Skip to content

Commit

Permalink
address pr comments
Browse files Browse the repository at this point in the history
  • Loading branch information
pleasew8t authored and pleasew8t committed Dec 12, 2024
1 parent bcf5c67 commit d3bead1
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion node/pkg/guardiansigner/amazonkms.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,8 @@ var (

// The timeout for KMS operations. This is necessary to avoid situations where
// the signing or verification is blocked indefinitely.
KMS_TIMEOUT = time.Second * 15
KMS_TIMEOUT = time.Second * 15
MINIMUM_KMS_PUBKEY_LENGTH = 65
)

// The ASN.1 structure for an ECDSA signature produced by AWS KMS.
Expand Down Expand Up @@ -118,6 +119,11 @@ func NewAmazonKmsSigner(ctx context.Context, unsafeDevMode bool, keyPath string)
return nil, fmt.Errorf("Failed to unmarshal KMS public key: %w", err)
}

// The public key is expected to be at least `MINIMUM_KMS_PUBKEY_LENGTH` bytes long.
if len(asn1Pubkey.PublicKey.Bytes) < MINIMUM_KMS_PUBKEY_LENGTH {
return nil, errors.New("Invalid KMS public key length")
}

// It is possible to use `ethcrypto.UnmarshalPubkey(asn1Pubkey.PublicKey.Bytes)`` to get the public key,
// but `UnmarshalPubkey()` uses elliptic.Unmarshal() internally, which has been marked as deprecated.
// The following code implements similar logic, with the indexes meaning the following:
Expand Down

0 comments on commit d3bead1

Please sign in to comment.