From abc874b04e85619afeed5f187f6b6c150f4eefbe Mon Sep 17 00:00:00 2001
From: Tom DNetto <tom@tailscale.com>
Date: Thu, 23 Feb 2023 10:31:13 -0800
Subject: [PATCH] tka: add public API on NodeKeySignature key information

This is needed in the coordination server.

Signed-off-by: Tom DNetto <tom@tailscale.com>
---
 tka/sig.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/tka/sig.go b/tka/sig.go
index f31738f1e..8376889c3 100644
--- a/tka/sig.go
+++ b/tka/sig.go
@@ -96,6 +96,18 @@ type NodeKeySignature struct {
 	WrappingPubkey []byte `cbor:"6,keyasint,omitempty"`
 }
 
+// UnverifiedWrappingPublic returns the public key which must sign a
+// signature which embeds this one, if any.
+//
+// See docs on NodeKeySignature.WrappingPubkey & SigRotation for documentation
+// about wrapping public keys.
+//
+// SAFETY: The caller MUST verify the signature using
+// Authority.NodeKeyAuthorized if treating this as authentic information.
+func (s NodeKeySignature) UnverifiedWrappingPublic() (pub ed25519.PublicKey, ok bool) {
+	return s.wrappingPublic()
+}
+
 // wrappingPublic returns the public key which must sign a signature which
 // embeds this one, if any.
 func (s NodeKeySignature) wrappingPublic() (pub ed25519.PublicKey, ok bool) {
@@ -115,6 +127,15 @@ func (s NodeKeySignature) wrappingPublic() (pub ed25519.PublicKey, ok bool) {
 	}
 }
 
+// UnverifiedAuthorizingKeyID returns the KeyID of the key which authorizes
+// this signature.
+//
+// SAFETY: The caller MUST verify the signature using
+// Authority.NodeKeyAuthorized if treating this as authentic information.
+func (s NodeKeySignature) UnverifiedAuthorizingKeyID() (tkatype.KeyID, error) {
+	return s.authorizingKeyID()
+}
+
 // authorizingKeyID returns the KeyID of the key trusted by network-lock which authorizes
 // this signature.
 func (s NodeKeySignature) authorizingKeyID() (tkatype.KeyID, error) {