Skip to content

Commit

Permalink
Minor security fixes
Browse files Browse the repository at this point in the history
  • Loading branch information
e-asphyx committed Nov 27, 2024
1 parent e6e56e6 commit 663a1b5
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 28 deletions.
3 changes: 3 additions & 0 deletions pkg/vault/pkcs11/vault.go
Original file line number Diff line number Diff line change
Expand Up @@ -292,6 +292,9 @@ func New(config *Config) (*PKCS11Vault, error) {
if err != nil {
return nil, formatError(mod, err)
}
if v > uint64(^uint(0)) {
return nil, fmt.Errorf("(PKCS#11/%s): slot value exceeds maximum uint size", path.Base(lib))
}
slot = uint(v)

Check failure

Code scanning / CodeQL

Incorrect conversion between integer types High

Incorrect conversion of an unsigned 64-bit integer from
strconv.ParseUint
to a lower bit size type uint without an upper bound check.
} else if slot, err = findSlot(mod); err != nil {
return nil, err
Expand Down
52 changes: 24 additions & 28 deletions pkg/vault/yubi/yubi.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,6 @@ type Config struct {
KeyImportDomains uint16 `yaml:"key_import_domains"`
}

func (c *Config) id() string {
return fmt.Sprintf("%s/%d", c.Address, c.AuthKeyID)
}

type hsmKey struct {
id uint16
pub crypt.PublicKey
Expand All @@ -66,7 +62,7 @@ func (key *hsmKey) Sign(ctx context.Context, message []byte) (sig crypt.Signatur
return key.hsm.signED25519(digest[:], key.id)
}

return nil, fmt.Errorf("(YubiHSM/%s): unexpected key type: %T", key.hsm.conf.id(), key.pub)
return nil, fmt.Errorf("(YubiHSM/%s): unexpected key type: %T", key.hsm.conf.Address, key.pub)
}

// HSM struct containing information required to interrogate a YubiHSM
Expand All @@ -77,7 +73,7 @@ type HSM struct {

// Name returns backend name
func (h *HSM) Name() string {
return fmt.Sprintf("YubiHSM/%s", h.conf.id())
return fmt.Sprintf("YubiHSM/%s", h.conf.Address)
}

type yubihsmStoredKeysIterator struct {
Expand Down Expand Up @@ -148,7 +144,7 @@ func (y *yubihsmStoredKeysIterator) Next() (key vault.KeyReference, err error) {
if y.objects == nil {
y.objects, err = y.hsm.listObjects(commands.NewObjectTypeOption(commands.ObjectTypeAsymmetricKey))
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", y.hsm.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", y.hsm.conf.Address, err)
}
}

Expand All @@ -160,22 +156,22 @@ func (y *yubihsmStoredKeysIterator) Next() (key vault.KeyReference, err error) {
obj := y.objects[y.idx]
command, err := commands.CreateGetPubKeyCommand(obj.ObjectID)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): GetPubKey: %w", y.hsm.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): GetPubKey: %w", y.hsm.conf.Address, err)
}
res, err := y.hsm.session.SendEncryptedCommand(command)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): GetPubKey: %w", y.hsm.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): GetPubKey: %w", y.hsm.conf.Address, err)
}

pubKeyResponse, ok := res.(*commands.GetPubKeyResponse)
if !ok {
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", y.hsm.conf.id(), res)
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", y.hsm.conf.Address, res)
}
y.idx++

pub, ok, err := parsePublicKey(pubKeyResponse)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", y.hsm.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", y.hsm.conf.Address, err)
}
if !ok {
continue // Skip
Expand All @@ -197,24 +193,24 @@ func (h *HSM) List(ctx context.Context) vault.KeyIterator {
func (h *HSM) signECDSA(digest []byte, id uint16, curve elliptic.Curve) (*crypt.ECDSASignature, error) {
command, err := commands.CreateSignDataEcdsaCommand(id, digest)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}
res, err := h.session.SendEncryptedCommand(command)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): SignDataEcdsa: %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): SignDataEcdsa: %w", h.conf.Address, err)
}

