I haven't had a chance to debug further, but just in case you have an idea...
With all the latest fixes we did, I can list keys and certs with NSS fine, but if I try to use p11tool --list-certs, it gives me something like:
$ p11tool --list-certs pkcs11:token=test-sign-key
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS: alias/test-sign-key
AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
No matching objects found
With ltrace, the last few lines look like:
gnutls_pkcs11_init(1, 0, 0x7fa85a4810e0, 0AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS: alias/test-sign-key
) = 0
gnutls_pkcs11_set_pin_function(0x40a270, 0x7ffd99d67e60, 3, 0) = 0x7fa85a481fb8
gnutls_pkcs11_set_token_function(0x40a660, 0x7ffd99d67e60, 3, 0) = 0x7fa85a481fc8
gnutls_pkcs11_token_get_flags(0x7ffd99d682f7, 0x7ffd99d67d2c, 3, 0) = 0
gnutls_pkcs11_obj_list_import_url2(0x7ffd99d67d40, 0x7ffd99d67d34, 0x7ffd99d682f7, 3AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
) = 0
fwrite("No matching objects found\n", 1, 26, 0x7fa859115680No matching objects found
) = 26
exit(0 <no return ...>
So it's somewhat not happy but not too sure why at this stage.