gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
21aeed4f4e46c08a3c53a202ace54fd642a9b85f
certctl/internal/crypto/signer/parse.go
T
shankar0123 21aeed4f4e legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) 
Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
2026-05-13 21:23:35 +00:00

72 lines
2.8 KiB
Go
Raw Blame History

// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
package signer
import (
"crypto"
"encoding/pem"
"fmt"
"crypto/x509"
)
// parsePrivateKey parses a PEM block into a crypto.Signer. Recognises the
// three PEM block types historically produced and consumed by certctl's
// local CA:
//
// - "RSA PRIVATE KEY" (PKCS#1 / RFC 3447, openssl genrsa default)
// - "EC PRIVATE KEY" (SEC 1 / RFC 5915, openssl ecparam default)
// - "PRIVATE KEY" (PKCS#8 / RFC 5208 — wraps RSA, ECDSA, others)
//
// This function is the single source of truth for PEM private-key parsing
// inside certctl. It was moved here from
// internal/connector/issuer/local/local.go as part of the Signer
// abstraction work; the local package now calls into here. Do not
// reintroduce a parallel implementation elsewhere.
//
// Behavior preserved exactly across the move:
// - Block type matching is case-sensitive (PEM convention).
// - PKCS#8 blocks that contain a non-Signer key (e.g., a Diffie-Hellman
// key, an Ed25519 key absent stdlib Signer support) return an error
// rather than a panic.
// - The error wrapping format is intentionally stable so existing test
// assertions in internal/connector/issuer/local/local_test.go and
// bundle9_coverage_test.go continue to match without modification.
func parsePrivateKey(block *pem.Block) (crypto.Signer, error) {
switch block.Type {
case "RSA PRIVATE KEY":
return x509.ParsePKCS1PrivateKey(block.Bytes)
case "EC PRIVATE KEY":
return x509.ParseECPrivateKey(block.Bytes)
case "PRIVATE KEY":
// PKCS#8 — can contain RSA or ECDSA
key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse PKCS#8 key: %w", err)
}
signer, ok := key.(crypto.Signer)
if !ok {
return nil, fmt.Errorf("PKCS#8 key is not a signing key")
}
return signer, nil
default:
return nil, fmt.Errorf("unsupported private key type: %s (expected RSA PRIVATE KEY, EC PRIVATE KEY, or PRIVATE KEY)", block.Type)
}
}
// ParsePrivateKey is the exported wrapper used by callers outside this
// package. It exists so that internal/connector/issuer/local/ (and any
// future caller that needs to load a PEM private key without going
// through a Driver — e.g., a one-off tool, a migration helper) can
// share the parser without re-implementing the block-type dispatch.
//
// Most callers should use a Driver instead — Driver.Load handles the
// file-read + PEM decode + key parse + Signer wrap in one call.
// ParsePrivateKey is exposed for the corner cases where a caller
// already holds the *pem.Block (e.g., the block was extracted from a
// multi-block PEM bundle).
func ParsePrivateKey(block *pem.Block) (crypto.Signer, error) {
return parsePrivateKey(block)
}
Reference in New Issue View Git Blame Copy Permalink