Closed: pcolmer closed this 2 weeks ago
I think those warnings are expected; I hadn't tested with pkcs11-tools specifically, but the module implements the bare minimum that's needed to support signing operations with PKCS#11-aware tools, and so there are a bunch of attributes that weren't implemented.

Where you put the `aws-kms-pkcs11.x864_64.so` file and whether `PKCS11_MODULE_PATH` is respected will probably depend on the tool (and even the distro), but on Ubuntu at least, putting it in `/usr/lib/x86_64-linux-gnu/pkcs11/` has worked for me.
I'm experimenting with the possibility of using KMS to store certificates generated by a firmware code signing tool, and then using `aws-kms-pkcs11` as the bridge between the code signing tool and KMS, so that I don't have to keep the certificates on the filing system. I've managed to import the keys into KMS and I've created a `config.json` file for `aws-kms-pkcs11` that lists the different keys and IDs.

If I run `pkcs11-tool --module /home/ec2-user/aws_kms_pkcs11.x86_64.so -I --list-objects --pin 123456`, I get this output:

Are those warnings to be expected?

Where should I be placing `aws-kms-pkcs11.x864_64.so` so that PKCS#11 URIs work? Does it matter, so long as I define `PKCS11_MODULE_PATH`, or is that dependent on the PKCS#11 library being used by the tool?

Many thanks