smaller fixes

2026-01-07 22:53:55 -05:00 · 2025-10-21 20:48:47 +04:00
parent c8a00e7e3f
commit 0f925cfaad
4 changed files with 19 additions and 5 deletions
--- a/backend/src/db/migrations/utils/services.ts
+++ b/backend/src/db/migrations/utils/services.ts
@@ -68,13 +68,13 @@ export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }
  // ----- HSM startup -----

  const hsmModule = initializeHsmModule(envConfig);
+  hsmModule.initialize();

  const hsmService = hsmServiceFactory({
    hsmModule: hsmModule.getModule(),
    envConfig
  });

-  hsmModule.initialize();
  await hsmService.startService();

  const hsmStatus = await isHsmActiveAndEnabled({
--- a/backend/src/ee/services/hsm/hsm-fns.ts
+++ b/backend/src/ee/services/hsm/hsm-fns.ts
@@ -35,6 +35,7 @@ export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured

      if ((error as { message?: string })?.message === "CKR_CRYPTOKI_ALREADY_INITIALIZED") {
        logger.info("Skipping HSM initialization because it's already initialized.");
+        isInitialized = true;
      } else {
        logger.error(error, "Failed to initialize PKCS#11 module");
        throw error;
@@ -83,7 +84,7 @@ export const isHsmActiveAndEnabled = async ({

  const rootKmsConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID).catch(() => null);

-  rootKmsConfigEncryptionStrategy = rootKmsConfig?.encryptionStrategy as RootKeyEncryptionStrategy | null;
+  rootKmsConfigEncryptionStrategy = (rootKmsConfig?.encryptionStrategy || null) as RootKeyEncryptionStrategy | null;
  if (rootKmsConfigEncryptionStrategy === RootKeyEncryptionStrategy.HSM && !licenseService.onPremFeatures.hsm) {
    throw new BadRequestError({
      message: "Your license does not include HSM integration. Please upgrade to the Enterprise plan to use HSM."
--- a/backend/src/ee/services/hsm/hsm-service.ts
+++ b/backend/src/ee/services/hsm/hsm-service.ts
@@ -460,10 +460,23 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
    }
  };

+  const randomBytes = async (length: number) => {
+    if (!pkcs11 || !isInitialized) {
+      throw new Error("PKCS#11 module is not initialized");
+    }
+
+    const randomData = await $withSession((sessionHandle) =>
+      pkcs11.C_GenerateRandom(sessionHandle, Buffer.alloc(length))
+    );
+
+    return randomData;
+  };
+
  return {
    encrypt,
    startService,
    isActive,
-    decrypt
+    decrypt,
+    randomBytes
  };
 };
--- a/backend/src/services/kms/kms-service.ts
+++ b/backend/src/services/kms/kms-service.ts
@@ -1083,8 +1083,8 @@ export const kmsServiceFactory = ({

      const isHsmActive = hsmStatus.isHsmConfigured;

-      logger.info("KMS: Generating new ROOT Key");
-      const newRootKey = crypto.randomBytes(32);
+      logger.info(`KMS: Generating new ROOT Key with ${isHsmActive ? "HSM" : "software"} encryption`);
+      const newRootKey = isHsmActive ? await hsmService.randomBytes(32) : crypto.randomBytes(32);

      const encryptionStrategy = isHsmActive ? RootKeyEncryptionStrategy.HSM : RootKeyEncryptionStrategy.Software;