derivecert: fix ecdsa code to be deterministic (#3989)

* derivecert: fix ecdsa code to be deterministic * lint
2025-08-03 00:40:25 +02:00 · 2023-02-17 16:57:15 -07:00 · 2023-02-17 16:57:15 -07:00 · b13afc7b0c
commit b13afc7b0c
parent 6b3e34c39f
5 changed files with 246 additions and 46 deletions
--- a/pkg/derivecert/notrand.go
+++ b/pkg/derivecert/notrand.go
@ -0,0 +1,40 @@
+package derivecert
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/sha256"
+	"io"
+
+	"golang.org/x/crypto/hkdf"
+
+	"github.com/pomerium/pomerium/internal/deterministicecdsa"
+)
+
+type readerType byte
+
+const (
+	readerTypeCAPrivateKey readerType = iota
+	readerTypeCACertificate
+	readerTypeServerPrivateKey
+	readerTypeServerCertificate
+	readerTypeSerialNumber
+)
+
+func newReader(readerType readerType, psk []byte, domains ...string) io.Reader {
+	var buf bytes.Buffer
+	buf.WriteByte(byte(readerType))
+	buf.Write(psk)
+	buf.WriteByte(0)
+	for _, domain := range domains {
+		buf.WriteString(domain)
+		buf.WriteByte(0)
+	}
+
+	return hkdf.New(sha256.New, buf.Bytes(), nil, nil)
+}
+
+func deriveKey(r io.Reader) (*ecdsa.PrivateKey, error) {
+	return deterministicecdsa.GenerateKey(elliptic.P256(), r)
+}