From 318545e4fd6024297068222bcb27c809ae6cc4a5 Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Mon, 12 Aug 2024 18:42:04 -0700 Subject: [PATCH] Make SignKM accept generic crypto.Signer Accepting crypto.PrivateKey uneccessarily restricts this library to software crypto algorithms provided by the golang crypto packages. By allowing the more generic crypto.Signer interface alternative implementations, e.g., backed by HSMs, can be supported. --- cmd/core/bg-prov/cmd.go | 3 ++- pkg/provisioning/bootguard/bootguard.go | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/cmd/core/bg-prov/cmd.go b/cmd/core/bg-prov/cmd.go index e5e15f35..cb269b31 100644 --- a/cmd/core/bg-prov/cmd.go +++ b/cmd/core/bg-prov/cmd.go @@ -2,6 +2,7 @@ package main import ( "bytes" + "crypto" "encoding/binary" "fmt" "os" @@ -858,7 +859,7 @@ func (s *signKMCmd) Run(ctx *context) error { if err != nil { return err } - bKMSigned, err := bg.SignKM(s.SignAlgo, privkey) + bKMSigned, err := bg.SignKM(s.SignAlgo, privkey.(crypto.Signer)) if err != nil { return err } diff --git a/pkg/provisioning/bootguard/bootguard.go b/pkg/provisioning/bootguard/bootguard.go index c8f6484c..d25db6ea 100644 --- a/pkg/provisioning/bootguard/bootguard.go +++ b/pkg/provisioning/bootguard/bootguard.go @@ -419,7 +419,7 @@ func (b *BootGuard) StitchBPM(pubKey crypto.PublicKey, signature []byte) ([]byte } // SignKM signs an unsigned KM with signAlgo and private key as input -func (b *BootGuard) SignKM(signAlgo string, privkey crypto.PrivateKey) ([]byte, error) { +func (b *BootGuard) SignKM(signAlgo string, signer crypto.Signer) ([]byte, error) { buf := new(bytes.Buffer) switch b.Version { case bgheader.Version10: @@ -433,7 +433,7 @@ func (b *BootGuard) SignKM(signAlgo string, privkey crypto.PrivateKey) ([]byte, return nil, err } unsignedKM := buf.Bytes()[:b.VData.BGkm.KeyAndSignatureOffset()] - if err := b.VData.BGkm.SetSignature(signAlgo, privkey.(crypto.Signer), unsignedKM); err != nil { + if err := b.VData.BGkm.SetSignature(signAlgo, signer, unsignedKM); err != nil { return nil, err } case bgheader.Version20: @@ -447,7 +447,7 @@ func (b *BootGuard) SignKM(signAlgo string, privkey crypto.PrivateKey) ([]byte, return nil, err } unsignedKM := buf.Bytes()[:b.VData.CBNTkm.KeyAndSignatureOffset()] - if err = b.VData.CBNTkm.SetSignature(signAlgo, b.VData.CBNTkm.PubKeyHashAlg, privkey.(crypto.Signer), unsignedKM); err != nil { + if err = b.VData.CBNTkm.SetSignature(signAlgo, b.VData.CBNTkm.PubKeyHashAlg, signer, unsignedKM); err != nil { return nil, err } default: