tka: support rotating node-keys in node-key signatures

Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-10-09 08:01:31 +00:00 · 2022-08-23 13:13:46 -07:00
parent b3cc719add
commit a78f8fa701
5 changed files with 280 additions and 52 deletions
--- a/tka/tka.go
+++ b/tka/tka.go
@@ -13,6 +13,7 @@ import (
 	"sort"

 	"github.com/fxamacker/cbor/v2"
+	"tailscale.com/types/key"
 	"tailscale.com/types/tkatype"
 )

@@ -23,7 +24,7 @@ var cborDecOpts = cbor.DecOptions{
 	TagsMd:      cbor.TagsForbidden,

 	// Arbitrarily-chosen maximums.
-	MaxNestedLevels:  8,
+	MaxNestedLevels:  16, // Most likely to be hit for SigRotation sigs.
 	MaxArrayElements: 4096,
 	MaxMapPairs:      1024,
 }
@@ -604,9 +605,9 @@ func (a *Authority) Inform(updates []AUM) error {
 	return nil
 }

-// VerifySignature returns true if the provided nodeKeySignature is signed
-// correctly by a trusted key.
-func (a *Authority) VerifySignature(nodeKeySignature tkatype.MarshaledSignature) error {
+// NodeKeyAuthorized checks if the provided nodeKeySignature authorizes
+// the given node key.
+func (a *Authority) NodeKeyAuthorized(nodeKey key.NodePublic, nodeKeySignature tkatype.MarshaledSignature) error {
 	var decoded NodeKeySignature
 	if err := decoded.Unserialize(nodeKeySignature); err != nil {
 		return fmt.Errorf("unserialize: %v", err)
@@ -616,7 +617,7 @@ func (a *Authority) VerifySignature(nodeKeySignature tkatype.MarshaledSignature)
 		return fmt.Errorf("key: %v", err)
 	}

-	return decoded.verifySignature(key)
+	return decoded.verifySignature(nodeKey, key)
 }

 // KeyTrusted returns true if the given keyID is trusted by the tailnet