consolidate (un)marshalling of keys to/from PEM format

api/utils/keys/publickey.go

@@ -0,0 +1,89 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package keys
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+
+	"github.com/gravitational/trace"
+)
+
+const (
+	// PKCS1PublicKeyType is the PEM encoding type commonly used for PKCS#1, ASN.1 DER form public keys.
+	PKCS1PublicKeyType = "RSA PUBLIC KEY"
+	// PKIXPublicKeyType is the PEM encoding type commonly used for PKIX, ASN.1 DER form public keys.
+	PKIXPublicKeyType = "PUBLIC KEY"
+)
+
+// MarshalPublicKey returns a PEM encoding of the given public key. Encodes RSA keys in PKCS1 format for
+// backward compatibility. Only supports *rsa.PublicKey, *ecdsa.PublicKey, and ed25519.PublicKey.
+func MarshalPublicKey(pub crypto.PublicKey) ([]byte, error) {
+	switch pubKey := pub.(type) {
+	case *rsa.PublicKey:
+		pubPEM := pem.EncodeToMemory(&pem.Block{
+			Type:  PKCS1PublicKeyType,
+			Bytes: x509.MarshalPKCS1PublicKey(pubKey),
+		})
+		return pubPEM, nil
+	case *ecdsa.PublicKey, ed25519.PublicKey:
+		der, err := x509.MarshalPKIXPublicKey(pubKey)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		pubPEM := pem.EncodeToMemory(&pem.Block{
+			Type:  PKIXPublicKeyType,
+			Bytes: der,
+		})
+		return pubPEM, nil
+	default:
+		return nil, trace.BadParameter("unsupported public key type %T", pub)
+	}
+}
+
+// ParsePublicKey parses a PEM-encoded public key. Supports PEM encodings of PKCS#1 or PKIX ASN.1 DER form
+// public keys.
+func ParsePublicKey(keyPEM []byte) (crypto.PublicKey, error) {
+	block, _ := pem.Decode(keyPEM)
+	if block == nil {
+		return nil, trace.BadParameter("failed to decode public key PEM block")
+	}
+
+	switch block.Type {
+	case PKCS1PublicKeyType:
+		pub, pkcs1Err := x509.ParsePKCS1PublicKey(block.Bytes)
+		if pkcs1Err != nil {
+			// Failed to parse as PKCS#1. We have been known to stuff PKIX DER encoded RSA public keys into
+			// "RSA PUBLIC KEY" PEM blocks, so try to parse as PKIX.
+			pub, pkixErr := x509.ParsePKIXPublicKey(block.Bytes)
+			if pkixErr != nil {
+				// Parsing as both formats failed. We really should expect PKCS#1 in this PEM block, so return
+				// that error.
+				return nil, trace.Wrap(pkcs1Err)
+			}
+			return pub, nil
+		}
+		return pub, nil
+	case PKIXPublicKeyType:
+		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
+		return pub, trace.Wrap(err)
+	default:
+		return nil, trace.BadParameter("unsupported public key type %q", block.Type)
+	}
+}

integration/kube/fixtures.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/client-go/rest"
 
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/integration/helpers"
 	"github.com/gravitational/teleport/lib/auth/native"
 	"github.com/gravitational/teleport/lib/services"
@@ -91,7 +92,7 @@ func ProxyClient(cfg ProxyConfig) (*kubernetes.Clientset, *rest.Config, error) {
 	if err != nil {
 		return nil, nil, trace.Wrap(err)
 	}
-	priv, err := tlsca.ParsePrivateKeyPEM(privPEM)
+	priv, err := keys.ParsePrivateKey(privPEM)
 	if err != nil {
 		return nil, nil, trace.Wrap(err)
 	}

lib/auth/auth.go

@@ -4252,7 +4252,7 @@ func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequ
 	if _, _, _, _, err := ssh.ParseAuthorizedKey(req.PublicSSHKey); err != nil {
 		return nil, trace.BadParameter("failed to parse SSH public key")
 	}
-	cryptoPubKey, err := tlsca.ParsePublicKeyPEM(req.PublicTLSKey)
+	cryptoPubKey, err := keys.ParsePublicKey(req.PublicTLSKey)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/auth/integration/integrationv1/awsoidc_test.go

@@ -26,12 +26,12 @@ import (
 
 	integrationv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/authz"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/integrations/awsoidc"
 	"github.com/gravitational/teleport/lib/jwt"
 	"github.com/gravitational/teleport/lib/tlsca"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 func TestGenerateAWSOIDCToken(t *testing.T) {
@@ -114,7 +114,7 @@ func TestGenerateAWSOIDCToken(t *testing.T) {
 	require.NotEmpty(t, ca.GetActiveKeys().JWT)
 	jwtPubKey := ca.GetActiveKeys().JWT[0].PublicKey
 
-	publicKey, err := utils.ParsePublicKey(jwtPubKey)
+	publicKey, err := keys.ParsePublicKey(jwtPubKey)
 	require.NoError(t, err)
 
