TODO.pkcs11

TODO for PKCS#11 support

 • Clean up the support for entering PIN interactively, perhaps add URI
   pin-source= support

 • Automated testing, perhaps by pulling in the prepopulated SoftHSM tokens
   used for openconnect testing. I've manually tested those and Yubikey PIV
   URIs including the following as --private-key arguments:
    • pkcs11:token=openconnect-test;object=RSA;pin-value=1234
    • pkcs11:token=openconnect-test;object=EC;pin-value=1234
   Repeat those as --certificate in order to test cert to key matching.
   Repeat (as both key and cert arguments) with openconnect-test[123] tokens
   which are torture tests for various things seen in the wild (no pubkey,
   having to log in to the token, and tokens lacking CKF_LOGIN_REQUIRED).

   My Yubikey is old and doesn't have EC support, but it's useful for testing
   the CKA_ALWAYS_AUTHENTICATE support (on the Digital Signature key) and the
   matching by CKA_ID when CKA_LABEL doesn't match. So (assuming you provision
   the slot) this should work as both --private-key and --certificate:
    • pkcs11:manufacturer=piv_II;id=%02;pin-value=123456
   And this should work as --certificate, correctly finding the key:
    • pkcs11:manufacturer=piv_II;object=Certificate%20for%20Digital%20Signature?pin-value=123456

   Check the output by using 'openssl dgst -verify', for example:

 $ build/bin/aws_signing_helper sign-string --certificate pkcs11:token=openconnect-test\;object=RSA?pin-value=1234 <<< Test | xxd -r -ps > testsig
 $ openssl dgst -sha256 -engine pkcs11 -keyform engine -verify 'pkcs11:token=openconnect-test;object=RSA?pin-value=1234' -signature testsig  <<< Test


References:
  http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#rfc.section.8
  https://datatracker.ietf.org/doc/html/rfc7512
  https://gitlab.com/openconnect/openconnect/-/blob/v9.12/openssl-pkcs11.c