@@ -32,8 +32,8 @@ import (
32
32
// ECDSAWithSHA256Signer implements crypto.Signer using Google Cloud Secret Manager.
33
33
// Only crypto.SHA256 and ECDSA are supported.
34
34
type ECDSAWithSHA256Signer struct {
35
- publicKey crypto .PublicKey
36
- privateKey crypto .PrivateKey
35
+ publicKey * ecdsa .PublicKey
36
+ privateKey * ecdsa .PrivateKey
37
37
}
38
38
39
39
// Public returns the public key stored in the Signer object.
@@ -54,12 +54,7 @@ func (s *ECDSAWithSHA256Signer) Sign(rand io.Reader, digest []byte, opts crypto.
54
54
return nil , fmt .Errorf ("digest bytes length %d does not match hash function bytes length %d" , len (digest ), opts .HashFunc ().Size ())
55
55
}
56
56
57
- privateKey , ok := s .privateKey .(* ecdsa.PrivateKey )
58
- if ! ok {
59
- return nil , fmt .Errorf ("the key stored in Secret Manager is not an ECDSA key" )
60
- }
61
-
62
- return ecdsa .SignASN1 (rand , privateKey , digest )
57
+ return ecdsa .SignASN1 (rand , s .privateKey , digest )
63
58
}
64
59
65
60
// NewSecretManagerSigner creates a new signer that uses the ECDSA P-256 key pair in
@@ -86,16 +81,21 @@ func NewSecretManagerSigner(ctx context.Context, publicKeySecretName, privateKey
86
81
if err != nil {
87
82
return nil , err
88
83
}
84
+ var ecdsaPublicKey * ecdsa.PublicKey
85
+ ecdsaPublicKey , ok := publicKey .(* ecdsa.PublicKey )
86
+ if ! ok {
87
+ return nil , fmt .Errorf ("the public key stored in Secret Manager is not an ECDSA key" )
88
+ }
89
89
90
90
// Private Key
91
- var privateKey crypto .PrivateKey
91
+ var ecdsaPrivateKey * ecdsa .PrivateKey
92
92
pemBlock , err = secretPEM (ctx , client , privateKeySecretName )
93
93
if err != nil {
94
94
return nil , fmt .Errorf ("failed to get private key secret PEM (%s): %w" , privateKeySecretName , err )
95
95
}
96
96
switch pemBlock .Type {
97
97
case "EC PRIVATE KEY" :
98
- privateKey , err = x509 .ParseECPrivateKey (pemBlock .Bytes )
98
+ ecdsaPrivateKey , err = x509 .ParseECPrivateKey (pemBlock .Bytes )
99
99
default :
100
100
return nil , fmt .Errorf ("unsupported PEM type: %s" , pemBlock .Type )
101
101
}
@@ -104,13 +104,13 @@ func NewSecretManagerSigner(ctx context.Context, publicKeySecretName, privateKey
104
104
}
105
105
106
106
// Verify the correctness of the signer key pair
107
- if ! privateKey .( * ecdsa. PrivateKey ). PublicKey .Equal (publicKey ) {
107
+ if ! ecdsaPrivateKey . PublicKey .Equal (ecdsaPublicKey ) {
108
108
return nil , errors .New ("signer key pair doesn't match" )
109
109
}
110
110
111
111
return & ECDSAWithSHA256Signer {
112
- publicKey : publicKey ,
113
- privateKey : privateKey ,
112
+ publicKey : ecdsaPublicKey ,
113
+ privateKey : ecdsaPrivateKey ,
114
114
}, nil
115
115
}
116
116
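Review bot: Sign now hands s.privateKey straight to the library in `return ecdsa.SignASN1(rand, s.privateKey, digest)`, so a zero-value or hand-constructed ECDSAWithSHA256Signer with a nil key panics inside SignASN1 instead of returning the error the removed type assertion used to produce for a missing key. A guard before the call, `if s.privateKey == nil { return nil, errors.New("signer has no private key") }`, keeps that failure a returned error; the errors package is already used in this file for the key-pair mismatch case. Sign's body begins before its hunk. Separately, in NewSecretManagerSigner the new `var ecdsaPublicKey *ecdsa.PublicKey` line looks redundant with the `ecdsaPublicKey, ok := publicKey.(*ecdsa.PublicKey)` that follows, which only declares ok and assigns the existing variable (assuming ok is not already declared in that scope); dropping the var line would read more plainly.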