add ecdsa support

ezekg · ezekg · commit 39748e704ab5 · 2025-09-15T16:27:01.000-05:00
diff --git a/client.go b/client.go
@@ -59,6 +59,7 @@ type ClientOptions struct {
 	APIVersion  string
 	APIPrefix   string
 	APIURL      string
+	Scheme      string
 }
 
 // Client represents the internal HTTP client and config used for API requests.
@@ -83,6 +84,7 @@ func NewClient() *Client {
 			APIPrefix:   APIPrefix,
 			APIVersion:  APIVersion,
 			APIURL:      APIURL,
+			Scheme:      Scheme,
 		},
 		mutex,
 	}
@@ -104,6 +106,7 @@ func NewClientWithOptions(options *ClientOptions) *Client {
 			APIPrefix:   options.APIPrefix,
 			APIVersion:  options.APIVersion,
 			APIURL:      options.APIURL,
+			Scheme:      options.Scheme,
 		},
 		mutex,
 	}
@@ -252,6 +255,10 @@ func (c *Client) new(ctx context.Context, method string, path string, params int
 		req.Header.Add("Keygen-Environment", c.Environment)
 	}
 
+	if c.Scheme != "" {
+		req.Header.Add("Keygen-Accept-Signature", fmt.Sprintf("algorithm=%q", c.Scheme))
+	}
+
 	req.Header.Add("Keygen-Version", c.APIVersion)
 
 	if in.Len() > 0 {
@@ -345,7 +352,7 @@ func (c *Client) send(req *http.Request, model interface{}) (*Response, error) {
 	}
 
 	if c.PublicKey != "" {
-		verifier := &verifier{c.PublicKey}
+		verifier := &verifier{PublicKey: c.PublicKey, Scheme: c.Scheme}
 
 		if err := verifier.VerifyResponse(response); err != nil {
 			Logger.Errorf("Error verifying response signature: id=%s status=%d size=%d body=%s err=%v", response.ID, response.Status, response.Size, response.tldr(), err)
diff --git a/errors.go b/errors.go
@@ -103,63 +103,65 @@ func (e *RateLimitError) Unwrap() error { return e.Err }
 
