Closed ozbenh closed 2 years ago
I think this is the problem: https://gitlab.com/gnutls/gnutls/-/issues/1340, I'll try a fix later in gnutls. We might need to add an option to our plugin to create a dummy second priv. key as a workaround.
With the above, it seems to work now. Closing.
This is a slightly convoluted scenario (but I need it in order to use this from a chroot). Dumping the data here, I will try to debug later.
1) Don't enable it in p11-kit (i.e., take aws-kms-pkcs11.module out of /usr/share/p11-kit/modules or /etc/pkcs11/modules).
2) Set up a server:
p11-kit server --provider /usr/lib64/pkcs11/aws_kms_pkcs11.so pkcs11:token=test-sign-key -f
(I use -f to easily ctrl-C)
Copy the P11_KIT_SERVER_ADDRESS output somewhere.
3) Set up a client in .config/pkcs11/modules/p11-kit-client.module as follows:
module: /usr/lib64/pkcs11/p11-kit-client.so
4) Paste the P11_KIT_SERVER_ADDRESS.
From this point on, p11-kit should use the client token, which talks to the server, which talks to aws-kms-pkcs11:
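The server/client setup in the steps above, scripted end to end, as an added example that is not part of the issue and not code from the aws-kms-pkcs11 project. It captures P11_KIT_SERVER_ADDRESS without blindly eval'ing text, writes the per-user p11-kit-client.module, and, when p11-kit and the provider are present, starts the server and lists tokens through the client. The library paths are taken from the commands above and are assumptions; the server output sample is constructed so the parsing can be exercised offline; the socket path it derives is the file that has to be visible (for example bind-mounted) inside the chroot that runs the client, because the client reaches the server only through that unix socket.

```shell
#!/bin/sh
# Added example (not from the issue or from aws-kms-pkcs11): wire a p11-kit
# client module to a `p11-kit server` fronting the aws-kms-pkcs11 provider.
set -eu

# Assumed paths, copied from the commands in the comment above.
PROVIDER=/usr/lib64/pkcs11/aws_kms_pkcs11.so
CLIENT_SO=/usr/lib64/pkcs11/p11-kit-client.so
TOKEN_URI='pkcs11:token=test-sign-key'

# `p11-kit server` prints shell-evaluable assignments. This is a constructed
# sample of that output so the parsing below can be checked without p11-kit.
SAMPLE_SERVER_OUTPUT='P11_KIT_SERVER_ADDRESS=unix:path=/run/user/1000/p11-kit/pkcs11-4242; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=4242; export P11_KIT_SERVER_PID;'

# Extract only the address value from server output ($1), without eval.
parse_server_address() {
  printf '%s\n' "$1" | sed -n 's/^P11_KIT_SERVER_ADDRESS=\([^;]*\);.*/\1/p' | head -n 1
}

# For a unix:path=... address, print the socket path. That file must exist
# inside the chroot (bind-mount its directory) or the client cannot connect.
socket_path_of() {
  printf '%s\n' "$1" | sed -n 's/^unix:path=//p'
}

# Write the user-level client module config: $1 = module dir, $2 = client .so.
# Prints the path of the file written.
write_client_module() {
  mkdir -p "$1"
  printf 'module: %s\n' "$2" > "$1/p11-kit-client.module"
  printf '%s\n' "$1/p11-kit-client.module"
}

# Return 0 if config file $1 points at module $2 as a whole line, else 1.
check_client_module() {
  grep -qx "module: $2" "$1"
}

# Live run, only when the tooling and provider are actually installed.
if command -v p11-kit >/dev/null 2>&1 && [ -r "$PROVIDER" ]; then
  # Without -f the server daemonizes and prints the exports for this shell.
  eval "$(p11-kit server --provider "$PROVIDER" "$TOKEN_URI")"
  echo "server at $P11_KIT_SERVER_ADDRESS (pid $P11_KIT_SERVER_PID)"
  echo "socket to expose inside the chroot: $(socket_path_of "$P11_KIT_SERVER_ADDRESS")"
  cfg=$(write_client_module "$HOME/.config/pkcs11/modules" "$CLIENT_SO")
  check_client_module "$cfg" "$CLIENT_SO" && echo "wrote $cfg"
  # Client-side check; run the same command inside the chroot with
  # P11_KIT_SERVER_ADDRESS exported there to confirm the token is reachable.
  p11tool --provider "$CLIENT_SO" --list-tokens
fi
```

Stop the server afterwards with `kill "$P11_KIT_SERVER_PID"`; the address is per-process and the module file written here keeps pointing at the client library, so each new server only needs the new P11_KIT_SERVER_ADDRESS exported in the client's environment.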