From a6d039aa8f2f7a7c9a61f50b2239841e0ad3f7a4 Mon Sep 17 00:00:00 2001
From: Derek Burdick
Date: Fri, 31 Mar 2023 13:16:28 -0400
Subject: [PATCH] Resolves #2685 (#2853)
* Resolves #2685 pkcs11 ctx.OpenSession should only be read only and serial.
Signed-off-by: Derek Burdick
* Resolves sigstore/cosign#1489 pkcs11 tools use env.VariablePKCS11ModulePath as default if not provided through flag module-path
Signed-off-by: Derek Burdick
* Return helpful message if --module-path or COSIGN_PKCS11_MODULE_PATH is not set
Signed-off-by: Derek Burdick
---------
Signed-off-by: Derek Burdick
Co-authored-by: Derek Burdick
---
 cmd/cosign/cli/options/pkcs11_tool.go | 6 ++++--
 cmd/cosign/cli/pkcs11cli/commands.go | 8 +++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/cmd/cosign/cli/options/pkcs11_tool.go b/cmd/cosign/cli/options/pkcs11_tool.go
index 735e8009563..e673184e2d3 100644
--- a/cmd/cosign/cli/options/pkcs11_tool.go
+++ b/cmd/cosign/cli/options/pkcs11_tool.go
@@ -16,6 +16,7 @@ package options
 import (
+ "github.com/sigstore/cosign/v2/pkg/cosign/env"
 "github.com/spf13/cobra"
 )
@@ -28,8 +29,9 @@ var _ Interface = (*PKCS11ToolListTokensOptions)(nil)
 // AddFlags implements Interface
 func (o *PKCS11ToolListTokensOptions) AddFlags(cmd *cobra.Command) {
- cmd.Flags().StringVar(&o.ModulePath, "module-path", "",
+ cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 "absolute path to the PKCS11 module")
+ _ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{})
 }
 // PKCS11ToolListKeysUrisOptions is the wrapper for `pkcs11-tool list-keys-uris` related options.
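Review bot: The usage string on the `--module-path` flag still reads `"absolute path to the PKCS11 module"` and does not say that the value now defaults to the COSIGN_PKCS11_MODULE_PATH environment variable, even though `env.Getenv(env.VariablePKCS11ModulePath)` is evaluated once when AddFlags registers the flag and the env value is what `--help` will print as the default. I would change the usage to `"absolute path to the PKCS11 module (defaults to $COSIGN_PKCS11_MODULE_PATH)"`; the same applies to the PKCS11ToolListKeysUrisOptions.AddFlags hunk at @@ -43,7 +45,7. Since the path presumably names a native PKCS#11 library that commands.go goes on to load, making the environment a source for it is worth stating explicitly in the flag documentation so operators know which variable selects the module.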
@@ -43,7 +45,7 @@ var _ Interface = (*PKCS11ToolListKeysUrisOptions)(nil)
 // AddFlags implements Interface
 func (o *PKCS11ToolListKeysUrisOptions) AddFlags(cmd *cobra.Command) {
- cmd.Flags().StringVar(&o.ModulePath, "module-path", "",
+ cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 "absolute path to the PKCS11 module")
 _ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{})
diff --git a/cmd/cosign/cli/pkcs11cli/commands.go b/cmd/cosign/cli/pkcs11cli/commands.go
index 4c6dd4736f1..6d4609f5161 100644
--- a/cmd/cosign/cli/pkcs11cli/commands.go
+++ b/cmd/cosign/cli/pkcs11cli/commands.go
@@ -126,7 +126,7 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string)
 }
 // Open a new session to the token.
- session, err := ctx.OpenSession(slotID, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
+ session, err := ctx.OpenSession(slotID, pkcs11.CKF_SERIAL_SESSION)
 if err != nil {
 return nil, fmt.Errorf("open session: %w", err)
 }
@@ -205,6 +205,9 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string)
 }
 func ListTokensCmd(ctx context.Context, modulePath string) error {
+ if modulePath == "" {
+ return fmt.Errorf("please specify --module-path or set COSIGN_PKCS11_MODULE_PATH")
+ }
 tokens, err := GetTokens(ctx, modulePath)
 if err != nil {
 return err
@@ -223,6 +226,9 @@ func ListTokensCmd(ctx context.Context, modulePath string) error {
 }
 func ListKeysUrisCmd(ctx context.Context, modulePath string, slotID uint, pin string) error {
+ if modulePath == "" {
+ return fmt.Errorf("please specify --module-path or set COSIGN_PKCS11_MODULE_PATH")
+ }
 keysInfo, err := GetKeysInfo(ctx, modulePath, slotID, pin)
 if err != nil {
 return err
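Review bot: The comment above the OpenSession call in GetKeysInfo (@@ -126,7 +126,7), `// Open a new session to the token.`, no longer explains why CKF_RW_SESSION was dropped, so a later reader may restore read/write access without noticing the intent. I would reword it to `// Open a read-only serial session: this function only enumerates objects, so it needs no write access to the token.`, which also records that any login done with the pin later in this function (if that is where it happens) cannot be used to alter token contents. GetKeysInfo starts and ends outside the hunk.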
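Review bot: The new guard in ListTokensCmd (@@ -205,6 +205,9) hard-codes the variable name `COSIGN_PKCS11_MODULE_PATH` in the error text while the options file resolves the default through `env.VariablePKCS11ModulePath`, so the two can silently drift apart if that constant is ever renamed; `fmt.Errorf` with no format verbs is also just `errors.New`. I would write `return fmt.Errorf("please specify --module-path or set %s", env.VariablePKCS11ModulePath)` if the env package can be imported here without a cycle, or otherwise `errors.New("please specify --module-path or set COSIGN_PKCS11_MODULE_PATH")` with the errors import added if the file lacks it. The identical three lines are repeated in ListKeysUrisCmd at @@ -223,6 +226,9; a small unexported `requireModulePath(modulePath string) error` helper called from both would keep the messages in one place. The check lives only in the Cmd wrappers, so GetTokens and GetKeysInfo remain callable with an empty modulePath and presumably fail later with a less descriptive module-load error.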