Expect PEM-encoded sealing key

node-repository/src/main/java/com/yahoo/vespa/hosted/provision/backup/Snapshots.java

@@ -10,6 +10,7 @@
 import com.yahoo.config.provision.HostName;
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.config.provision.SnapshotId;
+import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyId;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SealedSharedKey;
@@ -28,9 +29,8 @@
 import com.yahoo.vespa.hosted.provision.provisioning.SnapshotStore;
 
 import java.security.KeyPair;
+import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.interfaces.XECPrivateKey;
-import java.security.interfaces.XECPublicKey;
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
@@ -196,8 +196,12 @@ private VersionedKeyPair sealingKeyPair(SecretVersionId version) {
         }
         Key key = Key.fromString(sealingPrivateKeySecretName.get());
         Secret sealingPrivateKey = version == null ? secretStore.getSecret(key) : secretStore.getSecret(key, version);
-        XECPrivateKey privateKey = KeyUtils.fromBase64EncodedX25519PrivateKey(sealingPrivateKey.secretValue().value());
-        XECPublicKey publicKey = KeyUtils.extractX25519PublicKey(privateKey);
+        PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(sealingPrivateKey.secretValue().value());
+        PublicKey publicKey = KeyUtils.extractPublicKey(privateKey);
+        if (KeyAlgorithm.from(privateKey.getAlgorithm()) != KeyAlgorithm.XDH) {
+            throw new IllegalArgumentException("Expected sealing key to use algorithm " + KeyAlgorithm.XDH +
+                                               ", but got " + privateKey.getAlgorithm());
+        }
         return new VersionedKeyPair(new KeyPair(publicKey, privateKey), sealingPrivateKey.version());
     }
 

node-repository/src/test/java/com/yahoo/vespa/hosted/provision/backup/SnapshotsTest.java

@@ -9,6 +9,7 @@
 import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.config.provision.NodeResources;
 import com.yahoo.config.provision.NodeType;
+import com.yahoo.security.KeyFormat;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SealedSharedKey;
 import com.yahoo.vespa.hosted.provision.Node;
@@ -17,7 +18,6 @@
 
 import java.security.KeyPair;
 import java.security.PublicKey;
-import java.security.interfaces.XECPrivateKey;
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -54,8 +54,7 @@ void snapshot() {
         // Sealing key can be rotated independently of existing snapshots
         KeyPair keyPair = KeyUtils.generateX25519KeyPair();
         tester.secretStore().add(new Secret(Key.fromString("snapshot/sealingPrivateKey"),
-                                            KeyUtils.toBase64EncodedX25519PrivateKey((XECPrivateKey) keyPair.getPrivate())
-                                                    .getBytes(),
+                                            KeyUtils.toPem(keyPair.getPrivate(), KeyFormat.PKCS8).getBytes(),
                                             SecretVersionId.of("2")));
         assertEquals(SecretVersionId.of("1"), snapshots.require(snapshot0.id(), node0).key().sealingKeyVersion());
         assertNotEquals(snapshot0.key().sharedKey(), snapshots.keyOf(snapshot0.id(), node0, receiverPublicKey),

node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/ProvisioningTester.java

@@ -33,6 +33,7 @@
 import com.yahoo.config.provision.Zone;
 import com.yahoo.config.provisioning.FlavorsConfig;
 import com.yahoo.jdisc.test.MockMetric;
+import com.yahoo.security.KeyFormat;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.test.ManualClock;
 import com.yahoo.transaction.NestedTransaction;
@@ -69,7 +70,6 @@
 import com.yahoo.vespa.service.duper.TenantHostApplication;
 
 import java.security.KeyPair;
-import java.security.interfaces.XECPrivateKey;
 import java.time.temporal.TemporalAmount;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -772,8 +772,7 @@ private SecretStoreMock defaultSecretStore() {
             SecretStoreMock secretStore = new SecretStoreMock();
             KeyPair keyPair = KeyUtils.generateX25519KeyPair();
             secretStore.add(new Secret(Key.fromString("snapshot/sealingPrivateKey"),
-                                       KeyUtils.toBase64EncodedX25519PrivateKey((XECPrivateKey) keyPair.getPrivate())
-                                               .getBytes(),
+                                       KeyUtils.toPem(keyPair.getPrivate(), KeyFormat.PKCS8).getBytes(),
                                        SecretVersionId.of("1")));
             return secretStore;
         }

node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/NodesV2ApiTest.java

@@ -11,6 +11,7 @@
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.TenantName;
+import com.yahoo.security.KeyFormat;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.slime.SlimeUtils;
 import com.yahoo.text.Utf8;
@@ -28,7 +29,6 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
-import java.security.interfaces.XECPrivateKey;
 import java.security.interfaces.XECPublicKey;
 import java.time.Duration;
 import java.util.Arrays;
@@ -876,8 +876,7 @@ public void test_snapshots() throws IOException {
                                                               .getComponent(SecretStoreMock.class.getName());
         KeyPair keyPair = KeyUtils.generateX25519KeyPair();
         secretStore.add(new Secret(Key.fromString("snapshot/sealingPrivateKey"),
-                                   KeyUtils.toBase64EncodedX25519PrivateKey((XECPrivateKey) keyPair.getPrivate())
-                                           .getBytes(),
+                                   KeyUtils.toPem(keyPair.getPrivate(), KeyFormat.PKCS8).getBytes(),
                                    SecretVersionId.of("1")));
 
         // Trigger creation of snapshots