chore: simplify key generation

sweatybridge · sweatybridge · commit cd013f53a24e · 2025-08-15T11:07:55.000+08:00
diff --git a/internal/gen/signingkeys/signingkeys.go b/internal/gen/signingkeys/signingkeys.go
@@ -23,13 +23,8 @@ import (
 	"github.com/supabase/cli/pkg/config"
 )
 
-type KeyPair struct {
-	PublicKey  config.JWK
-	PrivateKey config.JWK
-}
-
-// GenerateKeyPair generates a new key pair for the specified algorithm
-func GenerateKeyPair(alg config.Algorithm) (*KeyPair, error) {
+// GeneratePrivateKey generates a new private key for the specified algorithm
+func GeneratePrivateKey(alg config.Algorithm) (*config.JWK, error) {
 	keyID := uuid.New()
 
 	switch alg {
@@ -42,7 +37,7 @@ func GenerateKeyPair(alg config.Algorithm) (*KeyPair, error) {
 	}
 }
 
-func generateRSAKeyPair(keyID uuid.UUID) (*KeyPair, error) {
+func generateRSAKeyPair(keyID uuid.UUID) (*config.JWK, error) {
 	// Generate RSA key pair (2048 bits for RS256)
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
@@ -72,24 +67,10 @@ func generateRSAKeyPair(keyID uuid.UUID) (*KeyPair, error) {
 		FirstCRTCoefficient:     base64.RawURLEncoding.EncodeToString(privateKey.Precomputed.Qinv.Bytes()),
 	}
 
-	publicJWK := config.JWK{
-		KeyType:     "RSA",
-		KeyID:       keyID,
-		Use:         "sig",
-		KeyOps:      []string{"verify"},
-		Algorithm:   "RS256",
-		Extractable: cast.Ptr(true),
-		Modulus:     privateJWK.Modulus,
-		Exponent:    privateJWK.Exponent,
-	}
-
-	return &KeyPair{
-		PublicKey:  publicJWK,
-		PrivateKey: privateJWK,
-	}, nil
+	return &privateJWK, nil
 }
 
-func generateECDSAKeyPair(keyID uuid.UUID) (*KeyPair, error) {
+func generateECDSAKeyPair(keyID uuid.UUID) (*config.JWK, error) {
 	// Generate ECDSA key pair (P-256 curve for ES256)
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
@@ -112,22 +93,7 @@ func generateECDSAKeyPair(keyID uuid.UUID) (*KeyPair, error) {
 		PrivateExponent: base64.RawURLEncoding.EncodeToString(privateKey.D.Bytes()),
 	}
 
-	publicJWK := config.JWK{
-		KeyType:     "EC",
-		KeyID:       keyID,
-		Use:         "sig",
-		KeyOps:      []string{"verify"},
-		Algorithm:   "ES256",
-		Extractable: cast.Ptr(true),
-		Curve:       "P-256",
-		X:           privateJWK.X,
-		Y:           privateJWK.Y,
-	}
-
-	return &KeyPair{
-		PublicKey:  publicJWK,
-		PrivateKey: privateJWK,
-	}, nil
+	return &privateJWK, nil
 }
 
 // Run generates a key pair and writes it to the specified file path
@@ -139,7 +105,7 @@ func Run(ctx context.Context, algorithm string, appendMode bool, fsys afero.Fs)
 	outputPath := utils.Config.Auth.SigningKeysPath
 
 	// Generate key pair
-	keyPair, err := GenerateKeyPair(config.Algorithm(algorithm))
+	privateJWK, err := GeneratePrivateKey(config.Algorithm(algorithm))
 	if err != nil {
 		return err
 	}
@@ -181,7 +147,7 @@ func Run(ctx context.Context, algorithm string, appendMode bool, fsys afero.Fs)
 		}
 		out = f
 	}
-	jwkArray = append(jwkArray, keyPair.PrivateKey)
+	jwkArray = append(jwkArray, *privateJWK)
 
 	// Write to file
 	enc := json.NewEncoder(out)
diff --git a/internal/gen/signingkeys/signingkeys_test.go b/internal/gen/signingkeys/signingkeys_test.go
@@ -31,61 +31,62 @@ func TestGenerateKeyPair(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			keyPair, err := GenerateKeyPair(tt.algorithm)
+			privateJWK, err := GeneratePrivateKey(tt.algorithm)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("GenerateKeyPair(%s) error = %v, wantErr %v", tt.algorithm, err, tt.wantErr)
 				return
 			}
 			if !tt.wantErr {
-				if keyPair == nil {
+				if privateJWK == nil {
 					t.Error("GenerateKeyPair() returned nil key pair")
 					return
 				}
 
