FIXIT: Generate a better error for incorrectly generated private keys. …

…Fixes #354
ampproject · Jun 8, 2020 · 1dac104 · 1dac104
1 parent 72682de
commit 1dac104
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/packager/util/util.go b/packager/util/util.go
@@ -52,7 +52,7 @@ func ParsePrivateKey(keyPem []byte) (crypto.PrivateKey, error) {
 		var pemBlock *pem.Block
 		pemBlock, keyPem = pem.Decode(keyPem)
 		if pemBlock == nil {
-			return nil, errors.New("invalid PEM block in private key file")
+			return nil, errors.New("invalid PEM block in private key file, make sure to use the right key type. Generate the key using: openssl ecparam -out priv.key -name prime256v1 -genkey")
 		}
 
 		var err error

diff --git a/packager/util/util_test.go b/packager/util/util_test.go
@@ -3,6 +3,9 @@ package util_test
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
 	"testing"
 	"time"
 
@@ -56,6 +59,15 @@ func TestParsePrivateKey(t *testing.T) {
 	assert.Equal(t, elliptic.P256(), pkgt.B3Key.(*ecdsa.PrivateKey).PublicKey.Curve)
 }
 
+func TestParsePrivateKeyWithInvalidType(t *testing.T) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err, "Could not generate test key")
+
+	key, err := util.ParsePrivateKey(x509.MarshalPKCS1PrivateKey(privateKey))
+	assert.Nil(t, key)
+	assert.EqualError(t, err, "invalid PEM block in private key file, make sure to use the right key type. Generate the key using: openssl ecparam -out priv.key -name prime256v1 -genkey")
+}
+
 func TestCanSignHttpExchangesExtension(t *testing.T) {
 	// Leaf node has the extension.
 	assert.Nil(t, util.CanSignHttpExchanges(pkgt.B3Certs[0]))