Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add support for ignoring certificates with pkcs11 #3334

Merged
merged 1 commit into from
Nov 6, 2023

Conversation

dylrich
Copy link
Contributor

@dylrich dylrich commented Nov 2, 2023

Summary

This commit adds a new environment variable,
COSIGN_PKCS11_IGNORE_CERTIFICATE, which will skip loading certificates into a PKCS11 key when set to "1". This is desirable when you want to sign with a private key that has a certificate associated with it, but do not want that certificate to be included with the signature for verification. Certificates are already optional for keys from non-PKCS11 sources via the --certificate command line flag.

I also added a test, but I wasn't actually able to run the test. Do you have any advice for how to work with the HSM that Cosign's tests are supposed to use? I am happy to make any requested changes to the test or implementation! I'm also not sure how to indicate documentation should be changed, and would appreciate some guidance there.

Release Note

  • Added a new environment variable, COSIGN_PKCS11_IGNORE_CERTIFICATE, which will skip loading certificates associated with PKCS11-sourced keys

Closes #3333

@dylrich dylrich force-pushed the pkcs11-ignore-certificate branch from b78e1ae to f119b40 Compare November 2, 2023 00:49
Copy link

codecov bot commented Nov 2, 2023

Codecov Report

Merging #3334 (ac202c9) into main (a00600a) will not change coverage.
Report is 4 commits behind head on main.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #3334   +/-   ##
=======================================
  Coverage   30.32%   30.32%           
=======================================
  Files         155      155           
  Lines        9921     9921           
=======================================
  Hits         3009     3009           
  Misses       6462     6462           
  Partials      450      450           
Files Coverage Δ
pkg/cosign/env/env.go 88.88% <ø> (ø)

@haydentherapper
Copy link
Contributor

I haven't tried to run these tests before. You'll need to use SoftHSMv2 as noted in the comment, though how exactly everything should be configured I'm not sure. If you do get tests running locally, please write up some docs, that would very helpful!

@haydentherapper
Copy link
Contributor

For doc updates, you can add a section to https://github.com/sigstore/docs/blob/main/content/en/signing/pkcs11.md

@haydentherapper
Copy link
Contributor

Are you able to compile this locally and confirm it's working as expected?

@dylrich
Copy link
Contributor Author

dylrich commented Nov 2, 2023

Do the PKCS11 tests not run in CI at all? I'll see if I can get them to run locally tomorrow, along with those docs updates.

I am able to compile Cosign with this patch and have confirmed that it works correctly with my specific HSM via PKCS11.

@haydentherapper
Copy link
Contributor

I’ve got to double check, but it appears that these tests aren’t running on CI.
The PR looks good. If you’re not able to get tests working locally, we can go through with merging.

haydentherapper
haydentherapper previously approved these changes Nov 2, 2023
@dylrich
Copy link
Contributor Author

dylrich commented Nov 2, 2023

Great! I am still working on the local tests. I opened a docs PR for afterwards here: sigstore/docs#266

This commit adds a new environment variable,
COSIGN_PKCS11_IGNORE_CERTIFICATE, which will skip loading certificates
into a PKCS11 key when set to "1". This is desirable when you want to
sign with a private key that has a certificate associated with it, but
do not want that certificate to be included with the signature for
verification. Certificates are already optional for keys from non-PKCS11
sources via the --certificate command line flag.

Signed-off-by: dylrich <dylan.richardson@mongodb.com>
@dylrich
Copy link
Contributor Author

dylrich commented Nov 2, 2023

@haydentherapper I was able to run the PKCS11 tests locally! #1256 introduced a compilation error into the tests, but I pushed an update to my commit that fixes it. The rest of the tests worked without issue. Here are my notes, tested in a Debian 11 container image:

  • Installed the softhsm package for the PKCS11 library
  • I had to initialize a token with the following command before running tests: softhsm2-util --init-token --slot 0 --pin=1234 --so-pin=1234 --label "My Token"
  • My command for running these tests looked like: SOFTHSM2_CONF=/workspace/softhsm2.conf SOFTHSM_LIB=/usr/lib/softhsm/libsofthsm2.so go test -v -cover -coverprofile=./cover.out -tags=softhsm,pkcs11key -coverpkg github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key test/pkcs11_test.go
  • SOFTHSM2_CONF seems necessary to make sure exists or the PKCS11 library will fail
  • Both tags, softhsm and pkcs11key, are necessary
  • The coverage of pkcs11key.go seems about ~40% right now
  • Softhsm doesn't seem to have an easy way to change logging location and instead logs to syslog, so I also installed the rsyslog package and tailed /var/log/messages to see PKCS11 errors.

