Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions crypto/spiffe/spiffe.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,9 @@ package spiffe
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
Expand Down Expand Up @@ -58,6 +60,11 @@ const (
// certificates are consumed by systems that do not accept Ed25519, such
// as the Kubernetes API server when calling admission webhooks.
KeyAlgorithmRSA

// KeyAlgorithmECDSA generates an ECDSA P-256 private key. Used by workloads
// whose certificates are consumed by systems that accept neither Ed25519
// nor RSA-only paths and require ECDSA, such as AWS IAM Roles Anywhere.
KeyAlgorithmECDSA
)

// SVIDResponse represents the response from the SVID request function,
Expand Down Expand Up @@ -373,6 +380,8 @@ func generatePrivateKey(alg KeyAlgorithm) (crypto.Signer, error) {
switch alg {
case KeyAlgorithmRSA:
return rsa.GenerateKey(rand.Reader, rsaKeyBits)
case KeyAlgorithmECDSA:
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
case KeyAlgorithmEd25519:
_, key, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
Expand Down
11 changes: 11 additions & 0 deletions crypto/spiffe/spiffe_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@ package spiffe

import (
"context"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rsa"
"crypto/x509"
"errors"
Expand Down Expand Up @@ -138,6 +140,7 @@ func Test_fetchIdentity_keyAlgorithm(t *testing.T) {

rsaAlg := KeyAlgorithmRSA
edAlg := KeyAlgorithmEd25519
ecdsaAlg := KeyAlgorithmECDSA

tests := map[string]struct {
alg *KeyAlgorithm
Expand All @@ -163,6 +166,14 @@ func Test_fetchIdentity_keyAlgorithm(t *testing.T) {
assert.Equal(t, rsaKeyBits, rsaKey.N.BitLen())
},
},
"ECDSA generates an ECDSA P-256 private key": {
alg: &ecdsaAlg,
assert: func(t *testing.T, key any) {
ecKey, ok := key.(*ecdsa.PrivateKey)
require.True(t, ok, "expected *ecdsa.PrivateKey, got %T", key)
assert.Equal(t, elliptic.P256(), ecKey.Curve)
},
},
}

for name, tc := range tests {
Expand Down
Loading