fix: allow concurrent sign operations and serialize if not possible

jakobmoellerdev · jakobmoellerdev · commit 513560151828 · 2025-06-25T18:21:46.000+02:00
diff --git a/cmd/signing-server/main.go b/cmd/signing-server/main.go
@@ -78,7 +78,7 @@ type Config struct {
 	HSMKeyLabel   string
 	HSMKeyId      string
 
-	HSMContext sign.HSMOptions
+	HSMContext *sign.HSMOptions
 
 	// calculated by program
 	Logger *zap.Logger
@@ -105,6 +105,7 @@ func (c *Config) SetupHSM() error {
 		TokenLabel: c.HSMTokenLabel,
 		Slot:       slot,
 		Pin:        c.HSMPass,
+		Logger:     c.Logger,
 	}
 
 	ctx, err := crypto11.NewSession(config)
@@ -516,7 +517,7 @@ func RunSigner(cfg *Config, args []string, responseBuilders map[string]encoding.
 
 	hashfunc, ok := sign.GetHashFunction(cfg.Hash)
 	if !ok {
-		return fmt.Errorf("unknown hash algorith %q", cfg.Hash)
+		return fmt.Errorf("unknown hash algorithm %q", cfg.Hash)
 	}
 
 	var data []byte
diff --git a/pkg/crypto11/rsa.go b/pkg/crypto11/rsa.go
@@ -121,6 +121,10 @@ func (s *Session) SignPSS(key pkcs11.ObjectHandle, digest []byte, opts *rsa.PSSO
 		ulongToBytes(mgf),
 		ulongToBytes(sLen))
 	mech := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS_PSS, parameters)}
+	if s.serialized {
+		s.mu.Lock()
+		defer s.mu.Unlock()
+	}
 	if err = s.Ctx.SignInit(s.Handle, mech, key); err != nil {
 		return nil, err
 	}
@@ -142,6 +146,10 @@ func (s *Session) SignPKCS1v15(key pkcs11.ObjectHandle, digest []byte, hash cryp
 	copy(T[0:len(oid)], oid)
 	copy(T[len(oid):], digest)
 	mech := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)}
+	if s.serialized {
+		s.mu.Lock()
+		defer s.mu.Unlock()
+	}
 	err = s.Ctx.SignInit(s.Handle, mech, key)
 	if err == nil {
 		signature, err = s.Ctx.Sign(s.Handle, T)
diff --git a/pkg/crypto11/session.go b/pkg/crypto11/session.go
@@ -5,9 +5,12 @@ package crypto11
 import (
 	"encoding/hex"
 	"fmt"
+	"strings"
+	"sync"
 
 	"github.com/miekg/pkcs11"
 	"github.com/pkg/errors"
+	"go.uber.org/zap"
 )
 
 // errTokenNotFound represents the failure to find the requested PKCS#11 token
@@ -18,6 +21,9 @@ var errTokenNotFound = errors.New("could not find PKCS#11 token")
 type Session struct {
 	Ctx    *pkcs11.Ctx
 	Handle pkcs11.SessionHandle
+
+	mu         sync.Mutex // protects the session if serialized
+	serialized bool
 }
 
 // Config describes the attributes required to access
@@ -34,6 +40,9 @@ type Config struct {
 	Slot *int
 	// Pin is the password used to access the described slot.
 	Pin string
+
+	// Logger is an optional logger to use for logging.
+	Logger *zap.Logger
 }
 
 // NewSession provides a session object for working with HSM signing
@@ -60,7 +69,13 @@ func NewSession(cfg *Config) (*Session, error) {
 		return nil, fmt.Errorf("lookup HSM slots: %w", err)
 	}
 
-	session, err := p.OpenSession(slot, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
+	var serializedSession bool
+	session, err := p.OpenSession(slot, 0)
+	if err != nil && strings.Contains(err.Error(), fmt.Sprintf("0x%X", pkcs11.CKR_SESSION_PARALLEL_NOT_SUPPORTED)) {
+		session, err = p.OpenSession(slot, pkcs11.CKF_SERIAL_SESSION)
+		serializedSession = true
+		cfg.Logger.Warn("opening session in serialized mode as parallel sessions are unsupported", zap.Error(err))
+	}
 	if err != nil {
 		return nil, fmt.Errorf("open HSM session: %w", err)
 	}
@@ -73,8 +88,9 @@ func NewSession(cfg *Config) (*Session, error) {
 	}
 
 	return &Session{
-		Ctx:    p,
-		Handle: session,
+		Ctx:        p,
+		Handle:     session,
+		serialized: serializedSession,
 	}, nil
 }
 
@@ -134,6 +150,10 @@ func (s *Session) FindPrivateKey(keyId, keyLabel string) (pkcs11.ObjectHandle, e
 		}
 		attrs = append(attrs, pkcs11.NewAttribute(pkcs11.CKA_ID, id))
 	}
+	if s.serialized {
+		s.mu.Lock()
+		defer s.mu.Unlock()
+	}
 	if err := s.Ctx.FindObjectsInit(s.Handle, attrs); err != nil {
 		return 0, fmt.Errorf("HSM get private key handle %q: %w", keyId, err)
 	}
diff --git a/pkg/handler/sign/handler.go b/pkg/handler/sign/handler.go
@@ -19,8 +19,8 @@ type HSMOptions struct {
 	Key     pkcs11.ObjectHandle
 }
 
-func NewHSMOptions(session *crypto11.Session, key pkcs11.ObjectHandle) HSMOptions {
-	return HSMOptions{
+func NewHSMOptions(session *crypto11.Session, key pkcs11.ObjectHandle) *HSMOptions {
+	return &HSMOptions{
 		Session: session,
 		Key:     key,
 	}
diff --git a/pkg/handler/sign/hsm_pkcs1_1_5/handler.go b/pkg/handler/sign/hsm_pkcs1_1_5/handler.go
@@ -22,12 +22,12 @@ const (
 
 var mechanism = pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)
 
-func New(opt sign.HSMOptions) sign.SignHandler {
-	return &Handler{opt}
+func New(opt *sign.HSMOptions) sign.SignHandler {
+	return &Handler{options: opt}
 }
 
 type Handler struct {
-	options sign.HSMOptions
+	options *sign.HSMOptions
 }
 
 func (h *Handler) Name() string {
diff --git a/pkg/handler/sign/hsm_pss/handler.go b/pkg/handler/sign/hsm_pss/handler.go
@@ -23,12 +23,12 @@ const (
 
 var mechanism = pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS_PSS, nil)
 
-func New(opt sign.HSMOptions) sign.SignHandler {
-	return &Handler{opt}
+func New(opt *sign.HSMOptions) sign.SignHandler {
+	return &Handler{options: opt}
 }
 
 type Handler struct {
-	options sign.HSMOptions
+	options *sign.HSMOptions
 }
 
 func (h *Handler) Name() string {

Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,8 @@ type HSMOptions struct {`
`19`	`19`	`Key pkcs11.ObjectHandle`
`20`	`20`	`}`
`21`	`21`
`22`		`-func NewHSMOptions(session *crypto11.Session, key pkcs11.ObjectHandle) HSMOptions {`
`23`		`- return HSMOptions{`
	`22`	`+func NewHSMOptions(session crypto11.Session, key pkcs11.ObjectHandle) HSMOptions {`
	`23`	`+ return &HSMOptions{`
`24`	`24`	`Session: session,`
`25`	`25`	`Key: key,`
`26`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,12 +22,12 @@ const (`
`22`	`22`
`23`	`23`	`var mechanism = pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)`
`24`	`24`
`25`		`-func New(opt sign.HSMOptions) sign.SignHandler {`
`26`		`- return &Handler{opt}`
	`25`	`+func New(opt *sign.HSMOptions) sign.SignHandler {`
	`26`	`+ return &Handler{options: opt}`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`type Handler struct {`
`30`		`- options sign.HSMOptions`
	`30`	`+ options *sign.HSMOptions`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`func (h *Handler) Name() string {`
Original file line number	Diff line number	Diff line change
`@@ -23,12 +23,12 @@ const (`
`23`	`23`
`24`	`24`	`var mechanism = pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS_PSS, nil)`
`25`	`25`
`26`		`-func New(opt sign.HSMOptions) sign.SignHandler {`
`27`		`- return &Handler{opt}`
	`26`	`+func New(opt *sign.HSMOptions) sign.SignHandler {`
	`27`	`+ return &Handler{options: opt}`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`type Handler struct {`
`31`		`- options sign.HSMOptions`
	`31`	`+ options *sign.HSMOptions`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`func (h *Handler) Name() string {`