Allow multiple private keys but use the latest one

.github/workflows/test-template.yml

@@ -42,7 +42,7 @@ jobs:
     - name: Test
       run: |
         make web-build
-        go test -tags=${{ inputs.tags }} -timeout 15m -coverpkg=./... -coverprofile=${{ inputs.coverprofile }} -covermode=count ./...
+        go test -tags=${{ inputs.tags }} -timeout 5m -coverpkg=./... -coverprofile=${{ inputs.coverprofile }} -covermode=count ./...
     - name: Get total code coverage
       if: github.event_name == 'pull_request'
       id: cc
@@ -67,7 +67,7 @@ jobs:
         git reset --hard ${{ github.event.pull_request.base.sha }}
         make web-build
         go generate ./...
-        go test -tags=${{ inputs.tags }} -timeout 15m -coverpkg=./... -coverprofile=base_coverage.out -covermode=count ./...
+        go test -tags=${{ inputs.tags }} -timeout 5m -coverpkg=./... -coverprofile=base_coverage.out -covermode=count ./...
         go tool cover -func=base_coverage.out > unit-base.txt
         git reset --hard $HEAD
     - name: Get base code coverage value

cmd/generate_keygen.go

@@ -39,7 +39,7 @@ func keygenMain(cmd *cobra.Command, args []string) error {
 		return errors.Wrap(err, "failed to get the current working directory")
 	}
 	if privateKeyPath == "" {
-		privateKeyPath = filepath.Join(wd, "issuer.jwk")
+		privateKeyPath = filepath.Join(wd, "issuer-keys")
 	} else {
 		privateKeyPath = filepath.Clean(strings.TrimSpace(privateKeyPath))
 	}
@@ -68,9 +68,9 @@ func keygenMain(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("file exists for public key under %s", publicKeyPath)
 	}
 
-	viper.Set(param.IssuerKey.GetName(), privateKeyPath)
+	viper.Set(param.IssuerKeysDirectory.GetName(), privateKeyPath)
 
-	// GetIssuerPublicJWKS will generate the private key at IssuerKey if it does not exist
+	// GetIssuerPublicJWKS will generate the private key in IssuerKeysDirectory if it does not exist
 	// and parse the private key and generate the corresponding public key for us
 	pubkey, err := config.GetIssuerPublicJWKS()
 	if err != nil {

cmd/generate_keygen_test.go

@@ -50,8 +50,8 @@ func setupTestRun(t *testing.T) string {
 	return tmpDir
 }
 
-func checkKeys(t *testing.T, privateKey, publicKey string) {
-	_, err := config.LoadPrivateKey(privateKey, false)
+func checkKeys(t *testing.T, publicKey string) {
+	_, err := config.GetIssuerPrivateJWK()
 	require.NoError(t, err)
 
 	jwks, err := jwk.ReadFile(publicKey)
@@ -81,7 +81,6 @@ func TestKeygenMain(t *testing.T) {
 
 		checkKeys(
 			t,
-			filepath.Join(tempDir, "issuer.jwk"),
 			filepath.Join(tempDir, "issuer-pub.jwks"),
 		)
 	})
@@ -97,7 +96,6 @@ func TestKeygenMain(t *testing.T) {
 
 		checkKeys(
 			t,
-			privateKeyPath,
 			filepath.Join(tempWd, "issuer-pub.jwks"),
 		)
 	})
@@ -113,7 +111,6 @@ func TestKeygenMain(t *testing.T) {
 
 		checkKeys(
 			t,
-			filepath.Join(tempWd, "issuer.jwk"),
 			publicKeyPath,
 		)
 	})
@@ -130,7 +127,6 @@ func TestKeygenMain(t *testing.T) {
 
 		checkKeys(
 			t,
-			privateKeyPath,
 			filepath.Join(tempWd, "issuer-pub.jwks"),
 		)
 	})
@@ -147,7 +143,6 @@ func TestKeygenMain(t *testing.T) {
 
 		checkKeys(
 			t,
-			filepath.Join(tempWd, "issuer.jwk"),
 			publicKeyPath,
 		)
 	})

cmd/registry_client.go

@@ -32,14 +32,12 @@ import (
 	"net/url"
 	"os"
 
