Check for CKA_LABEL in NewSigner. (#5067)

In #4992, we refactored NewSigner to look keys up by public key and by
label. However, we didn't correctly incorporate the label check into
the new code. This fixes that and adds a test.

pkcs11helpers/helpers.go

@@ -64,12 +64,13 @@ var curveOIDs = map[string]asn1.ObjectIdentifier{
 // getPublicKeyID looks up the given public key in the PKCS#11 token, and
 // returns its ID as a []byte, for use in looking up the corresponding private
 // key.
-func (s *Session) getPublicKeyID(publicKey crypto.PublicKey) ([]byte, error) {
+func (s *Session) getPublicKeyID(label string, publicKey crypto.PublicKey) ([]byte, error) {
 	var template []*pkcs11.Attribute
 	switch key := publicKey.(type) {
 	case *rsa.PublicKey:
 		template = []*pkcs11.Attribute{
 			pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
+			pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(label)),
 			pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_RSA),
 			pkcs11.NewAttribute(pkcs11.CKA_MODULUS, key.N.Bytes()),
 			pkcs11.NewAttribute(pkcs11.CKA_PUBLIC_EXPONENT, big.NewInt(int64(key.E)).Bytes()),
@@ -92,6 +93,7 @@ func (s *Session) getPublicKeyID(publicKey crypto.PublicKey) ([]byte, error) {
 		}
 		template = []*pkcs11.Attribute{
 			pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
+			pkcs11.NewAttribute(pkcs11.CKA_LABEL, []byte(label)),
 			pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC),
 			pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, curveOID),
 			pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, marshalledPoint),
@@ -385,7 +387,7 @@ func (s *Session) NewSigner(label string, publicKey crypto.PublicKey) (crypto.Si
 		return nil, fmt.Errorf("unsupported public key of type %T", publicKey)
 	}
 
-	publicKeyID, err := s.getPublicKeyID(publicKey)
+	publicKeyID, err := s.getPublicKeyID(label, publicKey)
 	if err != nil {
 		return nil, fmt.Errorf("looking up public key: %s", err)
 	}

pkcs11helpers/helpers_test.go

@@ -289,6 +289,36 @@ func TestX509Signer(t *testing.T) {
 	test.AssertEquals(t, signer.Public(), tk.Public())
 }
 
+func TestGetKeyWhenLabelIsWrong(t *testing.T) {
+	s, ctx := newSessionWithMock()
+	pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}
+	rightLabel := "label"
+	var objectsToReturn []pkcs11.ObjectHandle
+
+	ctx.FindObjectsInitFunc = func(_ pkcs11.SessionHandle, attr []*pkcs11.Attribute) error {
+		objectsToReturn = []pkcs11.ObjectHandle{1}
+		for _, a := range attr {
+			if a.Type == pkcs11.CKA_LABEL && !bytes.Equal(a.Value, []byte(rightLabel)) {
+				objectsToReturn = nil
+			}
+		}
+		return nil
+	}
+	ctx.FindObjectsFunc = func(_ pkcs11.SessionHandle, _ int) ([]pkcs11.ObjectHandle, bool, error) {
+		return objectsToReturn, false, nil
+	}
+	ctx.FindObjectsFinalFunc = func(_ pkcs11.SessionHandle) error {
+		return nil
+	}
+
+	_, err := s.NewSigner("wrong-label", pubKey)
+	test.AssertError(t, err, "newSigner didn't fail when label was a mismatch for public key")
+	expected := "no objects found matching provided template"
+	if !strings.Contains(err.Error(), expected) {
+		t.Errorf("expected error to contain %q but it was %q", expected, err)
+	}
+}
+
 func TestGetKeyWhenGetAttributeValueFails(t *testing.T) {
 	s, ctx := newSessionWithMock()
 	pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}

test/cert-ceremonies/generate.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
@@ -35,9 +36,9 @@ func genKey(path string, inSlot string) error {
 	if err != nil {
 		return err
 	}
-	_, err = exec.Command("bin/ceremony", "-config", tmpPath).CombinedOutput()
+	output, err := exec.Command("bin/ceremony", "-config", tmpPath).CombinedOutput()
 	if err != nil {
-		return err
+		return fmt.Errorf("error running ceremony for %s: %s:\n%s", tmpPath, err, string(output))
 	}
 	return nil
 }