From 1e30cd02c4283c4beabeec37b632b423969e3a82 Mon Sep 17 00:00:00 2001 From: Andy Golay Date: Tue, 7 Jan 2025 17:44:14 -0500 Subject: [PATCH] debug invalid length error for HashiCorp Vault public key --- .../cli/server/ed25519/hashi_corp_vault.rs | 3 +++ .../signing/interface/src/cryptography/mod.rs | 3 +++ util/signing/providers/aws-kms/src/hsm/key.rs | 23 +++++++++++++++---- .../providers/hashicorp-vault/src/hsm/key.rs | 12 ++++++++-- .../providers/hashicorp-vault/src/hsm/mod.rs | 4 ++-- 5 files changed, 36 insertions(+), 9 deletions(-) diff --git a/demo/hsm/src/cli/server/ed25519/hashi_corp_vault.rs b/demo/hsm/src/cli/server/ed25519/hashi_corp_vault.rs index 9c2db2ae6..5129a6739 100644 --- a/demo/hsm/src/cli/server/ed25519/hashi_corp_vault.rs +++ b/demo/hsm/src/cli/server/ed25519/hashi_corp_vault.rs @@ -19,8 +19,11 @@ pub struct HashiCorpVault { impl HashiCorpVault { pub async fn run(&self) -> Result<(), anyhow::Error> { // build the hsm + dotenv::dotenv().ok(); + println!("Canonical Key String: {}", self.canonical_key); let key = Key::try_from_canonical_string(self.canonical_key.as_str()) .map_err(|e| anyhow::anyhow!(e))?; + println!("Parsed Key: {:?}", key); let builder = Builder::::new(); let hsm = Signer::new(builder.build(key).await?); diff --git a/util/signing/interface/src/cryptography/mod.rs b/util/signing/interface/src/cryptography/mod.rs index 808611178..640d8762b 100644 --- a/util/signing/interface/src/cryptography/mod.rs +++ b/util/signing/interface/src/cryptography/mod.rs @@ -13,6 +13,9 @@ macro_rules! fixed_size { impl crate::cryptography::TryFromBytes for $Name { fn try_from_bytes(bytes: &[u8]) -> Result { + println!("Self::BYTES_LEN: {}", Self::BYTES_LEN); + println!("bytes: {:?}", bytes); + println!("bytes.len: {:?}", bytes.len()); if bytes.len() != Self::BYTES_LEN { Err(anyhow::anyhow!("invalid length"))?; } 
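Review bot: The new `dotenv::dotenv().ok()` call at the top of `run` loads a `.env` file from the process's working directory into the environment right before the HSM is built, so on a deployed server any writable working directory lets a dropped `.env` supply the `VAULT_*` settings the provider reads (`VAULT_KEY_NAME`, `VAULT_MOUNT_NAME`, `VAULT_PUBLIC_KEY` are visible later in this patch; dotenv does not override variables that are already set, so exposure is limited to unset ones — confirm for the crate version in use). If this is only for local debugging, gate it, e.g. `#[cfg(debug_assertions)] dotenv::dotenv().ok();`, or move it to the binary's entry point where the deployment story is explicit. The two `println!`s print `canonical_key` and `{:?}` of the parsed `Key` to stdout unconditionally; a key identifier is probably not secret, but `{:?}` prints every field `Key` carries, so confirm the type holds identifiers only before this merges. `run` continues past the hunk.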
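Review bot: `println!("bytes: {:?}", bytes)` is expanded by `fixed_size!` into every type the macro defines, so if the macro is also used for private-key or seed types (it is generic over `$Name` and lives in the signing interface crate), the raw secret bytes are written to stdout on every conversion attempt — a leak into service logs and CI output that must not ship. The length information this commit is chasing can be carried in the error instead: `Err(anyhow::anyhow!("invalid length: expected {} bytes, got {}", Self::BYTES_LEN, bytes.len()))?;` with the three `println!` lines removed. That gives the HashiCorp Vault caller the same diagnosis through the returned error without ever printing key material. The generated `try_from_bytes` continues past the hunk.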
diff --git a/util/signing/providers/aws-kms/src/hsm/key.rs b/util/signing/providers/aws-kms/src/hsm/key.rs index bb94477e0..2dce48517 100644 --- a/util/signing/providers/aws-kms/src/hsm/key.rs +++ b/util/signing/providers/aws-kms/src/hsm/key.rs @@ -22,10 +22,23 @@ where C: Curve + AwsKmsCryptographySpec + Sync, { async fn build(&self, key: Key) -> Result, SignerBuilderError> { - let mut hsm = AwsKms::try_from_env() - .await - .map_err(|e| SignerBuilderError::Internal(e.to_string()))?; - hsm.set_key_id(key.to_delimited_canonical_string("/")); + // Log the key being used to build the HSM + println!("Building HSM with key: {:?}", key); + + // Attempt to create the AwsKms HSM from the environment + let mut hsm = AwsKms::try_from_env().await.map_err(|e| { + println!("Failed to create AwsKms from environment: {:?}", e); + SignerBuilderError::Internal(e.to_string()) + })?; + + // Convert the key to a delimited canonical string and log it + let key_id = key.to_delimited_canonical_string("/"); + println!("Setting key ID: {}", key_id); + + // Set the key ID in the HSM + hsm.set_key_id(key_id); + + // Return the successfully built HSM Ok(hsm) } -} +} \ No newline at end of file diff --git a/util/signing/providers/hashicorp-vault/src/hsm/key.rs b/util/signing/providers/hashicorp-vault/src/hsm/key.rs index ce28c2695..fdb71a703 100644 --- a/util/signing/providers/hashicorp-vault/src/hsm/key.rs +++ b/util/signing/providers/hashicorp-vault/src/hsm/key.rs 
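Review bot: `build` in this library provider now writes to stdout three times (`println!("Building HSM with key: …")`, the print inside `map_err`, and `println!("Setting key ID: …")`), which callers cannot silence or route, and the `map_err` print duplicates the error that is already returned in `SignerBuilderError::Internal(e.to_string())`. The KMS key ID is an identifier rather than a secret, but `{:?}` of `Key` prints every field of that type, so it is worth confirming `Key` holds only identifiers before this lands. If the diagnostics are meant to stay, route them through a `log`/`tracing` debug macro if the crate already depends on one; otherwise restore `.map_err(|e| SignerBuilderError::Internal(e.to_string()))?;` and drop the prints once the length issue is found. The patch also drops the file's trailing newline (`\ No newline at end of file`), which `rustfmt` will put back.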
@@ -22,9 +22,17 @@ where C: Curve + HashiCorpVaultCryptographySpec + Sync, { async fn build(&self, key: Key) -> Result, SignerBuilderError> { + println!("Building HSM with key: {:?}", key); let mut hsm = HashiCorpVault::try_from_env() - .map_err(|e| SignerBuilderError::Internal(e.to_string()))?; - hsm.set_key_id(key.to_delimited_canonical_string("/")); + .map_err(|e| { + println!("Failed to create HashiCorpVault from environment: {:?}", e); + SignerBuilderError::Internal(e.to_string()) + })?; + + let key_id = key.to_delimited_canonical_string("/"); + println!("Setting key ID: {}", key_id); + hsm.set_key_id(key_id); + Ok(hsm) } } diff --git a/util/signing/providers/hashicorp-vault/src/hsm/mod.rs b/util/signing/providers/hashicorp-vault/src/hsm/mod.rs index 0fde70a0b..82d375b2e 100644 --- a/util/signing/providers/hashicorp-vault/src/hsm/mod.rs +++ b/util/signing/providers/hashicorp-vault/src/hsm/mod.rs @@ -58,13 +58,13 @@ where let key_name = std::env::var("VAULT_KEY_NAME").context("VAULT_KEY_NAME not set")?; let mount_name = std::env::var("VAULT_MOUNT_NAME").context("VAULT_MOUNT_NAME not set")?; - let public_key = std::env::var("VAULT_PUBLIC_KEY").unwrap_or_default(); + let public_key = base64::decode(std::env::var("VAULT_PUBLIC_KEY").unwrap_or_default())?; Ok(Self::new( client, key_name, mount_name, - C::PublicKey::try_from_bytes(public_key.as_bytes())?, + C::PublicKey::try_from_bytes(&public_key)?, )) }
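Review bot: The three `println!` calls added to `build` send the key, the provider-construction error and the key ID to stdout from a library crate, where whatever captures the service's output will see them, and the print inside `map_err` repeats the error that `SignerBuilderError::Internal(e.to_string())` already returns to the caller. Prefer a debug-level log macro if this crate already has one, or restore `.map_err(|e| SignerBuilderError::Internal(e.to_string()))?;` and remove the prints once the length issue is found. `{:?}` of `Key` prints whatever the type holds, so confirm it is identifiers only.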
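Review bot: `std::env::var("VAULT_PUBLIC_KEY").unwrap_or_default()` turns an unset variable into an empty string, which `base64::decode` accepts as an empty `Vec`, so the failure surfaces later from `try_from_bytes` as exactly the `invalid length` this commit is chasing instead of naming the missing variable; `VAULT_KEY_NAME` and `VAULT_MOUNT_NAME` two lines up already use `.context("… not set")?`. Make the public key consistent and give the decode its own context: `let public_key = std::env::var("VAULT_PUBLIC_KEY").context("VAULT_PUBLIC_KEY not set")?;` followed by `let public_key = base64::decode(public_key).context("VAULT_PUBLIC_KEY is not valid base64")?;`. The public key is still taken from the environment rather than read back from Vault, so a mis-set variable yields a signer whose reported public key does not match the key Vault actually signs with; if the client built above this hunk exposes a key read, comparing the two at startup would catch that (inferred — the client type and the function's signature are outside the hunk). `base64::decode` is the pre-0.21 API; if the crate is on 0.21 or later, this is the deprecated path and `BASE64_STANDARD.decode(…)` via the `Engine` trait is the replacement.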