feat: add loaders for pkcs8 keys in cloudfront/sign #2313

Merged
merged 1 commit into from
Oct 13, 2023

Conversation

lucix-aws
Contributor

Closes #2270.

Add the following APIs:

```go
// LoadPEMPrivKeyPKCS8 reads a PEM-encoded RSA private key in PKCS8 format from
// the given reader.
//
// [x509.ParsePKCS8PrivateKey] can return multiple key types and this API does
// not discern between them. Callers in need of the underlying value must
// obtain it via type assertion:
//
//  key, err := sign.LoadPEMPrivKeyPKCS8(r)
//  if err != nil { /* ... */ }
//
//  switch key.(type) {
//  case *rsa.PrivateKey:
//      // ...
//  case *ecdsa.PrivateKey:
//      // ...
//  case ed25519.PrivateKey:
//      // ...
//  default:
//      panic("unrecognized private key type")
//  }
//
// See aforementioned API docs for a full list of possible key types.
//
// If calling code can opaquely handle the returned key as a [crypto.Signer],
// use [LoadPEMPrivKeyPKCS8AsSigner] instead.
func LoadPEMPrivKeyPKCS8(reader io.Reader) (interface{}, error)

// LoadPEMPrivKeyPKCS8AsSigner wraps [LoadPEMPrivKeyPKCS8] to expect a
// [crypto.Signer].
func LoadPEMPrivKeyPKCS8AsSigner(reader io.Reader) (crypto.Signer, error)
```

Additionally--

  • improve package documentation
  • deprecate LoadEncryptedPEMPrivKey

@lucix-aws lucix-aws requested a review from a team as a code owner October 12, 2023 17:29
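
The parse-then-assert flow behind a `crypto.Signer` loader, as an added standard-library example that is not the SDK's code or part of this PR. `loadPKCS8Signer` and `sampleInputs` are hypothetical names, the function takes PEM bytes rather than an `io.Reader`, and the PEM label check is an assumption about how a caller might harden the load. It shows that a key can parse as valid PKCS#8 and still be unusable for signing.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// loadPKCS8Signer is a hypothetical stdlib-only stand-in (not the SDK's code).
func loadPKCS8Signer(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PRIVATE KEY" { // assumed label check
		return nil, fmt.Errorf("input is not a PKCS#8 \"PRIVATE KEY\" PEM block")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok { // e.g. *ecdh.PrivateKey (X25519) parses but has no Sign method
		return nil, fmt.Errorf("%T does not implement crypto.Signer", key)
	}
	return signer, nil
}

// sampleInputs returns constructed PEM: Ed25519, X25519, Ed25519 under a PKCS#1 label.
func sampleInputs() [][]byte {
	enc := func(key any, label string) []byte {
		der, err := x509.MarshalPKCS8PrivateKey(key)
		if err != nil {
			panic(err)
		}
		return pem.EncodeToMemory(&pem.Block{Type: label, Bytes: der})
	}
	_, ed, _ := ed25519.GenerateKey(rand.Reader)
	x, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return [][]byte{enc(ed, "PRIVATE KEY"), enc(x, "PRIVATE KEY"), enc(ed, "RSA PRIVATE KEY")}
}

func main() {
	for _, in := range sampleInputs() {
		s, err := loadPKCS8Signer(in)
		fmt.Printf("signer=%T err=%v\n", s, err)
	}
}
```

Only the key's type and the error are printed, so no private key material reaches the output.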
@isaiahvita
Contributor

@lucix-aws LGTM, just one question though: why create a new API LoadPEMPrivKeyPKCS8 rather than amending LoadEncryptedPEMPrivKey? Is it to avoid an unexpected behavioral change? That way it's better to explicitly deprecate and add rather than replace?

@lucix-aws lucix-aws merged commit 6e4fae3 into main Oct 13, 2023
18 of 19 checks passed
@lucix-aws lucix-aws deleted the feat-cloudfrontpkcs8 branch October 13, 2023 16:42
Successfully merging this pull request may close these issues.

Support PKCS#8PrivateKey Parsing in CloudFront Signed URL Signer