Allow PKCS8 encoded private keys (open-policy-agent#3117)

Fixes open-policy-agent#3116 Signed-off-by: Anders Eknert <anders@eknert.com>
pcaruana · Feb 3, 2021 · fe97f33 · fe97f33
1 parent 01d2554
commit fe97f33
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 1 deletion.
diff --git a/bundle/keys_test.go b/bundle/keys_test.go
@@ -164,8 +164,38 @@ zTj3rbKGqKWYIxFHsQCY5+3bHZVQyXTwS+N+n1zetBd5Jhhf/lT6CWyuNyfh2M1Z
 EXrJfkELSzO66/ZSjyyWEczXHLyr+Q719BsaGsxie117zSNF6B6UXiitjCr/qQ==
 -----END RSA PRIVATE KEY-----`
 
+	pkcs8privateKey := `-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDa6aUuhBZnXWnm
+Cfy8ZIMchsnabGGatVW5LjEQnwHjREArZ49Y/THMcZdnhZ1cn5WuyRyCoUqXd9uv
+IOyMH2M2fFPwR1np4ylDpS+AIJbpGIHuqmcvBfMrD1ADn6HoNCwdARyziot+9js+
+A6brtDSbuw+kvTqsndF97rLvzBCxiM1vMGlQ91u6Qcwxrw6eydisRpzXRkSTeJB2
+rR54sVNbV8PY5/LVtjqF5VJ1ZzIgByU1gKuVz7ngX/CLSqM2O4C1mKAet3Ib1+Ws
+r9wc0b5EGx1kdKumtfqBSFc78ShuhV1URlbYxs8GpNOcD8szI5hRlLYhb4zq3Viz
+OxKjOKmBAgMBAAECggEBAK+DJCxnOo8lFgKZf0iMTZJRfwTgYGDpghE2N6Bb2+ea
+kNg773IpjgOcDwew2LmqORgppfIV3vgR4NBIVV8Cy0ij5ah/jFc5CZxyk+LmPhgk
+zgfMF25cFtovLLe7BNRm//dBLQHF0pG4WUcfJnVTxdoV4DT0glZjMdMFzfD0a23q
+BS+Eu68mItCy6Mll7ys+Z9F1+iTwMCVAxKi7/bavqa5tifhk+i9/9ioGBKo+gbHz
+fbOrWGrlfSn1eJX539ekVTA3TnWe+IMHjBSIYJcUtHFa5ngdnG2p0vFSVGwcoQPP
+1Sbd1A1qbe6lz25V+Km+QFvYMXC3WBSMykOeFFCweQECgYEA7iQzaU81VUruw3ZQ
+3tfbyu79hQZV9WNTJhMi8dlPU7BnAxtZeAXzYf0eTokquphq1KVdtie5IjVg7djO
+AaKIXCOB9GdL+l+wwbmgn0iHXbpVrWZCYXd+SC99xdUQs+m28pgt/IF1Dp78bv4G
+KFZSDUSmOj0i//AFm72r8aOYe5sCgYEA61RLXewT8eZU784BTVDXgpe4+l/bANFt
+jWv0oK7AofoHPZfo+K9cYxZcJazsHc2Cg4KHTeCI1VUAFujO//i1G22Lm5hUKyy3
+v7hWsjruBhUT5hQA7EXzGCaUSMGwD1UsJs3umC56nzr42cL2HRhrX+SWfMipHepy
+3y3NED6WxxMCgYAz3vi/0Hv6dxboxmW5FGWQn1vjVMz2ZUsgOPzclwv7W6okeBmV
+1h38Uwj97Ey9ViO268osuhxOQjg5toawvnlbMHTHCpT3FU7H86nz5/VsSgENgv+k
+gUWlbYrEw7MerSKnVtR1crFPnPu5JWWr9ZlrwG9Asj5kZyChmr/QI2U8TwKBgQDN
+BA/w0EYD/T1L+bXKrL5D6Hhfr/i0ur9tcHqbLgNmWdPLBjgRx3x+WrGGpSLDSBIH
+DkVgRFgROs8sJkCIYh0tuv7gXBIf1wJyBV+KQKqzI9PFIvI25S3GgX238P24LeSc
+HdZaQEvVwuOfmykc6fRJg3TTW2FyTZkr89Pt7gkffwKBgHGeJkFc6LFeHIwa3SbS
+qAVebnCAfNo9hHxz3xYA0PaCF3Kr1X9z4X2tF2Za7nWfVbfWViAncLrJgjnHRdrs
+f10hbJEuLFhD1c2dNjwqflANV5OanG1syqYqil5TgWm1AaRFj+PbRPk0FRfF9y+e
+tKaHBn4eyNlKjQaEn16ZxKJm
+-----END PRIVATE KEY-----`
+
 	files := map[string]string{
 		"private.pem": privateKey,
+		"pkcs8.pem":   pkcs8privateKey,
 	}
 
