Add sanity check to key pair generation

A new mechanism for SHA256 has been added to the key pair generation process in the hsm.go file. A corresponding error logging has been implemented in case of failed verification. This is to improve the reliability of key pairs and add further security checks.
arkavo-org · May 12, 2024 · 53f3ab8 · 53f3ab8
1 parent 5bc4b3e
commit 53f3ab8
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/service/internal/security/hsm.go b/service/internal/security/hsm.go
@@ -498,6 +498,12 @@ func (h *HSMSession) LoadECKey(info KeyInfo) (*ECKeyPair, error) {
 	pair.PublicKey = ecPublicKey
 
 	// Do a sanity check of the key pair
+	mechanism := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_SHA256, nil)}
+	err = h.ctx.SignInit(h.sh, mechanism, keyHandleEC)
+	if err != nil {
+		slog.Error("pkcs11 SignInit", "err", err)
+		return nil, err
+	}
 	hash := sha256.Sum256([]byte("sanity now"))
 	sig, err := h.ctx.Sign(h.sh, hash[:])
 	if err != nil {
@@ -506,7 +512,7 @@ func (h *HSMSession) LoadECKey(info KeyInfo) (*ECKeyPair, error) {
 	}
 	valid := ecdsa.VerifyASN1(ecPublicKey, hash[:], sig)
 	if !valid {
-		slog.Error("pkcs11 Sign", "err", err)
+		slog.Error("pkcs11 VerifyASN1", "err", err)
 		return nil, err
 	}
 	return &pair, nil