aws
diff --git a/‎Makefile
+36-4 b/‎Makefile
+36-4
diff --git a/‎README.md
+31-2 b/‎README.md
+31-2
diff --git a/‎TODO.pkcs11
+36 b/‎TODO.pkcs11
+36
@@ -1,8 +1,13 @@
-VERSION=1.0.5
+VERSION=1.0.6
 
 release:
 	go build -buildmode=pie -ldflags "-X 'github.com/aws/rolesanywhere-credential-helper/cmd.Version=${VERSION}' -linkmode=external -w -s" -trimpath -o build/bin/aws_signing_helper main.go
 
+# Setting up SoftHSM for PKCS#11 tests. 
+# This portion is largely copied from https://gitlab.com/openconnect/openconnect/-/blob/v9.12/tests/Makefile.am#L363. 
+SHM2_UTIL=SOFTHSM2_CONF=tst/softhsm2.conf.tmp softhsm2-util
+P11TOOL=SOFTHSM2_CONF=tst/softhsm2.conf.tmp p11tool
+
 certsdir=tst/certs
 curdir=$(shell pwd)
 
@@ -13,8 +18,30 @@ ECCERTS := $(foreach digest, sha1 sha256 sha384 sha512, $(patsubst %-key.pem, %-
 RSACERTS := $(foreach digest, md5 sha1 sha256 sha384 sha512, $(patsubst %-key.pem, %-$(digest)-cert.pem, $(RSAKEYS)))
 PKCS12CERTS := $(patsubst %-cert.pem, %.p12, $(RSACERTS) $(ECCERTS))
 
-test: test-certs
-	go test -v ./...
+# It's hard to do a file-based rule for the contents of the SoftHSM token.
+# So just populate it as a side-effect of creating the softhsm2.conf file.
+tst/softhsm2.conf: tst/softhsm2.conf.template $(PKCS8KEYS) $(RSACERTS) $(ECCERTS)
+	rm -rf tst/softhsm/*
+	sed 's|@top_srcdir@|${curdir}|g' $< > $@.tmp
+	$(SHM2_UTIL) --show-slots
+	$(SHM2_UTIL) --init-token --free --label credential-helper-test \
+		--so-pin 12345678 --pin 1234
+
+	$(SHM2_UTIL) --token credential-helper-test --pin 1234 \
+		--import $(certsdir)/rsa-2048-key-pkcs8.pem --label RSA --id 01
+	$(P11TOOL) --load-certificate $(certsdir)/rsa-2048-sha256-cert.pem \
+		--no-mark-private --label RSA --id 01 --set-pin 1234 --login \
+		--write "pkcs11:token=credential-helper-test;pin-value=1234"
+
+	$(SHM2_UTIL) --token credential-helper-test --pin 1234 \
+		--import $(certsdir)/ec-prime256v1-key-pkcs8.pem --label EC --id 02
+	$(P11TOOL) --load-certificate $(certsdir)/ec-prime256v1-sha256-cert.pem \
+		--no-mark-private --label EC --id 02 --set-pin 1234 --login \
+		--write "pkcs11:token=credential-helper-test;pin-value=1234"
+	mv $@.tmp $@
+
+test: test-certs tst/softhsm2.conf
+	SOFTHSM2_CONF=$(curdir)/tst/softhsm2.conf go test -v ./...
 
 %-md5-cert.pem: %-key.pem
 	SUBJ=$$(echo "$@" | sed -r 's|.*/([^/]+)-cert.pem|\1|'); \
@@ -43,6 +70,8 @@ test: test-certs
 		-keypbe pbeWithSHA1And3-KeyTripleDES-CBC \
 		-inkey $${KEY} -out "$@" -in $${CERT}
 
+# And once again, it's hard to do a file-based rule for the contents of the certificate store. 
+# So just populate it as a side-effect of creating the p12 file.
 %-pass.p12: %-cert.pem
 	echo Creating $@...
 	ls -l $<
@@ -66,11 +95,14 @@ $(ECKEYS):
 $(certsdir)/cert-bundle.pem: $(RSACERTS) $(ECCERTS)
 	cat $^ > $@
 
-test-certs: $(PKCS8KEYS) $(RSAKEYS) $(ECKEYS) $(RSACERTS) $(ECCERTS) $(PKCS12CERTS) $(certsdir)/cert-bundle.pem 
+test-certs: $(PKCS8KEYS) $(RSAKEYS) $(ECKEYS) $(RSACERTS) $(ECCERTS) $(PKCS12CERTS) $(certsdir)/cert-bundle.pem tst/softhsm2.conf
 
+# TODO: Need to clean certificates and keys added to certificate store as well
 test-clean:
 	rm -f $(RSAKEYS) $(ECKEYS)
 	rm -f $(PKCS8KEYS)
 	rm -f $(RSACERTS) $(ECCERTS)
 	rm -f $(PKCS12CERTS)
 	rm -f $(certsdir)/cert-bundle.pem
+	rm -f tst/softhsm2.conf
+	rm -rf tst/softhsm/*
@@ -36,9 +36,9 @@ The project also comes with two bash scripts at its root, called `generate-certs
 
 ### read-certificate-data
 
-Reads a certificate that is on disk. Either the path to the certificate on disk is provided with the `--certificate` parameter, or the `--cert-selector` flag is provided to select a certificate within an OS certificate store. Further details about the flag are provided below.
+Reads a certificate. Either the path to the certificate on disk or PKCS#11 URI to identify the certificate is provided with the `--certificate` parameter, or the `--cert-selector` flag is provided to select a certificate within an OS certificate store. Further details about the `--cert-selector` flag are provided below.
 
