From e076c588edc206d06a9b72510ff1776c7ed29509 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <gzdunek@users.noreply.github.com>
Date: Thu, 31 Oct 2024 23:09:39 +0100
Subject: [PATCH] Sign a hashed message in hardware key warmup call (#48206)

Otherwise, signing may fail with "input must be a hashed message" error.

(cherry picked from commit 47494db923e61bb12af54f65748584947c59bd9d)
---
 api/utils/keys/yubikey.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/utils/keys/yubikey.go b/api/utils/keys/yubikey.go
index 4687ab2da1322..09cf8e8bd4e06 100644
--- a/api/utils/keys/yubikey.go
+++ b/api/utils/keys/yubikey.go
@@ -286,8 +286,8 @@ func (y *YubiKeyPrivateKey) Public() crypto.PublicKey {
 // WarmupHardwareKey performs a bogus sign() call to prompt the user for
 // a PIN/touch (if needed).
 func (y *YubiKeyPrivateKey) WarmupHardwareKey(ctx context.Context) error {
-	b := make([]byte, 256)
-	_, err := y.sign(ctx, rand.Reader, b, crypto.SHA256)
+	hash := sha256.Sum256(make([]byte, 256))
+	_, err := y.sign(ctx, rand.Reader, hash[:], crypto.SHA256)
 	return trace.Wrap(err, "failed to access a YubiKey private key")
 }