tka: make rotation signatures use nested keyID

Duplicating this at each layer doesnt make any sense, and is another invariant where things could go wrong. Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-08-23 03:17:43 +00:00 · 2022-10-14 12:34:04 -07:00
parent 86c5bddce2
commit e8a11f6181
3 changed files with 38 additions and 5 deletions
--- a/tka/sig_test.go
+++ b/tka/sig_test.go
@@ -79,7 +79,6 @@ func TestSigNested(t *testing.T) {
 	// rotation key & embedding the original signature.
 	sig := NodeKeySignature{
 		SigKind: SigRotation,
-		KeyID:   k.ID(),
 		Pubkey:  nodeKeyPub,
 		Nested:  &nestedSig,
 	}
@@ -145,14 +144,13 @@ func TestSigNested_DeepNesting(t *testing.T) {

 	outer := nestedSig
 	var lastNodeKey key.NodePrivate
-	for i := 0; i < 100; i++ {
+	for i := 0; i < 15; i++ { // 15 = max nesting level for CBOR
 		lastNodeKey = key.NewNode()
 		nodeKeyPub, _ := lastNodeKey.Public().MarshalBinary()

 		tmp := outer
 		sig := NodeKeySignature{
 			SigKind: SigRotation,
-			KeyID:   k.ID(),
 			Pubkey:  nodeKeyPub,
 			Nested:  &tmp,
 		}
@@ -166,6 +164,16 @@ func TestSigNested_DeepNesting(t *testing.T) {
 		t.Fatalf("verifySignature(lastNodeKey) failed: %v", err)
 	}

+	// Test this works with our public API
+	a, _ := Open(newTestchain(t, "G1\nG1.template = genesis",
+		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
+			Keys:               []Key{k},
+			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
+		}})).Chonk())
+	if err := a.NodeKeyAuthorized(lastNodeKey.Public(), outer.Serialize()); err != nil {
+		t.Errorf("NodeKeyAuthorized(lastNodeKey) failed: %v", err)
+	}
+
 	// Test verification fails if the inner signature is invalid
 	tmp := make([]byte, ed25519.SignatureSize)
 	copy(tmp, nestedSig.Signature)
@@ -206,7 +214,6 @@ func TestSigCredential(t *testing.T) {
 	// delegated key & embedding the original signature.
 	sig := NodeKeySignature{
 		SigKind: SigRotation,
-		KeyID:   k.ID(),
 		Pubkey:  nodeKeyPub,
 		Nested:  &nestedSig,
 	}