tka: add public API on NodeKeySignature key information

This is needed in the coordination server. Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-02-18 02:48:40 +00:00 · 2023-02-23 10:31:13 -08:00 · 2023-02-23 10:31:13 -08:00 · abc874b04e
commit abc874b04e
parent 61a345c8e1
1 changed files with 21 additions and 0 deletions
--- a/tka/sig.go
+++ b/tka/sig.go
@ -96,6 +96,18 @@ type NodeKeySignature struct {
 	WrappingPubkey []byte `cbor:"6,keyasint,omitempty"`
 }

+// UnverifiedWrappingPublic returns the public key which must sign a
+// signature which embeds this one, if any.
+//
+// See docs on NodeKeySignature.WrappingPubkey & SigRotation for documentation
+// about wrapping public keys.
+//
+// SAFETY: The caller MUST verify the signature using
+// Authority.NodeKeyAuthorized if treating this as authentic information.
+func (s NodeKeySignature) UnverifiedWrappingPublic() (pub ed25519.PublicKey, ok bool) {
+	return s.wrappingPublic()
+}
+
 // wrappingPublic returns the public key which must sign a signature which
 // embeds this one, if any.
 func (s NodeKeySignature) wrappingPublic() (pub ed25519.PublicKey, ok bool) {
@ -115,6 +127,15 @@ func (s NodeKeySignature) wrappingPublic() (pub ed25519.PublicKey, ok bool) {
 	}
 }

+// UnverifiedAuthorizingKeyID returns the KeyID of the key which authorizes
+// this signature.
+//
+// SAFETY: The caller MUST verify the signature using
+// Authority.NodeKeyAuthorized if treating this as authentic information.
+func (s NodeKeySignature) UnverifiedAuthorizingKeyID() (tkatype.KeyID, error) {
+	return s.authorizingKeyID()
+}
+
 // authorizingKeyID returns the KeyID of the key trusted by network-lock which authorizes
 // this signature.
 func (s NodeKeySignature) authorizingKeyID() (tkatype.KeyID, error) {