JackOfMostTrades / aws-kms-pkcs11

PKCS#11 Provider Using AWS KMS
MIT License

p11tool --list-certs not working #15

Closed ozbenh closed 2 years ago

ozbenh commented 2 years ago

I haven't had a chance to debug further, but just in case you have an idea...

With all the latest fixes we did, I can list keys and certs with NSS fine, but if I try to use p11tool --list-certs, it gives me something like:

$ p11tool --list-certs pkcs11:token=test-sign-key
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS:   alias/test-sign-key
AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
No matching objects found

With ltrace, the last few lines look like:

gnutls_pkcs11_init(1, 0, 0x7fa85a4810e0, 0AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /home/ec2-user/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Parsing certificate for slot test-sign-key from path /home/ec2-user/test-sign-cert.pem
AWS_KMS: Configured slots:
AWS_KMS:   alias/test-sign-key
)                                             = 0
gnutls_pkcs11_set_pin_function(0x40a270, 0x7ffd99d67e60, 3, 0)                          = 0x7fa85a481fb8
gnutls_pkcs11_set_token_function(0x40a660, 0x7ffd99d67e60, 3, 0)                        = 0x7fa85a481fc8
gnutls_pkcs11_token_get_flags(0x7ffd99d682f7, 0x7ffd99d67d2c, 3, 0)                     = 0
gnutls_pkcs11_obj_list_import_url2(0x7ffd99d67d40, 0x7ffd99d67d34, 0x7ffd99d682f7, 3AWS_KMS: Getting public key for key alias/test-sign-key
AWS_KMS: Successfully fetched public key data.
)   = 0
fwrite("No matching objects found\n", 1, 26, 0x7fa859115680No matching objects found
)                            = 26
exit(0 <no return ...>

So it's somewhat not happy but not too sure why at this stage.
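
As an added example (not code from aws-kms-pkcs11, GnuTLS or the reporter), the following Python script parses a PKCS#11 URI such as the pkcs11:token=test-sign-key used in the report according to RFC 7512 and applies it as a token and object filter over a constructed, in-memory stand-in for a module's tokens. It shows what a --list-certs style lookup is expected to return for a given filter, including the space-padded CK_TOKEN_INFO label fields that a matcher has to trim. The sample tokens, object labels and the module path value are constructed for the example and do not come from the issue.

```python
"""RFC 7512 PKCS#11 URI parser plus a token/object matcher over constructed data.

Added example, not aws-kms-pkcs11 or GnuTLS code. The parser accepts the
standard path attributes (separated by ';') and query attributes (separated
by '&'); vendor attributes are rejected to keep the example strict.
"""
from urllib.parse import unquote, unquote_to_bytes

PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs); raise ValueError on malformed input."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, sep, allowed):
        out = {}
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"bad attribute {item!r}")
            if name in out:
                raise ValueError(f"duplicate attribute {name!r}")
            # Values are percent-encoded; 'id' is binary, so it decodes to bytes.
            out[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
        return out

    return split(path, ";", PATH_ATTRS), split(query, "&", QUERY_ATTRS)


# CK_TOKEN_INFO fields are fixed-width and space padded (label 32, manufacturerID 32,
# model 16, serialNumber 16), so a matcher must trim before comparing.
TOKEN_FIELDS = {"token": "label", "manufacturer": "manufacturer",
                "serial": "serial", "model": "model"}
OBJECT_FIELDS = {"object": "label", "type": "type", "id": "id"}


def token_matches(path_attrs, token_info):
    """A token matches when every token-level URI attribute equals the trimmed field."""
    for attr, field in TOKEN_FIELDS.items():
        if attr in path_attrs and path_attrs[attr] != token_info.get(field, "").rstrip(" "):
            return False
    return True


def object_matches(path_attrs, obj):
    """An object matches when every object-level URI attribute equals its attribute."""
    return all(path_attrs[a] == obj.get(f) for a, f in OBJECT_FIELDS.items() if a in path_attrs)


def list_objects(uri, tokens):
    """Return all objects, across matching tokens, that satisfy the URI filter."""
    path_attrs, _query = parse_pkcs11_uri(uri)
    found = []
    for tok in tokens:
        if token_matches(path_attrs, tok["info"]):
            found.extend(o for o in tok["objects"] if object_matches(path_attrs, o))
    return found


# Constructed stand-in for what a module would report; labels padded like CK_TOKEN_INFO.
SAMPLE_TOKENS = [
    {"info": {"label": "test-sign-key".ljust(32), "manufacturer": "example".ljust(32),
              "model": "kms".ljust(16), "serial": "0001".ljust(16)},
     "objects": [
         {"type": "cert", "label": "test-sign-key", "id": b"\x01"},
         {"type": "public", "label": "test-sign-key", "id": b"\x01"},
         {"type": "private", "label": "test-sign-key", "id": b"\x01"},
     ]},
    {"info": {"label": "other token".ljust(32), "manufacturer": "example".ljust(32),
              "model": "kms".ljust(16), "serial": "0002".ljust(16)},
     "objects": [{"type": "cert", "label": "other", "id": b"\x02"}]},
]

if __name__ == "__main__":
    # Equivalent of a --list-certs lookup restricted to one token.
    for obj in list_objects("pkcs11:token=test-sign-key;type=cert", SAMPLE_TOKENS):
        print(obj["type"], obj["label"], obj["id"].hex())
```

The filter semantics mirror RFC 7512: an attribute absent from the URI matches anything, so pkcs11:token=test-sign-key alone returns every object on that token, while adding type=cert narrows the result to the certificate. Percent-encoded values (a label with a space, a binary id) are decoded before comparison.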

ozbenh commented 2 years ago

GnuTLS bug: https://gitlab.com/gnutls/gnutls/-/issues/1340