Fixed lint and doc issues, and added pkcs11key flag to verify.sh.

Signed-off-by: Kieran Miller <[email protected]>

PKCS11.md

@@ -7,7 +7,7 @@ This support is enabled through the [crypto11](https://github.com/ThalesIgnite/c
 
 ### Setup
 
-To get started, make sure you already have your PKCS11 module installed, and insert your PKCS11-compatible token. 
+To get started, make sure you already have your PKCS11 module installed, and insert your PKCS11-compatible token.
 
 Then, run the command `cosign pkcs11-tool list-tokens` to get the slot id of your token, as follows :
 
@@ -59,7 +59,7 @@ $ cosign sign --key "<PKCS11_URI>" gcr.io/dlorenc-vmtest2/demo
 Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.sig
 ```
 
-To verify, you can either use the PKCS11 token key directly:  
+To verify, you can either use the PKCS11 token key directly:
 
 ```shell
 $ cosign verify --key "<PKCS11_URI>" gcr.io/dlorenc-vmtest2/demo
@@ -72,7 +72,7 @@ The following checks were performed on each of these signatures:
 [{"critical":{"identity":{"docker-reference":"gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd"},"type":"cosign container image signature"},"optional":null}]
 ```
 
-Or export the public key and verify against that:  
+Or export the public key and verify against that:
 
 ```shell
 $ cosign public-key --key "<PKCS11_URI>" > pub.key

cmd/cosign/cli/options/pkcs11_tool.go

@@ -35,7 +35,7 @@ func (o *PKCS11ToolListTokensOptions) AddFlags(cmd *cobra.Command) {
 // PKCS11ToolListKeysUrisOptions is the wrapper for `pkcs11-tool list-keys-uris` related options.
 type PKCS11ToolListKeysUrisOptions struct {
 	ModulePath string
-	SlotId     uint
+	SlotID     uint
 	Pin        string
 }
 
@@ -46,7 +46,7 @@ func (o *PKCS11ToolListKeysUrisOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.ModulePath, "module-path", "",
 		"absolute path to the PKCS11 module")
 
-	cmd.Flags().UintVar(&o.SlotId, "slot-id", 0,
+	cmd.Flags().UintVar(&o.SlotID, "slot-id", 0,
 		"id of the PKCS11 slot, uses 0 if empty")
 
 	cmd.Flags().StringVar(&o.Pin, "pin", "",

cmd/cosign/cli/pkcs11_tool.go

@@ -70,7 +70,7 @@ func PKCS11ToolListKeysUrisOptions() *cobra.Command {
 		Short: "list-keys-uris lists URIs of all keys in a PKCS11 token",
 		Args:  cobra.ExactArgs(0),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return pkcs11cli.ListKeysUrisCmd(cmd.Context(), o.ModulePath, o.SlotId, o.Pin)
+			return pkcs11cli.ListKeysUrisCmd(cmd.Context(), o.ModulePath, o.SlotID, o.Pin)
 		},
 	}
 

cmd/cosign/cli/pkcs11cli/commands.go

@@ -71,7 +71,7 @@ func ListTokensCmd(_ context.Context, modulePath string) error {
 	return nil
 }
 
-func ListKeysUrisCmd(_ context.Context, modulePath string, slotId uint, pin string) error {
+func ListKeysUrisCmd(_ context.Context, modulePath string, SlotID uint, pin string) error {
 	if modulePath == "" || !filepath.IsAbs(modulePath) {
 		return flag.ErrHelp
 	}
@@ -90,7 +90,7 @@ func ListKeysUrisCmd(_ context.Context, modulePath string, slotId uint, pin stri
 
 	// Get token Info.
 	var tokenInfo pkcs11.TokenInfo
-	tokenInfo, err = ctx.GetTokenInfo(uint(slotId))
+	tokenInfo, err = ctx.GetTokenInfo(uint(SlotID))
 	if err != nil {
 		return errors.Wrap(err, "get token info")
 	}
@@ -114,7 +114,7 @@ func ListKeysUrisCmd(_ context.Context, modulePath string, slotId uint, pin stri
 	}
 
 	// Open a new session to the token.
-	session, err := ctx.OpenSession(slotId, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
+	session, err := ctx.OpenSession(SlotID, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
 	if err != nil {
 		return errors.Wrap(err, "open session")
 	}
@@ -156,7 +156,7 @@ func ListKeysUrisCmd(_ context.Context, modulePath string, slotId uint, pin stri
 
