experimental-features: add 'keystore'

Support OpenSSL keystores. Formatting is identical to our normal private
key format (keyname:private-key-here) but OpenSSL will parse it as a URI
(e.g. keyname:scheme:private-key-here).

Add --key-uri in addition to --key-file that automatically enables the
'keystore' feature and performs the signature, without the need to put
the private key in a file.

This allows using PEM-formatted private keys if desired
(e.g. mykey:file:/etc/nix/mykey.pem), in addition to PKCS#11
(e.g. mykey:pkcs11:id=%01;object=mykey;token=nixpkcs;type=private?foo).

Tested using [nixpkcs](https://github.com/numinit/nixpkcs) by injecting
an OpenSSL config into Nix that adds support for the PKCS#11 scheme with
pkcs11-provider.

Signing:

```
$ nix-shell -p openssl pkcs11-provider yubico-piv-tool
$ openssl ecparam -genkey -name secp384r1 -noout -out p384.pem
$ echo "p384:file:$(realpath p384.pem)" > p384.uri
$ ./src/nix/nix store sign \
  /nix/store/icq1cx1x7fjxim84sfanrv1j3vgb1qwp-pkcs11-provider-1.1 \
  --key-file ./p384.key \
  --extra-experimental-features 'cnsa keystore'
$ nixpkcs-uri ca
pkcs11:id=%02;token=YubiKey%20PIV%20%236108039;type=private?\
  module-path=%2Fnix%2Fstore%2Fxcmf5v8y8vn5g5krsr2cyxp7hjmjgijc-yubico-piv-tool-2.7.2%2Flib%2Flibykcs11.so&\
  pin-source=file%3A%2Fetc%2Fnixpkcs%2Fyubikeys%2F6108039%2Fuser.pin
$ # generated with nixpkcs:
$ export OPENSSL_CONF='/nix/store/gq3izqn2wflfr5cxan2nqz0nrww415h3-openssl-with-pkcs11.openssl.cnf'
$ ./src/nix/nix store sign \
  /nix/store/icq1cx1x7fjxim84sfanrv1j3vgb1qwp-pkcs11-provider-1.1 \
  --key-uri yubikey-6108039:$(nixpkcs-uri ca) \
  --extra-experimental-features cnsa
```

Verifying:

```
$ nix path-info --json --json-format 2 \
  /nix/store/icq1cx1x7fjxim84sfanrv1j3vgb1qwp-pkcs11-provider-1.1
{
  "info": {
    "icq1cx1x7fjxim84sfanrv1j3vgb1qwp-pkcs11-provider-1.1": {
      "ca": null,
      "deriver": "1lparccpa6kjh2sc7n4hkd3vkr4n1c1h-pkcs11-provider-1.1.drv",
      "narHash": "sha256-iS7ETDBufxea39YxmAWeJ67NHcSuPAvONWe462pQpAk=",
      "narSize": 613744,
      "references": [
        "1xj3zlgsv40gbhc0fxm0fphxsd4b7l7k-p11-kit-0.25.9",
        "daamdpmaz2vjvna55ccrc30qw3qb8h6d-glibc-2.40-66",
        "llswcygvgv9x2sa3z6j7i0g5iqqmn5gn-openssl-3.6.0"
      ],
      "registrationTime": 1779338946,
      "signatures": [
        "cache.nixos.org-1:mULTk4OTkR3WVcGF1ClS3kJdQcRMlgbjy7GhH0inFKe9qi4Fw9kVDb/3SaYpbXTgQzfpQJypI91Jx9lq5JhwBg==",
        "p384:MGUCMQDXldyCdoiVKOp/Mqf1cDjZ1lmmNgmnedh6eJFeHFtMgck0EjsfFXnWe/TMH+Rc1boCMDhvOj9n8yUkkketqM1thIE6fqiFp5lUYZ3KEZ2l8B2q4Sm1V/3ASeVYzBJ7y5hLeQ==",
        "yubikey-6108039:MGUCMQCzcVYwFttNbQxcxflbIsmEcAEPCI2fiNZEissy0razpmZDMT0MdjuIsN8HYyFe7f8CMFVxVfVn0kqXE3C01RWIVLy5BslkFX3xYTI6w56ooSWo4jRZCbdVXoKWNO5YVJcvYg=="
      ],
      "storeDir": "/nix/store",
      "ultimate": false,
      "version": 2
    }
  },
  "storeDir": "/nix/store",
  "version": 2
}
```