 	// Validate JWT against public key

lib/auth/keystore/aws_kms_test.go

@@ -40,10 +40,10 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/cloud"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 // TestAWSKMS_deleteUnusedKeys tests the AWS KMS keystore's deleteUnusedKeys
@@ -298,7 +298,7 @@ func (f *fakeAWSKMSService) Sign(input *kms.SignInput) (*kms.SignOutput, error)
 	default:
 		return nil, trace.BadParameter("unsupported SigningAlgorithm %q", aws.StringValue(input.SigningAlgorithm))
 	}
-	signer, err := utils.ParsePrivateKeyPEM(testRawPrivateKey)
+	signer, err := keys.ParsePrivateKey(testRawPrivateKey)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/auth/keystore/gcp_kms_test.go

@@ -46,14 +46,14 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/api/utils/grpc/interceptors"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/auth/keystore/internal/faketime"
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/cloud"
 	"github.com/gravitational/teleport/lib/jwt"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/tlsca"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 const (
@@ -160,7 +160,7 @@ func (f *fakeGCPKMSServer) GetPublicKey(ctx context.Context, req *kmspb.GetPubli
 		return nil, trace.BadParameter("cannot fetch public key, state has value %s", keyState.cryptoKeyVersion.State)
 	}
 
-	signer, err := utils.ParsePrivateKeyPEM([]byte(keyState.pem))
+	signer, err := keys.ParsePrivateKey([]byte(keyState.pem))
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -192,7 +192,7 @@ func (f *fakeGCPKMSServer) AsymmetricSign(ctx context.Context, req *kmspb.Asymme
 		return nil, trace.BadParameter("cannot fetch key, state has value %s", keyState.cryptoKeyVersion.State)
 	}
 
-	signer, err := utils.ParsePrivateKeyPEM([]byte(keyState.pem))
+	signer, err := keys.ParsePrivateKey([]byte(keyState.pem))
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/auth/keystore/keystore_test.go

@@ -35,6 +35,7 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/cloud"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
@@ -188,7 +189,7 @@ func TestBackends(t *testing.T) {
 				var err error
 				rawPrivateKeys[i], signer, err = backend.generateRSA(ctx)
 				require.NoError(t, err)
-				rawPublicKeys[i], err = utils.MarshalPublicKey(signer)
+				rawPublicKeys[i], err = keys.MarshalPublicKey(signer.Public())
 				require.NoError(t, err)
 			}
 
@@ -307,7 +308,7 @@ func TestManager(t *testing.T) {
 
 			jwtSigner, err := manager.GetJWTSigner(ctx, ca)
 			require.NoError(t, err, trace.DebugReport(err))
-			pubkeyPem, err := utils.MarshalPublicKey(jwtSigner)
+			pubkeyPem, err := keys.MarshalPublicKey(jwtSigner.Public())
 			require.NoError(t, err)
 			require.Equal(t, jwtKeyPair.PublicKey, pubkeyPem)
 

lib/auth/keystore/manager.go

@@ -35,11 +35,11 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/auth/keystore/internal/faketime"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/tlsca"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 // Manager provides an interface to interact with teleport CA private keys,
@@ -309,7 +309,7 @@ func (m *Manager) GetJWTSigner(ctx context.Context, ca types.CertAuthority) (cry
 			if !canSign {
 				continue
 			}
-			pub, err := utils.ParsePublicKey(keyPair.PublicKey)
+			pub, err := keys.ParsePublicKey(keyPair.PublicKey)
 			if err != nil {
 				return nil, trace.Wrap(err)
 			}
@@ -368,7 +368,7 @@ func (m *Manager) NewJWTKeyPair(ctx context.Context) (*types.JWTKeyPair, error)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	publicKey, err := utils.MarshalPublicKey(signer)
+	publicKey, err := keys.MarshalPublicKey(signer.Public())
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/auth/keystore/software.go

@@ -25,8 +25,8 @@ import (
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/auth/native"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 type softwareKeyStore struct {
@@ -81,7 +81,7 @@ func (s *softwareKeyStore) getSigner(ctx context.Context, rawKey []byte, publicK
 }
 
 func (s *softwareKeyStore) getSignerWithoutPublicKey(ctx context.Context, rawKey []byte) (crypto.Signer, error) {
-	signer, err := utils.ParsePrivateKeyPEM(rawKey)
+	signer, err := keys.ParsePrivateKey(rawKey)
 	return signer, trace.Wrap(err)
 }
 

lib/auth/rotate.go

@@ -20,7 +20,6 @@ package auth
 
 import (
 	"context"
-	"crypto/rsa"
 	"crypto/x509/pkix"
 	"fmt"
 	"time"
@@ -32,11 +31,11 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/auth/keystore"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/tlsca"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 // RotateRequest is a request to start rotation of the certificate authority.
@@ -373,17 +372,17 @@ func (a *Server) startNewRotation(ctx context.Context, req rotationReq, ca types
 	if len(req.privateKey) != 0 {
 		log.Infof("Generating CA, using pregenerated test private key.")
 
