Support parse PKCS8 private key #5600
base: master
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Welcome @biningo! It looks like this is your first PR to kubeedge/kubeedge 🎉
cbba52b to 26ae2a2
Signed-off-by: biningo <biningo.cn@gmail.com>
26ae2a2 to 59076dd
Can you explain in detail under what circumstances you need to parse other types of private keys? If we use ECPrivateKey by default, it seems we don't need to parse other types?
Hi @wbc6080, KubeEdge allows users to generate the CA private key and CA certificate themselves; if a user supplies a PKCS1 or PKCS8 format private key, it fails to parse. kubeedge/cloud/pkg/cloudhub/servers/httpserver/server.go Lines 265 to 301 in 58bf767
93855f4 to 4304020
Signed-off-by: biningo <biningo.cn@gmail.com>
Signed-off-by: biningo <biningo.cn@gmail.com>
4304020 to 48f1db4
caKeyEc, ecErr := x509.ParseECPrivateKey(der) | ||
if ecErr == nil { | ||
return caKeyEc, nil | ||
} | ||
|
||
caKeyPKCS1, pkcs1Err := x509.ParsePKCS1PrivateKey(der) | ||
if pkcs1Err == nil { | ||
return caKeyPKCS1, nil | ||
} |
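Review bot: `ecErr` and `pkcs1Err` are discarded after each failed attempt, so when every parser rejects the input the caller only sees whichever error the final fallthrough returns and cannot tell whether the file was PKCS#1, PKCS#8, SEC 1 or simply not DER; keep each attempt's error and return them together from the last fallthrough, e.g. `return nil, errors.Join(fmt.Errorf("ec: %w", ecErr), fmt.Errorf("pkcs1: %w", pkcs1Err), ...)`. A short comment that the attempts may be tried in any order because a well-formed DER blob parses under at most one of these structures would also help the next reader, and since a key of the wrong algorithm still parses successfully here, the returned key should be compared against `caCert.PublicKey` before it is used rather than relying on `CreateCertificate` to fail later.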
Is there a way to distinguish the encryption type of the key that needs to be parsed? Or, to put it another way, if the ParseECPrivateKey method is called on a PKCS1 secret key, an error will be reported, right?
yeah
If the private key is not in the correct format, it will return err.
Parsing the private key format is the same as parsing the private key.
We can distinguish the encryption type of the key from caCert.PublicKey type.
If the provided PrivateKey doesn't match the parent's PublicKey, CreateCertificate will fail:
https://github.com/golang/go/blob/go1.22.3/src/crypto/x509/x509.go#L1648
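The two points raised in this thread (try each DER structure in turn and report why all of them failed; then verify the parsed key against the CA certificate's public key before handing it to CreateCertificate) as a self-contained Go program. This is an added example, not KubeEdge's code and not the PR's diff: `ParsePrivateKeyDER`, `KeyMatchesCert`, `newTestCA` and `SelfCheck` are names chosen here, the CA keys and certificates are generated at run time as constructed test material, and PKCS#8 is exercised with the EC key only.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParsePrivateKeyDER accepts PKCS#8, PKCS#1 and SEC 1 ("EC PRIVATE KEY") DER. A well-formed
// blob parses under at most one structure, so order only decides which error is listed first.
func ParsePrivateKeyDER(der []byte) (crypto.Signer, error) {
	key, pkcs8Err := x509.ParsePKCS8PrivateKey(der)
	if pkcs8Err == nil {
		if signer, ok := key.(crypto.Signer); ok {
			return signer, nil
		}
		return nil, fmt.Errorf("pkcs8: key type %T cannot sign", key)
	}
	rsaKey, pkcs1Err := x509.ParsePKCS1PrivateKey(der)
	if pkcs1Err == nil {
		return rsaKey, nil
	}
	ecKey, ecErr := x509.ParseECPrivateKey(der)
	if ecErr == nil {
		return ecKey, nil
	}
	// All three attempts are reported so an operator can see which format was expected.
	return nil, errors.Join(fmt.Errorf("pkcs8: %w", pkcs8Err),
		fmt.Errorf("pkcs1: %w", pkcs1Err), fmt.Errorf("ec: %w", ecErr))
}

// KeyMatchesCert reports whether key is the private half of cert.PublicKey, using the Equal
// method of *rsa.PublicKey, *ecdsa.PublicKey and ed25519.PublicKey (clearer than failing later).
func KeyMatchesCert(key crypto.Signer, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(key.Public())
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestCA issues a throwaway self-signed CA certificate for key (constructed test material).
func newTestCA(key crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// SelfCheck builds a constructed ECDSA CA and RSA CA, encodes the keys in each DER format,
// and reports per label whether the key parsed and matched its own certificate.
func SelfCheck() map[string]bool {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	ecCert, rsaCert := newTestCA(ecKey), newTestCA(rsaKey)
	ecPKCS8, err := x509.MarshalPKCS8PrivateKey(ecKey)
	check(err)
	ecSEC1, err := x509.MarshalECPrivateKey(ecKey)
	check(err)
	rsaPKCS1 := x509.MarshalPKCS1PrivateKey(rsaKey)
	cases := map[string]struct {
		der  []byte
		cert *x509.Certificate
	}{
		"ec/pkcs8":        {ecPKCS8, ecCert},
		"ec/sec1":         {ecSEC1, ecCert},
		"rsa/pkcs1":       {rsaPKCS1, rsaCert},
		"ec-key/rsa-cert": {ecSEC1, rsaCert}, // deliberately the wrong key for this CA
	}
	out := make(map[string]bool, len(cases))
	for label, c := range cases {
		key, err := ParsePrivateKeyDER(c.der)
		out[label] = err == nil && KeyMatchesCert(key, c.cert)
	}
	return out
}

func main() {
	for label, ok := range SelfCheck() {
		fmt.Printf("%-16s parsed and matches its CA certificate: %v\n", label, ok)
	}
}
```

Run it with `go run .`; the three well-formed cases print `true` and the mismatched EC-key/RSA-certificate case prints `false` before any certificate is issued, which is the check the thread suggests doing against `caCert.PublicKey`. Feeding `ParsePrivateKeyDER` something that is not DER returns one error that names all three parsers, so a log line is enough to tell a wrong format from a corrupt file.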
tls.X509KeyPair is better, but look here:
What type of PR is this?
/kind feature
What this PR does / why we need it:
PKCS8 private key cannot be parsed
Which issue(s) this PR fixes:
Fixes #5599
Special notes for your reviewer:
Does this PR introduce a user-facing change?: