signer: open session in sign method

Asking callers to handle the PyKCS11 session was a crutch to punt
the not quite straight-forward decision of how to identify the
correct token reader, but is no nice UX.

This commit moves session handling to the signer and just uses
the first reader slot that has a token.

This commit, move the session to the signer also requires loading
the pkcs11 library in the hsm module, and to take a login pin
(as secrets handler).

Signed-off-by: Lukas Puehringer <[email protected]>

Author: lukpueh

securesystemslib/signer/_hsm_signer.py

@@ -11,9 +11,13 @@
     CRYPTO_IMPORT_ERROR = "'cryptography' required"
 
 PYKCS11_IMPORT_ERROR = None
+PYKCS = None
 try:
     from PyKCS11 import PyKCS11
 
+    PYKCS = PyKCS11.PyKCS11Lib()
+    PYKCS.load()
+
 except ImportError:  # pragma: no cover
     PYKCS11_IMPORT_ERROR = "'PyKCS11' required"
 # pylint: enable=wrong-import-position
@@ -35,8 +39,6 @@ class HSMSigner(Signer):
     supports ecdsa on SECG curves secp256r1 (NIST P-256) or secp384r1 (NIST P-384).
 
     Arguments:
-        hsm_session: An open and logged-in ``PyKCS11.Session`` to the token with the
-                private key.
         hsm_keyid: Key identifier on the token.
         public_key: The related public key instance.
 
@@ -46,10 +48,7 @@ class HSMSigner(Signer):
     """
 
     def __init__(
-        self,
-        hsm_session: "PyKCS11.Session",
-        hsm_keyid: int,
-        public_key: Key,
+        self, hsm_keyid: int, public_key: Key, secrets_handler: SecretsHandler
     ):
         if CRYPTO_IMPORT_ERROR:
             raise UnsupportedLibraryError(CRYPTO_IMPORT_ERROR)
@@ -67,9 +66,9 @@ def __init__(
             raise ValueError(f"unsupported scheme {public_key.scheme}")
 
         self._mechanism = supported_schemes[public_key.scheme]
-        self.hsm_session = hsm_session
         self.hsm_keyid = hsm_keyid
         self.public_key = public_key
+        self.secrets_handler = secrets_handler
 
     @classmethod
     def from_priv_key_uri(
@@ -93,9 +92,12 @@ def sign(self, payload: bytes) -> Signature:
         Returns:
             Signature.
         """
+        slot_id = PYKCS.getSlotList(tokenPresent=True)[0]
+        session = PYKCS.openSession(slot_id, PyKCS11.CKF_RW_SESSION)
+        session.login(self.secrets_handler())
 
         # Search for ecdsa public keys with passed keyid on HSM
-        keys = self.hsm_session.findObjects(
+        keys = session.findObjects(
             [
                 (PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY),
                 (PyKCS11.CKA_KEY_TYPE, PyKCS11.CKK_ECDSA),
@@ -107,7 +109,9 @@ def sign(self, payload: bytes) -> Signature:
                 f"hsm_keyid must identify one {KEY_TYPE_ECDSA} key, found {len(keys)}"
             )
 
-        signature = self.hsm_session.sign(keys[0], payload, self._mechanism)
+        signature = session.sign(keys[0], payload, self._mechanism)
+        session.logout()
+        session.closeSession()
 
         # The PKCS11 signature octets correspond to the concatenation of the ECDSA
         # values r and s, both represented as an octet string of equal length of at

tests/check_hsm_signer.py

@@ -221,8 +221,7 @@ def _pre_hash(data, scheme):
         for hsm_keyid in self.hsm_keyids:
             public_key = self._from_hsm(session, hsm_keyid, keyid)
 
-            session.login(self.hsm_user_pin)  # Login for signing
-            signer = HSMSigner(session, hsm_keyid, public_key)
+            signer = HSMSigner(hsm_keyid, public_key, lambda: self.hsm_user_pin)
 
             # NOTE: HSMSigner supports CKM_ECDSA_SHA256 and CKM_ECDSA_SHA384
             # mechanisms. But SoftHSM only supports CKM_ECDSA. During testing we