github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-09 15:38:03 -05:00
Code Issues Packages Projects Releases Wiki Activity

smaller fixes

Browse Source
This commit is contained in:
Daniel Hougaard
2025-10-21 20:48:47 +04:00
parent c8a00e7e3f
commit 0f925cfaad
4 changed files with 19 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/src/db/migrations/utils/services.ts
View File

@@ -68,13 +68,13 @@ export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }
// ----- HSM startup ----- // ----- HSM startup -----
const hsmModule = initializeHsmModule(envConfig); const hsmModule = initializeHsmModule(envConfig);
hsmModule.initialize();
const hsmService = hsmServiceFactory({ const hsmService = hsmServiceFactory({
hsmModule: hsmModule.getModule(), hsmModule: hsmModule.getModule(),
envConfig envConfig
}); });
hsmModule.initialize();
await hsmService.startService(); await hsmService.startService();
const hsmStatus = await isHsmActiveAndEnabled({ const hsmStatus = await isHsmActiveAndEnabled({

3
backend/src/ee/services/hsm/hsm-fns.ts
View File

@@ -35,6 +35,7 @@ export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured
if ((error as { message?: string })?.message === "CKR_CRYPTOKI_ALREADY_INITIALIZED") { if ((error as { message?: string })?.message === "CKR_CRYPTOKI_ALREADY_INITIALIZED") {
logger.info("Skipping HSM initialization because it's already initialized."); logger.info("Skipping HSM initialization because it's already initialized.");
isInitialized = true;
} else { } else {
logger.error(error, "Failed to initialize PKCS#11 module"); logger.error(error, "Failed to initialize PKCS#11 module");
throw error; throw error;
@@ -83,7 +84,7 @@ export const isHsmActiveAndEnabled = async ({
const rootKmsConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID).catch(() => null); const rootKmsConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID).catch(() => null);
rootKmsConfigEncryptionStrategy = rootKmsConfig?.encryptionStrategy as RootKeyEncryptionStrategy | null; rootKmsConfigEncryptionStrategy = (rootKmsConfig?.encryptionStrategy || null) as RootKeyEncryptionStrategy | null;
if (rootKmsConfigEncryptionStrategy === RootKeyEncryptionStrategy.HSM && !licenseService.onPremFeatures.hsm) { if (rootKmsConfigEncryptionStrategy === RootKeyEncryptionStrategy.HSM && !licenseService.onPremFeatures.hsm) {
throw new BadRequestError({ throw new BadRequestError({
message: "Your license does not include HSM integration. Please upgrade to the Enterprise plan to use HSM." message: "Your license does not include HSM integration. Please upgrade to the Enterprise plan to use HSM."

15
backend/src/ee/services/hsm/hsm-service.ts
View File

@@ -460,10 +460,23 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
} }
}; };
const randomBytes = async (length: number) => {
if (!pkcs11 || !isInitialized) {
throw new Error("PKCS#11 module is not initialized");
}
const randomData = await $withSession((sessionHandle) =>
pkcs11.C_GenerateRandom(sessionHandle, Buffer.alloc(length))
);
return randomData;
};
return { return {
encrypt, encrypt,
startService, startService,
isActive, isActive,
decrypt decrypt,
randomBytes
}; };
}; };

4
backend/src/services/kms/kms-service.ts
View File

@@ -1083,8 +1083,8 @@ export const kmsServiceFactory = ({
const isHsmActive = hsmStatus.isHsmConfigured; const isHsmActive = hsmStatus.isHsmConfigured;
logger.info("KMS: Generating new ROOT Key"); logger.info(`KMS: Generating new ROOT Key with ${isHsmActive ? "HSM" : "software"} encryption`);
const newRootKey = crypto.randomBytes(32); const newRootKey = isHsmActive ? await hsmService.randomBytes(32) : crypto.randomBytes(32);
const encryptionStrategy = isHsmActive ? RootKeyEncryptionStrategy.HSM : RootKeyEncryptionStrategy.Software; const encryptionStrategy = isHsmActive ? RootKeyEncryptionStrategy.HSM : RootKeyEncryptionStrategy.Software;