
Commit 2d52bbc

feat: support ECDSA private keys
1 parent 21c299b commit 2d52bbc

1 file changed

+19
-8
lines changed


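--- a/internal/crypto/crypto.go
+++ b/internal/crypto/crypto.go
@@ -5,6 +5,7 @@ package crypto
 
 import (
 "bytes"
+"crypto"
 cryptorand "crypto/rand"
 "crypto/rsa"
 "crypto/x509"
@@ -36,7 +37,7 @@ func CheckPublicAndPrivateKeyValidity(publicKey []byte, privateKey []byte) (bool
 return false, err
 }
 
-return checkPublicKeys(privKey.PublicKey, *pubKey), nil
+return checkPublicKeys(pubKey, privKey), nil
 }
 
 // CheckCertificateSAN checks if the Kubernetes API Server certificate matches the SAN stored in the kubeadm:
@@ -114,12 +115,21 @@ func ParseCertificateBytes(content []byte) (*x509.Certificate, error) {
 }
 
 // ParsePrivateKeyBytes takes the private key bytes returning an RSA private key by parsing it.
-func ParsePrivateKeyBytes(content []byte) (*rsa.PrivateKey, error) {
+func ParsePrivateKeyBytes(content []byte) (crypto.Signer, error) {
 pemContent, _ := pem.Decode(content)
 if pemContent == nil {
 return nil, fmt.Errorf("no right PEM block")
 }
 
+if pemContent.Type == "EC PRIVATE KEY" {
+privateKey, err := x509.ParseECPrivateKey(pemContent.Bytes)
+if err != nil {
+return nil, errors.Wrap(err, "cannot parse EC Private Key")
+}
+
+return privateKey, nil
+}
+
 privateKey, err := x509.ParsePKCS1PrivateKey(pemContent.Bytes)
 if err != nil {
 return nil, errors.Wrap(err, "cannot parse PKCS1 Private Key")
@@ -163,7 +173,7 @@ func IsValidCertificateKeyPairBytes(certificateBytes []byte, privateKeyBytes []b
 switch {
 case !checkCertificateValidity(*crt):
 return false, nil
-case !checkPublicKeys(*crt.PublicKey.(*rsa.PublicKey), key.PublicKey): //nolint:forcetypeassert
+case !checkPublicKeys(crt.PublicKey, key):
 return false, nil
 default:
 return true, nil
@@ -196,7 +206,7 @@ func VerifyCertificate(cert, ca []byte, usages ...x509.ExtKeyUsage) (bool, error
 return len(chains) > 0, err
 }
 
-func generateCertificateKeyPairBytes(template *x509.Certificate, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*bytes.Buffer, *bytes.Buffer, error) {
+func generateCertificateKeyPairBytes(template *x509.Certificate, caCert *x509.Certificate, caKey crypto.Signer) (*bytes.Buffer, *bytes.Buffer, error) {
 certPrivKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
 if err != nil {
 return nil, nil, errors.Wrap(err, "cannot generate an RSA key")
@@ -236,11 +246,12 @@ func checkCertificateValidity(cert x509.Certificate) bool {
 return notAfter && notBefore
 }
 
-func checkPublicKeys(a rsa.PublicKey, b rsa.PublicKey) bool {
-isN := a.N.Cmp(b.N) == 0
-isE := a.E == b.E
+func checkPublicKeys(ka crypto.PublicKey, b crypto.Signer) bool {
+if eq, ok := ka.(interface{ Equal(k crypto.PublicKey) bool }); ok {
+return eq.Equal(b.Public())
+}
 
-return isN && isE
+return false
 }
 
 // NewCertificateTemplate returns the template that must be used to generate a certificate,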
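Review bot: The doc comment kept above the new `ParsePrivateKeyBytes` signature (hunk `@@ -114,12 +115,21 @@`) still says the function returns "an RSA private key", but it now returns a `crypto.Signer` and handles SEC1 EC blocks too; replace it with `// ParsePrivateKeyBytes parses a PEM-encoded private key ("EC PRIVATE KEY" as SEC1, anything else as PKCS#1 RSA) and returns it as a crypto.Signer.`. A second point in the same hunk: every PEM type other than `EC PRIVATE KEY` falls through to `x509.ParsePKCS1PrivateKey`, so an ECDSA (or RSA) key stored in PKCS#8 form (`PRIVATE KEY` block) fails with the misleading "cannot parse PKCS1 Private Key" — presumably such keys are expected once ECDSA is supported, so a `PRIVATE KEY` branch using `x509.ParsePKCS8PrivateKey` with a `crypto.Signer` assertion would close that gap. The body of `ParsePrivateKeyBytes` continues past the end of the hunk. Whether any caller in this repository feeds PKCS#8 material is not visible here, so confirm before adding the branch.
```go
if pemContent.Type == "PRIVATE KEY" {
	key, err := x509.ParsePKCS8PrivateKey(pemContent.Bytes)
	if err != nil {
		return nil, errors.Wrap(err, "cannot parse PKCS8 Private Key")
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, fmt.Errorf("unsupported private key type %T", key)
	}
	return signer, nil
}
// … unchanged: EC PRIVATE KEY branch and PKCS1 fallback …
```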
