Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relax key kind check in derive_key for hmacsha256 #58

Merged
merged 1 commit into from Dec 15, 2022
Merged

Relax key kind check in derive_key for hmacsha256 #58

merged 1 commit into from Dec 15, 2022

Conversation

robin-nitrokey
Copy link
Member

In #38 [0], we restricted the operations for the hmacsha256 mechanism to symmetric and shared keys. This breaks fido-authenticator because it uses hmacsha256 derive_key on EC keys [1]. This patch relaxes the restrictions to allow all key kinds.

[0] #38
[1] trussed-dev/fido-authenticator#21

cc @sosthene-nitrokey: I can’t add you as a reviewer, but please have a look.

@sosthene-nitrokey
Copy link
Contributor

We should probably keep the check and add a warn! log so that we can see when it is relied upon and to make it less likely that we rely upon it by mistake in new updates.

@robin-nitrokey
Relax key kind check in derive_key for hmacsha256
36ee8ff 
In #38 [0], we restricted the operations for the hmacsha256 mechanism
to symmetric and shared keys.  This breaks fido-authenticator because it
uses hmacsha256 derive_key on EC keys [1].  This patch relaxes the
restrictions to allow all key kinds.

[0] trussed-dev#38
[1] trussed-dev/fido-authenticator#21
@robin-nitrokey
Copy link
Member Author

Good point, done.

@robin-nitrokey robin-nitrokey merged commit 99b6c94 into trussed-dev:main Dec 15, 2022
@robin-nitrokey robin-nitrokey deleted the relax-key-kind branch December 15, 2022 11:43
@nickray
Copy link
Member

nickray commented Jan 16, 2023

Philosophically, I think we could allow (or at least imagine) casting an asymmetric secret key to a "shared secret", which is always only used as input to a KDF kind of function.

@robin-nitrokey robin-nitrokey mentioned this pull request Jan 18, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daringer daringer daringer approved these changes

@sosthene-nitrokey sosthene-nitrokey sosthene-nitrokey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@robin-nitrokey @sosthene-nitrokey @nickray @daringer