crypto/tls: populate Leaf in X509KeyPair

Fixes #67065 Change-Id: I189e194de8aa94523eb64e1dd294a70cb81cbdf6 Reviewed-on: https://go-review.googlesource.com/c/go/+/585856 Auto-Submit: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
2025-04-04 04:27:36 +03:00 · 2024-05-15 13:46:38 -07:00 · 2024-05-15 13:46:38 -07:00 · 5bf846b35c
commit 5bf846b35c
parent 5578206479
2 changed files with 79 additions and 7 deletions
--- a/tls_test.go
+++ b/tls_test.go
@ -8,13 +8,19 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"internal/testenv"
 	"io"
 	"math"
+	"math/big"
 	"net"
 	"os"
 	"reflect"
@ -1945,3 +1951,54 @@ func TestHandshakeKyber(t *testing.T) {
 		})
 	}
 }
+
+func TestX509KeyPairPopulateCertificate(t *testing.T) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "test"},
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	t.Run("x509keypairleaf=0", func(t *testing.T) {
+		t.Setenv("GODEBUG", "x509keypairleaf=0")
+		cert, err := X509KeyPair(certPEM, keyPEM)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if cert.Leaf != nil {
+			t.Fatal("Leaf should not be populated")
+		}
+	})
+	t.Run("x509keypairleaf=1", func(t *testing.T) {
+		t.Setenv("GODEBUG", "x509keypairleaf=1")
+		cert, err := X509KeyPair(certPEM, keyPEM)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if cert.Leaf == nil {
+			t.Fatal("Leaf should be populated")
+		}
+	})
+	t.Run("GODEBUG unset", func(t *testing.T) {
+		cert, err := X509KeyPair(certPEM, keyPEM)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if cert.Leaf == nil {
+			t.Fatal("Leaf should be populated")
+		}
+	})
+}