Rely on dlopen to locate p11-kit-proxy.so

smallstep · Jun 8, 2023 · 1e80f66 · 1e80f66
1 parent 237a370
commit 1e80f66
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 87 deletions.
diff --git a/kms/pkcs11/pkcs11.go b/kms/pkcs11/pkcs11.go
@@ -12,13 +12,9 @@ import (
 	"encoding/hex"
 	"fmt"
 	"math/big"
-	"os"
-	"os/exec"
 	"runtime"
 	"strconv"
-	"strings"
 	"sync"
-	"time"
 
 	"github.com/ThalesIgnite/crypto11"
 	"github.com/pkg/errors"
@@ -75,9 +71,13 @@ func New(ctx context.Context, opts apiv1.Options) (*PKCS11, error) {
 			}
 			config.SlotNumber = &n
 		}
-		// Get module or default to use p11-kit-proxy.so
+		// Get module or default to use p11-kit-proxy.so.
+		//
+		// pkcs11.New(module string) will use dlopen that will look for the
+		// given library in the appropriate paths, so there's no need to provide
+		// the full path.
 		if config.Path = u.Get("module-path"); config.Path == "" {
-			config.Path = findP11KitProxy(ctx)
+			config.Path = defaultModule
 		}
 	}
 	if config.Pin == "" && opts.Pin != "" {
@@ -109,7 +109,14 @@ func New(ctx context.Context, opts apiv1.Options) (*PKCS11, error) {
 	}, nil
 }
 
+// defaultModule defines the defaultModule used, in this case is the
+// p11-kit-proxy provided by p11-kit.
+var defaultModule = "p11-kit-proxy.so"
+
 func init() {
+	if runtime.GOOS == "darwin" {
+		defaultModule = "p11-kit-proxy.dylib"
+	}
 	apiv1.Register(apiv1.PKCS11, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
 		return New(ctx, opts)
 	})
@@ -411,34 +418,4 @@ func findCertificate(ctx P11, rawuri string) (*x509.Certificate, error) {
 	return cert, nil
 }
 
-// findP11KitProxy uses pkg-config to locate p11-kit-proxy.so
-var findP11KitProxy = func(ctx context.Context) string {
-	var out strings.Builder
-
-	// It should be more than enough even in constraint VMs
-	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
-	defer cancel()
-
-	cmd := exec.CommandContext(ctx, "pkg-config", "--variable=proxy_module", "p11-kit-1")
-	cmd.Stdout = &out
-	if err := cmd.Run(); err != nil {
-		return ""
-	}
-
-	path := strings.TrimSpace(out.String())
-	if _, err := os.Stat(path); err != nil {
-		if runtime.GOOS != "darwin" {
-			return ""
-		}
-
-		// pkg-config might return an .so file instead of a .dylib on macOs.
-		path = strings.Replace(path, ".so", ".dylib", 1)
-		if _, err := os.Stat(path); err != nil {
-			return ""
-		}
-	}
-
-	return path
-}
-
 var _ apiv1.CertificateManager = (*PKCS11)(nil)
diff --git a/kms/pkcs11/pkcs11_test.go b/kms/pkcs11/pkcs11_test.go
@@ -26,10 +26,8 @@ import (
 
 func TestNew(t *testing.T) {
 	tmp0 := p11Configure
-	tmp1 := findP11KitProxy
 	t.Cleanup(func() {
 		p11Configure = tmp0
-		findP11KitProxy = tmp1
 	})
 
 	k := mustPKCS11(t)
@@ -44,21 +42,6 @@ func TestNew(t *testing.T) {
 		return k.p11, nil
 	}
 
-	findP11KitProxy = func(ctx context.Context) string {
-		select {
-		case <-ctx.Done():
-			return ""
-		default:
-			if fail, _ := ctx.Value("fail").(bool); fail {
-				return ""
-			}
-			return "/usr/local/lib/p11-kit-proxy.so"
-		}
-	}
-
-	canceledContext, cancel := context.WithCancel(context.Background())
-	cancel()
-
 	type args struct {
 		ctx  context.Context
 		opts apiv1.Options
@@ -91,15 +74,9 @@ func TestNew(t *testing.T) {
 			URI:  "pkcs11:token=pkcs11-test",
 			Pin:  "passowrd",
 		}}, k, false},
-		{"fail with missing module", args{context.WithValue(context.Background(), "fail", true), apiv1.Options{
+		{"fail missing module", args{context.Background(), apiv1.Options{
 			Type: "pkcs11",
-			URI:  "pkcs11:token=pkcs11-test",
-			Pin:  "passowrd",
-		}}, nil, true},
-		{"fail findP11KitProxy", args{canceledContext, apiv1.Options{
-			Type: "pkcs11",
-			URI:  "pkcs11:token=pkcs11-test?pin-value=password",
-		}}, nil, true},
+		}}, k, false},
 		{"fail missing pin", args{context.Background(), apiv1.Options{
 			Type: "pkcs11",
 			URI:  "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test",
@@ -861,29 +838,3 @@ func TestPKCS11_Close(t *testing.T) {
 		})
 	}
 }
-
-func Test_findP11KitProxy(t *testing.T) {
-	expected := findP11KitProxy(context.Background())
-
-	canceledContext, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	type args struct {
-		ctx context.Context
-	}
-	tests := []struct {
-		name string
-		args args
-		want string
-	}{
-		{"expected", args{context.Background()}, expected},
-		{"fail", args{canceledContext}, ""},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := findP11KitProxy(tt.args.ctx); got != tt.want {
-				t.Errorf("findP11KitProxy() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}