check for public key type

hashicorp · Jul 4, 2023 · 4ad240e · 4ad240e
1 parent cb28e17
commit 4ad240e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 19 deletions.
diff --git a/test/integration/consul-container/libs/utils/helpers.go b/test/integration/consul-container/libs/utils/helpers.go
@@ -29,35 +29,33 @@ func ApplyDefaultProxySettings(c *api.Client) (bool, error) {
 }
 
 // Generates a private and public key pair that is for signing
-// JWT
+// JWT.
 func GenerateKey() (pub, priv string, err error) {
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 
 	if err != nil {
-		return "", "", fmt.Errorf("error generating private key: %v", err)
+		return "", "", fmt.Errorf("error generating private key: %w", err)
 	}
 
 	{
 		derBytes, err := x509.MarshalECPrivateKey(privateKey)
 		if err != nil {
-			return "", "", fmt.Errorf("error marshaling private key: %v", err)
+			return "", "", fmt.Errorf("error marshaling private key: %w", err)
 		}
-		pemBlock := &pem.Block{
+		priv = string(pem.EncodeToMemory(&pem.Block{
 			Type:  "EC PRIVATE KEY",
 			Bytes: derBytes,
-		}
-		priv = string(pem.EncodeToMemory(pemBlock))
+		}))
 	}
 	{
 		derBytes, err := x509.MarshalPKIXPublicKey(privateKey.Public())
 		if err != nil {
-			return "", "", fmt.Errorf("error marshaling public key: %v", err)
+			return "", "", fmt.Errorf("error marshaling public key: %w", err)
 		}
-		pemBlock := &pem.Block{
+		pub = string(pem.EncodeToMemory(&pem.Block{
 			Type:  "PUBLIC KEY",
 			Bytes: derBytes,
-		}
-		pub = string(pem.EncodeToMemory(pemBlock))
+		}))
 	}
 
 	return pub, priv, nil
@@ -109,12 +107,11 @@ func SignJWT(privKey string, claims jwt.Claims, privateClaims interface{}) (stri
 // verification endpoint response
 func NewJWKS(pubKey string) (*jose.JSONWebKeySet, error) {
 	block, _ := pem.Decode([]byte(pubKey))
-	if block == nil {
+	if block == nil || block.Type != "PUBLIC KEY" {
 		return nil, fmt.Errorf("unable to decode public key")
 	}
-	input := block.Bytes
 
-	pub, err := x509.ParsePKIXPublicKey(input)
+	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
 	if err != nil {
 		return nil, err
 	}

diff --git a/test/integration/consul-container/test/jwtauth/jwt_auth_test.go b/test/integration/consul-container/test/jwtauth/jwt_auth_test.go
@@ -140,8 +140,7 @@ func makeJWKSAndJWT(t *testing.T, claims jwt.Claims) (string, string) {
 
 // configures the protocol to http as this is needed for jwt-auth
 func configureProxyDefaults(t *testing.T, cluster *libcluster.Cluster) {
-	node := cluster.Agents[0]
-	client := node.GetClient()
+	client := cluster.Agents[0].GetClient()
 
 	ok, _, err := client.ConfigEntries().Set(&api.ProxyConfigEntry{
 		Kind: api.ProxyDefaults,
@@ -156,8 +155,7 @@ func configureProxyDefaults(t *testing.T, cluster *libcluster.Cluster) {
 
 // creates a JWT local provider
 func configureJWTProvider(t *testing.T, cluster *libcluster.Cluster, jwks string, claims jwt.Claims) {
-	node := cluster.Agents[0]
-	client := node.GetClient()
+	client := cluster.Agents[0].GetClient()
 
 	jwksB64 := base64.StdEncoding.EncodeToString([]byte(jwks))
 
@@ -178,8 +176,7 @@ func configureJWTProvider(t *testing.T, cluster *libcluster.Cluster, jwks string
 
 // creates an intention referencing the jwt provider
 func configureIntentions(t *testing.T, cluster *libcluster.Cluster) {
-	node := cluster.Agents[0]
-	client := node.GetClient()
+	client := cluster.Agents[0].GetClient()
 
 	ok, _, err := client.ConfigEntries().Set(&api.ServiceIntentionsConfigEntry{
 		Kind: "service-intentions",