
PKCS11 module path var unused

Open BlackthornYugen opened this issue 3 years ago • 2 comments

When I try to list tokens, I am given the unhelpful error "Error: flag: help requested"

Expected behaviour

export COSIGN_PKCS11_MODULE_PATH=/usr/local/lib/libykcs11.dylib
./cosign pkcs11-tool list-tokens

Listing tokens of PKCS11 module '/usr/local/lib/libykcs11.dylib'
Token in slot 0
	Label: YubiKey PIV #9727603
	Manufacturer: Yubico (www.yubico.com)
	Model: YubiKey YK5
	S/N: 9727603

Actual behaviour

./cosign pkcs11-tool list-tokens
Error: flag: help requested
main.go:46: error during command execution: flag: help requested

COSIGN_PKCS11_MODULE_PATH=/usr/local/lib/libykcs11.dylib ./cosign pkcs11-tool list-tokens
Error: flag: help requested
main.go:46: error during command execution: flag: help requested

Troubleshooting

I tried setting a breakpoint at https://github.com/sigstore/cosign/blob/main/pkg/cosign/pkcs11key/util.go#L168 but it never gets called when you try to list tokens.

COSIGN_PKCS11_MODULE_PATH=/usr/local/lib/libykcs11.dylib dlv debug --build-flags "-tags=pkcs11key" -- pkcs11-tool list-tokens
Type 'help' for list of commands.
(dlv) b cli/pkcs11_tool.go:56
Breakpoint 1 set at 0x102ac4ff8 for github.com/sigstore/cosign/cmd/cosign/cli.pkcs11ToolListTokens.func1() ./cli/pkcs11_tool.go:56
(dlv) b pkcs11key/util.go:167
Breakpoint 2 set at 0x101f66f2c for github.com/sigstore/cosign/pkg/cosign/pkcs11key.(*Pkcs11UriConfig).Parse() /Users/jsteel/pkcs11/cosign/pkg/cosign/pkcs11key/util.go:167
(dlv) c
> github.com/sigstore/cosign/cmd/cosign/cli.pkcs11ToolListTokens.func1() ./cli/pkcs11_tool.go:56 (hits goroutine(1):1 total:1) (PC: 0x102ac4ff8)
    51:		cmd := &cobra.Command{
    52:			Use:   "list-tokens",
    53:			Short: "list-tokens lists all PKCS11 tokens linked to a PKCS11 module",
    54:			Args:  cobra.ExactArgs(0),
    55:			RunE: func(cmd *cobra.Command, args []string) error {
=>  56:				return pkcs11cli.ListTokensCmd(cmd.Context(), o.ModulePath)
    57:			},
    58:		}
    59:	
    60:		o.AddFlags(cmd)
    61:	
(dlv) print o.ModulePath
""
(dlv) c
Error: flag: help requested
main.go:46: error during command execution: flag: help requested
Process 40850 has exited with status 1
(dlv) q

BlackthornYugen, Feb 20 '22 01:02

I think the bug may be that cosign pkcs11-tool list-tokens doesn't honor COSIGN_PKCS11_MODULE_PATH, only --module-path.

I noticed this when testing myself:

# These work fine:
cosign pkcs11-tool list-tokens --module-path=/Library/OpenSC/lib/onepin-opensc-pkcs11.so
cosign pkcs11-tool list-tokens --module-path=/usr/local/lib/keychain-pkcs11.dylib
# These both return `help requested`
COSIGN_PKCS11_MODULE_PATH=/Library/OpenSC/lib/onepin-opensc-pkcs11.so cosign pkcs11-tool list-tokens
COSIGN_PKCS11_MODULE_PATH=/usr/local/lib/keychain-pkcs11.dylib cosign pkcs11-tool list-tokens

cosign sign appears to correctly honor both ?module-path= in the URI and the COSIGN_PKCS11_MODULE_PATH variable. (It doesn't accept a --module-path argument.)

bburky, Mar 04 '22 23:03

I haven't really played around with this code myself; is it just a matter of hooking up the extra flag?

dlorenc, Mar 19 '22 23:03
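As an added illustration of the fix the thread is circling (not cosign's own code, which uses cobra as the debugger listing above shows), the following uses Go's standard flag package to make --module-path default to COSIGN_PKCS11_MODULE_PATH and to replace the bare "flag: help requested" error with one that names both ways to supply the path; resolveModulePath, errNoModulePath and the injected getenv are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
)

// envModulePath is the environment variable the issue reports as ignored.
const envModulePath = "COSIGN_PKCS11_MODULE_PATH"

// errNoModulePath is returned instead of the bare flag.ErrHelp
// ("flag: help requested") so the user learns what is actually missing.
var errNoModulePath = errors.New("no PKCS11 module path: pass --module-path or set " + envModulePath)

// resolveModulePath parses a list-tokens style argument list and returns
// the module path, with --module-path taking precedence over the env var.
// getenv is injected so the lookup can be tested without touching the
// real environment. (Hypothetical helper, not cosign's own code.)
func resolveModulePath(args []string, getenv func(string) string) (string, error) {
	fs := flag.NewFlagSet("list-tokens", flag.ContinueOnError)
	// The flag default is the env var value: an explicitly passed flag still
	// wins, and an unset flag falls back to the environment.
	modulePath := fs.String("module-path", getenv(envModulePath), "path to the PKCS11 module")
	if err := fs.Parse(args); err != nil {
		// flag.ErrHelp comes back here only when -h/--help was really given.
		return "", err
	}
	if *modulePath == "" {
		return "", errNoModulePath
	}
	return *modulePath, nil
}

func main() {
	path, err := resolveModulePath(os.Args[1:], os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(1)
	}
	fmt.Printf("Listing tokens of PKCS11 module '%s'\n", path)
}
```

With this shape, `COSIGN_PKCS11_MODULE_PATH=... ./tool` and `./tool --module-path=...` resolve to the same path, and "help requested" is only reported when help was asked for.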