kolide · James-Pickett · May 23, 2024 · May 22, 2024 · May 22, 2024 · May 22, 2024
diff --git a/ee/secureenclavesigner/secureenclavesigner_darwin.go b/ee/secureenclavesigner/secureenclavesigner_darwin.go
@@ -7,6 +7,8 @@ import (
 	"context"
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -123,11 +125,6 @@ func (ses *secureEnclaveSigner) Sign(rand io.Reader, digest []byte, opts crypto.
 	return nil, fmt.Errorf("not implemented")
 }
 
-type keyData struct {
-	Uid    string `json:"uid"`
-	PubKey string `json:"pub_key"`
-}
-
 func (ses *secureEnclaveSigner) currentConsoleUserKey(ctx context.Context) (*ecdsa.PublicKey, error) {
 	ctx, span := traces.StartSpan(ctx)
 	defer span.End()
@@ -172,41 +169,47 @@ func (ses *secureEnclaveSigner) currentConsoleUserKey(ctx context.Context) (*ecd
 }
 
 func (ses *secureEnclaveSigner) MarshalJSON() ([]byte, error) {
-	var keyDatas []keyData
+	keyMap := make(map[string]string)
 
 	for uid, pubKey := range ses.uidPubKeyMap {
-		pubKeyBytes, err := echelper.PublicEcdsaToB64Der(pubKey)
+		pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
 		if err != nil {
-			return nil, fmt.Errorf("converting public key to b64 der: %w", err)
+			return nil, fmt.Errorf("marshalling to PXIX public key: %w", err)
 		}
 
-		keyDatas = append(keyDatas, keyData{
-			Uid:    uid,
-			PubKey: string(pubKeyBytes),
-		})
-
+		keyMap[uid] = base64.StdEncoding.EncodeToString(pubKeyBytes)
 	}
 
-	return json.Marshal(keyDatas)
+	return json.Marshal(keyMap)
 }
 
 func (ses *secureEnclaveSigner) UnmarshalJSON(data []byte) error {
 	if ses.uidPubKeyMap == nil {
 		ses.uidPubKeyMap = make(map[string]*ecdsa.PublicKey)
 	}
 
-	var keyDatas []keyData
-	if err := json.Unmarshal(data, &keyDatas); err != nil {
+	var keyMap map[string]string
+	if err := json.Unmarshal(data, &keyMap); err != nil {
 		return fmt.Errorf("unmarshalling key data: %w", err)
 	}
 
-	for _, kd := range keyDatas {
-		pubKey, err := echelper.PublicB64DerToEcdsaKey([]byte(kd.PubKey))
+	for k, v := range keyMap {
+		decoded, err := base64.StdEncoding.DecodeString(v)
+		if err != nil {
+			return fmt.Errorf("decoding base64: %w", err)
+		}
+
+		pubKey, err := x509.ParsePKIXPublicKey(decoded)
 		if err != nil {
-			return fmt.Errorf("converting public key to ecdsa: %w", err)
+			return fmt.Errorf("parsing PXIX public key: %w", err)
+		}
+
+		ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
+		if !ok {
+			return fmt.Errorf("public key is not ecdsa")
 		}
 
-		ses.uidPubKeyMap[kd.Uid] = pubKey
+		ses.uidPubKeyMap[k] = ecdsaPubKey
 	}
 
 	return nil

diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go
@@ -112,8 +112,18 @@ func generateLauncherInfoTable(store types.GetterSetter) table.GenerateFunc {
 		}
 
 		if hardwareKeyDer, err := x509.MarshalPKIXPublicKey(agent.HardwareKeys().Public()); err == nil {
+			// on non-darwin we'll only have 1 key for the entire machine, but we want to keep format consistent with darwin
+			// so just return a map with 0 as the uid
+			jsonBytes, err := json.Marshal(map[string]string{
+				"0": base64.StdEncoding.EncodeToString(hardwareKeyDer),
+			})
+
+			if err != nil {
+				return nil, fmt.Errorf("marshalling hardware keys: %w", err)
+			}
+
 			// der is a binary format, so convert to b64
-			results[0]["hardware_key"] = base64.StdEncoding.EncodeToString(hardwareKeyDer)
+			results[0]["hardware_key"] = string(jsonBytes)
 			results[0]["hardware_key_source"] = agent.HardwareKeys().Type()
 		}