pelican generate keygen creates invalid public keys

[jhiemstrawisc]

It looks like the pelican generate keygen command is creating public keys that don't have a kid or an alg field, both of which are required for token verification.

From @brianaydemir:

[baydemir@local Desktop]> pelican generate keygen --private-key foo --public-key bar
Successfully generated keys at: 
Private key: foo
Public Key: bar
[baydemir@local Desktop]> cat foo 
-----BEGIN PRIVATE KEY-----
<keep it secret, keep it safe>
-----END PRIVATE KEY-----
[baydemir@local Desktop]> cat bar 
{
        "keys": [
                {
                        "crv": "P-256",
                        "kty": "EC",
                        "x": "IzQKHe5_dg1J97rdyNgmjTjoEaiFtjG9eHdtctXmDsU",
                        "y": "zV1uxDLfu6AQh9oTHEsx-I14ffZaxNO1LvSBPvEH0hU"
                }
        ]
}[baydemir@local Desktop]> pelican --version
Version: 7.14.0
Build Date: 2025-03-05T17:39:03Z
Build Commit: 7bb5a5a4b1bae77fdf09b4c0ad9d1afffb22a98c
Built By: goreleaser

Brian also reports that testing this command with Pelican v7.9.X generates a valid public key, so the fix here should really have a regression test.

[jhiemstrawisc]

I'll further note that starting an origin locally does result in a valid public key at <origin url>/.well-known/issuer.jwks, so there must be drift in the way we're producing these keys. Let's make sure they're all driven by the same function when we implement a fix.

[brianaydemir]

7.13.1 is affected by this bug. 7.12.4 is not affected.

[brianaydemir]

In 7.12.4 and earlier, generate keygen relied on the same machinery as the server initialization flow:

pelican/cmd/generate_keygen.go

Lines 71 to 75 in d7aea0e

	viper.Set(param.IssuerKey.GetName(), privateKeyPath)
	// GetIssuerPublicJWKS will generate the private key at IssuerKey if it does not exist
	// and parse the private key and generate the corresponding public key for us
	pubkey, err := config.GetIssuerPublicJWKS()

In 7.13, the command was updated with its own key generation flow, because the server now initializes a directory of private keys. While I'm having trouble groking the code flow, I suspect something like the following got dropped in the process:

pelican/config/init_server_creds.go

Lines 522 to 533 in d7aea0e

	// Add the algorithm to the key, needed for verifying tokens elsewhere
	err = key.Set(jwk.AlgorithmKey, jwa.ES256)
	if err != nil {
	return nil, errors.Wrap(err, "Failed to add alg specification to key header")
	}
	// Assign key id to the private key so that the public key obtainer thereafter
	// has the same kid
	err = jwk.AssignKeyID(key)
	if err != nil {
	return nil, errors.Wrap(err, "Failed to assign key ID to private key")
	}