add multiple key type support

Signed-off-by: nyagamunene <[email protected]>
absmach · Dec 1, 2024 · 8588a8f · 8588a8f
1 parent 5374de7
commit 8588a8f
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 22 deletions.
diff --git a/api/http/endpoint.go b/api/http/endpoint.go
@@ -335,7 +335,7 @@ func signCSREndpoint(svc certs.Service) endpoint.Endpoint {
 			return signCSRRes{signed: false}, err
 		}
 
-		cert, err := svc.SignCSR(ctx, req.entityID, req.ttl, certs.CSR{CSR: req.CSR})
+		cert, err := svc.SignCSR(ctx, req.entityID, req.ttl, certs.CSR{CSR: []byte(req.CSR), PrivateKey: []byte(req.PrivateKey)})
 		if err != nil {
 			return signCSRRes{signed: false}, err
 		}

diff --git a/api/http/requests.go b/api/http/requests.go
@@ -106,9 +106,10 @@ func (req createCSRReq) validate() error {
 }
 
 type SignCSRReq struct {
-	entityID string
-	ttl      string
-	CSR      []byte `json:"csr"`
+	entityID   string
+	ttl        string
+	CSR        string `json:"csr"`
+	PrivateKey string `json:"private_key"`
 }
 
 func (req SignCSRReq) validate() error {

diff --git a/api/http/transport.go b/api/http/transport.go
@@ -328,8 +328,14 @@ func decodeSignCSR(_ context.Context, r *http.Request) (interface{}, error) {
 		ttl:      t,
 	}
 
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, err
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		return nil, errors.Wrap(ErrInvalidRequest, errors.New("failed to read request body"))
+	}
+	defer r.Body.Close()
+
+	if err := json.Unmarshal(body, &req); err != nil {
+		return nil, errors.Wrap(ErrInvalidRequest, errors.New("failed to decode JSON"))
 	}
 
 	return req, nil

diff --git a/cli/certs.go b/cli/certs.go
@@ -270,22 +270,28 @@ var cmdCerts = []cobra.Command{
 		},
 	},
 	{
-		Use:   "sign <entity_id> <ttl> <path_to_csr>",
+		Use:   "sign <entity_id> <ttl> <path_to_csr> <private_key_path>",
 		Short: "Sign CSR",
-		Long:  `Signs a CSR for a given csr id.`,
+		Long:  `Signs a CSR for a given csr.`,
 		Run: func(cmd *cobra.Command, args []string) {
-			if len(args) != 3 {
+			if len(args) != 4 {
 				logUsageCmd(*cmd, cmd.Use)
 				return
 			}
 
-			data, err := os.ReadFile(args[2])
+			csrData, err := os.ReadFile(args[2])
 			if err != nil {
 				logErrorCmd(*cmd, err)
 				return
 			}
 
-			cert, err := sdk.SignCSR(args[0], args[1], string(data))
+			privData, err := os.ReadFile(args[3])
+			if err != nil {
+				logErrorCmd(*cmd, err)
+				return
+			}
+
+			cert, err := sdk.SignCSR(args[0], args[1], string(csrData), string(privData))
 			if err != nil {
 				logErrorCmd(*cmd, err)
 				return

diff --git a/sdk/sdk.go b/sdk/sdk.go
@@ -275,9 +275,9 @@ type SDK interface {
 	// SignCSR processes a pending CSR and either signs or rejects it
 	//
 	// example:
-	//	certs, err := sdk.SignCSR( "entityID", "ttl", "csrFile")
+	//	certs, err := sdk.SignCSR( "entityID", "ttl", "csrFile", "privKey")
 	//	fmt.Println(err)
-	SignCSR(entityID, ttl string, csr string) (Certificate, errors.SDKError)
+	SignCSR(entityID, ttl string, csr, privKey string) (Certificate, errors.SDKError)
 }
 
 func (sdk mgSDK) IssueCert(entityID, ttl string, ipAddrs []string, opts Options) (Certificate, errors.SDKError) {
@@ -591,13 +591,14 @@ func (sdk mgSDK) CreateCSR(pm PageMetadata, privKey string) (CSR, errors.SDKErro
 	return csr, nil
 }
 
-func (sdk mgSDK) SignCSR(entityID, ttl string, csr string) (Certificate, errors.SDKError) {
+func (sdk mgSDK) SignCSR(entityID, ttl string, csr, privKey string) (Certificate, errors.SDKError) {
 	pm := PageMetadata{
 		TTL: ttl,
 	}
 
 	r := csrReq{
-		CSR: csr,
+		CSR:        csr,
+		PrivateKey: privKey,
 	}
 
 	d, err := json.Marshal(r)
@@ -731,9 +732,9 @@ type certReq struct {
 }
 
 type csrReq struct {
-	Metadata   meta   `json:"metadata"`
-	PrivateKey string `json:"private_key"`
-	CSR        string `json:"csr"`
+	Metadata   meta   `json:"metadata,omitempty"`
+	PrivateKey string `json:"private_key,omitempty"`
+	CSR        string `json:"csr,omitempty"`
 }
 
 type meta struct {

diff --git a/service.go b/service.go
@@ -829,16 +829,32 @@ func (s *service) loadCACerts(ctx context.Context) error {
 	return nil
 }
 
-func extractPrivateKey(pemKey []byte) (*rsa.PrivateKey, error) {
+func extractPrivateKey(pemKey []byte) (any, error) {
 	block, _ := pem.Decode(pemKey)
 	if block == nil {
 		return nil, errors.New("failed to parse private key PEM")
 	}
 
-	privKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	var (
+		privateKey any
+		err        error
+	)
+
+	switch block.Type {
+	case "RSA PRIVATE KEY":
+		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
+	case "EC PRIVATE KEY":
+		privateKey, err = x509.ParseECPrivateKey(block.Bytes)
+	case "PRIVATE KEY", "PKCS8 PRIVATE KEY":
+		privateKey, err = x509.ParsePKCS8PrivateKey(block.Bytes)
+	case "ED25519 PRIVATE KEY":
+		privateKey, err = x509.ParsePKCS8PrivateKey(block.Bytes)
+	default:
+		err = errors.New("unsupported private key type")
+	}
 	if err != nil {
-		return nil, err
+		return nil, errors.New("failed to parse key")
 	}
 
-	return privKey, nil
+	return privateKey, nil
 }