Support PKCS1 and PKCS8 private keys #843

Merged (2 commits) on Nov 5, 2021
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,9 @@
## UNRELEASED

IMPROVEMENTS:
* Control Plane
* TLS: Support PKCS1 and PKCS8 private keys for Consul certificate authority. [[GH-843](https://github.com/hashicorp/consul-k8s/pull/843)]

BUG FIXES:
* Control Plane
* ACLs: Fix issue where if one or more servers fail to have their ACL tokens set on the initial run of server-acl-init
19 changes: 19 additions & 0 deletions control-plane/helper/cert/tls_util.go
@@ -17,6 +17,9 @@ import (
"time"
)

// NOTE: A lot of this code is taken from
// https://github.com/hashicorp/consul/blob/44c023a3020fdd139c5be330f318a3c12339f08e/agent/connect/parsing.go.

// GenerateCA generates a CA with the provided
// common name valid for 10 years. It returns the private key as
// a crypto.Signer and a PEM string and certificate
@@ -162,6 +165,22 @@ func ParseSigner(pemValue string) (crypto.Signer, error) {
switch block.Type {
case "EC PRIVATE KEY":
return x509.ParseECPrivateKey(block.Bytes)

case "RSA PRIVATE KEY":
return x509.ParsePKCS1PrivateKey(block.Bytes)

case "PRIVATE KEY":
signer, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
return nil, err
}
pk, ok := signer.(crypto.Signer)
if !ok {
return nil, fmt.Errorf("private key is not a valid format")
}

return pk, nil

default:
return nil, fmt.Errorf("unknown PEM block type for signing key: %s", block.Type)
}
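Review bot: in the new `case "PRIVATE KEY":` branch the value returned by `x509.ParsePKCS8PrivateKey` is named `signer` before the type assertion has shown that it is one, and the fallback error `"private key is not a valid format"` discards the one useful diagnostic, the concrete key type. Suggest `key, err := x509.ParsePKCS8PrivateKey(block.Bytes)` and `return nil, fmt.Errorf("unsupported PKCS#8 private key type %T", key)`. Note also that `ParsePKCS8PrivateKey` returns `*rsa.PrivateKey`, `*ecdsa.PrivateKey` or `ed25519.PrivateKey`, all of which implement `crypto.Signer`, so an Ed25519 key now passes `ParseSigner` even though the `EC PRIVATE KEY` and `RSA PRIVATE KEY` branches only ever admitted ECDSA and RSA; if the CA code that consumes this signer cannot sign with Ed25519, reject it here with a clear error rather than letting it fail later. Finally, the PR touches only `CHANGELOG.md` and `tls_util.go`, so neither new branch has a test; a table-driven test that generates an RSA key, encodes it as both PKCS#1 and PKCS#8 PEM, and round-trips each through `ParseSigner` would pin the behaviour.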