operator/pkg/certs: validate key types and val err

In this commit, we enhance the `GeneratePrivateKey` and `ParsePrivateKeyPEM` functions: - Added validation for unsupported key types and provided a more descriptive error message. This function supports ECDSA (using P-256) and RSA (with a key size of 3072 bits) algorithms. It returns an error for unsupported key types. - Improved error handling to include the type of the unsupported key format in the error message. This function now provides more informative feedback when the private key format is neither RSA nor ECDSA. Signed-off-by: Mohamed Awnallah <[email protected]>
karmada-io · Oct 17, 2024 · a2171c3 · a2171c3
1 parent 671372a
commit a2171c3
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/operator/pkg/certs/certs.go b/operator/pkg/certs/certs.go
@@ -25,7 +25,6 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"math"
 	"math/big"
@@ -247,14 +246,16 @@ func (cert *KarmadaCert) KeyName() string {
 	return pair + keyExtension
 }
 
-// GeneratePrivateKey generates cert key with default size if 1024. it supports
-// ECDSA and RAS algorithm.
+// GeneratePrivateKey generates a certificate key. It supports both
+// ECDSA (using the P-256 elliptic curve) and RSA algorithms. For RSA,
+// the key is generated with a size of 3072 bits.
 func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error) {
 	if keyType == x509.ECDSA {
 		return ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+	} else if keyType == x509.RSA {
+		return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
 	}
-
-	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
+	return nil, fmt.Errorf("unsupported key type: %v, supported key types are RSA and ECDSA", keyType)
 }
 
 // NewCertificateAuthority creates new certificate and private key for the certificate authority
@@ -428,7 +429,7 @@ func ParsePrivateKeyPEM(keyData []byte) (crypto.Signer, error) {
 	case *ecdsa.PrivateKey:
 		key = k
 	default:
-		return nil, errors.New("the private key is neither in RSA nor ECDSA format")
+		return nil, fmt.Errorf("the private key is in an unsupported format: %s, supported formats are RSA and ECDSA", caPrivateKey)
 	}
 
 	return key, nil

diff --git a/pkg/karmadactl/cmdinit/cert/cert.go b/pkg/karmadactl/cmdinit/cert/cert.go
@@ -54,13 +54,16 @@ const (
 // NewPrivateKey returns a new private key.
 var NewPrivateKey = GeneratePrivateKey
 
-// GeneratePrivateKey Generate CA Private Key
+// GeneratePrivateKey generates a certificate key. It supports both
+// ECDSA (using the P-256 elliptic curve) and RSA algorithms. For RSA,
+// the key is generated with a size of 3072 bits.
 func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error) {
 	if keyType == x509.ECDSA {
 		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	} else if keyType == x509.RSA {
+		return rsa.GenerateKey(rand.Reader, rsaKeySize)
 	}
-
-	return rsa.GenerateKey(rand.Reader, rsaKeySize)
+	return nil, fmt.Errorf("unsupported key type: %v, supported key types are RSA and ECDSA", keyType)
 }
 
 // CertsConfig is a wrapper around certutil.Config extending it with PublicKeyAlgorithm.