veyron/security: make loadPEMKey support nil encrypted passwords.
Backward compatibility for nil encrypted passwords from old loadPEMKey
function.
Change-Id: Ic0eb4fb082dea33cc1b408ce5b2233668f101da7
diff --git a/security/util.go b/security/util.go
index 175d49f..b33d7fd 100644
--- a/security/util.go
+++ b/security/util.go
@@ -28,10 +28,9 @@
return acl
}
-var MissingPassphraseErr = errors.New("passphrase required for decrypting private key")
+var PassphraseErr = errors.New("passphrase incorrect for decrypting private key")
-// loadPEMKey loads a key from 'r'. passphrase should be non-nil if the key held in 'r' is
-// encrypted, otherwise a MissingPassphraseErr will be returned.
+// loadPEMKey loads a key from 'r'. returns PassphraseErr for incorrect Passphrase.
// If the key held in 'r' is unencrypted, 'passphrase' will be ignored.
func loadPEMKey(r io.Reader, passphrase []byte) (interface{}, error) {
pemBlockBytes, err := ioutil.ReadAll(r)
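Review bot: The new exported sentinel on the `+var PassphraseErr` line does not follow Go's `ErrXxx` convention, and the doc comment on the `+// loadPEMKey` line starts a sentence in lowercase and capitalizes "Passphrase" mid-sentence. Since the commit is already renaming the variable, `var ErrPassphrase = errors.New("passphrase incorrect for decrypting private key")` would match the convention, with the comment reading `// loadPEMKey loads a key from 'r'. It returns ErrPassphrase if the key is encrypted and cannot be decrypted with 'passphrase'.`. Dropping the exported `MissingPassphraseErr` is also an API break for any caller that compares against it; if such callers exist outside this file, keeping the old name as a deprecated alias would avoid that. loadPEMKey's body continues past the end of this hunk.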
@@ -44,12 +43,9 @@
}
var data []byte
if x509.IsEncryptedPEMBlock(pemBlock) {
- if passphrase == nil {
- return nil, MissingPassphraseErr
- }
data, err = x509.DecryptPEMBlock(pemBlock, passphrase)
if err != nil {
- return nil, err
+ return nil, PassphraseErr
}
} else {
data = pemBlock.Bytes
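Review bot: The `+ return nil, PassphraseErr` line reports every DecryptPEMBlock failure as an incorrect passphrase, including an unsupported cipher in the DEK-Info header or a malformed encrypted block, so the real cause never reaches the caller or the logs. The library already distinguishes the wrong-password case with a sentinel, so inserting `if err != x509.IncorrectPasswordError { return nil, err }` before the PassphraseErr return keeps that diagnosis precise. Note that for the legacy PEM encryption format a wrong passphrase is only detected through a padding check, so a bad passphrase can still pass this branch with garbage plaintext, which is presumably why the parse error in the next hunk is mapped to PassphraseErr as well. loadPEMKey starts and ends outside this hunk.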
@@ -57,7 +53,11 @@
switch pemBlock.Type {
case ecPrivateKeyPEMType:
- return x509.ParseECPrivateKey(data)
+ key, err := x509.ParseECPrivateKey(data)
+ if err != nil {
+ return nil, PassphraseErr
+ }
+ return key, nil
}
return nil, fmt.Errorf("PEM key block has an unrecognized type: %v", pemBlock.Type)
}
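Review bot: The `+ return nil, PassphraseErr` line inside the `ecPrivateKeyPEMType` case applies to unencrypted blocks too, even though the doc comment says 'passphrase' is ignored for them, so a corrupt or non-EC unencrypted key is now reported as a passphrase problem and the original parse error is lost. Mapping the parse failure to PassphraseErr only when the block was actually encrypted keeps the new behaviour for the undetected-wrong-passphrase case and preserves the real error otherwise; the rewrite of that case is shown below. loadPEMKey starts outside this hunk.
```go
	case ecPrivateKeyPEMType:
		key, err := x509.ParseECPrivateKey(data)
		if err != nil {
			// DecryptPEMBlock cannot always detect a wrong passphrase, so a
			// parse failure is only evidence of one when the block was encrypted.
			if x509.IsEncryptedPEMBlock(pemBlock) {
				return nil, PassphraseErr
			}
			return nil, err
		}
		return key, nil
	// … unchanged: unrecognized-type fallthrough …
```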