Merge pull request #5561 from mohamedawnallah/validateKeyAndHandleErrors

operator/pkg/certs: validate X509 Cert key types and improve error handling
karmada-io · Oct 19, 2024 · 4294e60 · 4294e60
2 parents 645fbe9 + ad7a70b
commit 4294e60
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 11 deletions.
diff --git a/operator/pkg/certs/certs.go b/operator/pkg/certs/certs.go
@@ -25,7 +25,6 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"math"
 	"math/big"
@@ -247,14 +246,20 @@ func (cert *KarmadaCert) KeyName() string {
 	return pair + keyExtension
 }
 
-// GeneratePrivateKey generates cert key with default size if 1024. it supports
-// ECDSA and RAS algorithm.
+// GeneratePrivateKey generates a certificate key. It supports both
+// ECDSA (using the P-256 elliptic curve) and RSA algorithms. For RSA,
+// the key is generated with a size of 3072 bits. If the keyType is
+// x509.UnknownPublicKeyAlgorithm, the function defaults to generating
+// an RSA key.
 func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error) {
-	if keyType == x509.ECDSA {
+	switch keyType {
+	case x509.ECDSA:
 		return ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+	case x509.RSA, x509.UnknownPublicKeyAlgorithm:
+		return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
+	default:
+		return nil, fmt.Errorf("unsupported key type: %T, supported key types are RSA and ECDSA", keyType)
 	}
-
-	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
 }
 
 // NewCertificateAuthority creates new certificate and private key for the certificate authority
@@ -428,7 +433,7 @@ func ParsePrivateKeyPEM(keyData []byte) (crypto.Signer, error) {
 	case *ecdsa.PrivateKey:
 		key = k
 	default:
-		return nil, errors.New("the private key is neither in RSA nor ECDSA format")
+		return nil, fmt.Errorf("the private key is in an unsupported format: %s, supported formats are RSA and ECDSA", caPrivateKey)
 	}
 
 	return key, nil

diff --git a/pkg/karmadactl/cmdinit/cert/cert.go b/pkg/karmadactl/cmdinit/cert/cert.go
@@ -54,13 +54,20 @@ const (
 // NewPrivateKey returns a new private key.
 var NewPrivateKey = GeneratePrivateKey
 
-// GeneratePrivateKey Generate CA Private Key
+// GeneratePrivateKey generates a certificate key. It supports both
+// ECDSA (using the P-256 elliptic curve) and RSA algorithms. For RSA,
+// the key is generated with a size of 3072 bits. If the keyType is
+// x509.UnknownPublicKeyAlgorithm, the function defaults to generating
+// an RSA key.
 func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error) {
-	if keyType == x509.ECDSA {
+	switch keyType {
+	case x509.ECDSA:
 		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case x509.RSA, x509.UnknownPublicKeyAlgorithm:
+		return rsa.GenerateKey(rand.Reader, rsaKeySize)
+	default:
+		return nil, fmt.Errorf("unsupported key type: %T, supported key types are RSA and ECDSA", keyType)
 	}
-
-	return rsa.GenerateKey(rand.Reader, rsaKeySize)
 }
 
 // CertsConfig is a wrapper around certutil.Config extending it with PublicKeyAlgorithm.