Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion pkg/chains/signing/x509/x509.go
Original file line number Diff line number Diff line change
Expand Up @@ -180,14 +180,21 @@ func x509Signer(ctx context.Context, privateKey []byte) (*Signer, error) {
logger.Info("Found x509 key...")

p, _ := pem.Decode(privateKey)
if p == nil {
return nil, fmt.Errorf("failed to decode PEM block from x509 private key")
}
if p.Type != "PRIVATE KEY" {
return nil, fmt.Errorf("expected private key, found object of type %s", p.Type)
}
pk, err := cx509.ParsePKCS8PrivateKey(p.Bytes)
if err != nil {
return nil, err
}
signer, err := signature.LoadECDSASignerVerifier(pk.(*ecdsa.PrivateKey), crypto.SHA256)
ecdsaKey, ok := pk.(*ecdsa.PrivateKey)
if !ok {
return nil, fmt.Errorf("unsupported private key type %T, only ECDSA keys are supported", pk)
}
signer, err := signature.LoadECDSASignerVerifier(ecdsaKey, crypto.SHA256)
if err != nil {
return nil, err
}
Expand Down
35 changes: 35 additions & 0 deletions pkg/chains/signing/x509/x509_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -223,3 +223,38 @@ func TestSigner_SignED25519(t *testing.T) {
t.Error("invalid signature")
}
}

func TestNewSignerMalformedX509Key(t *testing.T) {
ctx := logtesting.TestContextWithLogger(t)
d := t.TempDir()
p := filepath.Join(d, "x509.pem")
if err := os.WriteFile(p, []byte("this is not a PEM block"), 0644); err != nil {
t.Fatal(err)
}

_, err := NewSigner(ctx, d, config.Config{})
if err == nil {
t.Fatal("expected an error for a key file without a PEM block, got nil")
}
if !strings.Contains(err.Error(), "failed to decode PEM block") {
t.Fatalf("unexpected error: %v", err)
}
}

func TestNewSignerUnsupportedX509KeyType(t *testing.T) {
ctx := logtesting.TestContextWithLogger(t)
d := t.TempDir()
p := filepath.Join(d, "x509.pem")
// ed25519 keys are a valid PKCS8 key but not supported by the x509 signer.
if err := os.WriteFile(p, []byte(ed25519Priv), 0644); err != nil {
t.Fatal(err)
}

_, err := NewSigner(ctx, d, config.Config{})
if err == nil {
t.Fatal("expected an error for an unsupported key type, got nil")
}
if !strings.Contains(err.Error(), "unsupported private key type") {
t.Fatalf("unexpected error: %v", err)
}
}
Loading