Skip to content

[WIP] fix(auth): auto-detect non-RSA private keys in service account info#17660

Draft
ohmayr wants to merge 2 commits into
mainfrom
pqc-service-account-key-autodetect
Draft

[WIP] fix(auth): auto-detect non-RSA private keys in service account info#17660
ohmayr wants to merge 2 commits into
mainfrom
pqc-service-account-key-autodetect

Conversation

@ohmayr

@ohmayr ohmayr commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes #<issue_number_goes_here> 🦕

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces auto-detection for non-RSA (EC) keys when parsing service account info, automatically switching to an EC signer if "EC PRIVATE KEY" or "EC PARAMETERS" is detected in the private key. A corresponding test case is added to verify this behavior. The reviewer suggested improving the auto-detection logic to also handle bytes types for the private key by decoding them to UTF-8 before performing substring checks.

Comment on lines +56 to +62
private_key = data.get("private_key", "")
if (
use_rsa_signer
and isinstance(private_key, str)
and ("EC PRIVATE KEY" in private_key or "EC PARAMETERS" in private_key)
):
use_rsa_signer = False

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The current auto-detection logic only checks if private_key is an instance of str. However, in Python, private_key can also be passed as bytes (which is supported by crypt.RSASigner.from_string and crypt.EsSigner.from_string). If private_key is bytes, the check isinstance(private_key, str) will evaluate to False, and the auto-detection will fail, leading to a subsequent failure when attempting to load the key as RSA.

To make this more robust, we should decode private_key to a string if it is an instance of bytes before performing the substring checks.

Suggested change
private_key = data.get("private_key", "")
if (
use_rsa_signer
and isinstance(private_key, str)
and ("EC PRIVATE KEY" in private_key or "EC PARAMETERS" in private_key)
):
use_rsa_signer = False
private_key = data.get("private_key", "")
if use_rsa_signer:
if isinstance(private_key, bytes):
private_key = private_key.decode("utf-8", errors="ignore")
if isinstance(private_key, str) and (
"EC PRIVATE KEY" in private_key or "EC PARAMETERS" in private_key
):
use_rsa_signer = False

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant