/90435 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
parsePrivateKey can't return useful error messages because it does trial decoding of multiple formats. Try ParseCertificate first in case it offers a useful error message. Fixes golang#23591 Change-Id: I380490a5850bee593a7d2f584a27b2a14153d768 Reviewed-on: https://go-review.googlesource.com/90435 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
Please answer these questions before submitting your issue. Thanks!
I am trying to get go's standard
tlspackage accept my openssl generated keys (Prime 256 curve ECDSA). Generated key and cert using OpenSSL -What version of Go are you using (
go version)?Tested with 1.9 and on play.golang.org too.
https://play.golang.org/p/V9GzXsn1zoG (copied the function X509KeyPair() to be able to debug)
https://play.golang.org/p/22G1XNbU8at (direct call to the library)
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env)?MACOS High Sierra
What did you do?
here you go -
https://play.golang.org/p/V9GzXsn1zoG with the library copied to debug the error
https://play.golang.org/p/22G1XNbU8at (without go's library code)
What did you expect to see?
A
&tls.Certificate{}to have returned.What did you see instead?
failed to parse private keyerror from private function parsePrivateKey() in tls.go library.The text was updated successfully, but these errors were encountered: