Introduce public_key_der attribute

docs/data-sources/public_key.md

@@ -43,6 +43,7 @@ data "tls_public_key" "private_key_openssh-example" {
 
 - `algorithm` (String) The name of the algorithm used by the given private key. Possible values are: `RSA`, `ECDSA`, `ED25519`.
 - `id` (String) Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
+- `public_key_der` (String) The public key data in raw ASN.1 DER format, Base64-encoded without headers or newlines.
 - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
 - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
 - `public_key_openssh` (String) The public key, in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format. This is also known as ['Authorized Keys'](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).

docs/resources/private_key.md

@@ -61,6 +61,7 @@ resource "tls_private_key" "ed25519-example" {
 - `private_key_openssh` (String, Sensitive) Private key data in [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format.
 - `private_key_pem` (String, Sensitive) Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
 - `private_key_pem_pkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
+- `public_key_der` (String) The public key data in raw ASN.1 DER format, Base64-encoded without headers or newlines.
 - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
 - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
 - `public_key_openssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).

internal/provider/common_key.go

@@ -12,6 +12,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 
@@ -188,6 +189,11 @@ func setPublicKeyAttributes(ctx context.Context, s *tfsdk.State, prvKey crypto.P
 		return diags
 	}
 
+	diags.Append(s.SetAttribute(ctx, path.Root("public_key_der"), string(base64.RawStdEncoding.EncodeToString(pubKeyBytes)))...)
+	if diags.HasError() {
+		return diags
+	}
+
 	diags.Append(s.SetAttribute(ctx, path.Root("public_key_pem"), string(pem.EncodeToMemory(pubKeyPemBlock)))...)
 	if diags.HasError() {
 		return diags

internal/provider/data_source_public_key.go

@@ -69,6 +69,10 @@ func (d *publicKeyDataSource) Schema(ctx context.Context, req datasource.SchemaR
 				Description: "The name of the algorithm used by the given private key. " +
 					fmt.Sprintf("Possible values are: `%s`. ", strings.Join(supportedAlgorithmsStr(), "`, `")),
 			},
+			"public_key_der": schema.StringAttribute{
+				Computed:    true,
+				Description: "The public key data in raw ASN.1 DER format, Base64-encoded without headers or newlines.",
+			},
 			"public_key_pem": schema.StringAttribute{
 				Computed: true,
 				Description: "The public key, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. " +

internal/provider/data_source_public_key_test.go

@@ -38,6 +38,7 @@ func TestPublicKey_dataSource_PEM(t *testing.T) {
 			{
 				Config: fmt.Sprintf(configDataSourcePublicKeyViaPEM, fixtures.TestPrivateKeyPEM),
 				Check: r.ComposeAggregateTestCheckFunc(
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_der", fixtures.TestPublicKeyDER),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_pem", strings.TrimSpace(fixtures.TestPublicKeyPEM)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
@@ -92,6 +93,7 @@ func TestPublicKey_dataSource_PEM_UpgradeFromVersion3_4_0(t *testing.T) {
 				ExternalProviders: providerVersion340(),
 				Config:            fmt.Sprintf(configDataSourcePublicKeyViaPEM, fixtures.TestPrivateKeyPEM),
 				Check: r.ComposeAggregateTestCheckFunc(
+					r.TestCheckNoResourceAttr("data.tls_public_key.test", "public_key_der"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_pem", strings.TrimSpace(fixtures.TestPublicKeyPEM)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
@@ -108,6 +110,7 @@ func TestPublicKey_dataSource_PEM_UpgradeFromVersion3_4_0(t *testing.T) {
 				ProtoV5ProviderFactories: protoV5ProviderFactories(),
 				Config:                   fmt.Sprintf(configDataSourcePublicKeyViaPEM, fixtures.TestPrivateKeyPEM),
 				Check: r.ComposeAggregateTestCheckFunc(
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_der", fixtures.TestPublicKeyDER),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_pem", strings.TrimSpace(fixtures.TestPublicKeyPEM)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
@@ -126,6 +129,7 @@ func TestPublicKey_dataSource_OpenSSHPEM(t *testing.T) {
 			{
 				Config: fmt.Sprintf(configDataSourcePublicKeyViaOpenSSHPEM, fixtures.TestPrivateKeyOpenSSHPEM),
 				Check: r.ComposeAggregateTestCheckFunc(
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_der", fixtures.TestPublicKeyDER),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_pem", strings.TrimSpace(fixtures.TestPublicKeyPEM)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
@@ -179,6 +183,7 @@ func TestAccPublicKey_dataSource_OpenSSHPEM_UpgradeFromVersion3_4_0(t *testing.T
 				ExternalProviders: providerVersion340(),
 				Config:            fmt.Sprintf(configDataSourcePublicKeyViaOpenSSHPEM, fixtures.TestPrivateKeyOpenSSHPEM),
 				Check: r.ComposeAggregateTestCheckFunc(
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_der", fixtures.TestPublicKeyDER),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_pem", strings.TrimSpace(fixtures.TestPublicKeyPEM)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
@@ -190,6 +195,7 @@ func TestAccPublicKey_dataSource_OpenSSHPEM_UpgradeFromVersion3_4_0(t *testing.T
 				ProtoV5ProviderFactories: protoV5ProviderFactories(),
 				Config:                   fmt.Sprintf(configDataSourcePublicKeyViaOpenSSHPEM, fixtures.TestPrivateKeyOpenSSHPEM),
 				Check: r.ComposeAggregateTestCheckFunc(
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_der", fixtures.TestPublicKeyDER),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_pem", strings.TrimSpace(fixtures.TestPublicKeyPEM)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),

