Resolves #2685 (#2853)

* Resolves #2685 pkcs11 ctx.OpenSession should only be read only and serial. Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com> * Resolves #1489 pkcs11 tools use env.VariablePKCS11ModulePath as default if not provided through flag module-path Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com> * Return helpful message if --module-path or COSIGN_PKCS11_MODULE_PATH is not set Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com> --------- Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com> Co-authored-by: Derek Burdick <derek-burdick@users.noreply.github.com>
sigstore · Mar 31, 2023 · a6d039a · a6d039a
1 parent 062dd84
commit a6d039a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/cmd/cosign/cli/options/pkcs11_tool.go b/cmd/cosign/cli/options/pkcs11_tool.go
@@ -16,6 +16,7 @@
 package options
 
 import (
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/spf13/cobra"
 )
 
@@ -28,8 +29,9 @@ var _ Interface = (*PKCS11ToolListTokensOptions)(nil)
 
 // AddFlags implements Interface
 func (o *PKCS11ToolListTokensOptions) AddFlags(cmd *cobra.Command) {
-	cmd.Flags().StringVar(&o.ModulePath, "module-path", "",
+	cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 		"absolute path to the PKCS11 module")
+	_ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{})
 }
 
 // PKCS11ToolListKeysUrisOptions is the wrapper for `pkcs11-tool list-keys-uris` related options.
@@ -43,7 +45,7 @@ var _ Interface = (*PKCS11ToolListKeysUrisOptions)(nil)
 
 // AddFlags implements Interface
 func (o *PKCS11ToolListKeysUrisOptions) AddFlags(cmd *cobra.Command) {
-	cmd.Flags().StringVar(&o.ModulePath, "module-path", "",
+	cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 		"absolute path to the PKCS11 module")
 	_ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{})
 

diff --git a/cmd/cosign/cli/pkcs11cli/commands.go b/cmd/cosign/cli/pkcs11cli/commands.go
@@ -126,7 +126,7 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string)
 	}
 
 	// Open a new session to the token.
-	session, err := ctx.OpenSession(slotID, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
+	session, err := ctx.OpenSession(slotID, pkcs11.CKF_SERIAL_SESSION)
 	if err != nil {
 		return nil, fmt.Errorf("open session: %w", err)
 	}
@@ -205,6 +205,9 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string)
 }
 
 func ListTokensCmd(ctx context.Context, modulePath string) error {
+	if modulePath == "" {
+		return fmt.Errorf("please specify --module-path or set COSIGN_PKCS11_MODULE_PATH")
+	}
 	tokens, err := GetTokens(ctx, modulePath)
 	if err != nil {
 		return err
@@ -223,6 +226,9 @@ func ListTokensCmd(ctx context.Context, modulePath string) error {
 }
 
 func ListKeysUrisCmd(ctx context.Context, modulePath string, slotID uint, pin string) error {
+	if modulePath == "" {
+		return fmt.Errorf("please specify --module-path or set COSIGN_PKCS11_MODULE_PATH")
+	}
 	keysInfo, err := GetKeysInfo(ctx, modulePath, slotID, pin)
 	if err != nil {
 		return err