-	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
 	"github.com/pelicanplatform/pelican/config"
-	"github.com/pelicanplatform/pelican/param"
 	"github.com/pelicanplatform/pelican/registry"
 )
 
@@ -109,16 +107,11 @@ func registerANamespace(cmd *cobra.Command, args []string) {
 		os.Exit(1)
 	}
 
-	privateKeyRaw, err := config.LoadPrivateKey(param.IssuerKey.GetString(), false)
+	privateKey, err := config.GetIssuerPrivateJWK()
 	if err != nil {
 		log.Error("Failed to load private key", err)
 		os.Exit(1)
 	}
-	privateKey, err := jwk.FromRaw(privateKeyRaw)
-	if err != nil {
-		log.Error("Failed to create JWK private key", err)
-		os.Exit(1)
-	}
 
 	if withIdentity {
 		// We haven't added support to pass sitename from CLI, so leave it empty

config/config.go

@@ -1027,6 +1027,7 @@ func SetServerDefaults(v *viper.Viper) error {
 	v.SetDefault(param.Xrootd_Authfile.GetName(), filepath.Join(configDir, "xrootd", "authfile"))
 	v.SetDefault(param.Xrootd_MacaroonsKeyFile.GetName(), filepath.Join(configDir, "macaroons-secret"))
 	v.SetDefault(param.IssuerKey.GetName(), filepath.Join(configDir, "issuer.jwk"))
+	v.SetDefault(param.IssuerKeysDirectory.GetName(), filepath.Join(configDir, "issuer-keys"))
 	v.SetDefault(param.Server_UIPasswordFile.GetName(), filepath.Join(configDir, "server-web-passwd"))
 	v.SetDefault(param.Server_UIActivationCodeFile.GetName(), filepath.Join(configDir, "server-web-activation-code"))
 	v.SetDefault(param.OIDC_ClientIDFile.GetName(), filepath.Join(configDir, "oidc-client-id"))
@@ -1433,7 +1434,7 @@ func InitServer(ctx context.Context, currentServers server_structs.ServerType) e
 
 	// As necessary, generate private keys, JWKS and corresponding certs
 
-	// Note: This function will generate a private key in the location stored by the viper var "IssuerKey"
+	// Note: This function will generate a private key in the location stored by the viper var "IssuerKeysDirectory"
 	// iff there isn't any valid private key present in that location
 	_, err = GetIssuerPublicJWKS()
 	if err != nil {
@@ -1484,6 +1485,8 @@ func SetClientDefaults(v *viper.Viper) error {
 	configDir := v.GetString("ConfigDir")
 
 	v.SetDefault(param.IssuerKey.GetName(), filepath.Join(configDir, "issuer.jwk"))
+	v.SetDefault(param.IssuerKeysDirectory.GetName(), filepath.Join(configDir, "issuer-keys"))
+
 	upperPrefix := GetPreferredPrefix()
 	if upperPrefix == OsdfPrefix || upperPrefix == StashPrefix {
 		v.SetDefault("Federation.TopologyNamespaceURL", "https://topology.opensciencegrid.org/osdf/namespaces")
@@ -1638,6 +1641,9 @@ func ResetConfig() {
 	globalFedErr = nil
 
 	ResetIssuerJWKPtr()
+	ResetIssuerPrivateKeys()
+	ResetPreviousIssuerPrivateJWK()
+
 	ResetClientInitialized()
 
 	// other than what's above, resetting Origin exports will be done by ResetTestState() in server_utils pkg

config/encrypted.go

@@ -22,7 +22,6 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ed25519"
-	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/sha512"
@@ -42,8 +41,6 @@ import (
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/term"
 	"gopkg.in/yaml.v3"
-
-	"github.com/pelicanplatform/pelican/param"
 )
 
