crypto/x509: document that DecryptPEMBlock cannot detect all cases of incorrect password

Fixes #10171. Change-Id: I1b2e30ebbb2b9d66680008674baa96e550efe1f2 Reviewed-on: https://go-review.googlesource.com/7603Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org>

crypto/x509: document that DecryptPEMBlock cannot detect all cases of incorrect password
Fixes #10171. Change-Id: I1b2e30ebbb2b9d66680008674baa96e550efe1f2 Reviewed-on: https://go-review.googlesource.com/7603Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org>
20b3a9b6 · Shenghou Ma · Minux Ma · fc28fd1e · 20b3a9b6
Commit 20b3a9b6 authored Mar 15, 2015 by Shenghou Ma Committed by Minux Ma Mar 20, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

pem_decrypt.go src/crypto/x509/pem_decrypt.go +4 -1

No files found.
--- a/src/crypto/x509/pem_decrypt.go
+++ b/src/crypto/x509/pem_decrypt.go
@@ -108,7 +108,10 @@ var IncorrectPasswordError = errors.New("x509: decryption password incorrect")
 // encrypt it and returns a slice of decrypted DER encoded bytes. It inspects
 // the DEK-Info header to determine the algorithm used for decryption. If no
 // DEK-Info header is present, an error is returned. If an incorrect password
-// is detected an IncorrectPasswordError is returned.
+// is detected an IncorrectPasswordError is returned. Because of deficiencies
+// in the encrypted-PEM format, it's not always possible to detect an incorrect
+// password. In these cases no error will be returned but the decrypted DER
+// bytes will be random noise.
 func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error) {
 	dek, ok := b.Headers["DEK-Info"]
 	if !ok {