Relax key kind check in derive_key for hmacsha256

In #38 [0], we restricted the operations for the hmacsha256 mechanism to symmetric and shared keys. This breaks fido-authenticator because it uses hmacsha256 derive_key on EC keys [1]. This patch relaxes the restrictions to allow all key kinds. [0] #38 [1] trussed-dev/fido-authenticator#21
trussed-dev · Dec 1, 2022 · 36ee8ff · 36ee8ff
1 parent be33405
commit 36ee8ff
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/mechanisms/hmacsha256.rs b/src/mechanisms/hmacsha256.rs
@@ -16,7 +16,9 @@ impl DeriveKey for super::HmacSha256 {
         let key_id = request.base_key;
         let key = keystore.load_key(key::Secrecy::Secret, None, &key_id)?;
         if !matches!(key.kind, key::Kind::Symmetric(..) | key::Kind::Shared(..)) {
-            return Err(Error::WrongKeyKind);
+            // We have to disable this check for compatibility with fido-authenticator, see:
+            // https://github.com/solokeys/fido-authenticator/issues/21
+            warn!("derive_key for hmacsha256 called with invalid key kind ({:?})", key.kind);
         }
         let shared_secret = key.material;