 // General errors
 var (
-	ErrReleaseLocationMissing       = errors.New("release has no download URL")
-	ErrUpgradeNotAvailable          = errors.New("no upgrades available (already up-to-date)")
-	ErrResponseSignatureMissing     = errors.New("response signature is missing")
-	ErrResponseSignatureInvalid     = errors.New("response signature is invalid")
-	ErrResponseDigestMissing        = errors.New("response digest is missing")
-	ErrResponseDigestInvalid        = errors.New("response digest is invalid")
-	ErrResponseDateMissing          = errors.New("response date is missing")
-	ErrResponseDateInvalid          = errors.New("response date is invalid")
-	ErrResponseDateTooOld           = errors.New("response date is too old")
-	ErrRequestSignatureMissing      = errors.New("request signature is missing")
-	ErrRequestSignatureInvalid      = errors.New("request signature is invalid")
-	ErrRequestDigestMissing         = errors.New("request digest is missing")
-	ErrRequestDigestInvalid         = errors.New("request digest is invalid")
-	ErrRequestDateMissing           = errors.New("request date is missing")
-	ErrRequestDateInvalid           = errors.New("request date is invalid")
-	ErrRequestDateTooOld            = errors.New("request date is too old")
-	ErrPublicKeyMissing             = errors.New("public key is missing")
-	ErrPublicKeyInvalid             = errors.New("public key is invalid")
-	ErrValidationFingerprintMissing = errors.New("validation fingerprint scope is missing")
-	ErrValidationComponentsMissing  = errors.New("validation components scope is missing")
-	ErrValidationProductMissing     = errors.New("validation product scope is missing")
-	ErrHeartbeatPingFailed          = errors.New("heartbeat ping failed")
-	ErrHeartbeatRequired            = errors.New("heartbeat is required")
-	ErrHeartbeatDead                = errors.New("heartbeat is dead")
-	ErrMachineAlreadyActivated      = errors.New("machine is already activated")
-	ErrMachineLimitExceeded         = errors.New("machine limit has been exceeded")
-	ErrMachineNotFound              = errors.New("machine no longer exists")
-	ErrProcessNotFound              = errors.New("process no longer exists")
-	ErrMachineFileNotSupported      = errors.New("machine file is not supported")
-	ErrMachineFileNotEncrypted      = errors.New("machine file is not encrypted")
-	ErrMachineFileNotGenuine        = errors.New("machine file is not genuine")
-	ErrMachineFileExpired           = errors.New("machine file is expired")
-	ErrComponentNotActivated        = errors.New("component is not activated")
-	ErrComponentAlreadyActivated    = errors.New("component is already activated")
-	ErrComponentConflict            = errors.New("component is duplicated")
-	ErrProcessLimitExceeded         = errors.New("process limit has been exceeded")
-	ErrLicenseSchemeNotSupported    = errors.New("license scheme is not supported")
-	ErrLicenseSchemeMissing         = errors.New("license scheme is missing")
-	ErrLicenseKeyMissing            = errors.New("license key is missing")
-	ErrLicenseKeyNotGenuine         = errors.New("license key is not genuine")
-	ErrLicenseNotActivated          = errors.New("license is not activated")
-	ErrLicenseNotAllowed            = errors.New("license authentication is not allowed by policy")
-	ErrLicenseExpired               = errors.New("license is expired")
-	ErrLicenseSuspended             = errors.New("license is suspended")
-	ErrLicenseTooManyMachines       = errors.New("license has too many machines")
-	ErrLicenseTooManyCores          = errors.New("license has too many cores")
-	ErrLicenseTooManyProcesses      = errors.New("license has too many processes")
-	ErrLicenseNotSigned             = errors.New("license is not signed")
-	ErrLicenseInvalid               = errors.New("license is invalid")
-	ErrLicenseFileNotSupported      = errors.New("license file is not supported")
-	ErrLicenseFileNotEncrypted      = errors.New("license file is not encrypted")
-	ErrLicenseFileNotGenuine        = errors.New("license file is not genuine")
-	ErrLicenseFileExpired           = errors.New("license file is expired")
-	ErrLicenseFileSecretMissing     = errors.New("license file secret is missing")
-	ErrTokenNotAllowed              = errors.New("token authentication is not allowed by policy")
-	ErrTokenFormatInvalid           = errors.New("token format is invalid")
-	ErrTokenInvalid                 = errors.New("token is invalid")
-	ErrTokenExpired                 = errors.New("token is expired")
-	ErrSystemClockUnsynced          = errors.New("system clock is out of sync")
+	ErrReleaseLocationMissing        = errors.New("release has no download URL")
+	ErrUpgradeNotAvailable           = errors.New("no upgrades available (already up-to-date)")
+	ErrResponseSignatureMissing      = errors.New("response signature is missing")
+	ErrResponseSignatureInvalid      = errors.New("response signature is invalid")
+	ErrResponseSignatureNotSupported = errors.New("response signature is not supported")
+	ErrResponseDigestMissing         = errors.New("response digest is missing")
+	ErrResponseDigestInvalid         = errors.New("response digest is invalid")
+	ErrResponseDateMissing           = errors.New("response date is missing")
+	ErrResponseDateInvalid           = errors.New("response date is invalid")
+	ErrResponseDateTooOld            = errors.New("response date is too old")
+	ErrRequestSignatureMissing       = errors.New("request signature is missing")
+	ErrRequestSignatureInvalid       = errors.New("request signature is invalid")
+	ErrRequestDigestMissing          = errors.New("request digest is missing")
+	ErrRequestDigestInvalid          = errors.New("request digest is invalid")
+	ErrRequestDateMissing            = errors.New("request date is missing")
+	ErrRequestDateInvalid            = errors.New("request date is invalid")
+	ErrRequestDateTooOld             = errors.New("request date is too old")
+	ErrPublicKeyMissing              = errors.New("public key is missing")
+	ErrPublicKeyInvalid              = errors.New("public key is invalid")
+	ErrSchemeNotSupported            = errors.New("cryptographic scheme is not supported")
+	ErrValidationFingerprintMissing  = errors.New("validation fingerprint scope is missing")
+	ErrValidationComponentsMissing   = errors.New("validation components scope is missing")
+	ErrValidationProductMissing      = errors.New("validation product scope is missing")
+	ErrHeartbeatPingFailed           = errors.New("heartbeat ping failed")
+	ErrHeartbeatRequired             = errors.New("heartbeat is required")
+	ErrHeartbeatDead                 = errors.New("heartbeat is dead")
+	ErrMachineAlreadyActivated       = errors.New("machine is already activated")
+	ErrMachineLimitExceeded          = errors.New("machine limit has been exceeded")
+	ErrMachineNotFound               = errors.New("machine no longer exists")
+	ErrProcessNotFound               = errors.New("process no longer exists")
+	ErrMachineFileNotSupported       = errors.New("machine file is not supported")
+	ErrMachineFileNotEncrypted       = errors.New("machine file is not encrypted")
+	ErrMachineFileNotGenuine         = errors.New("machine file is not genuine")
+	ErrMachineFileExpired            = errors.New("machine file is expired")
+	ErrComponentNotActivated         = errors.New("component is not activated")
+	ErrComponentAlreadyActivated     = errors.New("component is already activated")
+	ErrComponentConflict             = errors.New("component is duplicated")
+	ErrProcessLimitExceeded          = errors.New("process limit has been exceeded")
+	ErrLicenseSchemeNotSupported     = errors.New("license scheme is not supported")
+	ErrLicenseSchemeMissing          = errors.New("license scheme is missing")
+	ErrLicenseKeyMissing             = errors.New("license key is missing")
+	ErrLicenseKeyNotGenuine          = errors.New("license key is not genuine")
+	ErrLicenseNotActivated           = errors.New("license is not activated")
+	ErrLicenseNotAllowed             = errors.New("license authentication is not allowed by policy")
+	ErrLicenseExpired                = errors.New("license is expired")
+	ErrLicenseSuspended              = errors.New("license is suspended")
+	ErrLicenseTooManyMachines        = errors.New("license has too many machines")
+	ErrLicenseTooManyCores           = errors.New("license has too many cores")
+	ErrLicenseTooManyProcesses       = errors.New("license has too many processes")
+	ErrLicenseNotSigned              = errors.New("license is not signed")
+	ErrLicenseInvalid                = errors.New("license is invalid")
+	ErrLicenseFileNotSupported       = errors.New("license file is not supported")
+	ErrLicenseFileNotEncrypted       = errors.New("license file is not encrypted")
+	ErrLicenseFileNotGenuine         = errors.New("license file is not genuine")
+	ErrLicenseFileExpired            = errors.New("license file is expired")
+	ErrLicenseFileSecretMissing      = errors.New("license file secret is missing")
+	ErrTokenNotAllowed               = errors.New("token authentication is not allowed by policy")
+	ErrTokenFormatInvalid            = errors.New("token format is invalid")
+	ErrTokenInvalid                  = errors.New("token is invalid")
+	ErrTokenExpired                  = errors.New("token is expired")
+	ErrSystemClockUnsynced           = errors.New("system clock is out of sync")
 )
diff --git a/keygen.go b/keygen.go
@@ -18,7 +18,7 @@ var (
 	APIURL = "https://api.keygen.sh"
 
