diff --git a/pkg/services/session/storage/persistent/storage.go b/pkg/services/session/storage/persistent/storage.go index 05ab607d5d..3e52a8dcfb 100644 --- a/pkg/services/session/storage/persistent/storage.go +++ b/pkg/services/session/storage/persistent/storage.go @@ -3,7 +3,6 @@ package persistent import ( "crypto/aes" "crypto/cipher" - "crypto/x509" "encoding/hex" "fmt" @@ -62,20 +61,10 @@ func NewTokenStore(path string, opts ...Option) (*TokenStore, error) { // enable encryption if it // was configured so if cfg.privateKey != nil { - rawKey, err := x509.MarshalECPrivateKey(cfg.privateKey) - if err != nil { - return nil, fmt.Errorf("could not marshal provided private key: %w", err) - } + rawKey := make([]byte, (cfg.privateKey.Curve.Params().N.BitLen()+7)/8) + cfg.privateKey.D.FillBytes(rawKey) - // tagOffset is a constant offset for - // tags when marshalling ECDSA key in - // ASN.1 DER form - const tagOffset = 7 - - // using first 32 bytes from - // the marshalled private key - // as a secret - c, err := aes.NewCipher(rawKey[tagOffset : tagOffset+32]) + c, err := aes.NewCipher(rawKey) if err != nil { return nil, fmt.Errorf("could not create cipher block: %w", err) } diff --git a/pkg/services/session/storage/persistent/util.go b/pkg/services/session/storage/persistent/util.go index 3180497f07..68ea581765 100644 --- a/pkg/services/session/storage/persistent/util.go +++ b/pkg/services/session/storage/persistent/util.go @@ -10,7 +10,7 @@ import ( "go.etcd.io/bbolt" ) -const expOffset = 8 +const keyOffset = 8 func (s *TokenStore) packToken(exp uint64, key *ecdsa.PrivateKey) ([]byte, error) { rawKey, err := x509.MarshalECPrivateKey(key) @@ -25,7 +25,7 @@ func (s *TokenStore) packToken(exp uint64, key *ecdsa.PrivateKey) ([]byte, error } } - res := make([]byte, expOffset, expOffset+len(rawKey)) + res := make([]byte, keyOffset, keyOffset+len(rawKey)) binary.LittleEndian.PutUint64(res, exp) res = append(res, rawKey...) @@ -37,7 +37,7 @@ func (s *TokenStore) unpackToken(raw []byte) (*storage.PrivateToken, error) { var err error epoch := epochFromToken(raw) - rawKey := raw[expOffset:] + rawKey := raw[keyOffset:] if s.gcm != nil { rawKey, err = s.decrypt(rawKey)