 	// For each private key, get key label and key id then construct uri.
 	i := 0
-	fmt.Fprintf(os.Stdout, "Listing URIs of keys in slot '%d' of PKCS11 module '%s'\n", slotId, modulePath)
+	fmt.Fprintf(os.Stdout, "Listing URIs of keys in slot '%d' of PKCS11 module '%s'\n", SlotID, modulePath)
 	for _, handle := range handles {
 		attributes := []*pkcs11.Attribute{
 			pkcs11.NewAttribute(pkcs11.CKA_ID, nil),
@@ -165,16 +165,16 @@ func ListKeysUrisCmd(_ context.Context, modulePath string, slotId uint, pin stri
 		if attributes, err = ctx.GetAttributeValue(session, handle, attributes); err != nil {
 			return errors.Wrap(err, "get attributes")
 		}
-		keyId := attributes[0].Value
+		keyID := attributes[0].Value
 		keyLabel := attributes[1].Value
 
 		// If the object has neither a key id nor a key label, we skip it.
-		if (keyId == nil || len(keyId) == 0) && (keyLabel == nil || len(keyLabel) == 0) {
+		if (keyID == nil || len(keyID) == 0) && (keyLabel == nil || len(keyLabel) == 0) {
 			continue
 		}
 
-		slotIdInt := int(slotId)
-		pkcs11Uri := pkcs11key.NewPkcs11UriConfigFromInput(modulePath, &slotIdInt, tokenInfo.Label, keyLabel, keyId, pin)
+		SlotIDInt := int(SlotID)
+		pkcs11Uri := pkcs11key.NewPkcs11UriConfigFromInput(modulePath, &SlotIDInt, tokenInfo.Label, keyLabel, keyID, pin)
 		pkcs11UriStr, err := pkcs11Uri.Construct()
 		if err != nil {
 			return errors.Wrap(err, "construct pkcs11 uri")
@@ -184,8 +184,8 @@ func ListKeysUrisCmd(_ context.Context, modulePath string, slotId uint, pin stri
 		if keyLabel != nil && len(keyLabel) != 0 {
 			fmt.Fprintf(os.Stdout, "\tLabel: %s\n", string(keyLabel))
 		}
-		if keyId != nil && len(keyId) != 0 {
-			fmt.Fprintf(os.Stdout, "\tID: %s\n", hex.EncodeToString(keyId))
+		if keyID != nil && len(keyID) != 0 {
+			fmt.Fprintf(os.Stdout, "\tID: %s\n", hex.EncodeToString(keyID))
 		}
 		fmt.Fprintf(os.Stdout, "\tURI: %s\n", pkcs11UriStr)
 

cmd/cosign/cli/publickey/public_key.go

@@ -55,7 +55,7 @@ func GetPublicKey(ctx context.Context, opts Pkopts, writer NamedWriter, pf cosig
 				return errors.Wrap(err, "parsing pkcs11 uri")
 			}
 
-			sk, err := pkcs11key.GetKeyWithUriConfig(pkcs11UriConfig, false)
+			sk, err := pkcs11key.GetKeyWithURIConfig(pkcs11UriConfig, false)
 			if err != nil {
 				return errors.Wrap(err, "opening pkcs11 token key")
 			}

cmd/cosign/cli/sign/sign.go

@@ -337,7 +337,7 @@ func SignerFromKeyOpts(ctx context.Context, certPath string, ko KeyOpts) (*CertS
 
 			// Since we'll be signing, we need to set askForPinIsNeeded to true
 			// because we need access to the private key.
-			sk, err := pkcs11key.GetKeyWithUriConfig(pkcs11UriConfig, true)
+			sk, err := pkcs11key.GetKeyWithURIConfig(pkcs11UriConfig, true)
 			if err != nil {
 				return nil, err
 			}

cmd/cosign/cli/verify/verify.go

@@ -101,7 +101,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 
 			// Since we'll be verifying a signature, we do not need to set askForPinIsNeeded to true
 			// because we only need access to the public key.
-			sk, err := pkcs11key.GetKeyWithUriConfig(pkcs11UriConfig, false)
+			sk, err := pkcs11key.GetKeyWithURIConfig(pkcs11UriConfig, false)
 			if err != nil {
 				return errors.Wrap(err, "opening pkcs11 token key")
 			}

cmd/cosign/cli/verify/verify_attestation.go

@@ -90,7 +90,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 				return errors.Wrap(err, "parsing pkcs11 uri")
 			}
 
-			sk, err := pkcs11key.GetKeyWithUriConfig(pkcs11UriConfig, false)
+			sk, err := pkcs11key.GetKeyWithURIConfig(pkcs11UriConfig, false)
 			if err != nil {
 				return errors.Wrap(err, "opening pkcs11 token key")
 			}

cmd/cosign/cli/verify/verify_blob.go

@@ -70,7 +70,7 @@ func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, sigRef, blobRe
 				return errors.Wrap(err, "parsing pkcs11 uri")
 			}
 
