From 15c6c6488e95896f2e127e8c8b9ea3c32682c801 Mon Sep 17 00:00:00 2001
From: "Greg T. Wallace" <greg@gregtwallace.com>
Date: Sun, 17 Mar 2024 13:45:55 -0400
Subject: [PATCH] minor envelope reorg

---
 pkg/pkcs15/encrypted_envelope.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/pkcs15/encrypted_envelope.go b/pkg/pkcs15/encrypted_envelope.go
index b0eef9d..cead3c8 100644
--- a/pkg/pkcs15/encrypted_envelope.go
+++ b/pkg/pkcs15/encrypted_envelope.go
@@ -120,9 +120,6 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	encryptedContent := make([]byte, len(content))
 	contentEncrypter.CryptBlocks(encryptedContent, content)
 
-	// encrypted content MAC
-	macKey := pbkdf2.Key(cek, []byte("authentication"), 1, 32, sha1.New)
-
 	// data encryption alg block
 	encAlgObj := asn1obj.Sequence([][]byte{
 		// ContentEncryptionAlgorithmIdentifier
@@ -144,6 +141,9 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 		}),
 	})
 
+	// encrypted content MAC
+	macKey := pbkdf2.Key(cek, []byte("authentication"), 1, 32, sha1.New)
+
 	macHasher := hmac.New(sha256.New, macKey)
 	// the data the MAC covers is the algId header bytes + encrypted data bytes
 	hashMe := append(encAlgObj, encryptedContent...)