authorMark DeLillo <github.med@delillo.org>2018-02-25 14:03:32 -0500
committerMark DeLillo <github.med@delillo.org>2018-02-25 14:03:32 -0500
commit779c88d4a407d3628f903e7c53ad5b4237ac618a (patch)
tree40450a263ff131dd619b938df6f389a73411404e /plumbing/transport
parent886dc83f3ed518a78772055497bcc7d7621b468e (diff)
Return error when creating public keys from invalid PEM
* pem.Decode will return a nil block in this case, and passing that to x509.IsEncryptedPEMBlock will cause it to panic

Signed-off-by: Mark DeLillo <github.med@delillo.org>
Diffstat (limited to 'plumbing/transport')
-rw-r--r--plumbing/transport/ssh/auth_method.go3
-rw-r--r--plumbing/transport/ssh/auth_method_test.go6
2 files changed, 9 insertions, 0 deletions
diff --git a/plumbing/transport/ssh/auth_method.go b/plumbing/transport/ssh/auth_method.go
index 0cdf2b7..84cfab2 100644
--- a/plumbing/transport/ssh/auth_method.go
+++ b/plumbing/transport/ssh/auth_method.go
@@ -124,6 +124,9 @@ type PublicKeys struct {
// (PKCS#1), DSA (OpenSSL), and ECDSA private keys.
func NewPublicKeys(user string, pemBytes []byte, password string) (*PublicKeys, error) {
block, _ := pem.Decode(pemBytes)
+ if block == nil {
+ return nil, errors.New("invalid PEM data")
+ }
if x509.IsEncryptedPEMBlock(block) {
key, err := x509.DecryptPEMBlock(block, []byte(password))
if err != nil {
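Review bot: The new `block == nil` guard returns an anonymous `errors.New("invalid PEM data")`, so a caller that wants to tell "the key material was not PEM" apart from a decrypt or parse failure can only compare error strings. A package-level sentinel would make that testable, for example `var ErrInvalidPEM = errors.New("invalid PEM data")` returned from the guard (the name is a suggestion). The doc comment above NewPublicKeys, only partly visible here, should also say that input containing no PEM block yields an error instead of a panic. The message rightly does not echo `pemBytes`, which keeps private-key material out of logs, and that should stay so if the error is ever wrapped. The function body continues past the end of this hunk.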
diff --git a/plumbing/transport/ssh/auth_method_test.go b/plumbing/transport/ssh/auth_method_test.go
index 1e77ca0..0025669 100644
--- a/plumbing/transport/ssh/auth_method_test.go
+++ b/plumbing/transport/ssh/auth_method_test.go
@@ -143,3 +143,9 @@ func (*SuiteCommon) TestNewPublicKeysFromFile(c *C) {
c.Assert(err, IsNil)
c.Assert(auth, NotNil)
}
+
+func (*SuiteCommon) TestNewPublicKeysWithInvalidPEM(c *C) {
+ auth, err := NewPublicKeys("foo", []byte("bar"), "")
+ c.Assert(err, NotNil)
+ c.Assert(auth, IsNil)
+}
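Review bot: TestNewPublicKeysWithInvalidPEM only exercises one non-PEM string, so the empty and nil inputs that also make pem.Decode return a nil block are not pinned. That matters because the nil check is the only thing between caller-supplied key bytes and a panic. Adding `_, err = NewPublicKeys("foo", nil, "")` followed by `c.Assert(err, NotNil)`, and the same for `[]byte("")`, would cover them. A case with well-formed PEM armor around a garbage body would additionally confirm that the path after the guard returns an error and does not panic. That case depends on code outside this diff.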