Support PKCS1 and PKCS8 private keys (#843)

* Support PKCS1 and PKCS8 private keys for server ca cert
hashicorp · Nov 5, 2021 · a3d023d · a3d023d
1 parent f5042fd
commit a3d023d
Show file tree

Hide file tree

Showing 3 changed files with 184 additions and 54 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## UNRELEASED
 
+IMPROVEMENTS:
+* Control Plane
+  * TLS: Support PKCS1 and PKCS8 private keys for Consul certificate authority. [[GH-843](https://github.com/hashicorp/consul-k8s/pull/843)]
+
 BUG FIXES:
 * Control Plane
   * ACLs: Fix issue where if one or more servers fail to have their ACL tokens set on the initial run of server-acl-init

diff --git a/control-plane/helper/cert/tls_util.go b/control-plane/helper/cert/tls_util.go
@@ -17,6 +17,9 @@ import (
 	"time"
 )
 
+// NOTE: A lot of this code is taken from
+// https://github.com/hashicorp/consul/blob/44c023a3020fdd139c5be330f318a3c12339f08e/agent/connect/parsing.go.
+
 // GenerateCA generates a CA with the provided
 // common name valid for 10 years. It returns the private key as
 // a crypto.Signer and a PEM string and certificate
@@ -162,6 +165,22 @@ func ParseSigner(pemValue string) (crypto.Signer, error) {
 	switch block.Type {
 	case "EC PRIVATE KEY":
 		return x509.ParseECPrivateKey(block.Bytes)
+
+	case "RSA PRIVATE KEY":
+		return x509.ParsePKCS1PrivateKey(block.Bytes)
+
+	case "PRIVATE KEY":
+		signer, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		pk, ok := signer.(crypto.Signer)
+		if !ok {
+			return nil, fmt.Errorf("private key is not a valid format")
+		}
+
+		return pk, nil
+
 	default:
 		return nil, fmt.Errorf("unknown PEM block type for signing key: %s", block.Type)
 	}