tka: make rotation signatures use nested keyID

Duplicating this at each layer doesnt make any sense, and is another invariant where things could go wrong. Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-10-09 08:01:31 +00:00 · 2022-10-14 12:34:04 -07:00
parent 86c5bddce2
commit e8a11f6181
3 changed files with 38 additions and 5 deletions
--- a/tka/sig.go
+++ b/tka/sig.go
@@ -116,6 +116,27 @@ func (s NodeKeySignature) wrappingPublic() (pub ed25519.PublicKey, ok bool) {
 	}
 }

+// authorizingKeyID returns the KeyID of the key trusted by network-lock which authorizes
+// this signature.
+func (s NodeKeySignature) authorizingKeyID() (tkatype.KeyID, error) {
+	switch s.SigKind {
+	case SigDirect, SigCredential:
+		if len(s.KeyID) == 0 {
+			return tkatype.KeyID{}, errors.New("invalid signature: no keyID present")
+		}
+		return tkatype.KeyID(s.KeyID), nil
+
+	case SigRotation:
+		if s.Nested == nil {
+			return tkatype.KeyID{}, errors.New("invalid signature: rotation signature missing nested signature")
+		}
+		return s.Nested.authorizingKeyID()
+
+	default:
+		return tkatype.KeyID{}, fmt.Errorf("unhandled signature type: %v", s.SigKind)
+	}
+}
+
 // SigHash returns the cryptographic digest which a signature
 // is over.
 //