
fix: handle EC parameters before TLS private keys#9338

Open
jvlxz wants to merge 2 commits into envoyproxy:main from jvlxz:tls-key-ec-parameters

Conversation


@jvlxz jvlxz commented Jun 24, 2026

Contributor

What type of PR is this?

fix

What this PR does / why we need it:

This PR fixes TLS Secret parsing when an ECDSA private key contains an EC PARAMETERS PEM block before the actual private key block.

Some tools, including OpenSSL workflows, can produce tls.key data shaped like:

-----BEGIN EC PARAMETERS-----
...
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----

Envoy Gateway previously decoded only the first PEM block from tls.key. When that first block was EC PARAMETERS, the Secret was rejected because EC PARAMETERS is not a private key format. That caused the Gateway listener to report an invalid certificate reference even though the same Secret also contained a valid EC PRIVATE KEY block.

The fix changes TLS key parsing to scan through PEM blocks and use the first supported private key block: PRIVATE KEY, RSA PRIVATE KEY, or EC PRIVATE KEY. If no supported private key block exists, Envoy Gateway still returns the existing validation error path using the first decoded PEM block type, so invalid Secrets continue to fail clearly.

This keeps compatibility with existing PKCS1, PKCS8, and EC private keys while accepting EC keys that include leading EC parameters.

Tests:

  • go test ./internal/gatewayapi
  • Local Kind HTTPS smoke test with a Secret whose tls.key starts with EC PARAMETERS

Which issue(s) this PR fixes:

Fixes #

Release Notes: No
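The block-scanning behaviour the PR describes (skip leading EC PARAMETERS, parse the first PRIVATE KEY / RSA PRIVATE KEY / EC PRIVATE KEY block, otherwise fail naming the first block's type), written out as an added, stand-alone Go example. This is not Envoy Gateway's own code; `parseTLSPrivateKey` and the fixture builder `ecKeyWithParameters` are hypothetical names, and the fixture is a constructed key whose EC PARAMETERS block carries the P-256 curve OID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// parseTLSPrivateKey walks every PEM block in tls.key and parses the first supported private key block.
func parseTLSPrivateKey(keyData []byte) (any, error) {
	firstType := ""
	for block, rest := pem.Decode(keyData); block != nil; block, rest = pem.Decode(rest) {
		if firstType == "" {
			firstType = block.Type // remembered only for the error path
		}
		switch block.Type { // unsupported types such as EC PARAMETERS are skipped
		case "PRIVATE KEY":
			return x509.ParsePKCS8PrivateKey(block.Bytes)
		case "RSA PRIVATE KEY":
			return x509.ParsePKCS1PrivateKey(block.Bytes)
		case "EC PRIVATE KEY":
			return x509.ParseECPrivateKey(block.Bytes)
		}
	}
	if firstType == "" {
		return nil, fmt.Errorf("tls.key contains no PEM block")
	}
	return nil, fmt.Errorf("unsupported PEM block type %q in tls.key", firstType)
}

// ecKeyWithParameters builds a constructed tls.key in the OpenSSL shape: EC PARAMETERS, then EC PRIVATE KEY.
func ecKeyWithParameters() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture generation; not expected to fail
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		panic(err)
	}
	// prime256v1 named-curve OID, the same DER OpenSSL writes into an EC PARAMETERS block.
	params, _ := asn1.Marshal(asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7})
	out := pem.EncodeToMemory(&pem.Block{Type: "EC PARAMETERS", Bytes: params})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})...)
}
```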

@jvlxz jvlxz requested a review from a team as a code owner June 24, 2026 12:41

netlify Bot commented Jun 24, 2026


Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 5a71558
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a3e40d8b3158b00080ba597
😎 Deploy Preview https://deploy-preview-9338--cerulean-figolla-1f9435.netlify.app

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 886f3e1be0


codecov Bot commented Jun 24, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.18%. Comparing base (39850aa) to head (5a71558).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #9338   +/-   ##
=======================================
  Coverage   75.17%   75.18%           
=======================================
  Files         252      252           
  Lines       41049    41062   +13     
=======================================
+ Hits        30860    30873   +13     
- Misses       8094     8095    +1     
+ Partials     2095     2094    -1     


jvlxz added 2 commits June 26, 2026 11:04
Signed-off-by: Jules Dutel <jules.dutel@numberly.com>
Signed-off-by: Jules Dutel <jules.dutel@numberly.com>
@jvlxz jvlxz force-pushed the tls-key-ec-parameters branch from 74f33fc to 5a71558 June 26, 2026 09:05