 // If we prompted the user for a new password while setting up the file,
@@ -380,17 +377,18 @@ func SaveConfigContents_internal(config *OSDFConfig, forcePassword bool) error {
 // Take a hash, and use the hash's bytes as the secret.
 func GetSecret() (string, error) {
 	// Use issuer private key as the source to generate the secret
-	issuerKeyFile := param.IssuerKey.GetString()
-	err := GeneratePrivateKey(issuerKeyFile, elliptic.P256(), false)
+	privateKey, err := GetIssuerPrivateJWK()
 	if err != nil {
 		return "", err
 	}
-	privateKey, err := LoadPrivateKey(issuerKeyFile, false)
-	if err != nil {
+
+	// Extract the underlying ECDSA private key in native Go crypto key type
+	var rawKey interface{}
+	if err := privateKey.Raw(&rawKey); err != nil {
 		return "", err
 	}
 
-	derPrivateKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	derPrivateKey, err := x509.MarshalPKCS8PrivateKey(rawKey)
 
 	if err != nil {
 		return "", err

config/encrypted_test.go

@@ -37,8 +37,8 @@ func TestGetSecret(t *testing.T) {
 	})
 	t.Run("generate-32B-hash", func(t *testing.T) {
 		tmp := t.TempDir()
-		keyName := filepath.Join(tmp, "issuer.key")
-		viper.Set(param.IssuerKey.GetName(), keyName)
+		keyDir := filepath.Join(tmp, "issuer-keys")
+		viper.Set(param.IssuerKeysDirectory.GetName(), keyDir)
 
 		get, err := GetSecret()
 		require.NoError(t, err)
@@ -55,8 +55,8 @@ func TestEncryptString(t *testing.T) {
 
 	t.Run("encrypt-without-err", func(t *testing.T) {
 		tmp := t.TempDir()
-		keyName := filepath.Join(tmp, "issuer.key")
-		viper.Set(param.IssuerKey.GetName(), keyName)
+		keyDir := filepath.Join(tmp, "issuer-keys")
+		viper.Set(param.IssuerKeysDirectory.GetName(), keyDir)
 
 		get, err := EncryptString("Some secret to encrypt")
 		require.NoError(t, err)
@@ -72,8 +72,8 @@ func TestDecryptString(t *testing.T) {
 	})
 	t.Run("decrypt-without-err", func(t *testing.T) {
 		tmp := t.TempDir()
-		keyName := filepath.Join(tmp, "issuer.key")
-		viper.Set(param.IssuerKey.GetName(), keyName)
+		keyDir := filepath.Join(tmp, "issuer-keys")
+		viper.Set(param.IssuerKeysDirectory.GetName(), keyDir)
 
 		secret := "Some secret to encrypt"
 
@@ -88,17 +88,18 @@ func TestDecryptString(t *testing.T) {
 
 	t.Run("diff-secrets-yield-diff-result", func(t *testing.T) {
 		tmp := t.TempDir()
-		keyName := filepath.Join(tmp, "issuer.key")
-		viper.Set(param.IssuerKey.GetName(), keyName)
+		keyDir := filepath.Join(tmp, "issuer-keys")
+		viper.Set(param.IssuerKeysDirectory.GetName(), keyDir)
 
 		secret := "Some secret to encrypt"
 
 		getEncrypt, err := EncryptString(secret)
 		require.NoError(t, err)
 		assert.NotEmpty(t, getEncrypt)
 
-		newKeyName := filepath.Join(tmp, "new-issuer.key")
-		viper.Set(param.IssuerKey.GetName(), newKeyName)
+		ResetConfig()
+		newKeyDir := filepath.Join(tmp, "new-issuer-keys")
+		viper.Set(param.IssuerKeysDirectory.GetName(), newKeyDir)
 
 		getDecrypt, err := DecryptString(getEncrypt)
 		require.NoError(t, err)