control/controlclient: update machine certificate signature version

This iterates on the original signature format.

Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
This commit is contained in:
Adrian Dewhurst
2021-09-17 13:17:57 -04:00
committed by Adrian Dewhurst
parent a722e48cef
commit 4da559d7cc
3 changed files with 35 additions and 10 deletions


@@ -558,10 +558,16 @@ const (
// be considered an error if seen.
SignatureUnknown
// SignatureV1 is computed as RSA-PSS-Sign(privateKeyForDeviceCert,
// SHA256(Timestamp || ServerIdentity || DeviceCert || ServerShortPubKey ||
// MachineShortPubKey)). The PSS salt length is equal to hash length
// (rsa.PSSSaltLengthEqualsHash). Device cert is required.
// Deprecated: uses old key serialization format.
SignatureV1
// SignatureV2 is computed as RSA-PSS-Sign(privateKeyForDeviceCert,
// SHA256(Timestamp || ServerIdentity || DeviceCert || ServerPubKey ||
// MachinePubKey)). The PSS salt length is equal to hash length
// (rsa.PSSSaltLengthEqualsHash). Device cert is required.
SignatureV1
SignatureV2
)
func (st SignatureType) MarshalText() ([]byte, error) {
@@ -574,6 +580,8 @@ func (st *SignatureType) UnmarshalText(b []byte) error {
*st = SignatureNone
case "signature-v1":
*st = SignatureV1
case "signature-v2":
*st = SignatureV2
default:
var val int
if _, err := fmt.Sscanf(string(b), "signature-unknown(%d)", &val); err != nil {
@@ -593,6 +601,8 @@ func (st SignatureType) String() string {
return "signature-unknown"
case SignatureV1:
return "signature-v1"
case SignatureV2:
return "signature-v2"
default:
return fmt.Sprintf("signature-unknown(%d)", int(st))
}
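Review bot: The `// Deprecated: uses old key serialization format.` line added to SignatureV1 in the first hunk runs on directly from the description paragraph, so staticcheck and gopls will not recognize it as a deprecation notice and code that still selects SignatureV1 will not be flagged; separate it into its own paragraph: `// (rsa.PSSSaltLengthEqualsHash). Device cert is required.` / `//` / `// Deprecated: uses old key serialization format.`. The new SignatureV2 comment would also benefit from naming what changed relative to V1 (the ServerPubKey/MachinePubKey serialization in place of the Short forms), since the two descriptions otherwise read almost identically and that difference is presumably what a verifier distinguishes the versions on. The const block in the first hunk, and UnmarshalText and String in the later two, all begin outside the lines shown.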