 	// APIVersion is the currently supported API version.
-	APIVersion = "1.7"
+	APIVersion = "1.8"
 
 	// APIPrefix is the major version prefix included in all API URLs.
 	APIPrefix = "v1"
@@ -67,4 +67,9 @@ var (
 	// requests. Set this to a custom HTTP client, to implement e.g.
 	// automatic retries, rate limiting checks, or for tests.
 	HTTPClient = cleanhttp.DefaultPooledClient()
+
+	// Scheme is the acceptable cryptographic scheme to be used for
+	// verifying signatures for license keys, license/machine files,
+	// and responses. Supported schemes: ed25519, ecdsa-secp256r1.
+	Scheme = "ed25519"
 )
diff --git a/keygen_test.go b/keygen_test.go
@@ -18,8 +18,12 @@ func init() {
 	log := Logger.(*logger)
 	log.Level = LogLevelDebug
 
-	if url := os.Getenv("KEYGEN_CUSTOM_DOMAIN"); url != "" {
-		APIURL = url
+	if scheme := os.Getenv("KEYGEN_SIGNATURE_SCHEME"); scheme != "" {
+		Scheme = scheme
+	}
+
+	if host := os.Getenv("KEYGEN_HOST"); host != "" {
+		APIURL = host
 	}
 
 	PublicKey = os.Getenv("KEYGEN_PUBLIC_KEY")
@@ -38,6 +42,8 @@ func TestValidate(t *testing.T) {
 		t.Fatalf("Should fingerprint the current machine: err=%v", err)
 	}
 
