
PKCS#11 Forwarding: Clarifying Client and Server Confusion

Çağlar Arlı


I am trying to follow this tutorial https://p11-glue.github.io/p11-glue/p11-kit/manual/remoting.html, but there are many points that confuse me.

  • Which side is the PKCS#11 server?

It says "Setting up the PKCS#11 forwarding server on a local client". So I understand that my local machine plays the role of the p11 server, which directly connects to the smart card (in the later setup I use SoftHSM as a smart card). They mention P11_KIT_SERVER_ADDRESS, but the command is executed on the "local client", which is confusing.

  • Which side is the PKCS#11 client?

In the sections "Preparing the remote system for PKCS#11 socket forwarding" and "Forwarding the PKCS#11 socket", they locate the user runtime directory, but one of them is done over "ssh". So I thought the runtime directory was on the remote system. (They also use the terms remote server or remote host.)

Below I describe step by step what I have done in 2 containers, A as my local machine and B as a remote host. I use SoftHSM as a simulated smart card. On local machine A:

$ p11tool --list-tokens
Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
    Flags: uPIN uninitialized
    Manufacturer: PKCS#11 Kit
    Model: p11-kit-trust
    Serial: 1
    Module: p11-kit-trust.so


Token 1:
    URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=d1472478b9829554;token=mimi
    Label: mimi
    Type: Generic token
    Flags: RNG, Requires login
    Manufacturer: SoftHSM project
    Model: SoftHSM v2
    Serial: d1472478b9829554
    Module: /usr/local/lib/softhsm/libsofthsm2.so

So there are 2 tokens available on machine A. I also need to create the runtime dir on the local host; otherwise it shows an error when I run p11-kit server --provider ...

export XDG_RUNTIME_DIR=/tmp/$(id -u)-today
mkdir -p $XDG_RUNTIME_DIR
chmod 700 $XDG_RUNTIME_DIR
p11-kit server --provider /usr/local/lib/softhsm/libsofthsm2.so "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01165599c52ea1fe;token=mimi"
P11_KIT_SERVER_ADDRESS=unix:path=/tmp/0-today/p11-kit/pkcs11-73; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=74; export P11_KIT_SERVER_PID;

On remote host B (172.18.0.3):

root@1de661b77dbd:~# export XDG_RUNTIME_DIR=/tmp/$(id -u)-nginx
root@1de661b77dbd:~# mkdir -p $XDG_RUNTIME_DIR && chmod 700 $XDG_RUNTIME_DIR
root@1de661b77dbd:~# systemd-path user-runtime
/tmp/0-nginx
root@1de661b77dbd:~# systemctl enable p11-kit-client.service
Failed to enable unit, unit p11-kit-client.service does not exist.
root@1de661b77dbd:~# systemctl list-unit-files | grep p11
p11-kit-client.service                 enabled  enabled
root@1de661b77dbd:~# mkdir /tmp/0-nginx/p11-kit

I tried to ssh from A to machine B with ssh -R /tmp/0-nginx/p11-kit/pkcs11:${P11_KIT_SERVER_ADDRESS#*=} root@172.18.0.3 but got a warning, so I needed to create /tmp/0-nginx/p11-kit on B; then the warning was gone. From machine A:

root@b1d0c05c4ec6:~# ssh -R /tmp/0-nginx/p11-kit/pkcs11:${P11_KIT_SERVER_ADDRESS#*=} root@172.18.0.3

and then

root@1de661b77dbd:~# ls -l /tmp/0-nginx/p11-kit/pkcs11
srw------- 1 root root 0 Oct 17 10:56 /tmp/0-nginx/p11-kit/pkcs11
root@1de661b77dbd:~# p11tool --provider /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so --list-tokens
root@1de661b77dbd:~# p11tool --provider /usr/local/lib/pkcs11/p11-kit-client.so --list-tokens

=> No token shows up with p11-kit-client.so on the remote machine.

Did I make a mistake in any of the steps? Why are no tokens showing up on the remote machine when using p11-kit-client.so?
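An added diagnostic helper for the two-machine setup described in this post (example code, not part of the original post and not p11-kit's own tooling): it derives the socket path on each side from P11_KIT_SERVER_ADDRESS and the runtime directory, builds the ssh -R argument, and checks the forwarded socket on the remote side. It assumes that p11-kit-client.so opens the socket named by P11_KIT_SERVER_ADDRESS and otherwise $XDG_RUNTIME_DIR/p11-kit/pkcs11; all function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper functions for checking a p11-kit socket forward.
# Assumption: the client module looks for P11_KIT_SERVER_ADDRESS, or else
# for $XDG_RUNTIME_DIR/p11-kit/pkcs11 on the machine that loads it.

# Socket path on the side running `p11-kit server` (machine A): strip the
# "unix:path=" prefix, as the tutorial's ${P11_KIT_SERVER_ADDRESS#*=} does.
p11_server_socket_path() {
    addr="${1:-$P11_KIT_SERVER_ADDRESS}"
    case "$addr" in
        unix:path=*) printf '%s\n' "${addr#unix:path=}" ;;
        *) echo "unexpected address format: $addr" >&2; return 1 ;;
    esac
}

# Path the client module will open on machine B: $1 is B's runtime dir
# (what `systemd-path user-runtime` printed there), $2 an optional explicit
# P11_KIT_SERVER_ADDRESS exported on B.
p11_client_socket_path() {
    if [ -n "$2" ]; then p11_server_socket_path "$2"
    else printf '%s/p11-kit/pkcs11\n' "$1"
    fi
}

# The ssh -R argument tying both sides together: the remote socket path on
# B, bound to the local server socket on A ($1 = B's runtime dir,
# $2 = A's P11_KIT_SERVER_ADDRESS).
p11_ssh_forward_arg() {
    local_sock=$(p11_server_socket_path "$2") || return 1
    printf '%s:%s\n' "$(p11_client_socket_path "$1")" "$local_sock"
}

# Check the forwarded socket on B: the directory must exist before ssh -R
# (the warning in the post), the path must be a socket, and the runtime
# directory must be private (mode 700, as both the post and tutorial set).
p11_check_socket() {
    sock="$1"
    dir=$(dirname "$sock")
    [ -d "$dir" ] || { echo "missing directory $dir (create it before ssh -R)" >&2; return 1; }
    [ -S "$sock" ] || { echo "$sock is not a socket (forward not active?)" >&2; return 1; }
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$mode" = "700" ] || { echo "$dir has mode $mode, expected 700" >&2; return 1; }
    echo "ok: $sock"
}
```

On B, `p11_check_socket "$(p11_client_socket_path "$(systemd-path user-runtime)")"` run inside the ssh session tells you whether the path the client module will try is actually the forwarded socket.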