Fix CA signature check

[carlosmonastyrski]

Description 📣

Fix CA signature check, previously failing with CA can only sign with unknown-based signature algorithms. for valid signatures

Type ✨

• Bug fix
• New feature
• Improvement
• Breaking change
• Documentation

Tests 🛠️

# Here's some code block to paste some code snippets

---

• I have read the contributing guide, agreed and acknowledged the code of conduct. 📝

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

Fixed CA signature validation bug where valid ECDSA signatures were incorrectly rejected with error message "CA can only sign with unknown-based signature algorithms."

Root Cause
The old logic in two places (issueCertFromCa and signCertFromCa) was comparing CA key algorithms (e.g., EC_prime256v1) against signature algorithm prefixes (e.g., ECDSA). Since ECDSA key algorithms start with EC not ECDSA, the check caKeyAlgorithm.startsWith(CertKeyAlgorithm.ECDSA_P256.split("_")[0]) would look for caKeyAlgorithm.startsWith("EC"), but CertSignatureAlgorithm.ECDSA_SHA256.split("-")[0] returns "ECDSA", causing a mismatch.

Changes Made

• Removed unused imports CertSignatureAlgorithm and CertSignatureType
• Extracted duplicate validation logic into new $checkSignature helper function
• Fixed the logic to check for both EC and ECDSA prefixes when validating ECDSA algorithms: caKeyAlg.startsWith("EC") || caKeyAlg.startsWith("ECDSA")
• Replaced two instances of duplicate validation code with calls to the new helper

Confidence Score: 5/5

• This PR is safe to merge - it fixes a legitimate bug in signature validation logic
• The fix correctly addresses the root cause by checking for both 'EC' and 'ECDSA' prefixes. The refactoring into a shared helper function improves maintainability and eliminates code duplication. No security concerns, breaking changes, or edge cases identified.
• No files require special attention

Important Files Changed

File Analysis

Filename	Score	Overview
backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts	5/5	Refactored duplicate CA signature validation logic into reusable $checkSignature function. Fixed bug where ECDSA CAs were incorrectly rejected due to comparing EC* key algorithm against ECDSA signature prefix.

[greptile-apps]

_{1 file reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}