ecdsaResponse, ok := res.(*commands.SignDataEcdsaResponse)
if !ok {
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.id(), res)
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.Address, res)
}

var sig struct {
R *big.Int
S *big.Int
}
if _, err = asn1.Unmarshal(ecdsaResponse.Signature, &sig); err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}
return &crypt.ECDSASignature{
R: sig.R,
Expand All @@ -226,20 +222,20 @@ func (h *HSM) signECDSA(digest []byte, id uint16, curve elliptic.Curve) (*crypt.
func (h *HSM) signED25519(digest []byte, id uint16) (crypt.Ed25519Signature, error) {
command, err := commands.CreateSignDataEddsaCommand(id, digest)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}
res, err := h.session.SendEncryptedCommand(command)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): SignDataEddsa: %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): SignDataEddsa: %w", h.conf.Address, err)
}

eddsaResponse, ok := res.(*commands.SignDataEddsaResponse)
if !ok {
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.id(), res)
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.Address, res)
}

if len(eddsaResponse.Signature) != ed25519.SignatureSize {
return nil, fmt.Errorf("(YubiHSM/%s): invalid ED25519 signature length: %d", h.conf.id(), len(eddsaResponse.Signature))
return nil, fmt.Errorf("(YubiHSM/%s): invalid ED25519 signature length: %d", h.conf.Address, len(eddsaResponse.Signature))
}

return crypt.Ed25519Signature(eddsaResponse.Signature), nil
Expand All @@ -251,7 +247,7 @@ var echoMessage = []byte("health")
func (h *HSM) Ready(ctx context.Context) (bool, error) {
command, err := commands.CreateEchoCommand(echoMessage)
if err != nil {
return false, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return false, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}

res, err := h.session.SendEncryptedCommand(command)
Expand All @@ -261,11 +257,11 @@ func (h *HSM) Ready(ctx context.Context) (bool, error) {

echoResponse, ok := res.(*commands.EchoResponse)
if !ok {
return false, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.id(), res)
return false, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.Address, res)
}

if !bytes.Equal(echoResponse.Data, echoMessage) {
return false, fmt.Errorf("(YubiHSM/%s): echoed data is invalid", h.conf.id())
return false, fmt.Errorf("(YubiHSM/%s): echoed data is invalid", h.conf.Address)
}

return true, nil
Expand Down Expand Up @@ -295,39 +291,39 @@ func getPrivateKeyData(pk crypt.PrivateKey) (typ string, alg commands.Algorithm,
func (h *HSM) Import(ctx context.Context, pk crypt.PrivateKey, opt utils.Options) (vault.KeyReference, error) {
typ, alg, caps, p, err := getPrivateKeyData(pk)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}

domains := h.conf.KeyImportDomains
d, ok, err := opt.GetInt("domains")
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}
if ok {
domains = uint16(d)
}

label, ok, err := opt.GetString("name")
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}
if !ok {
label = fmt.Sprintf("signatory-%s-%d", typ, time.Now().Unix())
}

command, err := commands.CreatePutAsymmetricKeyCommand(0, []byte(label), domains, caps, alg, p, nil)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): %w", h.conf.Address, err)
}

res, err := h.session.SendEncryptedCommand(command)
if err != nil {
return nil, fmt.Errorf("(YubiHSM/%s): PutAsymmetricKey: %w", h.conf.id(), err)
return nil, fmt.Errorf("(YubiHSM/%s): PutAsymmetricKey: %w", h.conf.Address, err)
}

keyResponse, ok := res.(*commands.PutAsymmetricKeyResponse)
if !ok {
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.id(), res)
return nil, fmt.Errorf("(YubiHSM/%s): unexpected response type: %T", h.conf.Address, res)
}

return &hsmKey{
Expand Down

0 comments on commit 663a1b5

Please sign in to comment.