refactor: migrate key handling to wgtypes.Key, removing custom crypto wrappers

Replace PrivateKey []byte helpers (PubKey, KeyToBase64, Base64ToKey) and
manual curve25519/rand usage with wgtypes.Key and wgtypes.GeneratePrivateKey.
EnsurePrivateKey now returns wgtypes.Key directly, propagated through
runtimeconfig.

Author: sechmann

internal/deviceagent/runtimeconfig/runtimeconfig.go

@@ -3,7 +3,6 @@ package runtimeconfig
 import (
 	"bytes"
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -27,6 +26,7 @@ import (
 	"github.com/nais/device/pkg/pb"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/api/iterator"
 	"google.golang.org/api/option"
 	"google.golang.org/grpc"
@@ -76,7 +76,7 @@ var _ RuntimeConfig = &runtimeConfig{}
 type runtimeConfig struct {
 	enrollConfig *bootstrap.Config // TODO: convert to enroll.Config
 	config       *config.Config
-	privateKey   []byte
+	privateKey   wgtypes.Key
 	tokens       *auth.Tokens
 	tenants      []*pb.Tenant
 	log          *logrus.Entry
@@ -153,7 +153,7 @@ func (rc *runtimeConfig) ConnectToAPIServer(ctx context.Context) (pb.APIServerCl
 
 func (rc *runtimeConfig) BuildHelperConfiguration(peers []*pb.Gateway) *pb.Configuration {
 	return &pb.Configuration{
-		PrivateKey: base64.StdEncoding.EncodeToString(rc.privateKey),
+		PrivateKey: rc.privateKey.String(),
 		DeviceIPv4: rc.enrollConfig.DeviceIPv4,
 		DeviceIPv6: rc.enrollConfig.DeviceIPv6,
 		Gateways:   peers,
@@ -206,7 +206,7 @@ func New(log *logrus.Entry, cfg *config.Config) (RuntimeConfig, error) {
 		return nil, fmt.Errorf("ensuring private key: %w", err)
 	}
 
-	rc.log.WithField("public_key", wireguard.PublicKey(rc.privateKey)).Info("runtime config initialized")
+	rc.log.WithField("public_key", rc.privateKey.PublicKey().String()).Info("runtime config initialized")
 
 	return rc, nil
 }
@@ -230,7 +230,7 @@ func (r *runtimeConfig) enroll(ctx context.Context, serial, token string) error
 	req := &enroll.DeviceRequest{
 		Platform:           r.config.Platform,
 		Serial:             serial,
-		WireGuardPublicKey: wireguard.PublicKey(r.privateKey),
+		WireGuardPublicKey: []byte(r.privateKey.PublicKey().String()),
 	}
 
 	buf := &bytes.Buffer{}

internal/deviceagent/wireguard/wireguard.go

@@ -1,39 +1,39 @@
 package wireguard
 
 import (
+	"encoding/base64"
 	"fmt"
 	"os"
 
 	"github.com/nais/device/internal/deviceagent/filesystem"
-	"github.com/nais/device/internal/wireguard"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-func EnsurePrivateKey(keyPath string) ([]byte, error) {
+func EnsurePrivateKey(keyPath string) (wgtypes.Key, error) {
 	if err := filesystem.FileMustExist(keyPath); os.IsNotExist(err) {
-		key, err := wireguard.GenKey()
+		key, err := wgtypes.GeneratePrivateKey()
 		if err != nil {
-			return nil, fmt.Errorf("generating private key: %w", err)
+			return wgtypes.Key{}, fmt.Errorf("generating private key: %w", err)
 		}
-		if err := os.WriteFile(keyPath, wireguard.KeyToBase64(key), 0o600); err != nil {
-			return nil, fmt.Errorf("writing private key to disk: %w", err)
+		if err := os.WriteFile(keyPath, []byte(key.String()), 0o600); err != nil {
+			return wgtypes.Key{}, fmt.Errorf("writing private key to disk: %w", err)
 		}
+		return key, nil
 	} else if err != nil {
-		return nil, fmt.Errorf("ensuring private key exists: %w", err)
+		return wgtypes.Key{}, fmt.Errorf("ensuring private key exists: %w", err)
 	}
 
 	privateKeyEncoded, err := os.ReadFile(keyPath)
 	if err != nil {
-		return nil, fmt.Errorf("reading private key: %v", err)
+		return wgtypes.Key{}, fmt.Errorf("reading private key: %v", err)
 	}
 