Author: numinit

src/libstore/binary-cache-store.cc

@@ -27,14 +27,29 @@ namespace nix {
 BinaryCacheStore::BinaryCacheStore(Config & config)
     : config{config}
 {
-    if (!config.secretKeyFile.get().empty())
-        signers.push_back(std::make_unique<LocalSigner>(SecretKey::parse(readFile(config.secretKeyFile.get()))));
+    auto keystoreEnabled = experimentalFeatureSettings.isEnabled(Xp::Keystore);
+    if (!config.secretKeyFile.get().empty()) {
+        auto isUri = keystoreEnabled && !std::get<0>(splitColon(config.secretKeyFile.get().string())).empty();
+        signers.push_back(
+            std::make_unique<LocalSigner>(
+                SecretKey::parse(
+                    isUri ? config.secretKeyFile.get().string() : readFile(config.secretKeyFile.get()),
+                    isUri
+                )
+            )
+        );
+    }
 
     if (config.secretKeyFiles != "") {
         std::stringstream ss(config.secretKeyFiles);
         std::string keyPath;
         while (std::getline(ss, keyPath, ',')) {
-            signers.push_back(std::make_unique<LocalSigner>(SecretKey::parse(readFile(keyPath))));
+            auto isUri = keystoreEnabled && !std::get<0>(splitColon(keyPath)).empty();
+            signers.push_back(
+                std::make_unique<LocalSigner>(
+                    SecretKey::parse(isUri ? keyPath : readFile(keyPath), isUri)
+                )
+            );
         }
     }
 

src/libstore/include/nix/store/binary-cache-store.hh

@@ -40,10 +40,10 @@ struct BinaryCacheStoreConfig : virtual StoreConfig
         )"};
 
     Setting<AbsolutePath> secretKeyFile{
-        this, "", "secret-key", "Path to the secret key used to sign the binary cache."};
+        this, "", "secret-key", "Path or URI to the secret key used to sign the binary cache."};
 
     Setting<std::string> secretKeyFiles{
-        this, "", "secret-keys", "List of comma-separated paths to the secret keys used to sign the binary cache."};
+        this, "", "secret-keys", "List of comma-separated paths or URIs to the secret keys used to sign the binary cache."};
 
     Setting<std::optional<AbsolutePath>> localNarCache{
         this,

src/libstore/keys.cc

@@ -1,5 +1,6 @@
 #include "nix/util/file-system.hh"
 #include "nix/store/globals.hh"
+#include "nix/util/signature/local-keys.hh"
 #include "nix/store/keys.hh"
 
 namespace nix {
@@ -17,9 +18,11 @@ PublicKeys getDefaultPublicKeys()
     }
 
     // FIXME: keep secret keys in memory (see Store::signRealisation()).
+    auto keystoreEnabled = experimentalFeatureSettings.isEnabled(Xp::Keystore);
     for (const auto & secretKeyFile : settings.secretKeyFiles.get()) {
         try {
-            auto secretKey = SecretKey::parse(readFile(secretKeyFile));
+            auto isUri = keystoreEnabled && !std::get<0>(splitColon(secretKeyFile)).empty();
+            auto secretKey = SecretKey::parse(isUri ? secretKeyFile : readFile(secretKeyFile), isUri);
             publicKeys.emplace(secretKey->name, secretKey->toPublicKey());
         } catch (SystemError & e) {
             /* Ignore unreadable key files. That's normal in a

src/libstore/store-api.cc

@@ -1266,10 +1266,12 @@ void Store::signPathInfo(ValidPathInfo & info)
 {
     // FIXME: keep secret keys in memory.
 
+    auto keystoreEnabled = experimentalFeatureSettings.isEnabled(Xp::Keystore);
     auto secretKeyFiles = settings.secretKeyFiles;
 
     for (auto & secretKeyFile : secretKeyFiles.get()) {
-        LocalSigner signer(SecretKey::parse(readFile(secretKeyFile)));
+        auto isUri = keystoreEnabled && !std::get<0>(splitColon(secretKeyFile)).empty();
+        LocalSigner signer(SecretKey::parse(isUri ? secretKeyFile : readFile(secretKeyFile), isUri));
         info.sign(*this, signer);
     }
 }
@@ -1278,10 +1280,12 @@ void Store::signRealisation(Realisation & realisation)
 {
     // FIXME: keep secret keys in memory.
 