internal/provider/fixtures/fixtures.go

@@ -61,6 +61,8 @@ ynTNwKyKaFWqB0r8hTuh60yRA5iBUNrQrpjVS6RuadFXep4fUV1mleVdUWFupzhr
 -----END CERTIFICATE REQUEST-----
 `
 
+	TestPublicKeyDER = `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPLaq43D9C596ko9yQipWUf2FbRhFs18D3wBDBqXLIoP7W3rm5S292/JiNPa+mX76IYFF416zTBGG9J5w4d4VFrROn8IuMWqHgdXsCUf2szN7EnJcVBsBzTxxWqz4DjX315vbm/PFOLlKzC0Ngs4h1iDiCD9Hk2MajZuFnJiqj1QIDAQAB`
+
 	TestPublicKeyPEM = `
 -----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPLaq43D9C596ko9yQipWUf2Fb

internal/provider/models.go

@@ -70,6 +70,7 @@ type privateKeyResourceModel struct {
 	PrivateKeyPem              types.String `tfsdk:"private_key_pem"`
 	PrivateKeyOpenSSH          types.String `tfsdk:"private_key_openssh"`
 	PrivateKeyPKCS8            types.String `tfsdk:"private_key_pem_pkcs8"`
+	PublicKeyDer               types.String `tfsdk:"public_key_der"`
 	PublicKeyPem               types.String `tfsdk:"public_key_pem"`
 	PublicKeyOpenSSH           types.String `tfsdk:"public_key_openssh"`
 	PublicKeyFingerprintMD5    types.String `tfsdk:"public_key_fingerprint_md5"`

internal/provider/resource_private_key.go

@@ -100,6 +100,10 @@ func (r *privateKeyResource) Schema(_ context.Context, req resource.SchemaReques
 				Sensitive:           true,
 				MarkdownDescription: "Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.",
 			},
+			"public_key_der": schema.StringAttribute{
+				Computed:            true,
+				MarkdownDescription: "The public key data in raw ASN.1 DER format, Base64-encoded without headers or newlines.",
+			},
 			"public_key_pem": schema.StringAttribute{
 				Computed: true,
 				MarkdownDescription: "Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. " +
@@ -187,6 +191,10 @@ func privateKeyResourceSchemaV1() schema.Schema {
 				Sensitive:           true,
 				MarkdownDescription: "Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.",
 			},
+			"public_key_der": schema.StringAttribute{
+				Computed:            true,
+				MarkdownDescription: "The public key data in raw ASN.1 DER format, Base64-encoded without headers or newlines.",
+			},
 			"public_key_pem": schema.StringAttribute{
 				Computed: true,
 				MarkdownDescription: "Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. " +