Refactor PIV metadata certificate logic (#32250)

* Change PIV metadata cert to be self signed by an ephemeral key so it can be signed without touch/pin. * Refactor touch prompt logic. * Prompt user before overwriting non-teleport certificates instead of just returning an error. * Update RFD and Docs. * Address CR. * Export some methods and variables for use in tests. * Address comments.
gravitational · Sep 26, 2023 · 64d9466 · 64d9466
1 parent 8d38a06
commit 64d9466
Show file tree

Hide file tree

Showing 5 changed files with 221 additions and 105 deletions.
diff --git a/api/utils/keys/hardwaresigner_test.go b/api/utils/keys/hardwaresigner_test.go
@@ -16,14 +16,19 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package keys
+package keys_test
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/utils/keys"
 )
 
 // TestHardwareSigner tests the HardwareSigner interface with hardware keys.
@@ -38,27 +43,29 @@ func TestHardwareSigner(t *testing.T) {
 	resetYubikey(ctx, t)
 
 	// Generate a new YubiKeyPrivateKey. It should return a valid attestation statement and key policy.
-	priv, err := GetOrGenerateYubiKeyPrivateKey(false)
+	priv, err := keys.GetOrGenerateYubiKeyPrivateKey(false)
 	require.NoError(t, err)
 
-	att, err := GetAttestationStatement(priv)
+	att, err := keys.GetAttestationStatement(priv)
 	require.NoError(t, err)
 	require.NotNil(t, att)
 
-	policy := GetPrivateKeyPolicy(priv)
-	require.Equal(t, PrivateKeyPolicyHardwareKey, policy)
+	policy := keys.GetPrivateKeyPolicy(priv)
+	require.Equal(t, keys.PrivateKeyPolicyHardwareKey, policy)
 }
 
 // TestNonHardwareSigner tests the HardwareSigner interface with non-hardware keys.
 func TestNonHardwareSigner(t *testing.T) {
-	// Non-hardware keys should return a nil attestation statement and PrivateKeyPolicyNone.
-	priv, err := ParsePrivateKey(rsaKeyPEM)
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	key, err := keys.NewPrivateKey(priv, nil)
 	require.NoError(t, err)
 
-	att, err := GetAttestationStatement(priv)
+	att, err := keys.GetAttestationStatement(key)
 	require.NoError(t, err)
 	require.Nil(t, att)
 
-	policy := GetPrivateKeyPolicy(priv)
-	require.Equal(t, PrivateKeyPolicyNone, policy)
+	policy := keys.GetPrivateKeyPolicy(key)
+	require.Equal(t, keys.PrivateKeyPolicyNone, policy)
 }