
PKCS11 tokens are opened with read/write sessions, even for enlisting keys and signing #2685

Closed
paulsavoie opened this issue Feb 2, 2023 · 0 comments · Fixed by #2853
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@paulsavoie

Description

I am trying to get our own SignPath PKCS#11 module to work with cosign. It is a "write-protected token" (C_OpenSession() immediately returns CKR_TOKEN_WRITE_PROTECTED in case of CKF_RW_SESSION) because the PKCS#11 interface basically only allows signing; all management (modifications) happens within the "back end". Still, an authenticated session is required.

We had the same issue with the original pkcs11-tool (see their issue 2812).

Cosign uses the pkcs11.CKF_RW_SESSION flag in its GetKeysInfo function at

session, err := ctx.OpenSession(slotID, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)

Also, you call crypto11.Configure at
ctx, err := crypto11.Configure(conf)
and in their function they are also using the pkcs11.CKF_RW_SESSION flag - see https://github.com/ThalesIgnite/crypto11/blob/master/crypto11.go#L365. As soon as you have confirmed fixing this problem, I'd be happy to open an issue in their project also.

In both cases (enlisting and signing), a RW session is not required (only for creating keys would it be) and prevents cosign from being used with a read-only token. Please change the behavior to use a read-only session.

Version

GitVersion: v1.13.1
GitCommit: d1c6336
GitTreeState: clean
BuildDate: 2022-10-17T18:00:05Z
GoVersion: go1.19.2
Compiler: gc
Platform: linux/amd64
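The flag mismatch this report describes, as an added example (not cosign's or crypto11's code): SessionFlags picks the least-privilege session flags per operation, and a constructed Token type stands in for the write-protected SignPath module so the exchange runs without a real PKCS#11 library. The flag and return-code values mirror the PKCS#11 specification; Token, Operation and the Op* names are assumptions for this example.

```go
package main

import "fmt"

// PKCS#11 flag and return-code values (same values github.com/miekg/pkcs11 exports under these names).
const (
	CKF_RW_SESSION      uint = 0x2 // session flag: request read/write access
	CKF_SERIAL_SESSION  uint = 0x4 // session flag: must always be set
	CKF_WRITE_PROTECTED uint = 0x2 // CK_TOKEN_INFO flag: token refuses R/W sessions
	CKR_OK                    uint = 0x00
	CKR_TOKEN_WRITE_PROTECTED uint = 0xE2
)

// Operation is what the caller intends to do inside the session.
type Operation int

const (
	OpListKeys    Operation = iota // cosign GetKeysInfo
	OpSign                         // cosign sign
	OpGenerateKey                  // the only one that modifies the token
)

// SessionFlags returns the least-privilege session flags for an operation: listing
// and signing never modify the token, so only key generation adds CKF_RW_SESSION.
func SessionFlags(op Operation) uint {
	flags := CKF_SERIAL_SESSION
	if op == OpGenerateKey {
		flags |= CKF_RW_SESSION
	}
	return flags
}

// Token is a constructed stand-in for a PKCS#11 token (hypothetical, not from any library).
type Token struct{ TokenFlags uint }

// OpenSession mimics C_OpenSession on the issue's write-protected token: any request
// carrying CKF_RW_SESSION is rejected with CKR_TOKEN_WRITE_PROTECTED.
func (t Token) OpenSession(flags uint) uint {
	if flags&CKF_RW_SESSION != 0 && t.TokenFlags&CKF_WRITE_PROTECTED != 0 {
		return CKR_TOKEN_WRITE_PROTECTED
	}
	return CKR_OK
}

func main() {
	signpath := Token{TokenFlags: CKF_WRITE_PROTECTED}
	fmt.Printf("v1.13.1 flags: 0x%X\n", signpath.OpenSession(CKF_SERIAL_SESSION|CKF_RW_SESSION)) // 0xE2
	fmt.Printf("fixed flags:   0x%X\n", signpath.OpenSession(SessionFlags(OpSign)))                // 0x0
}
```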

@paulsavoie paulsavoie added the bug Something isn't working label Feb 2, 2023
@znewman01 znewman01 added the good first issue Good for newcomers label Feb 5, 2023
derek-burdick added a commit to derek-burdick/cosign that referenced this issue Mar 30, 2023
pkcs11 ctx.OpenSession should only be read only and serial.

Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>
znewman01 pushed a commit that referenced this issue Mar 31, 2023
* Resolves #2685
pkcs11 ctx.OpenSession should only be read only and serial.

Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>

* Resolves #1489
pkcs11 tools use env.VariablePKCS11ModulePath as default if not provided through flag module-path

Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>

* Return helpful message if --module-path or COSIGN_PKCS11_MODULE_PATH is not set

Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>

---------

Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>
Co-authored-by: Derek Burdick <derek-burdick@users.noreply.github.com>