From 029eaa8d2f986e401066326b6012afe9e434512c Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek
Date: Thu, 31 Oct 2024 13:09:38 +0100
Subject: [PATCH] Sign a hashed message in hardware key warmup call

Otherwise, signing may fail with "input must be a hashed message" error.
---
 api/utils/keys/yubikey.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/utils/keys/yubikey.go b/api/utils/keys/yubikey.go
index 15e12bfc7e3f6..2d16f967d851c 100644
--- a/api/utils/keys/yubikey.go
+++ b/api/utils/keys/yubikey.go
@@ -291,8 +291,8 @@ func (y *YubiKeyPrivateKey) Public() crypto.PublicKey {
 // WarmupHardwareKey performs a bogus sign() call to prompt the user for
 // a PIN/touch (if needed).
 func (y *YubiKeyPrivateKey) WarmupHardwareKey(ctx context.Context) error {
- b := make([]byte, 256)
- _, err := y.sign(ctx, rand.Reader, b, crypto.SHA256)
+ hash := sha256.Sum256(make([]byte, 256))
+ _, err := y.sign(ctx, rand.Reader, hash[:], crypto.SHA256)
 return trace.Wrap(err, "failed to access a YubiKey private key")
 }
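Review bot: In WarmupHardwareKey the 256-byte zero buffer is now only hash input, so `make([]byte, 256)` is a leftover from the old call, and nothing on the new lines says why a digest is needed. I would write `hash := sha256.Sum256(nil)` and add a comment above it such as `// The signer rejects input that is not a digest ("input must be a hashed message"), so sign a SHA-256 digest of dummy data.` The digest size and the `crypto.SHA256` option passed to `y.sign` have to stay in step, which the same comment can note. The signature produced here covers a fixed, publicly known digest and is dropped via `_`; the doc comment should say it is intentionally discarded, so a later change does not start returning or logging it. The hunk shows no import change, so `crypto/sha256` is presumably already imported in yubikey.go.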