Add check to use same key for TA force reinit

NLnetLabs · Jan 31, 2025 · c9f54a8 · c9f54a8
1 parent 364199b
commit c9f54a8
Showing 1 changed file with 33 additions and 3 deletions.
diff --git a/src/cli/ta/signer.rs b/src/cli/ta/signer.rs
@@ -1,6 +1,7 @@
 //! Managing the Trust Anchor Signer.
 
 use std::sync::Arc;
+use openssl::error::ErrorStack;
 use rpki::ca::idexchange;
 use rpki::uri;
 use crate::ta;
@@ -132,14 +133,43 @@ impl TrustAnchorSignerManager {
         &self,
         info: SignerInitInfo,
     ) -> Result<Success, SignerClientError> {
-        if self.store.has(&self.ta_handle)? {
+        if let Ok(cert) = self.store.get_latest(&self.ta_handle) {
             if !info.force {
                 return Err(SignerClientError::other(
                     "Trust Anchor Signer was already initialised.",
                 ));
-            } else if let Err(e) = self.store.drop(&self.ta_handle) {
+            } 
+            if let Some(priv_key) = &info.private_key_pem {
+                let res = || -> Result<(Vec<u8>, Vec<u8>), ErrorStack> {
+                    let priv_key = openssl::pkey::PKey::private_key_from_pem(
+                        priv_key.as_bytes()
+                    )?;
+                    let signer_info = cert.get_signer_info();
+                    let pub_key = signer_info.ta_cert_details.cert().csr_info().key();
+                    let k1 = priv_key.public_key_to_der()?;
+                    let k2 = pub_key.to_info_bytes().to_vec();
+                    return Ok((k1, k2));
+                }();
+                if let Ok((k1, k2)) = res {
+                    if k1 != k2 {
+                        return Err(SignerClientError::other(
+                            "You are not using the same private key."
+                        ));
+                    }
+                } else if let Err(e) = res {
+                    return Err(SignerClientError::other(
+                        e.to_string()
+                    ));
+                }
+
+                if let Err(e) = self.store.drop(&self.ta_handle) {
+                    return Err(SignerClientError::other(
+                        e.to_string(),
+                    ));
+                }
+            } else {
                 return Err(SignerClientError::other(
-                    e.to_string(),
+                    "Private key must be provided when force reinitialising."
                 ));
             }
         }