 				// Check that both public and private keys are generated
-				if keyPair.PublicKey.KeyType == "" {
+				publicJWK := privateJWK.ToPublicJWK()
+				if publicJWK.KeyType == "" {
 					t.Error("Public key type is empty")
 				}
-				if keyPair.PrivateKey.KeyType == "" {
+				if privateJWK.KeyType == "" {
 					t.Error("Private key type is empty")
 				}
 
 				// Check that key IDs match
-				if keyPair.PublicKey.KeyID != keyPair.PrivateKey.KeyID {
+				if publicJWK.KeyID != privateJWK.KeyID {
 					t.Error("Public and private key IDs don't match")
 				}
 
 				// Algorithm-specific checks
 				switch tt.algorithm {
 				case config.AlgRS256:
-					if keyPair.PublicKey.KeyType != "RSA" {
-						t.Errorf("Expected RSA key type, got %s", keyPair.PublicKey.KeyType)
+					if publicJWK.KeyType != "RSA" {
+						t.Errorf("Expected RSA key type, got %s", publicJWK.KeyType)
 					}
-					if keyPair.PrivateKey.Algorithm != "RS256" {
-						t.Errorf("Expected RS256 algorithm, got %s", keyPair.PrivateKey.Algorithm)
+					if privateJWK.Algorithm != "RS256" {
+						t.Errorf("Expected RS256 algorithm, got %s", privateJWK.Algorithm)
 					}
 					// Check that RSA-specific fields are present
-					if keyPair.PrivateKey.Modulus == "" {
+					if privateJWK.Modulus == "" {
 						t.Error("RSA private key missing modulus")
 					}
-					if keyPair.PrivateKey.PrivateExponent == "" {
+					if privateJWK.PrivateExponent == "" {
 						t.Error("RSA private key missing private exponent")
 					}
 				case config.AlgES256:
-					if keyPair.PublicKey.KeyType != "EC" {
-						t.Errorf("Expected EC key type, got %s", keyPair.PublicKey.KeyType)
+					if publicJWK.KeyType != "EC" {
+						t.Errorf("Expected EC key type, got %s", publicJWK.KeyType)
 					}
-					if keyPair.PrivateKey.Algorithm != "ES256" {
-						t.Errorf("Expected ES256 algorithm, got %s", keyPair.PrivateKey.Algorithm)
+					if privateJWK.Algorithm != "ES256" {
+						t.Errorf("Expected ES256 algorithm, got %s", privateJWK.Algorithm)
 					}
 					// Check that EC-specific fields are present
-					if keyPair.PrivateKey.Curve != "P-256" {
-						t.Errorf("Expected P-256 curve, got %s", keyPair.PrivateKey.Curve)
+					if privateJWK.Curve != "P-256" {
+						t.Errorf("Expected P-256 curve, got %s", privateJWK.Curve)
 					}
-					if keyPair.PrivateKey.X == "" {
+					if privateJWK.X == "" {
 						t.Error("EC private key missing X coordinate")
 					}
-					if keyPair.PrivateKey.Y == "" {
+					if privateJWK.Y == "" {
 						t.Error("EC private key missing Y coordinate")
 					}
 				}

