ssh: reject unencrypted keys from ParsePrivateKeyWithPassphrase

The behavior of ParsePrivateKeyWithPassphrase when the key is
unencrypted is unspecified. Currently, it just parses them like
ParsePrivateKey, which is unlikely to be what anyone wants: for us to
ignore a passphrase that they explicitly passed. It also makes the
implementation of encrypted OpenSSH keys in the next CL more confused.

Instead, make ParsePrivateKey return a PassphraseNeededError, so the
application logic can be ParsePrivateKey -> detect encrypted key ->
obtain passphrase -> ParsePrivateKeyWithPassphrase. That error will also
let us return the public key for OpenSSH keys.

Change-Id: Ife4fb2499ae538bef36e353adf9bc8e902662386
Run-TryBot: Filippo Valsorda <>
Run-TryBot: Han-Wen Nienhuys <>
TryBot-Result: Gobot Gobot <>
Reviewed-by: Han-Wen Nienhuys <>
3 files changed
tree: 52bdafe97d3886509ad71575af7fbb8a7efc119b
  1. .gitattributes
  2. .gitignore
  9. acme/
  10. argon2/
  11. bcrypt/
  12. blake2b/
  13. blake2s/
  14. blowfish/
  15. bn256/
  16. cast5/
  17. chacha20/
  18. chacha20poly1305/
  19. codereview.cfg
  20. cryptobyte/
  21. curve25519/
  22. ed25519/
  23. go.mod
  24. go.sum
  25. hkdf/
  26. internal/
  27. md4/
  28. nacl/
  29. ocsp/
  30. openpgp/
  31. otr/
  32. pbkdf2/
  33. pkcs12/
  34. poly1305/
  35. ripemd160/
  36. salsa20/
  37. scrypt/
  38. sha3/
  39. ssh/
  40. tea/
  41. twofish/
  42. xtea/
  43. xts/

Go Cryptography

This repository holds supplementary Go cryptography libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the crypto repository is located at Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.