dont use hardware keys for signing on darwin

kolide · Mar 8, 2024 · 022537e · 022537e
1 parent 721794d
commit 022537e
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/ee/control/client_http.go b/ee/control/client_http.go
@@ -11,6 +11,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"runtime"
 	"time"
 
 	"github.com/kolide/krypto/pkg/echelper"
@@ -97,7 +98,9 @@ func (c *HTTPClient) GetConfig() (io.Reader, error) {
 
 	// Calculate second signature if available
 	hardwareKeys := agent.HardwareKeys()
-	if hardwareKeys.Public() != nil {
+
+	// hardware signing is not implemented for darwin
+	if runtime.GOOS != "darwin" && hardwareKeys.Public() != nil {
 		key2, err := echelper.PublicEcdsaToB64Der(hardwareKeys.Public().(*ecdsa.PublicKey))
 		if err != nil {
 			return nil, fmt.Errorf("could not get key header from hardware keys: %w", err)

diff --git a/ee/debug/shipper/shipper.go b/ee/debug/shipper/shipper.go
@@ -13,6 +13,7 @@ import (
 	"net/url"
 	"os"
 	"os/user"
+	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -206,7 +207,11 @@ func signHttpRequest(req *http.Request, body []byte) {
 	}
 
 	sign(agent.LocalDbKeys(), control.HeaderKey, control.HeaderSignature, req)
-	sign(agent.HardwareKeys(), control.HeaderKey2, control.HeaderSignature2, req)
+
+	// hardware signing is not implemented for darwin
+	if runtime.GOOS != "darwin" {
+		sign(agent.HardwareKeys(), control.HeaderKey2, control.HeaderSignature2, req)
+	}
 }
 
 func launcherData(k types.Knapsack, note string) ([]byte, error) {

diff --git a/ee/localserver/krypto-ec-middleware.go b/ee/localserver/krypto-ec-middleware.go
@@ -13,6 +13,7 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"runtime"
 	"strings"
 	"time"
 
@@ -303,7 +304,8 @@ func (e *kryptoEcMiddleware) Wrap(next http.Handler) http.Handler {
 		// it's possible the keys will be noop keys, then they will error or give nil when crypto.Signer funcs are called
 		// krypto library has a nil check for the object but not the funcs, so if are getting nil from the funcs, just
 		// pass nil to krypto
-		if e.hardwareSigner != nil && e.hardwareSigner.Public() != nil {
+		// hardware signing is not implemented for darwin
+		if runtime.GOOS != "darwin" && e.hardwareSigner != nil && e.hardwareSigner.Public() != nil {
 			response, err = challengeBox.Respond(e.localDbSigner, e.hardwareSigner, bhr.Bytes())
 		} else {
 			response, err = challengeBox.Respond(e.localDbSigner, nil, bhr.Bytes())