JackOfMostTrades / aws-kms-pkcs11

PKCS#11 Provider Using AWS KMS
MIT License

When using remotely via p11-kit "server", keys aren't found #17

Closed ozbenh closed 2 years ago

ozbenh commented 2 years ago

This is a slightly convoluted scenario (but I need it to use this from a chroot). Dumping the data here, I will try to debug later

1) Don't enable it in p11-kit (i.e., take aws-kms-pkcs11.module out of /usr/share/p11-kit/modules or /etc/pkcs11/modules)

2) Setup a server:

p11-kit server --provider /usr/lib64/pkcs11/aws_kms_pkcs11.so pkcs11:token=test-sign-key -f

(I use -f to easily ctrl-C)

Copy somewhere the output P11_KIT_SERVER_ADDRESS

3) Set up a client in .config/pkcs11/modules/p11-kit-client.module as follows

module: /usr/lib64/pkcs11/p11-kit-client.so

4) paste the P11_KIT_SERVER_ADDRESS

From this point p11-kit should use the client token which talks to the server which talks to aws-kms-pkcs11:

$ p11tool --list-all pkcs11:token=test-sign-key
Object 0:
    URL: pkcs11:token=test-sign-key;id=%61%6C%69%61%73%2F%74%65%73%74%2D%73%69%67%6E%2D%6B%65%79;object=test-sign-key;type=cert
    Type: X.509 Certificate
    Label: test-sign-key
    ID: 61:6c:69:61:73:2f:74:65:73:74:2d:73:69:67:6e:2d:6b:65:79

$ p11tool --list-keys pkcs11:token=test-sign-key
No matching objects found
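The four steps above as a script, added here as an illustration and not code from the issue author or the aws-kms-pkcs11 project. It assumes that `p11-kit server` prints its address as shell-style `P11_KIT_SERVER_ADDRESS=...; export P11_KIT_SERVER_ADDRESS;` lines (the sample output below is constructed, not captured), that the client module file goes where the post puts it, and it decodes the `id=` attribute of the certificate URI shown above to make the relationship between the object id and the label visible. Nothing in it needs p11-kit or AWS to run.

```shell
#!/usr/bin/env bash
# Added example, not part of the aws-kms-pkcs11 project or this issue.
# Assumptions: "p11-kit server" prints "NAME=value; export NAME;" lines, and the
# client module file is ~/.config/pkcs11/modules/p11-kit-client.module.
set -eu

# Constructed sample of what "p11-kit server ... -f" prints on start (step 2).
SAMPLE_SERVER_OUTPUT='P11_KIT_SERVER_ADDRESS=unix:path=/run/user/1000/p11-kit/pkcs11-4242; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=4242; export P11_KIT_SERVER_PID;'

# The certificate URL from the p11tool listing in the issue.
SAMPLE_URI='pkcs11:token=test-sign-key;id=%61%6C%69%61%73%2F%74%65%73%74%2D%73%69%67%6E%2D%6B%65%79;object=test-sign-key;type=cert'

# Step 2/4: extract the bare address (no "export", no trailing ';') from the server output.
server_address_from_output() {
    printf '%s\n' "$1" | sed -n 's/^P11_KIT_SERVER_ADDRESS=\([^;]*\);.*/\1/p'
}

# Step 3: write the p11-kit-client.module file into the modules directory $1; prints its path.
write_client_module() {
    mkdir -p "$1"
    printf 'module: /usr/lib64/pkcs11/p11-kit-client.so\n' > "$1/p11-kit-client.module"
    printf '%s\n' "$1/p11-kit-client.module"
}

# Percent-decode one PKCS#11 URI attribute value (RFC 7512 %XX escapes).
# Uses octal printf escapes so it works in both sh and bash; a trailing newline
# byte (%0A) would be dropped by the command substitution, which is fine for ids.
percent_decode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}          # the two hex digits
                out=$out$(printf "\\$(printf '%03o' "$((0x$hex))")")
                s=${s#???} ;;
            *)
                out=$out${s%"${s#?}"}; s=${s#?} ;;          # copy one literal char
        esac
    done
    printf '%s' "$out"
}

# Print the decoded value of attribute $2 (e.g. id, object, token) from PKCS#11 URI $1.
pkcs11_uri_attr() {
    rest=${1#pkcs11:}
    old_ifs=$IFS; IFS=';'
    for kv in $rest; do
        case $kv in
            "$2="*) IFS=$old_ifs; percent_decode "${kv#*=}"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Demo on the constructed data only; the real run replaces SAMPLE_SERVER_OUTPUT with
# the output of: p11-kit server --provider /usr/lib64/pkcs11/aws_kms_pkcs11.so pkcs11:token=test-sign-key -f
addr=$(server_address_from_output "$SAMPLE_SERVER_OUTPUT")
export P11_KIT_SERVER_ADDRESS=$addr                     # step 4: hand the address to the client
demo_dir=$(mktemp -d)                                   # real location: ~/.config/pkcs11/modules
cfg=$(write_client_module "$demo_dir")
echo "client module: $cfg"
echo "server address: $P11_KIT_SERVER_ADDRESS"
echo "cert id decodes to: $(pkcs11_uri_attr "$SAMPLE_URI" id)"   # alias/test-sign-key
rm -rf "$demo_dir"
```

The decoded `id` is `alias/test-sign-key`, the KMS alias, which is why the listing shows the same name as label and object while the `id` looks opaque; the key object, if the token exposed one through the client, would carry the same id, so this is the attribute to compare when the certificate is found and the key is not.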

ozbenh commented 2 years ago

I think this is the problem: https://gitlab.com/gnutls/gnutls/-/issues/1340. I'll try a fix later in gnutls. We might need to add an option to our plugin to create a dummy second priv. key as a workaround.

ozbenh commented 2 years ago

With the above, it seems to work now. Closing.