Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add automatic support for p11-kit #260

Merged
merged 8 commits into from
Jun 12, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 13 additions & 36 deletions kms/pkcs11/pkcs11.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,9 @@ import (
"encoding/hex"
"fmt"
"math/big"
"os"
"os/exec"
"runtime"
"strconv"
"strings"
"sync"
"time"

"github.com/ThalesIgnite/crypto11"
"github.com/pkg/errors"
Expand Down Expand Up @@ -75,9 +71,13 @@ func New(ctx context.Context, opts apiv1.Options) (*PKCS11, error) {
}
config.SlotNumber = &n
}
// Get module or default to use p11-kit-proxy.so
// Get module or default to use p11-kit-proxy.so.
//
// pkcs11.New(module string) will use dlopen that will look for the
// given library in the appropriate paths, so there's no need to provide
// the full path.
if config.Path = u.Get("module-path"); config.Path == "" {
config.Path = findP11KitProxy(ctx)
config.Path = defaultModule
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is in the wrong place, isn't it? It'll only happen if a URI is given, but there's an alternative code flow where it's all in the config? That should benefit from the default, too.

There's already a check for config.Path == "" a few lines further down, with an error return which is no longer telling the truth because it says that 'module-path is required'.

Also... what's wrong with pkcs11:manufacturer=piv_II;id=%01 which I usually use as my examples in documentation? Why are only token/serial/slot-id accepted, and not model/manufacturer?

(And why is this something you even need to do for yourself; surely "match token against the attributes in a URI" is a generic thing that ought to be somewhere much further down the stack than your code; in ThalesIgnite/crypto11 or miekg/pkcs11. Ideally you just want to call a function like the matchSlots() I wrote here, and in your case as discussed, you want to just bail if len(slots) != 1).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd still like to see the documentation at least mention that in a properly configured system, module-path should be unnecessary.

In particular, these two:

.. especially the former. I don't want to live in a world where we have to tell users to explicitly pass a module-path.

All those examples for how to use different HSMs differ mostly in the module-path, which shouldn't be needed anyway.

The packaging of the PKCS#11 provider module itself should come with a p11-kit .module file, the token should automatically appear in the output of things like p11-kit list-tokens or p11tool --list-tokens (and thus also in GUIs when you're selecting a client cert for 802.1x or VPN auth, etc.)

The common case is that user should just be able to select a token from the list, e.g. pkcs11:manufacturer=piv_II.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is in the wrong place, isn't it? It'll only happen if a URI is given, but there's an alternative code flow where it's all in the config? That should benefit from the default, too.

PKCS#11 cannot be configured without a URI, currently you will get the following error:

return nil, errors.New("kms uri 'module-path' are required")

We can make it more explicit and actually fail if URI == "".

Also... what's wrong with pkcs11:manufacturer=piv_II;id=%01 which I usually use as my examples in documentation? Why are only token/serial/slot-id accepted, and not model/manufacturer?

Nothing, but https://github.com/ThalesIgnite/crypto11, which is the one we use on top of github.com/miekg/pkcs11 doesn't support it, see this code.

Regarding the documentation, some of it is managed by a different team, and we haven't integrated this yet, so it will have to wait a bit. But I can change step-kms-plugin README and help once this is integrated.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've fixed some of this in a23378d

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing, but https://github.com/ThalesIgnite/crypto11, which is the one we use on top of github.com/miekg/pkcs11 doesn't support it, see this code.

Thanks. I've added that specific reference to ThalesGroup/crypto11#104

}
if config.Pin == "" && opts.Pin != "" {
Expand Down Expand Up @@ -109,7 +109,14 @@ func New(ctx context.Context, opts apiv1.Options) (*PKCS11, error) {
}, nil
}

// defaultModule defines the defaultModule used, in this case is the
// p11-kit-proxy provided by p11-kit.
var defaultModule = "p11-kit-proxy.so"

func init() {
if runtime.GOOS == "darwin" {
defaultModule = "p11-kit-proxy.dylib"
maraino marked this conversation as resolved.
Show resolved Hide resolved
}
apiv1.Register(apiv1.PKCS11, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
return New(ctx, opts)
})
Expand Down Expand Up @@ -411,34 +418,4 @@ func findCertificate(ctx P11, rawuri string) (*x509.Certificate, error) {
return cert, nil
}

// findP11KitProxy uses pkg-config to locate p11-kit-proxy.so
var findP11KitProxy = func(ctx context.Context) string {
var out strings.Builder

// It should be more than enough even in constraint VMs
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
defer cancel()

cmd := exec.CommandContext(ctx, "pkg-config", "--variable=proxy_module", "p11-kit-1")
cmd.Stdout = &out
if err := cmd.Run(); err != nil {
return ""
}

path := strings.TrimSpace(out.String())
if _, err := os.Stat(path); err != nil {
if runtime.GOOS != "darwin" {
return ""
}

// pkg-config might return an .so file instead of a .dylib on macOs.
path = strings.Replace(path, ".so", ".dylib", 1)
if _, err := os.Stat(path); err != nil {
return ""
}
}

return path
}

var _ apiv1.CertificateManager = (*PKCS11)(nil)
53 changes: 2 additions & 51 deletions kms/pkcs11/pkcs11_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,8 @@ import (

func TestNew(t *testing.T) {
tmp0 := p11Configure
tmp1 := findP11KitProxy
t.Cleanup(func() {
p11Configure = tmp0
findP11KitProxy = tmp1
})

k := mustPKCS11(t)
Expand All @@ -44,21 +42,6 @@ func TestNew(t *testing.T) {
return k.p11, nil
}

findP11KitProxy = func(ctx context.Context) string {
select {
case <-ctx.Done():
return ""
default:
if fail, _ := ctx.Value("fail").(bool); fail {
return ""
}
return "/usr/local/lib/p11-kit-proxy.so"
}
}

canceledContext, cancel := context.WithCancel(context.Background())
cancel()

type args struct {
ctx context.Context
opts apiv1.Options
Expand Down Expand Up @@ -91,15 +74,9 @@ func TestNew(t *testing.T) {
URI: "pkcs11:token=pkcs11-test",
Pin: "passowrd",
}}, k, false},
{"fail with missing module", args{context.WithValue(context.Background(), "fail", true), apiv1.Options{
{"fail missing module", args{context.Background(), apiv1.Options{
Type: "pkcs11",
URI: "pkcs11:token=pkcs11-test",
Pin: "passowrd",
}}, nil, true},
{"fail findP11KitProxy", args{canceledContext, apiv1.Options{
Type: "pkcs11",
URI: "pkcs11:token=pkcs11-test?pin-value=password",
}}, nil, true},
}}, k, false},
{"fail missing pin", args{context.Background(), apiv1.Options{
Type: "pkcs11",
URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test",
Expand Down Expand Up @@ -861,29 +838,3 @@ func TestPKCS11_Close(t *testing.T) {
})
}
}

func Test_findP11KitProxy(t *testing.T) {
expected := findP11KitProxy(context.Background())

canceledContext, cancel := context.WithCancel(context.Background())
cancel()

type args struct {
ctx context.Context
}
tests := []struct {
name string
args args
want string
}{
{"expected", args{context.Background()}, expected},
{"fail", args{canceledContext}, ""},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := findP11KitProxy(tt.args.ctx); got != tt.want {
t.Errorf("findP11KitProxy() = %v, want %v", got, tt.want)
}
})
}
}