Virtual PKCS#11 Token: Rekor Validation Fails #3354

Closed
ThomasPorterAVEVA opened this issue Nov 9, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@ThomasPorterAVEVA

ThomasPorterAVEVA commented Nov 9, 2023

Description

Overview

It appears that when using a Virtual PKCS#11 Token, such as those provided by service providers like DigiCert to communicate with a Hardware Security Module (HSM), cosign does not push the public key to Rekor. Instead the full public certificate is stored, which confuses cosign on verification on the image consumer's end.

It seems to stem from this area of the code where, if the public certificate is available, the public certificate is uploaded to Rekor instead of the public key:

// Upload the cert or the public key, depending on what we have

Granted, the error message makes sense: validating against Rekor doesn't work because a public key is being compared to a public certificate. However, we don't want to require consumers of our images to have the full public certificate, and it doesn't seem clear how that would work.

Disabling Rekor on both ends (--tlog-upload=false on signing and --insecure-ignore-tlog=true on verification) works. However we don't want to do that if we don't have to, and the insecure messages will lead to more questions by our image consumers.

I admit this may be user error somewhere, so any guidance on how to have customers validate with the public signature would be appreciated.

Thanks!

How to reproduce

  1. Use cosign to sign an image using a Virtual PKCS#11 Token:

    $ cosign sign \
        --key "pkcs11:token=Virtual%20PKCS%2311%20Token;slot-id=0;id=<id>;object=<object>?module-path=/usr/local/lib/smpkcs11.so&pin-value=anything" \
        $IMAGE_DIGEST
    
    WARNING: "<repository>" appears to be a private repository, please confirm uploading to the transparency log at "https://rekor.sigstore.dev"
    Are you sure you would like to continue? [y/N] y
    
        The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
        Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
        This may include the email address associated with the account with which you authenticate your contractual Agreement.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.
    
    By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
    Are you sure you would like to continue? [y/N] y
    tlog entry created with index: <index>
    Pushing signature to: <repository>
  2. Use cosign to verify using same Virtual PKCS#11 Token:

    $ cosign verify \
        --key "pkcs11:token=Virtual%20PKCS%2311%20Token;slot-id=0;id=<id>;object=<object>?module-path=/usr/local/lib/smpkcs11.so&pin-value=anything" \
        $IMAGE_DIGEST
    
    Error: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
    <PUBLIC KEY>
    -----END PUBLIC KEY-----
    , got -----BEGIN CERTIFICATE-----
    <PUBLIC CERTIFICATE>
    -----END CERTIFICATE-----
    
    main.go:69: error during command execution: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
    <PUBLIC KEY>
    -----END PUBLIC KEY-----
    , got -----BEGIN CERTIFICATE-----
    <PUBLIC CERTIFICATE>
    -----END CERTIFICATE-----
  3. Exporting the public key and attempting to verify on it directly has the same result:

    $ cosign verify --key ExportedPublicKey.pub $IMAGE_DIGEST
    Error: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
    <PUBLIC KEY>
    -----END PUBLIC KEY-----
    , got -----BEGIN CERTIFICATE-----
    <PUBLIC CERTIFICATE>
    -----END CERTIFICATE-----
    
    main.go:69: error during command execution: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
    <PUBLIC KEY>
    -----END PUBLIC KEY-----
    , got -----BEGIN CERTIFICATE-----
    <PUBLIC CERTIFICATE>
    -----END CERTIFICATE-----

Version

Version of Ubuntu and cosign

 $ lsb_release -a
 No LSB modules are available.
 Distributor ID: Ubuntu
 Description:    Ubuntu 22.04.3 LTS
 Release:        22.04
 Codename:       jammy

 $ cosign version
   ______   ______        _______. __    _______ .__   __.
  /      | /  __  \      /       ||  |  /  _____||  \ |  |
 |  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
 |  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
 |  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
  \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

 GitVersion:    v2.2.1
 GitCommit:     12cbf9ea177d22bbf5cf028bcb4712b5f174ebc6
 GitTreeState:  clean
 BuildDate:     2023-11-07T12:39:46Z
 GoVersion:     go1.21.3
 Compiler:      gc
 Platform:      linux/amd64
@ThomasPorterAVEVA ThomasPorterAVEVA added the bug Something isn't working label Nov 9, 2023
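The error above is a byte-for-byte comparison of two PEM blocks, one a PUBLIC KEY and the other a CERTIFICATE that wraps the same key. The following is an added example (not cosign's own code, and not the fix in #3334) showing why that compare fails and how a verifier can normalise both inputs to their SubjectPublicKeyInfo DER before comparing; the key and self-signed certificate are constructed in-process as a stand-in for what a PKCS#11 token exposes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// pemToSPKI takes a "PUBLIC KEY" or "CERTIFICATE" PEM block and returns the DER SubjectPublicKeyInfo it carries.
func pemToSPKI(data []byte) ([]byte, error) {
	block, _ := pem.Decode(data)
	if block == nil { return nil, fmt.Errorf("no PEM block found") }
	switch block.Type {
	case "PUBLIC KEY":
		_, err := x509.ParsePKIXPublicKey(block.Bytes) // validate; the DER is already SPKI
		return block.Bytes, err
	case "CERTIFICATE":
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil { return nil, err }
		return x509.MarshalPKIXPublicKey(cert.PublicKey)
	}
	return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
}

// SamePublicKey reports whether two PEM inputs (key or cert, any mix) carry the same public key.
func SamePublicKey(a, b []byte) (bool, error) {
	sa, err := pemToSPKI(a)
	if err != nil { return false, err }
	sb, err := pemToSPKI(b)
	if err != nil { return false, err }
	return bytes.Equal(sa, sb), nil
}

// KeyAndCert is a constructed stand-in for a token holding both objects: a P-256 public key PEM and a self-signed cert PEM for it.
func KeyAndCert() ([]byte, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	spki, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

A plain `bytes.Equal` on the two PEMs returns false, which is the situation the issue reports; `SamePublicKey` returns true for the same pair because it compares the key material rather than its container.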
@haydentherapper
Contributor

Does #3334 resolve this?

@ThomasPorterAVEVA
Author

ThomasPorterAVEVA commented Nov 13, 2023

I will configure that and give it a shot!

@ThomasPorterAVEVA
Author

ThomasPorterAVEVA commented Nov 13, 2023

Heck yes, this does exactly what is needed, crazy how it just was added to the latest version. Thank you so much for pointing it out!

For anyone watching this from the future, I did an export to set that flag and it all works now!

export COSIGN_PKCS11_IGNORE_CERTIFICATE=1
