[v13] fix: Save device keys on %APPDATA%/Local instead of %APPDATA%/Roaming #30177

Merged
merged 1 commit into from Aug 8, 2023
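--- a/lib/devicetrust/native/device_windows.go
+++ b/lib/devicetrust/native/device_windows.go
@@ -50,6 +50,12 @@ type deviceState struct {
 credentialActivationPath string
 }
 
+// userDirFunc is used to determine where to save/lookup the device's
+// attestation key.
+// We use os.UserCacheDir instead of os.UserConfigDir because the latter is
+// roaming (which we don't want for device-specific keys).
+var userDirFunc = os.UserCacheDir
+
 // setupDeviceStateDir ensures that device state directory exists.
 // It returns a struct containing the path of each part of the device state,
 // or nil and an error if it was not possible to set up the directory.
@@ -149,7 +155,7 @@ func createAndSaveAK(
 }
 
 func enrollDeviceInit() (*devicepb.EnrollDeviceInit, error) {
-stateDir, err := setupDeviceStateDir(os.UserConfigDir)
+stateDir, err := setupDeviceStateDir(userDirFunc)
 if err != nil {
 return nil, trace.Wrap(err, "setting up device state directory")
 }
@@ -426,7 +432,7 @@ func collectDeviceData() (*devicepb.DeviceCollectedData, error) {
 // getDeviceCredential will only return the credential ID on windows. The
 // other information is determined server-side.
 func getDeviceCredential() (*devicepb.DeviceCredential, error) {
-stateDir, err := setupDeviceStateDir(os.UserConfigDir)
+stateDir, err := setupDeviceStateDir(userDirFunc)
 if err != nil {
 return nil, trace.Wrap(err, "setting up device state directory")
 }
@@ -463,7 +469,7 @@ func solveTPMEnrollChallenge(
 challenge *devicepb.TPMEnrollChallenge,
 debug bool,
 ) (*devicepb.TPMEnrollChallengeResponse, error) {
-stateDir, err := setupDeviceStateDir(os.UserConfigDir)
+stateDir, err := setupDeviceStateDir(userDirFunc)
 if err != nil {
 return nil, trace.Wrap(err, "setting up device state directory")
 }
@@ -622,7 +628,7 @@ func handleTPMActivateCredential(encryptedCredential, encryptedCredentialSecret
 return trace.Wrap(err, "decoding encrypted credential secret")
 }
 
-stateDir, err := setupDeviceStateDir(os.UserConfigDir)
+stateDir, err := setupDeviceStateDir(userDirFunc)
 if err != nil {
 return trace.Wrap(err, "setting up device state directory")
 }
@@ -666,7 +672,7 @@ func handleTPMActivateCredential(encryptedCredential, encryptedCredentialSecret
 func solveTPMAuthnDeviceChallenge(
 challenge *devicepb.TPMAuthenticateDeviceChallenge,
 ) (*devicepb.TPMAuthenticateDeviceChallengeResponse, error) {
-stateDir, err := setupDeviceStateDir(os.UserConfigDir)
+stateDir, err := setupDeviceStateDir(userDirFunc)
 if err != nil {
 return nil, trace.Wrap(err, "setting up device state directory")
 }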
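Review bot: Nothing visible in this diff migrates or falls back to the old os.UserConfigDir location, so after this change getDeviceCredential and the TPM challenge solvers will look in a fresh, empty state directory and a device that was already enrolled will behave as unenrolled until it is enrolled again; if that is the intended outcome, the userDirFunc comment should say so, e.g. `// Keys saved by earlier versions under os.UserConfigDir (roaming) are not migrated; affected devices must re-enroll.` The same comment should also state why userDirFunc is a package-level var rather than a direct call — presumably so tests can substitute a temporary directory; confirm and document it. On Windows, os.UserCacheDir resolves to %LocalAppData%, which matches the intent stated in the title, so the switch itself looks correct. setupDeviceStateDir, which actually creates the directory and would be the natural place for a one-time read of the old location, is outside the hunks shown.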