fix(service): cert

service/internal/security/crypto_provider.go

@@ -16,6 +16,7 @@ type CryptoProvider interface {
 	RSADecrypt(hash crypto.Hash, keyID string, keyLabel string, ciphertext []byte) ([]byte, error)
 
 	ECPublicKey(keyID string) (string, error)
+	ECCertificate(keyID string) (string, error)
 	GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error)
 	GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error)
 	GenerateNanoTDFSessionKey(privateKeyHandle PrivateKeyEC, ephemeralPublicKey []byte) ([]byte, error)

service/internal/security/hsm.go

@@ -702,6 +702,17 @@ func (h *HSMSession) RSAPublicKeyAsJSON(keyID string) (string, error) {
 	return string(jsonPublicKey), nil
 }
 
+func (h *HSMSession) ECCertificate(string) (string, error) {
+	if h.EC == nil || h.EC.Certificate == nil {
+		return "", ErrCertNotFound
+	}
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: h.EC.Certificate.Raw,
+	})
+	return string(certPEM), nil
+}
+
 func (h *HSMSession) ECPublicKey(string) (string, error) {
 	if h.EC == nil || h.EC.PublicKey == nil {
 		return "", ErrCertNotFound

service/internal/security/standard_crypto.go

@@ -148,23 +148,29 @@ func (s StandardCrypto) RSAPublicKey(keyID string) (string, error) {
 	return pem, nil
 }
 
-func (s StandardCrypto) ECPublicKey(string) (string, error) {
+func (s StandardCrypto) ECCertificate(string) (string, error) {
 	if len(s.ecKeys) == 0 {
 		return "", ErrCertNotFound
 	}
 	// this endpoint returns certificate
 	ecKey := s.ecKeys[0]
 	return ecKey.ecCertificatePEM, nil
-	//publicKeyBytes, err := x509.MarshalPKIXPublicKey(ecKey.ecPublicKey)
-	//if err != nil {
-	//	return "", ErrPublicKeyMarshal
-	//}
-	//pemEncoded := pem.EncodeToMemory(&pem.Block{
-	//	Type:  "PUBLIC KEY",
-	//	Bytes: publicKeyBytes,
-	//})
-	//return string(pemEncoded), nil
+}
 
+func (s StandardCrypto) ECPublicKey(string) (string, error) {
+	if len(s.ecKeys) == 0 {
+		return "", ErrCertNotFound
+	}
+	ecKey := s.ecKeys[0]
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(ecKey.ecPublicKey)
+	if err != nil {
+		return "", ErrPublicKeyMarshal
+	}
+	pemEncoded := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyBytes,
+	})
+	return string(pemEncoded), nil
 }
 
 func (s StandardCrypto) RSADecrypt(_ crypto.Hash, keyID string, _ string, ciphertext []byte) ([]byte, error) {
@@ -205,6 +211,7 @@ func (s StandardCrypto) RSAPublicKeyAsJSON(keyID string) (string, error) {
 }
 
 func (s StandardCrypto) GenerateNanoTDFSymmetricKey([]byte) ([]byte, error) {
+
 	return nil, errNotImplemented
 }
 

service/kas/access/publicKey.go

@@ -23,29 +23,25 @@ const (
 
 func (p *Provider) LegacyPublicKey(ctx context.Context, in *kaspb.LegacyPublicKeyRequest) (*wrapperspb.StringValue, error) {
 	algorithm := in.GetAlgorithm()
-	var pem string
+	var cert string
 	var err error
 	if p.CryptoProvider == nil {
 		return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error"))
 	}
 	if algorithm == algorithmEc256 {
-		pem, err = p.CryptoProvider.ECPublicKey("unknown")
+		cert, err = p.CryptoProvider.ECCertificate("unknown")
 		if err != nil {
 			slog.ErrorContext(ctx, "CryptoProvider.ECPublicKey failed", "err", err)
 			return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error"))
 		}
 	} else {
-		pem, err = p.CryptoProvider.RSAPublicKey("unknown")
+		cert, err = p.CryptoProvider.RSAPublicKey("unknown")
 		if err != nil {
 			slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err)
 			return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error"))
 		}
 	}
-	if err != nil {
-		slog.ErrorContext(ctx, "unable to generate PEM", "err", err)
-		return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error"))
-	}
-	return &wrapperspb.StringValue{Value: pem}, nil
+	return &wrapperspb.StringValue{Value: cert}, nil
 }
 
 func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (*kaspb.PublicKeyResponse, error) {