Original file line number	Diff line number	Diff line change
`@@ -31,61 +31,62 @@ func TestGenerateKeyPair(t *testing.T) {`
`31`	`31`
`32`	`32`	`for _, tt := range tests {`
`33`	`33`	`t.Run(tt.name, func(t *testing.T) {`
`34`		`- keyPair, err := GenerateKeyPair(tt.algorithm)`
	`34`	`+ privateJWK, err := GeneratePrivateKey(tt.algorithm)`
`35`	`35`	`if (err != nil) != tt.wantErr {`
`36`	`36`	`t.Errorf("GenerateKeyPair(%s) error = %v, wantErr %v", tt.algorithm, err, tt.wantErr)`
`37`	`37`	`return`
`38`	`38`	`}`
`39`	`39`	`if !tt.wantErr {`
`40`		`- if keyPair == nil {`
	`40`	`+ if privateJWK == nil {`
`41`	`41`	`t.Error("GenerateKeyPair() returned nil key pair")`
`42`	`42`	`return`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`// Check that both public and private keys are generated`
`46`		`- if keyPair.PublicKey.KeyType == "" {`
	`46`	`+ publicJWK := privateJWK.ToPublicJWK()`
	`47`	`+ if publicJWK.KeyType == "" {`
`47`	`48`	`t.Error("Public key type is empty")`
`48`	`49`	`}`
`49`		`- if keyPair.PrivateKey.KeyType == "" {`
	`50`	`+ if privateJWK.KeyType == "" {`
`50`	`51`	`t.Error("Private key type is empty")`
`51`	`52`	`}`
`52`	`53`
`53`	`54`	`// Check that key IDs match`
`54`		`- if keyPair.PublicKey.KeyID != keyPair.PrivateKey.KeyID {`
	`55`	`+ if publicJWK.KeyID != privateJWK.KeyID {`
`55`	`56`	`t.Error("Public and private key IDs don't match")`
`56`	`57`	`}`
`57`	`58`
`58`	`59`	`// Algorithm-specific checks`
`59`	`60`	`switch tt.algorithm {`
`60`	`61`	`case config.AlgRS256:`
`61`		`- if keyPair.PublicKey.KeyType != "RSA" {`
`62`		`- t.Errorf("Expected RSA key type, got %s", keyPair.PublicKey.KeyType)`
	`62`	`+ if publicJWK.KeyType != "RSA" {`
	`63`	`+ t.Errorf("Expected RSA key type, got %s", publicJWK.KeyType)`
`63`	`64`	`}`
`64`		`- if keyPair.PrivateKey.Algorithm != "RS256" {`
`65`		`- t.Errorf("Expected RS256 algorithm, got %s", keyPair.PrivateKey.Algorithm)`
	`65`	`+ if privateJWK.Algorithm != "RS256" {`
	`66`	`+ t.Errorf("Expected RS256 algorithm, got %s", privateJWK.Algorithm)`
`66`	`67`	`}`
`67`	`68`	`// Check that RSA-specific fields are present`
`68`		`- if keyPair.PrivateKey.Modulus == "" {`
	`69`	`+ if privateJWK.Modulus == "" {`
`69`	`70`	`t.Error("RSA private key missing modulus")`
`70`	`71`	`}`
`71`		`- if keyPair.PrivateKey.PrivateExponent == "" {`
	`72`	`+ if privateJWK.PrivateExponent == "" {`
`72`	`73`	`t.Error("RSA private key missing private exponent")`
`73`	`74`	`}`
`74`	`75`	`case config.AlgES256:`
`75`		`- if keyPair.PublicKey.KeyType != "EC" {`
`76`		`- t.Errorf("Expected EC key type, got %s", keyPair.PublicKey.KeyType)`
	`76`	`+ if publicJWK.KeyType != "EC" {`
	`77`	`+ t.Errorf("Expected EC key type, got %s", publicJWK.KeyType)`
`77`	`78`	`}`
`78`		`- if keyPair.PrivateKey.Algorithm != "ES256" {`
`79`		`- t.Errorf("Expected ES256 algorithm, got %s", keyPair.PrivateKey.Algorithm)`
	`79`	`+ if privateJWK.Algorithm != "ES256" {`
	`80`	`+ t.Errorf("Expected ES256 algorithm, got %s", privateJWK.Algorithm)`
`80`	`81`	`}`
`81`	`82`	`// Check that EC-specific fields are present`
`82`		`- if keyPair.PrivateKey.Curve != "P-256" {`
`83`		`- t.Errorf("Expected P-256 curve, got %s", keyPair.PrivateKey.Curve)`
	`83`	`+ if privateJWK.Curve != "P-256" {`
	`84`	`+ t.Errorf("Expected P-256 curve, got %s", privateJWK.Curve)`
`84`	`85`	`}`
`85`		`- if keyPair.PrivateKey.X == "" {`
	`86`	`+ if privateJWK.X == "" {`
`86`	`87`	`t.Error("EC private key missing X coordinate")`
`87`	`88`	`}`
`88`		`- if keyPair.PrivateKey.Y == "" {`
	`89`	`+ if privateJWK.Y == "" {`
`89`	`90`	`t.Error("EC private key missing Y coordinate")`
`90`	`91`	`}`
`91`	`92`	`}`