Allow to load ECDSA certificates for pages domains

Just replace RSA.new with PKey.read

2 files changed, 36 insertions, 2 deletions

diff --git a/app/validators/certificate_key_validator.rb b/app/validators/certificate_key_validator.rb
index 5b2bbffc066..b9d54d9636e 100644
--- a/app/validators/certificate_key_validator.rb
+++ b/app/validators/certificate_key_validator.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-# UrlValidator
+# CertificateKeyValidator
 #
 # Custom validator for private keys.
 #
@@ -20,7 +20,7 @@ class CertificateKeyValidator < ActiveModel::EachValidator
   def valid_private_key_pem?(value)
     return false unless value
 
-    pkey = OpenSSL::PKey::RSA.new(value)
+    pkey = OpenSSL::PKey.read(value)
     pkey.private?
   rescue OpenSSL::PKey::PKeyError
     false
diff --git a/app/validators/named_ecdsa_key_validator.rb b/app/validators/named_ecdsa_key_validator.rb
new file mode 100644
index 00000000000..42ee02b6ad4
--- /dev/null
+++ b/app/validators/named_ecdsa_key_validator.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+# NamedEcdsaKeyValidator
+#
+# Custom validator for ecdsa private keys.
+# Golang currently doesn't support explicit curves for ECDSA certificates
+# This validator checks if curve is set by name, not by parameters
+#
+#   class Project < ActiveRecord::Base
+#     validates :certificate_key, named_ecdsa_key: true
+#   end
+#
+class NamedEcdsaKeyValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    if explicit_ec?(value)
+      record.errors.add(attribute, "ECDSA keys with explicit curves are not supported")
+    end
+  end
+
+  private
+
+  UNNAMED_CURVE = "UNDEF"
+
+  def explicit_ec?(value)
+    return false unless value
+
+    pkey = OpenSSL::PKey.read(value)
+    return false unless pkey.is_a?(OpenSSL::PKey::EC)
+
+    pkey.group.curve_name == UNNAMED_CURVE
+  rescue OpenSSL::PKey::PKeyError
+    false
+  end
+end