From 4d60f8553cfe0401aa56eaf7ff64668362cb36f5 Mon Sep 17 00:00:00 2001
From: Kevin Wang <wy721@qq.com>
Date: Wed, 5 Feb 2025 03:36:57 +0000
Subject: [PATCH] kms: Refined key derivation

---
 kms/src/crypto.rs       | 4 ++--
 kms/src/main_service.rs | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/kms/src/crypto.rs b/kms/src/crypto.rs
index 0074bf98..f45c6a4d 100644
--- a/kms/src/crypto.rs
+++ b/kms/src/crypto.rs
@@ -7,10 +7,10 @@ use ra_tls::kdf;
 pub(crate) fn derive_k256_key(
     parent_key: &SigningKey,
     app_id: &[u8],
-    context_data: &[&[u8]],
 ) -> Result<(SigningKey, Signature, RecoveryId)> {
+    let context_data = [app_id, b"app-key"];
     let derived_key_bytes: [u8; 32] =
-        kdf::derive_ecdsa_key(&parent_key.to_bytes(), context_data, 32)?
+        kdf::derive_ecdsa_key(&parent_key.to_bytes(), &context_data, 32)?
             .try_into()
             .ok()
             .context("Invalid derived key len")?;
diff --git a/kms/src/main_service.rs b/kms/src/main_service.rs
index f49cdccb..2d1005af 100644
--- a/kms/src/main_service.rs
+++ b/kms/src/main_service.rs
@@ -186,8 +186,7 @@ impl KmsRpc for RpcHandler {
         let (k256_key, k256_signature) = {
             let (k256_app_key, signature, recid) = derive_k256_key(
                 &self.state.k256_key,
-                &app_id,
-                &[&app_id[..], "app-key".as_bytes()],
+                &app_id
             )
             .context("Failed to derive app ecdsa key")?;