fix: support more key formats

cheina97 · cheina97 · commit 7d5506214ee7 · 2025-11-27T14:58:06.000+01:00
diff --git a/docs/usage/stateful-applications.md b/docs/usage/stateful-applications.md
@@ -81,7 +81,7 @@ Where:
 * `$NAMESPACE_NAME` is the name of the namespace where the *PVC* lives in.
 * `$TARGET_NODE_NAME` is the name of the node where the *PVC* will be moved to.
 
-Under the hood, the migration process leverages the Liqo cross-cluster network fabric and the [Restic project](https://restic.net/) to back up the original data in a temporary repository, and then restore it in a brand-new *PVC* forced to be created in the target cluster.
+Under the hood, the migration process leverages the Liqo cross-cluster network fabric and the [Restic project](https://github.com/restic/restic) to back up the original data in a temporary repository, and then restore it in a brand-new *PVC* forced to be created in the target cluster.
 
 ```{warning}
 *Liqo* and *liqoctl* **are not** backup tools. Make sure to properly back up important data before starting the migration process.
diff --git a/pkg/liqo-controller-manager/authentication/csr.go b/pkg/liqo-controller-manager/authentication/csr.go
@@ -170,13 +170,24 @@ func checkCSR(csr, publicKey []byte, checkPublicKey bool, commonName, organizati
 			return fmt.Errorf("invalid public key")
 		}
 
-		// Marshal CSR public key to PKIX DER and compare with provided PKIX public key bytes
+		// Parse the provided public key (supports PEM, PKIX DER, or raw Ed25519)
+		parsedPubKey, err := parsePublicKey(publicKey)
+		if err != nil {
+			return fmt.Errorf("failed to parse provided public key: %w", err)
+		}
+
+		// Marshal both keys to PKIX DER for comparison
 		csrPubDER, err := x509.MarshalPKIXPublicKey(x509Csr.PublicKey)
 		if err != nil {
 			return fmt.Errorf("failed to marshal CSR public key: %w", err)
 		}
 
-		if !bytes.Equal(csrPubDER, publicKey) {
+		parsedPubDER, err := x509.MarshalPKIXPublicKey(parsedPubKey)
+		if err != nil {
+			return fmt.Errorf("failed to marshal provided public key: %w", err)
+		}
+
+		if !bytes.Equal(csrPubDER, parsedPubDER) {
 			return fmt.Errorf("invalid public key")
 		}
 	}
diff --git a/pkg/liqo-controller-manager/authentication/keys.go b/pkg/liqo-controller-manager/authentication/keys.go
@@ -109,10 +109,37 @@ func SignNonce(priv crypto.PrivateKey, nonce []byte) ([]byte, error) {
 	}
 }
 
-// VerifyNonce verifies the signature of a nonce using the PKIX-encoded public key bytes of the cluster.
+// parsePublicKey parses a public key from various formats:
+// - PKIX DER-encoded bytes
+// - PEM-encoded public key
+// - Raw Ed25519 public key bytes (32 bytes)
+func parsePublicKey(pubKeyBytes []byte) (crypto.PublicKey, error) {
+	// Try PEM decoding first
+	if block, _ := pem.Decode(pubKeyBytes); block != nil {
+		pubKeyBytes = block.Bytes
+	}
+
+	// Try PKIX parsing
+	if pub, err := x509.ParsePKIXPublicKey(pubKeyBytes); err == nil {
+		return pub, nil
+	}
+
+	// Try raw Ed25519 public key (32 bytes)
+	if len(pubKeyBytes) == ed25519.PublicKeySize {
+		return ed25519.PublicKey(pubKeyBytes), nil
+	}
+
+	return nil, fmt.Errorf("unable to parse public key: unrecognized format (length: %d)", len(pubKeyBytes))
+}
+
+// VerifyNonce verifies the signature of a nonce using the public key bytes of the cluster.
 // The public key can be Ed25519, RSA, or ECDSA.
-func VerifyNonce(pubKeyPKIX, nonce, signature []byte) (bool, error) {
-	pub, err := x509.ParsePKIXPublicKey(pubKeyPKIX)
+// It accepts the public key in multiple formats:
+// - PKIX DER-encoded bytes
+// - PEM-encoded public key (will be decoded first)
+// - Raw Ed25519 public key bytes (32 bytes)
+func VerifyNonce(pubKeyBytes, nonce, signature []byte) (bool, error) {
+	pub, err := parsePublicKey(pubKeyBytes)
 	if err != nil {
 		return false, fmt.Errorf("failed to parse public key: %w", err)
 	}
