summaryrefslogtreecommitdiff
path: root/vendor/golang.org/x/crypto/ssh/keys.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh/keys.go')
-rw-r--r--vendor/golang.org/x/crypto/ssh/keys.go19
1 files changed, 15 insertions, 4 deletions
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
index ef1bad731..df4ebdada 100644
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ b/vendor/golang.org/x/crypto/ssh/keys.go
@@ -1232,16 +1232,27 @@ func ParseRawPrivateKeyWithPassphrase(pemBytes, passphrase []byte) (interface{},
return nil, fmt.Errorf("ssh: cannot decode encrypted private keys: %v", err)
}
+ var result interface{}
+
switch block.Type {
case "RSA PRIVATE KEY":
- return x509.ParsePKCS1PrivateKey(buf)
+ result, err = x509.ParsePKCS1PrivateKey(buf)
case "EC PRIVATE KEY":
- return x509.ParseECPrivateKey(buf)
+ result, err = x509.ParseECPrivateKey(buf)
case "DSA PRIVATE KEY":
- return ParseDSAPrivateKey(buf)
+ result, err = ParseDSAPrivateKey(buf)
default:
- return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type)
+ err = fmt.Errorf("ssh: unsupported key type %q", block.Type)
}
+ // Because of deficiencies in the format, DecryptPEMBlock does not always
+ // detect an incorrect password. In these cases decrypted DER bytes is
+ // random noise. If the parsing of the key returns an asn1.StructuralError
+ // we return x509.IncorrectPasswordError.
+ if _, ok := err.(asn1.StructuralError); ok {
+ return nil, x509.IncorrectPasswordError
+ }
+
+ return result, err
}
// ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as
generated by cgit v1.2.3 (git 2.46.0) at 2025-07-13 18:55:23 +0000