-If there are multiple certificates that match a given `--cert-selector`, information about each of them is printed. 
+If there are multiple certificates that match a given `--cert-selector` or PKCS#11 URI (as specified through the `--certificate` parameter), information about each of them is printed. For PKCS#11, URIs for each matched certificate is also printed in the hopes that it will be useful in uniquely identifying a certificate. 
 
 #### cert-selector flag
 
@@ -129,6 +129,35 @@ The above command will import the PFX file into the user's "MY" certificate stor
 
 Also note that the above step can be done through a [Powershell cmdlet](https://learn.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate?view=windowsserver2022-ps) or through [Windows CNG/Cryptography APIs](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-pfximportcertstore).
 
+#### PKCS#11 Integration
+
+As you should expect from all applications which use keys and certificates, you can simply give a
+[PKCS#11 URI](https://datatracker.ietf.org/doc/html/rfc7512) in place of a filename in order to
+use certificates and/or keys from hardware or software PKCS#11 tokens / HSMs. A hybrid mode
+using a certificate from a file but only the key in PKCS#11 is also supported. Some examples:
+
+  * `--certificate 'pkcs11:manufacturer=piv_II;id=%01'`
+  * `--certificate 'pkcs11:object=My%20RA%20key'`
+  * `--certificate client-cert.pem --private-key 'pkcs11:model=SoftHSM%20v2;object=My%20RA%20key'`
+
+Some documentation which may assist with finding the correct URI for
+your key can be found [here](https://www.infradead.org/openconnect/pkcs11.html).
+
+Most Linux and similar *nix systems use
+[p11-kit](https://p11-glue.github.io/p11-glue/p11-kit/manual/config.html)
+to provide consistent system-wide and per-user configuration of
+available PKCS#11 providers. Any properly packaged provider module
+will register itself with p11-kit and will be automatically visible
+through the `p11-kit-proxy.so` provider which is used by default.
+
+If you have a poorly packaged provider module from a vendor, then
+after you have filed a bug you can manually create a p11-kit [module
+file](https://p11-glue.github.io/p11-glue/p11-kit/manual/pkcs11-conf.html)
+for it.
+
+For systems or containers which lack p11-kit, a specific PKCS#11
+provider library can be specified using the `--pkcs11-lib` parameter.
+
 ### update
 
 Updates temporary credentials in the [credential file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Parameters for this command include those for the `credential-process` command, as well as `--profile`, which specifies the named profile for which credentials should be updated (if the profile doesn't already exist, it will be created), and `--once`, which specifies that credentials should be updated only once. Both arguments are optional. If `--profile` isn't specified, the default profile will have its credentials updated, and if `--once` isn't specified, credentials will be continuously updated. In this case, credentials will be updated through a call to `CreateSession` five minutes before the previous set of credentials are set to expire. Please note that running the `update` command multiple times, creating multiple processes, may not work as intended. There may be issues with concurrent writes to the credentials file.
 
@@ -0,0 +1,36 @@
+
+
+
+TODO for PKCS#11 support
+
+ • Clean up the support for entering PIN interactively, perhaps add URI
+   pin-source= support
+
+ • Automated testing, perhaps by pulling in the prepopulated SoftHSM tokens
+   used for openconnect testing. I've manually tested those and Yubikey PIV
+   URIs including the following as --private-key arguments:
+    • pkcs11:token=openconnect-test;object=RSA;pin-value=1234
+    • pkcs11:token=openconnect-test;object=EC;pin-value=1234
+   Repeat those as --certificate in order to test cert to key matching.
+   Repeat (as both key and cert arguments) with openconnect-test[123] tokens
+   which are torture tests for various things seen in the wild (no pubkey,
+   having to log in to the token, and tokens lacking CKF_LOGIN_REQUIRED).
+
+   My Yubikey is old and doesn't have EC support, but it's useful for testing
+   the CKA_ALWAYS_AUTHENTICATE support (on the Digital Signature key) and the
+   matching by CKA_ID when CKA_LABEL doesn't match. So (assuming you provision
+   the slot) this should work as both --private-key and --certificate:
+    • pkcs11:manufacturer=piv_II;id=%02;pin-value=123456
+   And this should work as --certificate, correctly finding the key:
+    • pkcs11:manufacturer=piv_II;object=Certificate%20for%20Digital%20Signature?pin-value=123456
+
+   Check the output by using 'openssl dgst -verify', for example:
+
+ $ build/bin/aws_signing_helper sign-string --certificate pkcs11:token=openconnect-test\;object=RSA?pin-value=1234 <<< Test | xxd -r -ps > testsig
+ $ openssl dgst -sha256 -engine pkcs11 -keyform engine -verify 'pkcs11:token=openconnect-test;object=RSA?pin-value=1234' -signature testsig  <<< Test
+
+
+References:
+  http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#rfc.section.8
+  https://datatracker.ietf.org/doc/html/rfc7512
+  https://gitlab.com/openconnect/openconnect/-/blob/v9.12/openssl-pkcs11.c