* Resolves #2685
pkcs11 ctx.OpenSession should only be read only and serial.
Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>
* Resolves #1489
pkcs11 tools use env.VariablePKCS11ModulePath as default if not provided through flag module-path
Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>
* Return helpful message if --module-path or COSIGN_PKCS11_MODULE_PATH is not set
Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>
---------
Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>
Co-authored-by: Derek Burdick <derek-burdick@users.noreply.github.com>
Description
I am trying to get our own SignPath PKCS#11 module to work with cosign. It is a "write-protected token" (C_OpenSession() immediately returns CKR_TOKEN_WRITE_PROTECTED in case of CKF_RW_SESSION) because the PKCS#11 interface basically only allows signing; all management (modifications) happens within the "back end". Still, an authenticated session is required.

We had the same issue with the original pkcs11-tool (see their issue 2812).

Cosign uses the pkcs11.CKF_RW_SESSION flag in its GetKeysInfo function at cosign/cmd/cosign/cli/pkcs11cli/commands.go, line 129 in 27bb6ad.

Also, you call crypto11.Configure at cosign/pkg/cosign/pkcs11key/pkcs11key.go, line 161 in 27bb6ad, which uses the pkcs11.CKF_RW_SESSION flag - see https://github.com/ThalesIgnite/crypto11/blob/master/crypto11.go#L365. As soon as you have confirmed fixing this problem, I'd be happy to open an issue in their project also.

In both cases (enlisting and signing), a RW session is not required (only for creating keys it would be) and prevents cosign from being used with a read-only token. Please change the behavior to using a read-only session.
Version
GitVersion: v1.13.1
GitCommit: d1c6336
GitTreeState: clean
BuildDate: 2022-10-17T18:00:05Z
GoVersion: go1.19.2
Compiler: gc
Platform: linux/amd64
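As an added illustration (not cosign's or crypto11's code), a small Go model of the behaviour reported above: a simulated write-protected token refuses any session opened with CKF_RW_SESSION, and a helper requests the read/write flag only for key creation, so listing and signing work with a read-only serial session. The SessionOpener interface and the writeProtectedToken type are assumptions made for this example; the flag and return-code values are the PKCS#11 specification constants.

```go
package main

import "fmt"

// PKCS#11 constants (values from the PKCS#11 v2.40 specification).
const (
	CKF_RW_SESSION            uint = 0x00000002
	CKF_SERIAL_SESSION        uint = 0x00000004
	CKR_TOKEN_WRITE_PROTECTED uint = 0x000000A2
)

// SessionOpener is an assumed minimal interface for this example, not the
// signature of any real PKCS#11 binding.
type SessionOpener interface {
	OpenSession(slot uint, flags uint) (uint, error)
}

// writeProtectedToken simulates the token in the report: any request
// carrying CKF_RW_SESSION is refused with CKR_TOKEN_WRITE_PROTECTED.
type writeProtectedToken struct{ next uint }

func (t *writeProtectedToken) OpenSession(slot uint, flags uint) (uint, error) {
	if flags&CKF_RW_SESSION != 0 {
		return 0, fmt.Errorf("C_OpenSession: CKR_TOKEN_WRITE_PROTECTED (0x%X)", CKR_TOKEN_WRITE_PROTECTED)
	}
	t.next++
	return t.next, nil
}

// SessionFlags requests only the access the operation needs: creating a key
// needs CKF_RW_SESSION; listing and signing work with a read-only serial session.
func SessionFlags(createKey bool) uint {
	if createKey {
		return CKF_SERIAL_SESSION | CKF_RW_SESSION
	}
	return CKF_SERIAL_SESSION
}

// OpenFor opens a session on slot with the minimal flags for the operation.
func OpenFor(ctx SessionOpener, slot uint, createKey bool) (uint, error) {
	return ctx.OpenSession(slot, SessionFlags(createKey))
}

func main() {
	tok := &writeProtectedToken{}
	_, errRW := tok.OpenSession(0, CKF_SERIAL_SESSION|CKF_RW_SESSION) // old behaviour: always RW
	h, errRO := OpenFor(tok, 0, false)                               // fixed: read-only for signing
	fmt.Println("RW:", errRW, "| RO handle:", h, "err:", errRO)
}
```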