Fix two bugs in the pivkey code related to cleanup and certs. (#912)

The card management was refactored a bit so we can't just defer a close on the key itself, we need to move this up to the Signer. There was also an errant break statement causing a fallback in our switch. Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
sigstore · Oct 18, 2021 · 2594f7a · 2594f7a
1 parent 699fab4
commit 2594f7a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
@@ -85,6 +85,7 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 	if err != nil {
 		return errors.Wrap(err, "getting signer")
 	}
+	defer sv.Close()
 	wrapped := dsse.WrapSigner(sv, predicateURI)
 	dd := cremote.NewDupeDetector(sv)
 

diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go
@@ -172,6 +172,8 @@ func signPolicy() *cobra.Command {
 			if err != nil {
 				return err
 			}
+			defer sv.Close()
+
 			certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(sv.Cert))
 			if err != nil {
 				return err

diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -138,6 +138,7 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a
 	if err != nil {
 		return errors.Wrap(err, "getting signer")
 	}
+	defer sv.Close()
 	dd := cremote.NewDupeDetector(sv)
 
 	var staticPayload []byte
@@ -295,7 +296,6 @@ func SignerFromKeyOpts(ctx context.Context, certPath string, ko KeyOpts) (*CertS
 	switch {
 	case ko.Sk:
 		sk, err := pivkey.GetKeyWithSlot(ko.Slot)
-		defer sk.Close()
 		if err != nil {
 			return nil, err
 		}
@@ -309,17 +309,20 @@ func SignerFromKeyOpts(ctx context.Context, certPath string, ko KeyOpts) (*CertS
 		// token as the private key. If it's not there, show a warning to the
 		// user.
 		certFromPIV, err := sk.Certificate()
+		var pemBytes []byte
 		if err != nil {
 			fmt.Fprintln(os.Stderr, "warning: no x509 certificate retrieved from the PIV token")
-			break
-		}
-		pemBytes, err := cryptoutils.MarshalCertificateToPEM(certFromPIV)
-		if err != nil {
-			return nil, err
+		} else {
+			pemBytes, err = cryptoutils.MarshalCertificateToPEM(certFromPIV)
+			if err != nil {
+				return nil, err
+			}
 		}
+
 		return &CertSignVerifier{
 			Cert:           pemBytes,
 			SignerVerifier: sv,
+			close:          sk.Close,
 		}, nil
 
 	case ko.KeyRef != "":
@@ -404,4 +407,11 @@ type CertSignVerifier struct {
 	Cert  []byte
 	Chain []byte
 	signature.SignerVerifier
+	close func()
+}
+
+func (c *CertSignVerifier) Close() {
+	if c.close != nil {
+		c.close()
+	}
 }
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
@@ -65,6 +65,7 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 	if err != nil {
 		return nil, err
 	}
+	defer sv.Close()
 
 	sig, err := sv.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 	if err != nil {