+	Logger.Debugf("key=%q", LicenseKey)
+
 	if _, err := Validate(ctx); err != ErrValidationFingerprintMissing {
 		t.Fatalf("Should have a required scope: err=%v", err)
 	}
diff --git a/license.go b/license.go
@@ -12,7 +12,8 @@ import (
 type SchemeCode string
 
 const (
-	SchemeCodeEd25519 SchemeCode = "ED25519_SIGN"
+	SchemeCodeEd25519        SchemeCode = "ED25519_SIGN"
+	SchemeCodeECDSASecp256r1 SchemeCode = "ECDSA_SECP256R1_SIGN"
 )
 
 // License represents a Keygen license object.
@@ -139,7 +140,7 @@ func (l *License) Verify() ([]byte, error) {
 		return nil, ErrLicenseNotSigned
 	}
 
-	verifier := &verifier{PublicKey: PublicKey}
+	verifier := &verifier{PublicKey: PublicKey, Scheme: Scheme}
 
 	return verifier.VerifyLicense(l)
 }
diff --git a/license_file.go b/license_file.go
@@ -49,7 +49,7 @@ func (lic *LicenseFile) SetRelationships(relationships map[string]interface{}) e
 // Decrypt verifies the license file's signature. It returns any errors
 // that occurred during verification, e.g. ErrLicenseFileInvalid.
 func (lic *LicenseFile) Verify() error {
-	verifier := &verifier{PublicKey: PublicKey}
+	verifier := &verifier{PublicKey: PublicKey, Scheme: Scheme}
 
 	if err := verifier.VerifyLicenseFile(lic); err != nil {
 		return &LicenseFileError{err}
@@ -69,7 +69,7 @@ func (lic *LicenseFile) Decrypt(key string) (*LicenseFileDataset, error) {
 	switch {
 	case cert.Alg == "aes-256-gcm+rsa-pss-sha256" || cert.Alg == "aes-256-gcm+rsa-sha256":
 		return nil, ErrLicenseFileNotSupported
-	case cert.Alg != "aes-256-gcm+ed25519":
+	case cert.Alg != "aes-256-gcm+ed25519" && cert.Alg != "aes-256-gcm+ecdsa-secp256r1":
 		return nil, ErrLicenseFileNotEncrypted
 	}
 
diff --git a/machine_file.go b/machine_file.go
@@ -54,7 +54,7 @@ func (lic *MachineFile) SetRelationships(relationships map[string]interface{}) e
 // Decrypt verifies the machine file's signature. It returns any errors
 // that occurred during verification, e.g. ErrMachineFileInvalid.
 func (lic *MachineFile) Verify() error {
-	verifier := &verifier{PublicKey: PublicKey}
+	verifier := &verifier{PublicKey: PublicKey, Scheme: Scheme}
 
 	if err := verifier.VerifyMachineFile(lic); err != nil {
 		return &MachineFileError{err}
@@ -74,7 +74,7 @@ func (lic *MachineFile) Decrypt(key string) (*MachineFileDataset, error) {
 	switch {
 	case cert.Alg == "aes-256-gcm+rsa-pss-sha256" || cert.Alg == "aes-256-gcm+rsa-sha256":
 		return nil, ErrMachineFileNotSupported
-	case cert.Alg != "aes-256-gcm+ed25519":
+	case cert.Alg != "aes-256-gcm+ed25519" && cert.Alg != "aes-256-gcm+ecdsa-secp256r1":
 		return nil, ErrMachineFileNotEncrypted
 	}
 
diff --git a/verifier.go b/verifier.go
diff --git a/webhook.go b/webhook.go

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,8 @@ import (`
`12`	`12`	`type SchemeCode string`
`13`	`13`
`14`	`14`	`const (`
`15`		`- SchemeCodeEd25519 SchemeCode = "ED25519_SIGN"`
	`15`	`+ SchemeCodeEd25519 SchemeCode = "ED25519_SIGN"`
	`16`	`+ SchemeCodeECDSASecp256r1 SchemeCode = "ECDSA_SECP256R1_SIGN"`
`16`	`17`	`)`
`17`	`18`
`18`	`19`	`// License represents a Keygen license object.`
`@@ -139,7 +140,7 @@ func (l *License) Verify() ([]byte, error) {`
`139`	`140`	`return nil, ErrLicenseNotSigned`
`140`	`141`	`}`
`141`	`142`
`142`		`- verifier := &verifier{PublicKey: PublicKey}`
	`143`	`+ verifier := &verifier{PublicKey: PublicKey, Scheme: Scheme}`
`143`	`144`
`144`	`145`	`return verifier.VerifyLicense(l)`
`145`	`146`	`}`