separate key algorithm setting for instance provider

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>

servers/zts/conf/zts.properties

@@ -708,6 +708,11 @@ athenz.zts.cert_signer_factory_class=com.yahoo.athenz.zts.cert.impl.SelfCertSign
 # to the plugins if they require the server's private key
 #athenz.zts.key_algo_plugins=EC
 
+# If the ZTS has both EC and RSA private keys defined, then this setting
+# specifies the preferred algorithm for the private key to be passed
+# to the instance provider plugins if they require the server's private key
+#athenz.zts.key_instance_providers=EC
+
 # this property specifies the audience field to be used while requesting id token from the OIDC provider
 # id_token has to be specifically requested for the below-mentioned audience
 #athenz.zts.k8s_provider_attestation_expected_audience=

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java

@@ -270,6 +270,7 @@ public final class ZTSConsts {
     public static final String ZTS_PROP_KEY_ALGO_JSON_WEB_OBJECTS    = "athenz.zts.key_algo_json_web_objects";
     public static final String ZTS_PROP_KEY_ALGO_PROPRIETARY_OBJECTS = "athenz.zts.key_algo_proprietary_objects";
     public static final String ZTS_PROP_KEY_ALGO_PLUGINS             = "athenz.zts.key_algo_plugins";
+    public static final String ZTS_PROP_KEY_ALGO_INSTANCE_PROVIDERS  = "athenz.zts.key_algo_instance_providers";
 
     public static final String ZTS_PROP_GCP_WORKLOAD_POOL_NAME     = "athenz.zts.gcp_workload_pool_name";
     public static final String ZTS_PROP_GCP_WORKLOAD_PROVIDER_NAME = "athenz.zts.gcp_workload_provider_name";

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java

@@ -126,6 +126,7 @@ public class ZTSImpl implements KeyStore, ZTSHandler {
     protected String keyAlgoForJsonWebObjects;
     protected String keyAlgoForProprietaryObjects;
     protected String keyAlgoForPlugins;
+    protected String keyAlgoForInstanceProviders;
     protected PrivateKeyStore privateKeyStore = null;
     protected HostnameResolver hostnameResolver = null;
     protected int roleTokenDefaultTimeout;
@@ -361,7 +362,7 @@ public ZTSImpl(CloudStore implCloudStore, DataStore implDataStore) {
         instanceProviderManager = new InstanceProviderManager(dataStore,
                 ZTSUtils.getAthenzServerSSLContext(privateKeyStore),
                 ZTSUtils.getAthenzProviderClientSSLContext(privateKeyStore),
-                getServerPrivateKey(keyAlgoForPlugins), this, authorizer, this);
+                getServerPrivateKey(keyAlgoForInstanceProviders), this, authorizer, this);
 
         // make sure to set the keystore for any instance that requires it
 
@@ -558,6 +559,7 @@ void loadConfigurationSettings() {
         keyAlgoForJsonWebObjects = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_JSON_WEB_OBJECTS, ZTSConsts.EC).toUpperCase();
         keyAlgoForProprietaryObjects = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_PROPRIETARY_OBJECTS, ZTSConsts.EC).toUpperCase();
         keyAlgoForPlugins = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_PLUGINS, ZTSConsts.EC).toUpperCase();
+        keyAlgoForInstanceProviders = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_INSTANCE_PROVIDERS, keyAlgoForPlugins).toUpperCase();
 
         // check to see if we want to disable allowing clients to ask for role
         // tokens without role name thus violating the least privilege principle