@haydentherapper
Copy link
Contributor

@dylrich Thanks for getting this working locally. I'll get this merged in. If you're interested, I filed #3343 to see if we can add e2e testing via GitHub Actions.

@haydentherapper haydentherapper merged commit 8b366c4 into sigstore:main Nov 6, 2023
28 checks passed
@github-actions github-actions bot added this to the v2.3.0 milestone Nov 6, 2023
@cpanato cpanato modified the milestones: v2.3.0, v2.2.1 Nov 16, 2023
@viveksahu26
Copy link
Contributor

@dylrich , I am also testing the same way as you did.

The slots seems to be present using commands:

 sudo ./cosign pkcs11-tool list-tokens --module-path=/usr/lib/softhsm/libsofthsm2.so

Listing tokens of PKCS11 module '/usr/lib/softhsm/libsofthsm2.so'
Token in slot 2061180494
        Label: My Token
        Manufacturer: SoftHSM project
        Model: SoftHSM v2
        S/N: 282c49d5fadb1e4e

Token in slot 1
        Label: 
        Manufacturer: SoftHSM project
        Model: SoftHSM v2
        S/N: 

The issue I am facing is not getting uris. So, my question is did you got the uris when you tested.

sudo ./cosign pkcs11-tool list-keys-uris --module-path=/usr/lib/softhsm/libsofthsm2.so --slot-id 2061180494 --pin 1234 

Listing URIs of keys in slot '2061180494' of PKCS11 module '/usr/lib/softhsm/libsofthsm2.so'

@dylrich
Copy link
Contributor Author

dylrich commented Dec 4, 2023

@viveksahu26 The tests already have a PKCS11 URI configured without using cosign pkcs11-tool list-keys-uris, so I never attempted to fetch the URI from the command line. Try to follow the uri variable in the init() function to see how it's being constructed. It's possible you are running into a bug with list-keys-uris and SoftHSM?

@viveksahu26
Copy link
Contributor

viveksahu26 commented Dec 5, 2023

Yeah, "Definitely." Running the command list-keys-uris leads to a bug. Or we can say the docs for PKCS are incomplete. But I've figured it out.
Finally, after a lot of research, I found the reason why it is so. It's because by default SoftHSM didn't have any keys, as a result, newhandle variable ends to length zero or Objects(i.e. data, keys, certificate) in SoftHSM is empty. Therefore, it doesn't proceed further to construct a URI. Hence, an empty output is being thrown on running the list-keys-uris command.

Let's see below how we can get URIs by running the command list-keys-uris:

  1. First need to create keys:
    openssl genpkey -algorithm RSA -out private_key.pem

  2. Now, convert the private key to a format that can be used by the SoftHSM import tool.
    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_key.pem -out private_key.pk8

  3. Import the private key into SoftHSM.
    sudo softhsm2-util --import private_key.pk8 --slot 1683720452 --label "vivek" --pin 4321 --id 0011

NOTE: --id could be any random number.

  1. Now run list-key-uris command:
sudo cosign pkcs11-tool list-keys-uris --module-path=/usr/lib/softhsm/libsofthsm2.so --slot-id 1683720452 --pin 4321

Listing URIs of keys in slot '1683720452' of PKCS11 module '/usr/lib/softhsm/libsofthsm2.so'
Object 0
        Label: vivek
        ID: 0011
        URI: pkcs11:token=vivek;slot-id=1683720452;id=%00%11;object=vivek?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-value=4321
  1. Now sign the container image using 'URI`
sudo cosign sign --key "pkcs11:token=vivek;slot-id=1683720452;id=%00%11;object=vivek?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-value=4321"  viveksahu26/nginx@sha256:c260f4049d499d01e5940acefa1a27f9928c7c20845baf08c3e3ce28ee57bc11

WARNING: no x509 certificate retrieved from the PKCS11 token
.
.
tlog entry created with index: 54833270
Pushing signature to: index.docker.io/viveksahu26/nginx
  1. Now verify the container image using same URI
sudo  cosign verify --key "pkcs11:token=vivek;slot-id=1683720452;id=%00%11;object=vivek?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-value=4321"  viveksahu26/nginx@sha256:c260f4049d499d01e5940acefa1a27f9928c7c20845baf08c3e3ce28ee57bc11

Verification for index.docker.io/viveksahu26/nginx@sha256:c260f4049d499d01e5940acefa1a27f9928c7c20845baf08c3e3ce28ee57bc11 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
  .
  .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support ignoring x509 certificates when signing with a key via PKCS11
5 participants