From 022537ee956314490eeb485e39ed91ad7f047647 Mon Sep 17 00:00:00 2001
From: james pickett
Date: Fri, 8 Mar 2024 14:23:00 -0800
Subject: [PATCH] dont use hardware keys for signing on darwin
---
 ee/control/client_http.go | 5 ++++-
 ee/debug/shipper/shipper.go | 7 ++++++-
 ee/localserver/krypto-ec-middleware.go | 4 +++-
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/ee/control/client_http.go b/ee/control/client_http.go
index d8b195960..4c163e861 100644
--- a/ee/control/client_http.go
+++ b/ee/control/client_http.go
@@ -11,6 +11,7 @@ import (
 "io"
 "net/http"
 "net/url"
+ "runtime"
 "time"
 "github.com/kolide/krypto/pkg/echelper"
@@ -97,7 +98,9 @@ func (c *HTTPClient) GetConfig() (io.Reader, error) {
 // Calculate second signature if available
 hardwareKeys := agent.HardwareKeys()
- if hardwareKeys.Public() != nil {
+
+ // hardware signing is not implemented for darwin
+ if runtime.GOOS != "darwin" && hardwareKeys.Public() != nil {
 key2, err := echelper.PublicEcdsaToB64Der(hardwareKeys.Public().(*ecdsa.PublicKey))
 if err != nil {
 return nil, fmt.Errorf("could not get key header from hardware keys: %w", err)
diff --git a/ee/debug/shipper/shipper.go b/ee/debug/shipper/shipper.go
index 7dad9584e..41e1ef983 100644
--- a/ee/debug/shipper/shipper.go
+++ b/ee/debug/shipper/shipper.go
@@ -13,6 +13,7 @@ import (
 "net/url"
 "os"
 "os/user"
+ "runtime"
 "strings"
 "sync"
 "time"
@@ -206,7 +207,11 @@ func signHttpRequest(req *http.Request, body []byte) {
 }
 sign(agent.LocalDbKeys(), control.HeaderKey, control.HeaderSignature, req)
- sign(agent.HardwareKeys(), control.HeaderKey2, control.HeaderSignature2, req)
+
+ // hardware signing is not implemented for darwin
+ if runtime.GOOS != "darwin" {
+ sign(agent.HardwareKeys(), control.HeaderKey2, control.HeaderSignature2, req)
+ }
 }
 func launcherData(k types.Knapsack, note string) ([]byte, error) {
diff --git a/ee/localserver/krypto-ec-middleware.go b/ee/localserver/krypto-ec-middleware.go
index 4efe5e604..ca9ed15ee 100644
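Review bot: The `runtime.GOOS != "darwin"` guard added in GetConfig is the same rule that the shipper.go signHttpRequest hunk and the krypto-ec-middleware.go Wrap hunk repeat, each with its own copy of the comment, so the three call sites can drift if one is later changed without the others. The middleware's existing comment says `agent.HardwareKeys()` can already hand back noop keys whose `Public()` returns nil, so the cleaner fix is probably to have the hardware-key constructor return that noop implementation on darwin and drop the per-call-site checks, though that depends on code outside this diff. If the checks stay, hoist the decision into one named helper, e.g. `func hardwareSigningSupported() bool { return runtime.GOOS != "darwin" }`, so the intent and any future platform list live in one place. The old `Public() != nil` branch already let requests go out carrying only the local-db signature, so skipping the second key here presumably introduces no new server-side contract, but it is worth confirming that the control server does not treat a missing `HeaderKey2` differently per platform. GetConfig's body continues outside the hunk.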
--- a/ee/localserver/krypto-ec-middleware.go
+++ b/ee/localserver/krypto-ec-middleware.go
@@ -13,6 +13,7 @@ import (
 "log/slog"
 "net/http"
 "net/url"
+ "runtime"
 "strings"
 "time"
@@ -303,7 +304,8 @@ func (e *kryptoEcMiddleware) Wrap(next http.Handler) http.Handler {
 // it's possible the keys will be noop keys, then they will error or give nil when crypto.Signer funcs are called
 // krypto library has a nil check for the object but not the funcs, so if are getting nil from the funcs, just
 // pass nil to krypto
- if e.hardwareSigner != nil && e.hardwareSigner.Public() != nil {
+ // hardware signing is not implemented for darwin
+ if runtime.GOOS != "darwin" && e.hardwareSigner != nil && e.hardwareSigner.Public() != nil {
 response, err = challengeBox.Respond(e.localDbSigner, e.hardwareSigner, bhr.Bytes())
 } else {
 response, err = challengeBox.Respond(e.localDbSigner, nil, bhr.Bytes())
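Review bot: The new `// hardware signing is not implemented for darwin` line in the Wrap hunk is appended directly beneath the existing three-line comment about noop keys, so read top to bottom it looks like a continuation of the krypto nil-check explanation rather than a separate reason for the condition. Either separate it with a blank line or fold the two reasons into one comment on the condition, e.g. `// pass nil to krypto when the platform has no hardware signing (darwin) or the keys are noop`. Wrap's body starts and ends outside this hunk.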