-	privateKey, err := wireguard.Base64ToKey(privateKeyEncoded)
+	var key wgtypes.Key
+	b, err := base64.StdEncoding.DecodeString(string(privateKeyEncoded))
 	if err != nil {
-		return nil, fmt.Errorf("decoding private key: %v", err)
+		return wgtypes.Key{}, fmt.Errorf("decoding private key: %v", err)
 	}
+	copy(key[:], b)
 
-	return privateKey, nil
-}
-
-func PublicKey(privateKey []byte) []byte {
-	return wireguard.KeyToBase64(wireguard.PubKey(privateKey))
+	return key, nil
 }

internal/deviceagent/wireguard/wireguard_test.go

@@ -3,14 +3,13 @@ package wireguard_test
 import (
 	"testing"
 
-	"github.com/nais/device/internal/wireguard"
 	"github.com/stretchr/testify/assert"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 func TestGenKey(t *testing.T) {
-	privateKey, err := wireguard.GenKey()
+	key, err := wgtypes.GeneratePrivateKey()
 	assert.NoError(t, err)
-	assert.Len(t, privateKey, 32)
-	privateKeyB64 := wireguard.KeyToBase64(privateKey)
-	assert.Len(t, privateKeyB64, 44)
+	assert.Len(t, key, 32)
+	assert.Len(t, key.String(), 44)
 }

internal/wireguard/keys.go

@@ -1,68 +1,35 @@
 package wireguard
 
 import (
-	"crypto/rand"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
 
 	"github.com/sirupsen/logrus"
-	"golang.org/x/crypto/curve25519"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 type PrivateKey []byte
 
-// Public returns the public key base64 encoded
 func (p PrivateKey) Public() []byte {
-	return KeyToBase64(PubKey(p))
+	key, _ := wgtypes.NewKey(p)
+	pub := key.PublicKey()
+	return []byte(pub.String())
 }
 
-// Private returns the private key base64 encoded
 func (p PrivateKey) Private() []byte {
-	return KeyToBase64(p)
+	key, _ := wgtypes.NewKey(p)
+	return []byte(key.String())
 }
 
 func GenKey() (PrivateKey, error) {
-	var privateKey [32]byte
-
-	n, err := rand.Read(privateKey[:])
-
-	if err != nil || n != len(privateKey) {
-		return nil, fmt.Errorf("unable to generate random bytes")
-	}
-
-	privateKey[0] &= 248
-	privateKey[31] = (privateKey[31] & 127) | 64
-	return PrivateKey(privateKey[:]), nil
-}
-
-// PubKey derives the Curve25519 public key from a raw 32-byte private key.
-func PubKey(privateKeySlice []byte) []byte {
-	var privateKey [32]byte
-	var publicKey [32]byte
-	copy(privateKey[:], privateKeySlice[:])
-
-	curve25519.ScalarBaseMult(&publicKey, &privateKey)
-
-	return publicKey[:]
-}
-
-func KeyToBase64(key []byte) []byte {
-	dst := make([]byte, base64.StdEncoding.EncodedLen(len(key)))
-	base64.StdEncoding.Encode(dst, key)
-	return dst
-}
-
-func Base64ToKey(encoded []byte) ([]byte, error) {
-	decoded := make([]byte, 32)
-	_, err := base64.StdEncoding.Decode(decoded, encoded)
+	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
-		return nil, fmt.Errorf("decoding base64 key: %w", err)
+		return nil, fmt.Errorf("generate private key: %w", err)
 	}
-	return decoded, nil
+	return PrivateKey(key[:]), nil
 }
 
 func ReadOrCreatePrivateKey(path string, log *logrus.Entry) (PrivateKey, error) {