Use Ed25519 keys encoded as JWK for signing data (#43)

* Use Ed25519 keys encoded as JWK for signing data * Don't use ed25519 pointer as pointed out during review
dnstapir · Feb 19, 2025 · 3520372 · 3520372
1 parent 853ee60
commit 3520372
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/pkg/runner/aggregate_sender.go b/pkg/runner/aggregate_sender.go
@@ -2,7 +2,7 @@ package runner
 
 import (
 	"bufio"
-	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -22,12 +22,12 @@ import (
 type aggregateSender struct {
 	edm               *dnstapMinimiser
 	aggrecURL         *url.URL
-	signingKey        *ecdsa.PrivateKey
+	signingKey        ed25519.PrivateKey
 	caCertPool        *x509.CertPool
 	signingHTTPClient *httpsign.Client
 }
 
-func (edm *dnstapMinimiser) newAggregateSender(aggrecURL *url.URL, signingKeyName string, signingKey *ecdsa.PrivateKey, caCertPool *x509.CertPool, clientCertStore *certStore) aggregateSender {
+func (edm *dnstapMinimiser) newAggregateSender(aggrecURL *url.URL, signingKeyName string, signingKey ed25519.PrivateKey, caCertPool *x509.CertPool, clientCertStore *certStore) aggregateSender {
 	// Create HTTP handler for sending aggregate files to aggrec
 	httpClient := http.Client{
 		Transport: &http.Transport{
@@ -46,9 +46,10 @@ func (edm *dnstapMinimiser) newAggregateSender(aggrecURL *url.URL, signingKeyNam
 	}
 
 	// Create signer and wrapped HTTP client
-	signer, _ := httpsign.NewP256Signer(*signingKey,
+	signer, _ := httpsign.NewEd25519Signer(signingKey,
 		httpsign.NewSignConfig().SetKeyID(signingKeyName),
 		httpsign.Headers("content-type", "content-length", "content-digest")) // The Content-Digest header will be auto-generated, headers selected by https://github.com/dnstapir/aggregate-receiver/blob/main/aggrec/openapi.yaml
+
 	client := httpsign.NewClient(httpClient, httpsign.NewClientConfig().SetSignatureName("sig1").SetSigner(signer)) // sign requests, don't verify responses
 
 	return aggregateSender{

diff --git a/pkg/runner/runner.go b/pkg/runner/runner.go
@@ -3,12 +3,11 @@ package runner
 import (
 	"bufio"
 	"context"
-	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/binary"
 	"encoding/json"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -440,7 +439,7 @@ func (edm *dnstapMinimiser) setupHistogramSender(httpClientCertStore *certStore)
 		os.Exit(1)
 	}
 
-	httpSigningKey, err := ecdsaPrivateKeyFromFile(viper.GetString("http-signing-key-file"))
+	httpSigningKey, err := ed25519PrivateKeyFromFile(viper.GetString("http-signing-key-file"))
 	if err != nil {
 		edm.log.Error("unable to parse key material from 'http-signing-key-file'", "error", err)
 		os.Exit(1)
@@ -462,7 +461,7 @@ func (edm *dnstapMinimiser) setupHistogramSender(httpClientCertStore *certStore)
 }
 
 func (edm *dnstapMinimiser) setupMQTT(mqttClientCertStore *certStore) {
-	mqttSigningKey, err := ecdsaPrivateKeyFromFile(viper.GetString("mqtt-signing-key-file"))
+	mqttSigningKey, err := ed25519PrivateKeyFromFile(viper.GetString("mqtt-signing-key-file"))
 	if err != nil {
 		edm.log.Error("unable to parse key material from 'mqtt-signing-key-file'", "error", err)
 		os.Exit(1)
@@ -2176,23 +2175,27 @@ func (edm *dnstapMinimiser) writeHistogramParquet(prevWellKnownDomainsData *well
 	return nil
 }
 
-func ecdsaPrivateKeyFromFile(fileName string) (*ecdsa.PrivateKey, error) {
+func ed25519PrivateKeyFromFile(fileName string) (ed25519.PrivateKey, error) {
+	var rawKey ed25519.PrivateKey
+
 	fileName = filepath.Clean(fileName)
-	keyBytes, err := os.ReadFile(fileName)
+
+	keyFile, err := os.ReadFile(fileName)
 	if err != nil {
-		return nil, fmt.Errorf("ecdsaPrivateKeyFromFile: unable to read ECDSA private key file: %w", err)
+		return nil, fmt.Errorf("error reading signing key file")
 	}
 
-	pemBlock, _ := pem.Decode(keyBytes)
-	if pemBlock == nil || pemBlock.Type != "EC PRIVATE KEY" {
-		return nil, fmt.Errorf("ecdsaPrivateKeyFromFile: failed to decode PEM block containing ECDSA private key")
+	keyParsed, err := jwk.ParseKey(keyFile)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing signing key file")
 	}
-	privateKey, err := x509.ParseECPrivateKey(pemBlock.Bytes)
+
+	err = keyParsed.Raw(&rawKey)
 	if err != nil {
-		return nil, fmt.Errorf("unable to parse key material from: %w", err)
+		return nil, fmt.Errorf("error getting raw key from jwk")
 	}
 
-	return privateKey, nil
+	return rawKey, nil
 }
 
 func certPoolFromFile(fileName string) (*x509.CertPool, error) {