prefer Nebula's public key handling functions where possible

JackDoan · JackDoan · commit 53686c935205 · 2025-12-10T10:57:34.000-06:00
diff --git a/client_test.go b/client_test.go
@@ -8,7 +8,6 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/json"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
@@ -78,7 +77,7 @@ func TestEnroll(t *testing.T) {
 				HostID:      hostID,
 				Counter:     counter,
 				Config:      cfg,
-				TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+				TrustedKeys: ca.MarshalPublicKeyPEM(),
 				Organization: message.HostOrgMetadata{
 					ID:   orgID,
 					Name: orgName,
@@ -209,7 +208,7 @@ func TestDoUpdate(t *testing.T) {
 				HostID:      "foobar",
 				Counter:     1,
 				Config:      cfg,
-				TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+				TrustedKeys: ca.MarshalPublicKeyPEM(),
 				Organization: message.HostOrgMetadata{
 					ID:   "foobaz",
 					Name: "foobar's foo org",
@@ -278,7 +277,7 @@ func TestDoUpdate(t *testing.T) {
 			Config:      dnapitest.NebulaCfg(caPEM),
 			Counter:     2,
 			Nonce:       dnapitest.GetNonce(r),
-			TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+			TrustedKeys: ca.MarshalPublicKeyPEM(),
 			Organization: message.HostOrgMetadata{
 				ID:   "foobaz",
 				Name: "foobar's foo org",
@@ -333,7 +332,7 @@ func TestDoUpdate(t *testing.T) {
 			Config:      dnapitest.NebulaCfg(caPEM),
 			Counter:     0,
 			Nonce:       dnapitest.GetNonce(r),
-			TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+			TrustedKeys: ca.MarshalPublicKeyPEM(),
 			Organization: message.HostOrgMetadata{
 				ID:   "foobaz",
 				Name: "foobar's foo org",
@@ -393,7 +392,7 @@ func TestDoUpdate(t *testing.T) {
 			Config:      dnapitest.NebulaCfg(caPEM),
 			Counter:     3,
 			Nonce:       dnapitest.GetNonce(r),
-			TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+			TrustedKeys: ca.MarshalPublicKeyPEM(),
 			Organization: message.HostOrgMetadata{
 				ID:   orgID,
 				Name: orgName,
@@ -480,7 +479,7 @@ func TestDoUpdate_P256(t *testing.T) {
 				HostID:      "foobar",
 				Counter:     1,
 				Config:      cfg,
-				TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+				TrustedKeys: ca.MarshalPublicKeyPEM(),
 				Organization: message.HostOrgMetadata{
 					ID:   "foobaz",
 					Name: "foobar's foo org",
@@ -638,7 +637,7 @@ func TestDoUpdate_P256(t *testing.T) {
 			Config:      dnapitest.NebulaCfg(caPEM),
 			Counter:     3,
 			Nonce:       dnapitest.GetNonce(r),
-			TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+			TrustedKeys: ca.MarshalPublicKeyPEM(),
 			Organization: message.HostOrgMetadata{
 				ID:   "foobaz",
 				Name: "foobar's foo org",
@@ -720,7 +719,7 @@ func TestCommandResponse(t *testing.T) {
 				HostID:      "foobar",
 				Counter:     1,
 				Config:      cfg,
-				TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+				TrustedKeys: ca.MarshalPublicKeyPEM(),
 				Organization: message.HostOrgMetadata{
 					ID:   "foobaz",
 					Name: "foobar's foo org",
@@ -825,7 +824,7 @@ func TestStreamCommandResponse(t *testing.T) {
 				HostID:      "foobar",
 				Counter:     1,
 				Config:      cfg,
-				TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+				TrustedKeys: ca.MarshalPublicKeyPEM(),
 				Organization: message.HostOrgMetadata{
 					ID:   "foobaz",
 					Name: "foobar's foo org",
@@ -951,7 +950,7 @@ func TestReauthenticate(t *testing.T) {
 				HostID:      "foobar",
 				Counter:     1,
 				Config:      cfg,
-				TrustedKeys: marshalCAPublicKey(ca.Curve(), ca.PublicKey()),
+				TrustedKeys: ca.MarshalPublicKeyPEM(),
 				Organization: message.HostOrgMetadata{
 					ID:   "foobaz",
 					Name: "foobar's foo org",
@@ -1062,17 +1061,6 @@ func TestOverrideTimeout(t *testing.T) {
 	require.ErrorIs(t, err, context.DeadlineExceeded)
 }
 
