Read multiline signing private key from the config and remove base64 encoding support

2025-05-31 14:11:51 +05:30 · 2024-03-05 13:55:31 +01:00
parent 436ff7c294
commit 528b131309
1 changed files with 21 additions and 27 deletions
--- a/internal/di/security.go
+++ b/internal/di/security.go
@@ -4,11 +4,11 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/pem"
-	"strings"
+	"errors"
+	"log/slog"

-	signerClient "ely.by/chrly/internal/client/signer"
+	"ely.by/chrly/internal/client/signer"
 	"ely.by/chrly/internal/http"
 	"ely.by/chrly/internal/security"

@@ -19,47 +19,41 @@ import (
 var securityDiOptions = di.Options(
 	di.Provide(newSigner,
 		di.As(new(http.Signer)),
-		di.As(new(signerClient.Signer)),
+		di.As(new(signer.Signer)),
 	),
 	di.Provide(newSignerService),
 )

 func newSigner(config *viper.Viper) (*security.Signer, error) {
+	var privateKey *rsa.PrivateKey
+	var err error
+
 	keyStr := config.GetString("chrly.signing.key")
 	if keyStr == "" {
-		// TODO: log a message about the generated signing key and the way to specify it permanently
-		privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+		privateKey, err = rsa.GenerateKey(rand.Reader, 2048)
 		if err != nil {
 			return nil, err
 		}

-		return security.NewSigner(privateKey), nil
-	}
-
-	var keyBytes []byte
-	if strings.HasPrefix(keyStr, "base64:") {
-		base64Value := keyStr[7:]
-		decodedKey, err := base64.URLEncoding.DecodeString(base64Value)
-		if err != nil {
-			return nil, err
-		}
-
-		keyBytes = decodedKey
+		slog.Warn("A private signing key has been generated. To make it permanent, specify the valid RSA private key in the config parameter chrly.signing.key")
 	} else {
-		keyBytes = []byte(keyStr)
-	}
+		keyBytes := []byte(keyStr)
+		rawPem, _ := pem.Decode(keyBytes)
+		if rawPem == nil {
+			return nil, errors.New("unable to decode pem key")
+		}

-	rawPem, _ := pem.Decode(keyBytes)
-	privateKey, err := x509.ParsePKCS1PrivateKey(rawPem.Bytes)
-	if err != nil {
-		return nil, err
+		privateKey, err = x509.ParsePKCS1PrivateKey(rawPem.Bytes)
+		if err != nil {
+			return nil, err
+		}
 	}

 	return security.NewSigner(privateKey), nil
 }

-func newSignerService(signer signerClient.Signer) http.SignerService {
-	return &signerClient.LocalSigner{
-		Signer: signer,
+func newSignerService(s signer.Signer) http.SignerService {
+	return &signer.LocalSigner{
+		Signer: s,
 	}
 }