From 65e049f9da7175aa276b17cfb2e07e79b0bd7dcd Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 15 Feb 2024 13:06:11 +0200
Subject: [PATCH] signer: Try to guess where libykcs11 could be

This is not optimal from a security perspective (just blindly looking for modules to dynamically load) but
* the probed locations are all system locations (not user installable)
* this makes the setup process much easier
---
docs/SIGNER-SETUP.md | 7 ++++---
signer/tuf_on_ci_sign/_user.py | 28 +++++++++++++++++++++++++++-
2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/docs/SIGNER-SETUP.md b/docs/SIGNER-SETUP.md
index 05b0139f..d1631184 100644
--- a/docs/SIGNER-SETUP.md
+++ b/docs/SIGNER-SETUP.md
@@ -52,8 +52,9 @@ $ brew install swig
 ```
 [settings]
- # Path to PKCS#11 module
- pykcs11lib = /usr/lib/x86_64-linux-gnu/libykcs11.so
+ # Path to PKCS#11 module (optional)
+ # If not provided, tuf-on-ci-sign will probe some known install locations
+ # pykcs11lib = /usr/lib/x86_64-linux-gnu/libykcs11.so
 # GitHub username
 user-name = @my-github-username
@@ -62,6 +63,6 @@ $ brew install swig
 pull-remote = origin
 # push-remote: If you are allowed to push to the TUF repository, you can use the same value
- # as pull-remote. Otherwise use the rmeote name of your fork
+ # as pull-remote. Otherwise use the remote name of your fork
 push-remote = origin
 ```
diff --git a/signer/tuf_on_ci_sign/_user.py b/signer/tuf_on_ci_sign/_user.py
index c7cd696e..76eb7eee 100644
--- a/signer/tuf_on_ci_sign/_user.py
+++ b/signer/tuf_on_ci_sign/_user.py
@@ -1,9 +1,25 @@
+import logging
+import os
+import platform
 import sys
 from configparser import ConfigParser
 import click
 from securesystemslib.signer import Key, Signer
+logger = logging.getLogger(__name__)
+
+# some known locations where we might find libykcs11.
+# These should all be _system_ locations (not user writable)
+LIBYKCS11_LOCATIONS = {
+ "Linux": [
+ "/usr/lib/x86_64-linux-gnu/libykcs11.so",
+ "/usr/lib64/libykcs11.so",
+ "/usr/local/lib/libykcs11.so",
+ ],
+ "Darwin": ["/opt/homebrew/lib/libykcs11.dylib", "/usr/local/lib/libykcs11.dylib"],
+}
+
 def bold(text: str) -> str:
 return click.style(text, bold=True)
@@ -23,7 +39,6 @@ def __init__(self, path: str):
 raise click.ClickException(f"Settings file {path} not found")
 try:
 self.name = self._config["settings"]["user-name"]
- self.pykcs11lib = self._config["settings"]["pykcs11lib"]
 self.push_remote = self._config["settings"]["push-remote"]
 self.pull_remote = self._config["settings"]["pull-remote"]
 except KeyError as e:
@@ -35,6 +50,17 @@ def __init__(self, path: str):
 else:
 self._signing_key_uris = {}
+ # probe for pykcs11lib if it's not set
+ self.pykcs11lib = self._config["settings"].get("pykcs11lib")
+ if self.pykcs11lib is None:
+ for loc in LIBYKCS11_LOCATIONS.get(platform.system(), []):
+ if os.path.exists(loc):
+ self.pykcs11lib = loc
+ break
+ if self.pykcs11lib is None:
+ raise click.ClickException("Failed to find libykcs11")
+ logger.debug("Using probed YKCS11 location %s", self.pykcs11lib)
+
 # signer cache gets populated as they are used the first time
 self._signers: dict[str, Signer] = {}
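Review bot: The comment above `LIBYKCS11_LOCATIONS` says these are system locations that are not user writable, but on macOS the Homebrew prefix `/opt/homebrew` is owned by the installing user by design, and `/usr/local/lib` on both platforms is commonly admin-writable, so the guarantee the comment describes does not hold for the Darwin entries or the third Linux entry. Since the first existing path is handed to the dynamic loader without any further check, the comment should state the actual trade-off rather than overstate it, e.g. `# Known install locations for libykcs11; admin-writable prefixes (Homebrew, /usr/local) are included for convenience. Set pykcs11lib explicitly to pin a specific module.` The same caveat belongs next to the now-optional `pykcs11lib` key in SIGNER-SETUP.md, which currently only says the tool "will probe some known install locations".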
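Review bot: In the probe loop `os.path.exists(loc)` is also true for a directory at that path, and when nothing is found the only diagnostic is `Failed to find libykcs11`, which tells the user neither which paths were tried nor that `pykcs11lib` is the key to set. I'd use `if os.path.isfile(loc):` in the loop and make the error actionable: `raise click.ClickException(f"libykcs11 not found in {LIBYKCS11_LOCATIONS.get(platform.system(), [])}; set 'pykcs11lib' in {path}")`. Because a probed module is loaded into the signing process, the chosen path is worth reporting at info level rather than debug so it shows in normal output. Indentation is not recoverable in this view, so I cannot tell whether the `logger.debug(...)` line sits inside the `if self.pykcs11lib is None:` block; if it does not, it labels a value that came from the config file as "probed". `__init__` starts before this hunk.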