verifyKeysMatch verifies that the public key in the [x509.Certificate] matches the public key of the [crypto.Signer].
(crt *x509.Certificate, signer crypto.Signer)
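// verifyKeysMatch verifies that the public key in the [x509.Certificate] matches
// the public key of the [crypto.Signer].
//
// Only RSA, ECDSA and Ed25519 certificate keys are accepted; any other key type
// is rejected rather than compared. An error is returned when either argument
// is nil, when the two keys are of different types, or when they are of the
// same type but not equal.
//
// The check compares public keys only. It relies on what signer.Public()
// reports and does not prove possession of the private key (no signature is
// produced and verified here), nor does it inspect any other certificate field
// such as validity period, basic constraints or key usage. Callers that need
// those guarantees must enforce them separately.
func verifyKeysMatch(crt *x509.Certificate, signer crypto.Signer) error {
	// Reject nil inputs explicitly instead of panicking on a nil dereference
	// or a method call on a nil interface.
	if crt == nil {
		return errors.New("issuer certificate is nil")
	}
	if signer == nil {
		return errors.New("private key is nil")
	}

	// Read the signer's public key once: the signer may be backed by a remote
	// or hardware key store, and a single read guarantees that the value that
	// is compared is also the value reported in the error message.
	signerPub := signer.Public()

	typeMismatch := func() error {
		return fmt.Errorf("private key type %T does not match issuer public key type %T", signerPub, crt.PublicKey)
	}

	var equal bool
	switch pub := crt.PublicKey.(type) {
	case *rsa.PublicKey:
		pk, ok := signerPub.(*rsa.PublicKey)
		if !ok {
			return typeMismatch()
		}
		equal = pub.Equal(pk)
	case *ecdsa.PublicKey:
		pk, ok := signerPub.(*ecdsa.PublicKey)
		if !ok {
			return typeMismatch()
		}
		equal = pub.Equal(pk)
	case ed25519.PublicKey:
		pk, ok := signerPub.(ed25519.PublicKey)
		if !ok {
			return typeMismatch()
		}
		equal = pub.Equal(pk)
	default:
		// Fail closed: an unknown key type is never treated as a match.
		return fmt.Errorf("unsupported key type: %T", pub)
	}

	if !equal {
		return errors.New("private key does not match issuer public key")
	}

	return nil
}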