add support for ignoring certificates with pkcs11

[dylrich]

Summary

This commit adds a new environment variable,
COSIGN_PKCS11_IGNORE_CERTIFICATE, which will skip loading certificates into a PKCS11 key when set to "1". This is desirable when you want to sign with a private key that has a certificate associated with it, but do not want that certificate to be included with the signature for verification. Certificates are already optional for keys from non-PKCS11 sources via the --certificate command line flag.

I also added a test, but I wasn't actually able to run the test. Do you have any advice for how to work with the HSM that Cosign's tests are supposed to use? I am happy to make any requested changes to the test or implementation! I'm also not sure how to indicate documentation should be changed, and would appreciate some guidance there.

Release Note

• Added a new environment variable, COSIGN_PKCS11_IGNORE_CERTIFICATE, which will skip loading certificates associated with PKCS11-sourced keys

Closes #3333

[codecov]

Codecov Report

Merging #3334 (ac202c9) into main (a00600a) will not change coverage.
Report is 4 commits behind head on main.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #3334   +/-   ##
=======================================
  Coverage   30.32%   30.32%           
=======================================
  Files         155      155           
  Lines        9921     9921           
=======================================
  Hits         3009     3009           
  Misses       6462     6462           
  Partials      450      450           

Files	Coverage Δ
pkg/cosign/env/env.go	88.88% <ø> (ø)

[haydentherapper]

I haven't tried to run these tests before. You'll need to use SoftHSMv2 as noted in the comment, though how exactly everything should be configured I'm not sure. If you do get tests running locally, please write up some docs, that would very helpful!

[haydentherapper]

For doc updates, you can add a section to https://github.com/sigstore/docs/blob/main/content/en/signing/pkcs11.md

[haydentherapper]

Are you able to compile this locally and confirm it's working as expected?

[dylrich]

Do the PKCS11 tests not run in CI at all? I'll see if I can get them to run locally tomorrow, along with those docs updates.

I am able to compile Cosign with this patch and have confirmed that it works correctly with my specific HSM via PKCS11.

[haydentherapper]

I’ve got to double check, but it appears that these tests aren’t running on CI.
The PR looks good. If you’re not able to get tests working locally, we can go through with merging.

[dylrich]

Great! I am still working on the local tests. I opened a docs PR for afterwards here: sigstore/docs#266

[dylrich]

@haydentherapper I was able to run the PKCS11 tests locally! #1256 introduced a compilation error into the tests, but I pushed an update to my commit that fixes it. The rest of the tests worked without issue. Here are my notes, tested in a Debian 11 container image:

• Installed the softhsm package for the PKCS11 library
• I had to initialize a token with the following command before running tests: softhsm2-util --init-token --slot 0 --pin=1234 --so-pin=1234 --label "My Token"
• My command for running these tests looked like: SOFTHSM2_CONF=/workspace/softhsm2.conf SOFTHSM_LIB=/usr/lib/softhsm/libsofthsm2.so go test -v -cover -coverprofile=./cover.out -tags=softhsm,pkcs11key -coverpkg github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key test/pkcs11_test.go
• SOFTHSM2_CONF seems necessary to make sure exists or the PKCS11 library will fail
• Both tags, softhsm and pkcs11key, are necessary
• The coverage of pkcs11key.go seems about ~40% right now
• Softhsm doesn't seem to have an easy way to change logging location and instead logs to syslog, so I also installed the rsyslog package and tailed /var/log/messages to see PKCS11 errors.

[haydentherapper]

@dylrich Thanks for getting this working locally. I'll get this merged in. If you're interested, I filed #3343 to see if we can add e2e testing via GitHub Actions.

[viveksahu26]

@dylrich , I am also testing the same way as you did.

The slots seems to be present using commands:

 sudo ./cosign pkcs11-tool list-tokens --module-path=/usr/lib/softhsm/libsofthsm2.so

Listing tokens of PKCS11 module '/usr/lib/softhsm/libsofthsm2.so'
Token in slot 2061180494
        Label: My Token
        Manufacturer: SoftHSM project
        Model: SoftHSM v2
        S/N: 282c49d5fadb1e4e

Token in slot 1
        Label: 
        Manufacturer: SoftHSM project
        Model: SoftHSM v2
        S/N: 

The issue I am facing is not getting uris. So, my question is did you got the uris when you tested.

sudo ./cosign pkcs11-tool list-keys-uris --module-path=/usr/lib/softhsm/libsofthsm2.so --slot-id 2061180494 --pin 1234 

Listing URIs of keys in slot '2061180494' of PKCS11 module '/usr/lib/softhsm/libsofthsm2.so'

[dylrich]

@viveksahu26 The tests already have a PKCS11 URI configured without using cosign pkcs11-tool list-keys-uris, so I never attempted to fetch the URI from the command line. Try to follow the uri variable in the init() function to see how it's being constructed. It's possible you are running into a bug with list-keys-uris and SoftHSM?

[viveksahu26]

Yeah, "Definitely." Running the command list-keys-uris leads to a bug. Or we can say the docs for PKCS are incomplete. But I've figured it out.
Finally, after a lot of research, I found the reason why it is so. It's because by default SoftHSM didn't have any keys, as a result, newhandle variable ends to length zero or Objects(i.e. data, keys, certificate) in SoftHSM is empty. Therefore, it doesn't proceed further to construct a URI. Hence, an empty output is being thrown on running the list-keys-uris command.

Let's see below how we can get URIs by running the command list-keys-uris:

1. First need to create keys:
   openssl genpkey -algorithm RSA -out private_key.pem

2. Now, convert the private key to a format that can be used by the SoftHSM import tool.
   openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_key.pem -out private_key.pk8

3. Import the private key into SoftHSM.
   sudo softhsm2-util --import private_key.pk8 --slot 1683720452 --label "vivek" --pin 4321 --id 0011

NOTE: --id could be any random number.

4. Now run list-key-uris command:

sudo cosign pkcs11-tool list-keys-uris --module-path=/usr/lib/softhsm/libsofthsm2.so --slot-id 1683720452 --pin 4321

Listing URIs of keys in slot '1683720452' of PKCS11 module '/usr/lib/softhsm/libsofthsm2.so'
Object 0
        Label: vivek
        ID: 0011
        URI: pkcs11:token=vivek;slot-id=1683720452;id=%00%11;object=vivek?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-value=4321

5. Now sign the container image using 'URI`

sudo cosign sign --key "pkcs11:token=vivek;slot-id=1683720452;id=%00%11;object=vivek?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-value=4321"  viveksahu26/nginx@sha256:c260f4049d499d01e5940acefa1a27f9928c7c20845baf08c3e3ce28ee57bc11

WARNING: no x509 certificate retrieved from the PKCS11 token
.
.
tlog entry created with index: 54833270
Pushing signature to: index.docker.io/viveksahu26/nginx

6. Now verify the container image using same URI

sudo  cosign verify --key "pkcs11:token=vivek;slot-id=1683720452;id=%00%11;object=vivek?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-value=4321"  viveksahu26/nginx@sha256:c260f4049d499d01e5940acefa1a27f9928c7c20845baf08c3e3ce28ee57bc11

Verification for index.docker.io/viveksahu26/nginx@sha256:c260f4049d499d01e5940acefa1a27f9928c7c20845baf08c3e3ce28ee57bc11 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
  .
  .