-		rsaKey, err := ssh.ParseRawPrivateKey(req.privateKey)
+		signer, err := keys.ParsePrivateKey(req.privateKey)
 		if err != nil {
 			return trace.Wrap(err)
 		}
 
 		if len(activeKeys.SSH) > 0 {
-			signer, err := ssh.NewSignerFromKey(rsaKey)
+			sshSigner, err := ssh.NewSignerFromKey(signer)
 			if err != nil {
 				return trace.Wrap(err)
 			}
-			sshPublicKey := ssh.MarshalAuthorizedKey(signer.PublicKey())
+			sshPublicKey := ssh.MarshalAuthorizedKey(sshSigner.PublicKey())
 			newKeys.SSH = append(newKeys.SSH, &types.SSHKeyPair{
 				PublicKey:      sshPublicKey,
 				PrivateKey:     req.privateKey,
@@ -393,7 +392,7 @@ func (a *Server) startNewRotation(ctx context.Context, req rotationReq, ca types
 
 		if len(activeKeys.TLS) > 0 {
 			tlsCert, err := tlsca.GenerateSelfSignedCAWithConfig(tlsca.GenerateCAConfig{
-				Signer: rsaKey.(*rsa.PrivateKey),
+				Signer: signer,
 				Entity: pkix.Name{
 					CommonName:   ca.GetClusterName(),
 					Organization: []string{ca.GetClusterName()},
@@ -412,7 +411,11 @@ func (a *Server) startNewRotation(ctx context.Context, req rotationReq, ca types
 		}
 
 		if len(activeKeys.JWT) > 0 {
-			jwtPublicKey, jwtPrivateKey, err := utils.MarshalPrivateKey(rsaKey.(*rsa.PrivateKey))
+			jwtPublicKey, err := keys.MarshalPublicKey(signer.Public())
+			if err != nil {
+				return trace.Wrap(err)
+			}
+			jwtPrivateKey, err := keys.MarshalPrivateKey(signer)
 			if err != nil {
 				return trace.Wrap(err)
 			}

lib/auth/tls_test.go

@@ -55,6 +55,7 @@ import (
 	eventtypes "github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/api/types/wrappers"
 	apiutils "github.com/gravitational/teleport/api/utils"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/api/utils/sshutils"
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/auth/join"
@@ -2612,7 +2613,7 @@ func TestGenerateCerts(t *testing.T) {
 		require.Error(t, err)
 		require.True(t, trace.IsAccessDenied(err), "trace.IsAccessDenied failed: err=%v (%T)", err, trace.Unwrap(err))
 
-		_, privateKeyPEM, err := utils.MarshalPrivateKey(privateKey.(crypto.Signer))
+		privateKeyPEM, err := keys.MarshalPrivateKey(privateKey.(crypto.Signer))
 		require.NoError(t, err)
 
 		clientCert, err := tls.X509KeyPair(userCerts.TLS, privateKeyPEM)
@@ -4855,7 +4856,7 @@ func TestGRPCServer_DeleteToken(t *testing.T) {
 func verifyJWT(clock clockwork.Clock, clusterName string, pairs []*types.JWTKeyPair, token string) (*jwt.Claims, error) {
 	errs := []error{}
 	for _, pair := range pairs {
-		publicKey, err := utils.ParsePublicKey(pair.PublicKey)
+		publicKey, err := keys.ParsePublicKey(pair.PublicKey)
 		if err != nil {
 			errs = append(errs, trace.Wrap(err))
 			continue
@@ -4889,7 +4890,7 @@ func verifyJWT(clock clockwork.Clock, clusterName string, pairs []*types.JWTKeyP
 func verifyJWTAWSOIDC(clock clockwork.Clock, clusterName string, pairs []*types.JWTKeyPair, token, issuer string) (*jwt.Claims, error) {
 	errs := []error{}
 	for _, pair := range pairs {
-		publicKey, err := utils.ParsePublicKey(pair.PublicKey)
+		publicKey, err := keys.ParsePublicKey(pair.PublicKey)
 		if err != nil {
 			errs = append(errs, trace.Wrap(err))
 			continue

lib/client/db/oracle/oracle.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/constants"
+	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
@@ -85,11 +86,11 @@ func createClientWallet(key *client.Key, certPem []byte, password string, wallet
 }
 
 func createJKSWallet(keyPEM, certPEM, caPEM []byte, password string) ([]byte, error) {
-	key, err := utils.ParsePrivateKey(keyPEM)
+	key, err := keys.ParsePrivateKey(keyPEM)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	privateKey, err := x509.MarshalPKCS8PrivateKey(key)
+	privateKey, err := x509.MarshalPKCS8PrivateKey(key.Signer)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}