-			sk, err := pkcs11key.GetKeyWithUriConfig(pkcs11UriConfig, false)
+			sk, err := pkcs11key.GetKeyWithURIConfig(pkcs11UriConfig, false)
 			if err != nil {
 				return errors.Wrap(err, "opening pkcs11 token key")
 			}

cmd/help/verify.sh

@@ -18,8 +18,8 @@ set -e
 
 # Verify that generated Markdown docs are up-to-date.
 tmpdir=$(mktemp -d)
-go run -tags pivkey,cgo cmd/help/main.go --dir "$tmpdir"
+go run -tags pivkey,pkcs11key,cgo cmd/help/main.go --dir "$tmpdir"
 echo "###########################################"
-echo "If diffs are found, run: go run -tags pivkey,cgo ./cmd/help/"
+echo "If diffs are found, run: go run -tags pivkey,pkcs11key,cgo ./cmd/help/"
 echo "###########################################"
 diff -Naur "$tmpdir" doc/

pkg/cosign/pkcs11key/disabled.go

@@ -33,7 +33,7 @@ type empty struct{} //nolint
 
 type Key struct{}
 
-func GetKeyWithUriConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key, error) {
+func GetKeyWithURIConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key, error) {
 	return nil, errors.New("unimplemented")
 }
 

pkg/cosign/pkcs11key/pkcs11key.go

@@ -48,19 +48,19 @@ type Key struct {
 	cert   *x509.Certificate
 }
 
-func GetKeyWithUriConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key, error) {
+func GetKeyWithURIConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key, error) {
 	conf := &crypto11.Config{
 		Path: config.modulePath,
 		Pin:  config.pin,
 	}
 
 	// At least one of object and id must be specified.
-	if (config.keyLabel == nil || len(config.keyLabel) == 0) && (config.keyId == nil || len(config.keyId) == 0) {
-		return nil, errors.New("one of keyLabel and keyId must be set")
+	if (config.keyLabel == nil || len(config.keyLabel) == 0) && (config.keyID == nil || len(config.keyID) == 0) {
+		return nil, errors.New("one of keyLabel and keyID must be set")
 	}
 
 	// At least one of token and slot-id must be specified.
-	if config.tokenLabel == "" && config.slotId == nil {
+	if config.tokenLabel == "" && config.slotID == nil {
 		return nil, errors.New("one of token and slot id must be set")
 	}
 
@@ -81,8 +81,8 @@ func GetKeyWithUriConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key,
 			}
 
 			var tokenInfo pkcs11.TokenInfo
-			if config.slotId != nil {
-				tokenInfo, err = p.GetTokenInfo(uint(*config.slotId))
+			if config.slotID != nil {
+				tokenInfo, err = p.GetTokenInfo(uint(*config.slotID))
 				if err != nil {
 					return nil, errors.Wrap(err, "get token info")
 				}
@@ -118,10 +118,10 @@ func GetKeyWithUriConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key,
 		}
 	}
 
-	// We must set one slotId or tokenLabel, never both.
-	// slotId has priority over tokenLabel.
-	if config.slotId != nil {
-		conf.SlotNumber = config.slotId
+	// We must set one SlotID or tokenLabel, never both.
+	// SlotID has priority over tokenLabel.
+	if config.slotID != nil {
+		conf.SlotNumber = config.slotID
 	} else if config.tokenLabel != "" {
 		conf.TokenLabel = config.tokenLabel
 	}
@@ -131,10 +131,10 @@ func GetKeyWithUriConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key,
 		return nil, err
 	}
 
-	// If both keyId and keyLabel are set, keyId has priority.
+	// If both keyID and keyLabel are set, keyID has priority.
 	var signer crypto11.Signer
-	if config.keyId != nil && len(config.keyId) != 0 {
-		signer, err = ctx.FindKeyPair(config.keyId, nil)
+	if config.keyID != nil && len(config.keyID) != 0 {
+		signer, err = ctx.FindKeyPair(config.keyID, nil)
 	} else if config.keyLabel != nil && len(config.keyLabel) != 0 {
 		signer, err = ctx.FindKeyPair(nil, config.keyLabel)
 	}
@@ -145,8 +145,8 @@ func GetKeyWithUriConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key,
 	// Key's corresponding cert might not exist,
 	// therefore, we do not fail if it is the case.
 	var cert *x509.Certificate
-	if config.keyId != nil && len(config.keyId) != 0 {
-		cert, _ = ctx.FindCertificate(config.keyId, nil, nil)
+	if config.keyID != nil && len(config.keyID) != 0 {
+		cert, _ = ctx.FindCertificate(config.keyID, nil, nil)
 	} else if config.keyLabel != nil && len(config.keyLabel) != 0 {
 		cert, _ = ctx.FindCertificate(nil, config.keyLabel, nil)
 	}