Feature(Go): issue-token subcommand for minting customer JWTs

2026-06-04 10:04:02 +02:00
parent 4064bbe25d
commit be09b271e1
7 changed files with 328 additions and 36 deletions
--- a/server/go/licensing/token.go
+++ b/server/go/licensing/token.go
@@ -23,6 +23,34 @@ type LicenseClaims struct {
 	jwt.RegisteredClaims
 }

+// LoadRSAPrivateKey parses an RSA private key from a PEM file. Used by the
+// "issue-token" CLI subcommand to sign customer JWTs offline.
+// Accepts PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") PEM encodings.
+func LoadRSAPrivateKey(pemPath string) (*rsa.PrivateKey, error) {
+	data, err := os.ReadFile(pemPath)
+	if err != nil {
+		return nil, fmt.Errorf("read private key %s: %w", pemPath, err)
+	}
+	block, _ := pem.Decode(data)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM block in %s", pemPath)
+	}
+
+	// PKCS#1: "RSA PRIVATE KEY"
+	if key, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
+		return key, nil
+	}
+	// PKCS#8: "PRIVATE KEY"
+	if key, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
+		rsaKey, ok := key.(*rsa.PrivateKey)
+		if !ok {
+			return nil, fmt.Errorf("PKCS#8 key in %s is not RSA", pemPath)
+		}
+		return rsaKey, nil
+	}
+	return nil, fmt.Errorf("failed to parse %s as PKCS#1 or PKCS#8 RSA private key", pemPath)
+}
+
 // LoadRSAPublicKey parses an RSA public key from a PEM file. The License
 // Server loads this once at startup to verify incoming customer JWTs.
 // Accepts both PKCS#1 ("RSA PUBLIC KEY") and PKIX ("PUBLIC KEY") PEM