home: imp code

internal/home/tls.go

@@ -525,9 +525,10 @@ func validateCertChain(chain []byte, srvName string) (main *x509.Certificate, ok
 		Intermediates: pool,
 	}
 	_, err = main.Verify(opts)
+	err = errors.Annotate(err, "certificate does not verify: %w")
 
 	// Let self-signed certs through and don't return this error.
-	return main, true, errors.Annotate(err, "certificate does not verify: %w")
+	return main, true, err
 }
 
 // parsePEMCerts parses multiple PEM-encoded certificates.
@@ -549,7 +550,8 @@ func parsePEMCerts(certs []*pem.Block) (parsedCerts []*x509.Certificate, err err
 	return parsedCerts, nil
 }
 
-// validatePKey validates the private key, returning its type.
+// validatePKey validates the private key, returning its type.  It returns an
+// empty string if error occurs.
 func validatePKey(pkey []byte) (keyType string, err error) {
 	var key *pem.Block
 
@@ -620,21 +622,21 @@ func validateCertificates(
 
 	// Validate the private key by parsing it.
 	if len(pkey) > 0 {
-		var verr error
-		status.KeyType, verr = validatePKey(pkey)
-		if verr != nil {
+		var keyErr error
+		status.KeyType, keyErr = validatePKey(pkey)
+		if keyErr != nil {
 			// Don't wrap the error, since it's informative enough as is.
-			return verr
+			return keyErr
 		}
 
 		status.ValidKey = true
 	}
 
 	// If both are set, validate together.
 	if len(certChain) > 0 && len(pkey) > 0 {
-		_, verr := tls.X509KeyPair(certChain, pkey)
-		if verr != nil {
-			return fmt.Errorf("certificate-key pair: %w", verr)
+		_, pairErr := tls.X509KeyPair(certChain, pkey)
+		if pairErr != nil {
+			return fmt.Errorf("certificate-key pair: %w", pairErr)
 		}
 
 		status.ValidPair = true