
Commit 12e5e9c

feat(fips): update keystore to use crypto/pbkdf2 in go 1.24 (#289)
* feat(fips): update keystore to use crypto/pbkdf2 in go 1.24. The keystore is not used in FIPS mode, but importing the package causes x/crypto to be linked into the final binary. We can't drop Go 1.23, so just add build tags to use the stdlib crypto/pbkdf2 when the app is built with Go 1.24 (which is required for FIPS anyway). * Update pbkdf2_legacy.go
1 parent 1b263ef commit 12e5e9c


3 files changed

+67
-9
lines changed

3 files changed

+67
-9
lines changed

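--- a/keystore/file_keystore.go
+++ b/keystore/file_keystore.go
@@ -22,7 +22,6 @@ import (
 "crypto/aes"
 "crypto/cipher"
 "crypto/rand"
-"crypto/sha512"
 "encoding/base64"
 "encoding/json"
 "fmt"
@@ -32,8 +31,6 @@ import (
 "runtime"
 "sync"
 
-"golang.org/x/crypto/pbkdf2"
-
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/file"
 )
@@ -342,7 +339,10 @@ func (k *FileKeystore) encrypt(reader io.Reader) (io.Reader, error) {
 
 // Stretch the user provided key
 password, _ := k.password.Get()
-passwordBytes := k.hashPassword(password, salt)
+passwordBytes, err := k.hashPassword(string(password), salt)
+if err != nil {
+return nil, fmt.Errorf("could not hash password, error: %w", err)
+}
 
 // Select AES-256: because len(passwordBytes) == 32 bytes
 block, err := aes.NewCipher(passwordBytes)
@@ -388,7 +388,10 @@ func (k *FileKeystore) decrypt(reader io.Reader) (io.Reader, error) {
 encodedBytes := data[saltLength+iVLength:]
 
 password, _ := k.password.Get()
-passwordBytes := k.hashPassword(password, salt)
+passwordBytes, err := k.hashPassword(string(password), salt)
+if err != nil {
+return nil, fmt.Errorf("could not hash password, error: %w", err)
+}
 
 block, err := aes.NewCipher(passwordBytes)
 if err != nil {
@@ -456,10 +459,6 @@ func (k *FileKeystore) ConfiguredPath() string {
 return k.Path
 }
 
-func (k *FileKeystore) hashPassword(password, salt []byte) []byte {
-return pbkdf2.Key(password, salt, iterationsCount, keyLength, sha512.New)
-}
-
 // randomBytes return a slice of random bytes of the defined length
 func randomBytes(length int) ([]byte, error) {
 r := make([]byte, length)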
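Review bot: `string(password)` in the encrypt hunk (and again in decrypt) copies the secret into an immutable Go string that can never be zeroed, and pbkdf2_legacy.go then converts it straight back with `[]byte(password)`, so the password now lives in extra heap copies on both build paths. Keeping hashPassword's parameter as `[]byte`, as the removed signature had it, and converting only inside the go1.24 wrapper, `return pbkdf2.Key(sha512.New, string(password), salt, iterationsCount, keyLength)`, confines the unavoidable string copy to the one stdlib call site and leaves the legacy path copy-free. That `k.password.Get()` yields a `[]byte` is inferred from the old `hashPassword(password, salt []byte)` signature rather than visible here. Both encrypt and decrypt continue outside their hunks.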

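--- /dev/null
+++ b/keystore/pbkdf2_go124.go
@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build go1.24
+
+package keystore
+
+import (
+"crypto/pbkdf2"
+"crypto/sha512"
+)
+
+func (k *FileKeystore) hashPassword(password string, salt []byte) ([]byte, error) {
+return pbkdf2.Key(sha512.New, password, salt, iterationsCount, keyLength)
+}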
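Review bot: hashPassword in pbkdf2_go124.go has no doc comment, and unlike the legacy variant its error result is meaningful: the standard-library crypto/pbkdf2 can reject the call when the binary runs in FIPS 140-only mode (short salts or key lengths, low iteration counts), which is presumably why the signature grew an error. Suggest `// hashPassword derives the AES key from the user password with PBKDF2-HMAC-SHA512 using the Go 1.24 standard library; the error is non-nil only when the runtime rejects the parameters (e.g. in FIPS 140-only mode), so callers must check it.` The values of iterationsCount and keyLength are defined outside this file, so whether they meet those minimums cannot be confirmed from the hunk; a short comment recording the expected values next to this call would make the dependency visible.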

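--- /dev/null
+++ b/keystore/pbkdf2_legacy.go
@@ -0,0 +1,30 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !go1.24
+
+package keystore
+
+import (
+"crypto/sha512"
+
+"golang.org/x/crypto/pbkdf2"
+)
+
+func (k *FileKeystore) hashPassword(password string, salt []byte) ([]byte, error) {
+return pbkdf2.Key([]byte(password), salt, iterationsCount, keyLength, sha512.New), nil
+}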
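Review bot: the legacy hashPassword always returns a nil error, which exists only to match the go1.24 signature, and nothing says so; a reader will look for a failure mode that is not there. Suggest `// hashPassword derives the AES key with PBKDF2-HMAC-SHA512 via golang.org/x/crypto on Go < 1.24; the error result exists only for signature parity with pbkdf2_go124.go and is always nil.` It would also help to note in the same comment that both files must keep the same hash, iteration count and key length so keystores written under one toolchain decrypt under the other.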
