@@ -5,6 +5,7 @@ package crypto
5
5
6
6
import (
7
7
"bytes"
8
+ "crypto"
8
9
cryptorand "crypto/rand"
9
10
"crypto/rsa"
10
11
"crypto/x509"
@@ -36,7 +37,7 @@ func CheckPublicAndPrivateKeyValidity(publicKey []byte, privateKey []byte) (bool
36
37
return false , err
37
38
}
38
39
39
- return checkPublicKeys (privKey . PublicKey , * pubKey ), nil
40
+ return checkPublicKeys (pubKey , privKey ), nil
40
41
}
41
42
42
43
// CheckCertificateSAN checks if the Kubernetes API Server certificate matches the SAN stored in the kubeadm:
@@ -114,12 +115,21 @@ func ParseCertificateBytes(content []byte) (*x509.Certificate, error) {
114
115
}
115
116
116
117
// ParsePrivateKeyBytes takes the private key bytes returning an RSA private key by parsing it.
117
- func ParsePrivateKeyBytes (content []byte ) (* rsa. PrivateKey , error ) {
118
+ func ParsePrivateKeyBytes (content []byte ) (crypto. Signer , error ) {
118
119
pemContent , _ := pem .Decode (content )
119
120
if pemContent == nil {
120
121
return nil , fmt .Errorf ("no right PEM block" )
121
122
}
122
123
124
+ if pemContent .Type == "EC PRIVATE KEY" {
125
+ privateKey , err := x509 .ParseECPrivateKey (pemContent .Bytes )
126
+ if err != nil {
127
+ return nil , errors .Wrap (err , "cannot parse EC Private Key" )
128
+ }
129
+
130
+ return privateKey , nil
131
+ }
132
+
123
133
privateKey , err := x509 .ParsePKCS1PrivateKey (pemContent .Bytes )
124
134
if err != nil {
125
135
return nil , errors .Wrap (err , "cannot parse PKCS1 Private Key" )
@@ -163,7 +173,7 @@ func IsValidCertificateKeyPairBytes(certificateBytes []byte, privateKeyBytes []b
163
173
switch {
164
174
case ! checkCertificateValidity (* crt ):
165
175
return false , nil
166
- case ! checkPublicKeys (* crt .PublicKey .( * rsa. PublicKey ) , key . PublicKey ): //nolint:forcetypeassert
176
+ case ! checkPublicKeys (crt .PublicKey , key ):
167
177
return false , nil
168
178
default :
169
179
return true , nil
@@ -196,7 +206,7 @@ func VerifyCertificate(cert, ca []byte, usages ...x509.ExtKeyUsage) (bool, error
196
206
return len (chains ) > 0 , err
197
207
}
198
208
199
- func generateCertificateKeyPairBytes (template * x509.Certificate , caCert * x509.Certificate , caKey * rsa. PrivateKey ) (* bytes.Buffer , * bytes.Buffer , error ) {
209
+ func generateCertificateKeyPairBytes (template * x509.Certificate , caCert * x509.Certificate , caKey crypto. Signer ) (* bytes.Buffer , * bytes.Buffer , error ) {
200
210
certPrivKey , err := rsa .GenerateKey (cryptorand .Reader , 2048 )
201
211
if err != nil {
202
212
return nil , nil , errors .Wrap (err , "cannot generate an RSA key" )
@@ -236,11 +246,12 @@ func checkCertificateValidity(cert x509.Certificate) bool {
236
246
return notAfter && notBefore
237
247
}
238
248
239
- func checkPublicKeys (a rsa.PublicKey , b rsa.PublicKey ) bool {
240
- isN := a .N .Cmp (b .N ) == 0
241
- isE := a .E == b .E
249
+ func checkPublicKeys (ka crypto.PublicKey , b crypto.Signer ) bool {
250
+ if eq , ok := ka .(interface { Equal (k crypto.PublicKey ) bool }); ok {
251
+ return eq .Equal (b .Public ())
252
+ }
242
253
243
- return isN && isE
254
+ return false
244
255
}
245
256
246
257
// NewCertificateTemplate returns the template that must be used to generate a certificate,
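Review bot: A PKCS#8 `PRIVATE KEY` PEM block still falls through to `x509.ParsePKCS1PrivateKey` on the line after the new `EC PRIVATE KEY` branch in ParsePrivateKeyBytes, so an EC or RSA key in that encoding is rejected with the misleading `cannot parse PKCS1 Private Key` error instead of being returned as a crypto.Signer; a dedicated branch using `x509.ParsePKCS8PrivateKey` with a type assertion to crypto.Signer closes the gap while staying fail-closed for key types that cannot sign (the body of ParsePrivateKeyBytes continues past the end of the hunk). The doc comment above the new signature still says the function returns an RSA private key; suggest `// ParsePrivateKeyBytes parses a PEM-encoded RSA (PKCS#1) or EC (SEC 1) private key and returns it as a crypto.Signer.` In the new checkPublicKeys, `b.Public()` panics on a nil Signer; the callers visible here pass keys that have already passed an error check, but a `if b == nil { return false }` guard ahead of the type assertion keeps the comparison fail-closed for future callers. Whether the public-key parsing in CheckPublicAndPrivateKeyValidity also accepts EC keys is not visible in this diff and is worth confirming, since otherwise an EC pair can never compare equal there.

```go
func ParsePrivateKeyBytes(content []byte) (crypto.Signer, error) {
	// … unchanged: pem.Decode and nil check …
	// … unchanged: EC PRIVATE KEY branch …

	if pemContent.Type == "PRIVATE KEY" {
		key, err := x509.ParsePKCS8PrivateKey(pemContent.Bytes)
		if err != nil {
			return nil, errors.Wrap(err, "cannot parse PKCS8 Private Key")
		}
		signer, ok := key.(crypto.Signer)
		if !ok {
			return nil, fmt.Errorf("unsupported private key type %T", key)
		}
		return signer, nil
	}
	// … unchanged: PKCS1 fallback …
```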