RFE: Use RFC7512 PKCS#11 URI about aws_hmac HOT 6 OPEN

You're right, i'll look into this shortly and reusue that code that understand and URI format.

i'll also see if i can adapt a sample so its more generic (eg for psanford/awsv4signer)

@psanford

fyi, go-tpm and go-tpm-tools needs to support hmac import and even use

google/go-tpm-tools#317

thanks!

from aws_hmac.

i'll have to update the the go-jwt issuer for pkcs as well

https://github.com/salrashid123/golang-jwt-pkcs11

from aws_hmac.

this repo uses low-level github.com/miekg/pkcs11 constructs and its not easy to account for and appropriately inject values if given just the URI. closing this but will entertain if upstream miekg/pkcs11 supports interprting the uri on its own

from aws_hmac.

The code at https://github.com/stefanberger/go-pkcs11uri wraps around the miekg/pkcs11 code and provides the necessary URI parsing support.

Matching a PKCS#11 token given a URI, or generating a FindObjects template from a URI, is then fairly simple; examples in the matchSlots() and getFindTemplate() functions in https://github.com/dwmw2/rolesanywhere-credential-helper/blob/pkcs11/aws_signing_helper/pkcs11_signer.go

from aws_hmac.

I do agree it would be better if the underlying modules made it easy for applications to get this right. Filed miekg/pkcs11#170

from aws_hmac.

i'll reopen this and await the upstream changes (which would address using the uri much easier for everyone and give near automatic support)

also noticed the issue for the thales library (which i also use elsewhere):
ThalesGroup/crypto11#104

from aws_hmac.