KAS nano #7
Open
KAS nano #7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Enhanced error logging in rewrap.go to help with debugging. In each error case, an error log is now added which gives more context about what caused the failure. In hsm.go, renamed the 'hkdf' variable to 'hkdfParams' for clarity and readability.
The logging statements in the "getEntityInfo" and "Rewrap" functions of rewrap.go have been updated for increased clarity and more detailed error tracking. This includes changing the level of some logs from 'warn' to 'error' when an issue arises while obtaining a token, and adding more context information to debug logs.
Added certificate caching mechanism to the PublicKey Provider to reduce the number of calls to the CryptoProvider. Now, before performing an expensive certificate generation operation, the system will first check if a cached certificate for the requested key exists. If it does, it returns the cached certificate, otherwise, it generates a new one and stores it in the cache for future requests.
This commitment enhances error handling and logging in various functions within hsm.go. Now, errors are clearly logged with slog.Error specifying the error type. Additionally, a sanity check has been added to the key pair generation process. Finally, a debug message is logged showing the length of the derived key during the symmetric key generation process.
A new mechanism for SHA256 has been added to the key pair generation process in the hsm.go file. A corresponding error logging has been implemented in case of failed verification. This is to improve the reliability of key pairs and add further security checks.
The key pair sanity check mechanism in the hsm.go file has been updated. Previously, it used the `CKM_SHA256` mechanism from the pkcs11 package, but now it is using the `CKM_ECDSA_SHA256` mechanism. This change helps to improve the security of the key pair verification process.
The ECDSA mechanism used in the sanity check of the key pair (in the hsm.go file) was updated from CKM_ECDSA_SHA256 to CKM_ECDSA. The aim of this change is to prevent potential issues related to signing.
The error logging in the PKCS11 VerifyASN1 method has been enhanced. Now it includes details such as the hash, the signature, and the EC Public Key when the verification fails.
Added extensive info for failed signature verification in the pkcs11 VerifyASN1 method. Logs now include the public key in PEM format, making error tracing easier and more effective.
The previously used sha256 to hash a string directly has been changed. Now, the Digest function of the pkcs11 context is used to hash the string. This method better suits the pkcs11 framework and may prevent possible errors.
Modified the execution flow in hsm.go to return errors immediately when RSA or EC key loads fail. Also, updated the initialization of pkcs11 digest and improved the error handling in the sanity check of the key pair.
Errors related to loading RSA key and verifying ASN1 signature are no longer returned immediately. Added a break statement after assigning a certificate to pair.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Current error