fix: support more key formats

Author: cheina97

pkg/liqo-controller-manager/authentication/csr.go

@@ -170,13 +170,24 @@ func checkCSR(csr, publicKey []byte, checkPublicKey bool, commonName, organizati
 			return fmt.Errorf("invalid public key")
 		}
 
-		// Marshal CSR public key to PKIX DER and compare with provided PKIX public key bytes
+		// Parse the provided public key (supports PEM, PKIX DER, or raw Ed25519)
+		parsedPubKey, err := parsePublicKey(publicKey)
+		if err != nil {
+			return fmt.Errorf("failed to parse provided public key: %w", err)
+		}
+
+		// Marshal both keys to PKIX DER for comparison
 		csrPubDER, err := x509.MarshalPKIXPublicKey(x509Csr.PublicKey)
 		if err != nil {
 			return fmt.Errorf("failed to marshal CSR public key: %w", err)
 		}
 
-		if !bytes.Equal(csrPubDER, publicKey) {
+		parsedPubDER, err := x509.MarshalPKIXPublicKey(parsedPubKey)
+		if err != nil {
+			return fmt.Errorf("failed to marshal provided public key: %w", err)
+		}
+
+		if !bytes.Equal(csrPubDER, parsedPubDER) {
 			return fmt.Errorf("invalid public key")
 		}
 	}

pkg/liqo-controller-manager/authentication/keys.go

@@ -109,10 +109,37 @@ func SignNonce(priv crypto.PrivateKey, nonce []byte) ([]byte, error) {
 	}
 }
 
-// VerifyNonce verifies the signature of a nonce using the PKIX-encoded public key bytes of the cluster.
+// parsePublicKey parses a public key from various formats:
+// - PKIX DER-encoded bytes
+// - PEM-encoded public key
+// - Raw Ed25519 public key bytes (32 bytes)
+func parsePublicKey(pubKeyBytes []byte) (crypto.PublicKey, error) {
+	// Try PEM decoding first
+	if block, _ := pem.Decode(pubKeyBytes); block != nil {
+		pubKeyBytes = block.Bytes
+	}
+
+	// Try PKIX parsing
+	if pub, err := x509.ParsePKIXPublicKey(pubKeyBytes); err == nil {
+		return pub, nil
+	}
+
+	// Try raw Ed25519 public key (32 bytes)
+	if len(pubKeyBytes) == ed25519.PublicKeySize {
+		return ed25519.PublicKey(pubKeyBytes), nil
+	}
+
+	return nil, fmt.Errorf("unable to parse public key: unrecognized format (length: %d)", len(pubKeyBytes))
+}
+
+// VerifyNonce verifies the signature of a nonce using the public key bytes of the cluster.
 // The public key can be Ed25519, RSA, or ECDSA.
-func VerifyNonce(pubKeyPKIX, nonce, signature []byte) (bool, error) {
-	pub, err := x509.ParsePKIXPublicKey(pubKeyPKIX)
+// It accepts the public key in multiple formats:
+// - PKIX DER-encoded bytes
+// - PEM-encoded public key (will be decoded first)
+// - Raw Ed25519 public key bytes (32 bytes)
+func VerifyNonce(pubKeyBytes, nonce, signature []byte) (bool, error) {
+	pub, err := parsePublicKey(pubKeyBytes)
 	if err != nil {
 		return false, fmt.Errorf("failed to parse public key: %w", err)
 	}

tmp.yml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nginx-daemonset
+  namespace: test
+  labels:
+    app: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:latest
+          ports:
+            - containerPort: 80