Update hsm-service.ts
DanielHougaard committed Nov 11, 2024
1 parent 127b6f9 commit 7f5d7ec
Showing 1 changed file with 7 additions and 8 deletions.
15 changes: 7 additions & 8 deletions backend/src/ee/services/hsm/hsm-service.ts
Expand Up @@ -23,6 +23,9 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsm
const BLOCK_SIZE = 16;
const HMAC_SIZE = 32;

const AES_KEY_SIZE = 256;
const HMAC_KEY_SIZE = 256;

const $withSession = async <T>(callbackWithSession: SessionCallback<T>): Promise<T> => {
const RETRY_INTERVAL = 300; // 300ms between attempts
const MAX_TIMEOUT = 30_000; // 30 seconds maximum total time
Expand Down Expand Up @@ -215,13 +218,9 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsm

// Calculate max buffer size (input length + potential full block of padding)
const maxEncryptedLength = Math.ceil(data.length / BLOCK_SIZE) * BLOCK_SIZE + BLOCK_SIZE;
const tempBuffer = Buffer.alloc(maxEncryptedLength);

// First call to get the actual length
const encryptedLength = pkcs11.C_Encrypt(sessionHandle, data, tempBuffer);

// Create a copy of the encrypted data using the actual length
const encryptedData = Buffer.from(tempBuffer.subarray(0, encryptedLength.length || 16));
// Encrypt the data - this returns the encrypted data directly
const encryptedData = pkcs11.C_Encrypt(sessionHandle, data, Buffer.alloc(maxEncryptedLength));

// Initialize HMAC
const hmacMechanism = {
Expand Down Expand Up @@ -396,7 +395,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsm
const keyTemplate = [
{ type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
{ type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_AES },
{ type: pkcs11js.CKA_VALUE_LEN, value: 256 / 8 },
{ type: pkcs11js.CKA_VALUE_LEN, value: AES_KEY_SIZE / 8 },
{ type: pkcs11js.CKA_LABEL, value: appCfg.HSM_KEY_LABEL! },
{ type: pkcs11js.CKA_ENCRYPT, value: true }, // Allow encryption
{ type: pkcs11js.CKA_DECRYPT, value: true }, // Allow decryption
Expand All @@ -420,7 +419,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsm
const hmacKeyTemplate = [
{ type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
{ type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_GENERIC_SECRET },
{ type: pkcs11js.CKA_VALUE_LEN, value: 256 / 8 }, // 256-bit key
{ type: pkcs11js.CKA_VALUE_LEN, value: HMAC_KEY_SIZE / 8 }, // 256-bit key
{ type: pkcs11js.CKA_LABEL, value: `${appCfg.HSM_KEY_LABEL!}_HMAC` },
{ type: pkcs11js.CKA_SIGN, value: true }, // Allow signing
{ type: pkcs11js.CKA_VERIFY, value: true }, // Allow verification
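Review bot: The new constants `AES_KEY_SIZE` and `HMAC_KEY_SIZE` are in bits, while the neighbouring `BLOCK_SIZE` and `HMAC_SIZE` are in bytes, and nothing at the declarations says so. `CKA_VALUE_LEN` takes a byte count, so a later use that forgets the `/ 8` would request a 256-byte secret; for the `CKK_GENERIC_SECRET` HMAC key that request may be accepted rather than rejected, depending on the token. I would state the unit at the declaration, e.g. `const AES_KEY_SIZE = 256; // bits; divide by 8 for CKA_VALUE_LEN`, and the same for `HMAC_KEY_SIZE`. The trailing `// 256-bit key` in the HMAC template could then be dropped, since it repeats the constant and will go stale if the value changes. Both templates sit inside `hsmServiceFactory`, whose body continues outside the visible hunks.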