-func marshalCAPublicKey(curve cert.Curve, pubkey []byte) []byte {
-	switch curve {
-	case cert.Curve_CURVE25519:
-		return pem.EncodeToMemory(&pem.Block{Type: keys.NebulaEd25519PublicKeyBanner, Bytes: pubkey})
-	case cert.Curve_P256:
-		return pem.EncodeToMemory(&pem.Block{Type: keys.NebulaECDSAP256PublicKeyBanner, Bytes: pubkey})
-	default:
-		panic("unsupported curve")
-	}
-}
-
 func TestGetOidcPollCode(t *testing.T) {
 	t.Parallel()
 
@@ -1219,7 +1207,6 @@ func TestDownloads(t *testing.T) {
 }
 
 func TestNebulaPemBanners(t *testing.T) {
-	t.SkipNow() //todo this is correct for 25519 but not p256. Once this test passes, we can lean on Nebula's implementations.
 	const NebulaECDSAP256PublicKeyBanner = "NEBULA ECDSA P256 PUBLIC KEY"
 	const NebulaEd25519PublicKeyBanner = "NEBULA ED25519 PUBLIC KEY"
 	ca, _ := dnapitest.NebulaCACert()
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.25
 
 require (
 	github.com/sirupsen/logrus v1.9.3
-	github.com/slackhq/nebula v1.10.0
+	github.com/slackhq/nebula v1.10.1-0.20251210163936-3ec527e42cec
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.46.0
 	gopkg.in/yaml.v2 v2.4.0
diff --git a/go.sum b/go.sum
@@ -18,8 +18,8 @@ github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZV
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/slackhq/nebula v1.10.0 h1:uhu4Cpzw3pXyDJ8G1fMSppsvG7aE9XCt4UaauggHax0=
-github.com/slackhq/nebula v1.10.0/go.mod h1:PmYcyoGhAX4X8lCzJjGv7aLTBbFbPy7QeWbpwWvJf+Y=
+github.com/slackhq/nebula v1.10.1-0.20251210163936-3ec527e42cec h1:F251X4hgG3Fen49ouS7yUVcwYkvvCjb5bmRFAbMnm+c=
+github.com/slackhq/nebula v1.10.1-0.20251210163936-3ec527e42cec/go.mod h1:mqXWEQjg+I1r5KeCqji83gA0rZPCY9yvP25USUBFGxc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
diff --git a/keys/pem.go b/keys/pem.go
@@ -7,16 +7,15 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+
+	"github.com/slackhq/nebula/cert"
 )
 
 const HostEd25519PublicKeyBanner = "DEFINED HOST ED25519 PUBLIC KEY"
 const HostEd25519PrivateKeyBanner = "DEFINED HOST ED25519 PRIVATE KEY"
 const HostP256PublicKeyBanner = "DEFINED HOST P256 PUBLIC KEY"
 const HostP256PrivateKeyBanner = "DEFINED HOST P256 PRIVATE KEY"
 
-const NebulaECDSAP256PublicKeyBanner = "NEBULA ECDSA P256 PUBLIC KEY"
-const NebulaEd25519PublicKeyBanner = "NEBULA ED25519 PUBLIC KEY"
-
 func MarshalHostEd25519PublicKey(k ed25519.PublicKey) ([]byte, error) {
 	b, err := x509.MarshalPKIXPublicKey(k)
 	if err != nil {
@@ -163,8 +162,9 @@ func UnmarshalTrustedKey(b []byte) (TrustedKey, []byte, error) {
 		return nil, r, fmt.Errorf("input did not contain a valid PEM encoded block")
 	}
 
