tka: support rotating node-keys in node-key signatures

Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-10-08 23:49:56 +00:00 · 2022-08-23 13:13:46 -07:00
parent b3cc719add
commit a78f8fa701
5 changed files with 280 additions and 52 deletions
--- a/types/key/nl_test.go
+++ b/types/key/nl_test.go
@@ -6,10 +6,7 @@ package key

 import (
 	"bytes"
-	"crypto/ed25519"
 	"testing"
-
-	"tailscale.com/tka"
 )

 func TestNLPrivate(t *testing.T) {
@@ -40,30 +37,4 @@ func TestNLPrivate(t *testing.T) {
 	if !bytes.Equal(decodedPub.k[:], pub.k[:]) {
 		t.Error("decoded and generated NLPublic bytes differ")
 	}
-
-	// Test that NLPrivate implements tka.Signer by making a new
-	// authority.
-	k := tka.Key{Kind: tka.Key25519, Public: pub.Verifier(), Votes: 1}
-	_, aum, err := tka.Create(&tka.Mem{}, tka.State{
-		Keys:               []tka.Key{k},
-		DisablementSecrets: [][]byte{bytes.Repeat([]byte{1}, 32)},
-	}, p)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	// Make sure the generated genesis AUM was signed.
-	if got, want := len(aum.Signatures), 1; got != want {
-		t.Fatalf("len(signatures) = %d, want %d", got, want)
-	}
-	sigHash := aum.SigHash()
-	if ok := ed25519.Verify(pub.Verifier(), sigHash[:], aum.Signatures[0].Signature); !ok {
-		t.Error("signature did not verify")
-	}
-
-	// We manually compute the keyID, so make sure its consistent with
-	// tka.Key.ID().
-	if !bytes.Equal(k.ID(), p.KeyID()) {
-		t.Errorf("private.KeyID() & tka KeyID differ: %x != %x", k.ID(), p.KeyID())
-	}
 }