Refactor modules/jwtx: Pull out key creation vs. loading

This patch only moves code around and splits out two functions from loadOrCreateAsymmetricKey(). The diff is best viewed with -b to ignore white space (indentation) changes. This is done for two reasons: - For future additions, we will need loadAsymmetricKey() only, without the create - The doubly nested immediately invoked closure construction was not exactly helping clarity
2026-05-12 22:10:25 +00:00 · 2026-02-05 18:33:41 +01:00 · 2026-02-05 18:33:41 +01:00 · f6ba8bac03
commit f6ba8bac03
parent ecae2459c7
1 changed files with 70 additions and 65 deletions
--- a/modules/jwtx/signingkey.go
+++ b/modules/jwtx/signingkey.go
@ -285,76 +285,65 @@ func CreateSigningKey(algorithm string, key any) (SigningKey, error) {
 	}
 }

-// loadOrCreateAsymmetricKey checks if the configured private key exists.
-// If it does not exist a new random key gets generated and saved on the configured path.
-func loadOrCreateAsymmetricKey(keyPath, algorithm string) (any, error) {
-	isExist, err := util.IsExist(keyPath)
-	if err != nil {
-		return nil, fmt.Errorf("Unable to check if %s exists. Error: %v", keyPath, err)
-	}
-	if !isExist {
-		err := func() error {
-			key, err := func() (any, error) {
-				switch {
-				case strings.HasPrefix(algorithm, "RS"):
-					var bits int
-					switch algorithm {
-					case "RS256":
-						bits = 2048
-					case "RS384":
-						bits = 3072
-					case "RS512":
-						bits = 4096
-					}
-					return rsa.GenerateKey(rand.Reader, bits)
-				case algorithm == "EdDSA":
-					_, pk, err := ed25519.GenerateKey(rand.Reader)
-					return pk, err
-				default:
-					var curve elliptic.Curve
-					switch algorithm {
-					case "ES256":
-						curve = elliptic.P256()
-					case "ES384":
-						curve = elliptic.P384()
-					case "ES512":
-						curve = elliptic.P521()
-					}
-					return ecdsa.GenerateKey(curve, rand.Reader)
-				}
-			}()
-			if err != nil {
-				return err
+func createAsymmetricKey(keyPath, algorithm string) error {
+	key, err := func() (any, error) {
+		switch {
+		case strings.HasPrefix(algorithm, "RS"):
+			var bits int
+			switch algorithm {
+			case "RS256":
+				bits = 2048
+			case "RS384":
+				bits = 3072
+			case "RS512":
+				bits = 4096
 			}
-
-			bytes, err := x509.MarshalPKCS8PrivateKey(key)
-			if err != nil {
-				return err
+			return rsa.GenerateKey(rand.Reader, bits)
+		case algorithm == "EdDSA":
+			_, pk, err := ed25519.GenerateKey(rand.Reader)
+			return pk, err
+		default:
+			var curve elliptic.Curve
+			switch algorithm {
+			case "ES256":
+				curve = elliptic.P256()
+			case "ES384":
+				curve = elliptic.P384()
+			case "ES512":
+				curve = elliptic.P521()
 			}
-
-			privateKeyPEM := &pem.Block{Type: "PRIVATE KEY", Bytes: bytes}
-
-			if err := os.MkdirAll(filepath.Dir(keyPath), os.ModePerm); err != nil {
-				return err
-			}
-
-			f, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
-			if err != nil {
-				return err
-			}
-			defer func() {
-				if err = f.Close(); err != nil {
-					log.Error("Close: %v", err)
-				}
-			}()
-
-			return pem.Encode(f, privateKeyPEM)
-		}()
-		if err != nil {
-			return nil, fmt.Errorf("Error generating private key %s: %v", keyPath, err)
+			return ecdsa.GenerateKey(curve, rand.Reader)
 		}
+	}()
+	if err != nil {
+		return err
 	}

+	bytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return err
+	}
+
+	privateKeyPEM := &pem.Block{Type: "PRIVATE KEY", Bytes: bytes}
+
+	if err := os.MkdirAll(filepath.Dir(keyPath), os.ModePerm); err != nil {
+		return err
+	}
+
+	f, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err = f.Close(); err != nil {
+			log.Error("Close: %v", err)
+		}
+	}()
+
+	return pem.Encode(f, privateKeyPEM)
+}
+
+func loadAsymmetricKey(keyPath string) (any, error) {
 	bytes, err := os.ReadFile(keyPath)
 	if err != nil {
 		return nil, err
@ -370,6 +359,22 @@ func loadOrCreateAsymmetricKey(keyPath, algorithm string) (any, error) {
 	return x509.ParsePKCS8PrivateKey(block.Bytes)
 }

+// loadOrCreateAsymmetricKey checks if the configured private key exists.
+// If it does not exist a new random key gets generated and saved on the configured path.
+func loadOrCreateAsymmetricKey(keyPath, algorithm string) (any, error) {
+	isExist, err := util.IsExist(keyPath)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to check if %s exists. Error: %v", keyPath, err)
+	}
+	if !isExist {
+		err := createAsymmetricKey(keyPath, algorithm)
+		if err != nil {
+			return nil, fmt.Errorf("Error generating private key %s: %v", keyPath, err)
+		}
+	}
+	return loadAsymmetricKey(keyPath)
+}
+
 // InitSigningKey creates a signing key from settings or creates a random key.
 func InitSigningKey(getGeneralTokenSigningSecret func() []byte, keyPath, algorithm string) (SigningKey, error) {
 	var err error