Sign a hashed message in hardware key warmup call (#48567)

Otherwise, signing may fail with "input must be a hashed message" error.
gravitational · Nov 12, 2024 · c59507b · c59507b
1 parent 00ec4da
commit c59507b
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/api/utils/keys/yubikey.go b/api/utils/keys/yubikey.go
@@ -287,8 +287,8 @@ func (y *YubiKeyPrivateKey) Public() crypto.PublicKey {
 // WarmupHardwareKey performs a bogus sign() call to prompt the user for
 // a PIN/touch (if needed).
 func (y *YubiKeyPrivateKey) WarmupHardwareKey(ctx context.Context) error {
-	b := make([]byte, 256)
-	_, err := y.sign(ctx, rand.Reader, b, crypto.SHA256)
+	hash := sha256.Sum256(make([]byte, 256))
+	_, err := y.sign(ctx, rand.Reader, hash[:], crypto.SHA256)
 	return trace.Wrap(err, "failed to access a YubiKey private key")
 }