+	// we could use Nebula's implementation here, but we want to make sure we only see these specific banners.
 	switch k.Type {
-	case NebulaECDSAP256PublicKeyBanner:
+	case cert.ECDSAP256PublicKeyBanner:
 		if len(k.Bytes) != 65 {
 			return nil, r, fmt.Errorf("key was not 65 bytes, is invalid P256 public key")
 		}
@@ -173,7 +173,7 @@ func UnmarshalTrustedKey(b []byte) (TrustedKey, []byte, error) {
 			return nil, r, fmt.Errorf("failed to parse public key: %s", err)
 		}
 		return P256TrustedKey{pk}, r, nil
-	case NebulaEd25519PublicKeyBanner:
+	case cert.Ed25519PublicKeyBanner:
 		if len(k.Bytes) != ed25519.PublicKeySize {
 			return nil, r, fmt.Errorf("key was not 32 bytes, is invalid ed25519 public key")
 		}
diff --git a/keys/trusted_keys.go b/keys/trusted_keys.go
@@ -7,6 +7,8 @@ import (
 	"crypto/sha256"
 	"encoding/pem"
 	"fmt"
+
+	"github.com/slackhq/nebula/cert"
 )
 
 // TrustedKey is an interface used to generically verify signatures returned
@@ -42,7 +44,7 @@ func (key Ed25519TrustedKey) Unwrap() any {
 }
 
 func (key Ed25519TrustedKey) MarshalPEM() ([]byte, error) {
-	return pem.EncodeToMemory(&pem.Block{Type: NebulaEd25519PublicKeyBanner, Bytes: key.PublicKey}), nil
+	return pem.EncodeToMemory(&pem.Block{Type: cert.Ed25519PublicKeyBanner, Bytes: key.PublicKey}), nil
 }
 
 // P256TrustedKey is the P256 implementation of TrustedKey.
@@ -61,7 +63,7 @@ func (key P256TrustedKey) Unwrap() any {
 
 func (key P256TrustedKey) MarshalPEM() ([]byte, error) {
 	b := elliptic.Marshal(elliptic.P256(), key.X, key.Y)
-	return pem.EncodeToMemory(&pem.Block{Type: NebulaECDSAP256PublicKeyBanner, Bytes: b}), nil
+	return pem.EncodeToMemory(&pem.Block{Type: cert.ECDSAP256PublicKeyBanner, Bytes: b}), nil
 }
 
 // TrustedKeysToPEM converts a slice of TrustedKey to a PEM-encoded byte slice.

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,8 @@ import (`
`7`	`7`	`"crypto/sha256"`
`8`	`8`	`"encoding/pem"`
`9`	`9`	`"fmt"`
	`10`	`+`
	`11`	`+ "github.com/slackhq/nebula/cert"`
`10`	`12`	`)`
`11`	`13`
`12`	`14`	`// TrustedKey is an interface used to generically verify signatures returned`
`@@ -42,7 +44,7 @@ func (key Ed25519TrustedKey) Unwrap() any {`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`func (key Ed25519TrustedKey) MarshalPEM() ([]byte, error) {`
`45`		`- return pem.EncodeToMemory(&pem.Block{Type: NebulaEd25519PublicKeyBanner, Bytes: key.PublicKey}), nil`
	`47`	`+ return pem.EncodeToMemory(&pem.Block{Type: cert.Ed25519PublicKeyBanner, Bytes: key.PublicKey}), nil`
`46`	`48`	`}`
`47`	`49`
`48`	`50`	`// P256TrustedKey is the P256 implementation of TrustedKey.`
`@@ -61,7 +63,7 @@ func (key P256TrustedKey) Unwrap() any {`
`61`	`63`
`62`	`64`	`func (key P256TrustedKey) MarshalPEM() ([]byte, error) {`
`63`	`65`	`b := elliptic.Marshal(elliptic.P256(), key.X, key.Y)`
`64`		`- return pem.EncodeToMemory(&pem.Block{Type: NebulaECDSAP256PublicKeyBanner, Bytes: b}), nil`
	`66`	`+ return pem.EncodeToMemory(&pem.Block{Type: cert.ECDSAP256PublicKeyBanner, Bytes: b}), nil`
`65`	`67`	`}`
`66`	`68`
`67`	`69`	`// TrustedKeysToPEM converts a slice of TrustedKey to a PEM-encoded byte slice.`