+    auto keystoreEnabled = experimentalFeatureSettings.isEnabled(Xp::Keystore);
     auto secretKeyFiles = settings.secretKeyFiles;
 
     for (auto & secretKeyFile : secretKeyFiles.get()) {
-        LocalSigner signer(SecretKey::parse(readFile(secretKeyFile)));
+        auto isUri = keystoreEnabled && !std::get<0>(splitColon(secretKeyFile)).empty();
+        LocalSigner signer(SecretKey::parse(isUri ? secretKeyFile : readFile(secretKeyFile), isUri));
         realisation.sign(realisation.id, signer);
     }
 }

src/libutil-tests/local-keys.cc

@@ -24,7 +24,7 @@ TEST(local_keys, signAndVerify)
         ASSERT_EQ(sig.keyName, "test-key-1");
         ASSERT_TRUE(pk->verifyDetached("hello world", sig));
 
-        auto sk2 = SecretKey::parse(sk->to_string());
+        auto sk2 = SecretKey::parse(sk->to_string(), false);
         ASSERT_EQ(sk2->name, sk->name);
         ASSERT_EQ(sk2->key, sk->key);
 
@@ -58,7 +58,7 @@ TEST(local_keys, rfc8032TestVector)
     auto skBytes = seed + pubKeyBytes;
     auto skString = "test:" + base64::encode(std::as_bytes(std::span<const char>{skBytes.data(), skBytes.size()}));
 
-    auto sk = SecretKey::parse(skString);
+    auto sk = SecretKey::parse(skString, false);
     auto sig = sk->signDetached(message);
 
     ASSERT_EQ(sig.keyName, "test");
@@ -157,7 +157,7 @@ TEST(local_keys, rfc6979EcdsaP384TestVector)
         "99ef4aeb15f178cea1fe40db2603138f130e740a19624526203b6351d0a3a94fa329c145786e679e7b82c71a38628ac8");
 
     auto skString = "rfc6979-test:" + base64::encode(std::as_bytes(std::span<const char>{skDer.data(), skDer.size()}));
-    auto sk = SecretKey::parse(skString);
+    auto sk = SecretKey::parse(skString, false);
 
     auto sig = sk->signDetached("sample");
     ASSERT_EQ(sig.keyName, "rfc6979-test");
@@ -198,7 +198,7 @@ runMlDsaAcvpTest(std::string_view variant, std::string_view derPrefixHex, size_t
     auto der = base16::decode(derPrefixHex) + sk;
     auto skString =
         std::string(variant) + ":" + base64::encode(std::as_bytes(std::span<const char>{der.data(), der.size()}));
-    auto parsed = SecretKey::parse(skString);
+    auto parsed = SecretKey::parse(skString, false);
 
     auto sig = parsed->signDetached(message);
     ASSERT_EQ(sig.keyName, std::string(variant));

src/libutil/experimental-features.cc

@@ -25,7 +25,7 @@ struct ExperimentalFeatureDetails
  * feature, we either have no issue at all if few features are not added
  * at the end of the list, or a proper merge conflict if they are.
  */
-constexpr size_t numXpFeatures = 1 + static_cast<size_t>(Xp::CNSA);
+constexpr size_t numXpFeatures = 1 + static_cast<size_t>(Xp::Keystore);
 
 constexpr std::array<ExperimentalFeatureDetails, numXpFeatures> xpFeatureDetails = {{
     {
@@ -315,6 +315,14 @@ constexpr std::array<ExperimentalFeatureDetails, numXpFeatures> xpFeatureDetails
         )",
         .trackingUrl = "",
     },
+    {
+        .tag = Xp::Keystore,
+        .name = "keystore",
+        .description = R"(
+            Enable support for loading signing keys from OpenSSL store URIs.
+        )",
+        .trackingUrl = "",
+    },
 }};
 
 static_assert(

src/libutil/include/nix/util/experimental-features.hh

@@ -42,6 +42,7 @@ enum struct ExperimentalFeature {
     WasmDerivations,
     Provenance,
     CNSA,
+    Keystore,
 };
 
 extern std::set<std::string> stabilizedFeatures;

src/libutil/include/nix/util/signature/local-keys.hh

@@ -49,6 +49,8 @@ enum KeyType {
     ECDSAP384,
 };
 
+std::tuple<std::string_view, std::string_view> splitColon(std::string_view s);
+
 KeyType parseKeyType(std::string_view s);
 
 const StringSet & getKeyTypes();
@@ -78,7 +80,7 @@ struct SecretKey : Key
 
     virtual ~SecretKey() {};
 
-    static std::unique_ptr<SecretKey> parse(std::string_view s);
+    static std::unique_ptr<SecretKey> parse(std::string_view s, bool forceUri);
 
     /**
      * Return a detached signature of the given string.