 	test.WithTempFS(files, func(rootDir string) {
@@ -182,6 +212,18 @@ EXrJfkELSzO66/ZSjyyWEczXHLyr+Q719BsaGsxie117zSNF6B6UXiitjCr/qQ==
 			t.Fatalf("Expected key type *rsa.PrivateKey but got %T", result)
 		}
 
+		sc = NewSigningConfig(filepath.Join(rootDir, "pkcs8.pem"), "", "")
+
+		result, err = sc.GetPrivateKey()
+		if err != nil {
+			t.Fatalf("Unexpected error %v", err)
+		}
+
+		_, ok = result.(*rsa.PrivateKey)
+		if !ok {
+			t.Fatalf("Expected key type *rsa.PrivateKey but got %T", result)
+		}
+
 		// key file does not exist, check that error generated with RS56 as the signing algorithm
 		sc = NewSigningConfig("private.pem", "", "")
 		_, err = sc.GetPrivateKey()

diff --git a/internal/jwx/jws/sign/sign.go b/internal/jwx/jws/sign/sign.go
@@ -37,7 +37,11 @@ func GetSigningKey(key string, alg jwa.SignatureAlgorithm) (interface{}, error)
 
 		priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
-			return nil, err
+			pkcs8priv, err2 := x509.ParsePKCS8PrivateKey(block.Bytes)
+			if err2 != nil {
+				return nil, fmt.Errorf("error parsing private key (%v), (%v)", err, err2)
+			}
+			return pkcs8priv, nil
 		}
 		return priv, nil
 	case jwa.ES256, jwa.ES384, jwa.ES512:

diff --git a/plugins/rest/rest_test.go b/plugins/rest/rest_test.go
@@ -1123,7 +1123,47 @@ func TestOauth2JwtBearerGrantType(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Unexpected error %v", err)
 	}
+}
+
+func TestOauth2JwtBearerGrantTypePKCS8EncodedPrivateKey(t *testing.T) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("Unexpected error %v", err)
+	}
+
+	privateKey, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		t.Fatalf("Unexpected error %v", err)
+	}
 
+	keyPem := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKey})
+	keys := map[string]*keys.Config{
+		"key1": {
+			PrivateKey: string(keyPem),
+			Algorithm:  "RS256",
+		},
+	}
+
+	ts := testServer{t: t, expBearerToken: "token_1"}
+	ts.start()
+	defer ts.stop()
+
+	ots := oauth2TestServer{
+		t:                t,
+		tokenTTL:         300,
+		expGrantType:     "urn:ietf:params:oauth:grant-type:jwt-bearer",
+		expScope:         &[]string{"scope1", "scope2"},
+		expJwtCredential: true,
+		expAlgorithm:     jwa.RS256,
+		verificationKey:  &key.PublicKey,
+	}
+	ots.start()
+	defer ots.stop()
+
+	client := newOauth2JwtBearerTestClient(t, keys, &ts, &ots, func(c *Config) {
+		c.Credentials.OAuth2.SigningKeyID = "key1"
+	})
+	ctx := context.Background()
 	_, err = client.Do(ctx, "GET", "test")
 	if err != nil {
 		t.Fatalf("Unexpected error %v", err)