From 3ec527e42cecfcf17b31d201eb4ce349c2e32067 Mon Sep 17 00:00:00 2001
From: Jack Doan <me@jackdoan.com>
Date: Wed, 10 Dec 2025 10:39:36 -0600
Subject: [PATCH] cert.MarshalSigningPublicKeyToPEM should emit the 'ECDSA'
 variant of the banner (#1552)

* cert.MarshalSigningPublicKeyToPEM should emit the 'ECDSA' variant of the banner

* oof owie ouch my tests
---
 cert/cert_v1_test.go | 8 +++++++-
 cert/cert_v2_test.go | 9 ++++++++-
 cert/pem.go          | 2 +-
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/cert/cert_v1_test.go b/cert/cert_v1_test.go
index 3b7d585..ea5805a 100644
--- a/cert/cert_v1_test.go
+++ b/cert/cert_v1_test.go
@@ -99,13 +99,19 @@ func TestCertificateV1_PublicKeyPem(t *testing.T) {
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAA=
 -----END NEBULA P256 PUBLIC KEY-----
+`)
+
+	pubP256KeyPemCA := []byte(`-----BEGIN NEBULA ECDSA P256 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAA=
+-----END NEBULA ECDSA P256 PUBLIC KEY-----
 `)
 	pubP256Key, _, _, err := UnmarshalPublicKeyFromPEM(pubP256KeyPem)
 	require.NoError(t, err)
 	nc.details.curve = Curve_P256
 	nc.details.publicKey = pubP256Key
 	assert.Equal(t, Curve_P256, nc.Curve())
-	assert.Equal(t, string(nc.MarshalPublicKeyPEM()), string(pubP256KeyPem))
+	assert.Equal(t, string(nc.MarshalPublicKeyPEM()), string(pubP256KeyPemCA))
 	assert.True(t, nc.IsCA())
 
 	nc.details.isCA = false
diff --git a/cert/cert_v2_test.go b/cert/cert_v2_test.go
index 84362ef..ee7c26c 100644
--- a/cert/cert_v2_test.go
+++ b/cert/cert_v2_test.go
@@ -114,12 +114,19 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAA=
 -----END NEBULA P256 PUBLIC KEY-----
 `)
+
+	pubP256KeyPemCA := []byte(`-----BEGIN NEBULA ECDSA P256 PUBLIC KEY-----
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAA=
+-----END NEBULA ECDSA P256 PUBLIC KEY-----
+`)
+
 	pubP256Key, _, _, err := UnmarshalPublicKeyFromPEM(pubP256KeyPem)
 	require.NoError(t, err)
 	nc.curve = Curve_P256
 	nc.publicKey = pubP256Key
 	assert.Equal(t, Curve_P256, nc.Curve())
-	assert.Equal(t, string(nc.MarshalPublicKeyPEM()), string(pubP256KeyPem))
+	assert.Equal(t, string(nc.MarshalPublicKeyPEM()), string(pubP256KeyPemCA))
 	assert.True(t, nc.IsCA())
 
 	nc.details.isCA = false
diff --git a/cert/pem.go b/cert/pem.go
index a5aabdc..8942c23 100644
--- a/cert/pem.go
+++ b/cert/pem.go
@@ -86,7 +86,7 @@ func MarshalSigningPublicKeyToPEM(curve Curve, b []byte) []byte {
 	case Curve_CURVE25519:
 		return pem.EncodeToMemory(&pem.Block{Type: Ed25519PublicKeyBanner, Bytes: b})
 	case Curve_P256:
-		return pem.EncodeToMemory(&pem.Block{Type: P256PublicKeyBanner, Bytes: b})
+		return pem.EncodeToMemory(&pem.Block{Type: ECDSAP256PublicKeyBanner, Bytes: b})
 	default:
 		return nil
 	}