p11-kit remoting strips unknown mechanisms #668

Open
Jakuje opened this issue Jan 22, 2025 · 2 comments

Jakuje (Contributor) commented Jan 22, 2025

The p11-kit remoting removes unknown algorithms from the list of supported algorithms from the underlying pkcs11-module.

This bit me while trying to use the CKM_EDDSA mechanism through a p11-kit client/server connection. The difference between the listings of mechanisms on the token looks like this:

--- /tmp/softhsm.mechs	2025-01-22 17:14:42.050733701 +0100
+++ /tmp/p11-kit.mechs	2025-01-22 17:14:42.050733701 +0100
@@ -1,29 +1,21 @@
-pkcs11-tool -M --login --pin=1234 --module=$LIBSOFTHSM_PATH
+pkcs11-tool -M --login --pin=1234 --module=$P11_KIT_CLIENT
 Supported mechanisms:
   AES-CBC, keySize={16,32}, encrypt, decrypt, wrap
-  AES-CBC-ENCRYPT-DATA, derive
   AES-CBC-PAD, keySize={16,32}, encrypt, decrypt
   AES-CMAC, keySize={16,32}, sign, verify
   AES-CTR, keySize={16,32}, encrypt, decrypt
   AES-ECB, keySize={16,32}, encrypt, decrypt
-  AES-ECB-ENCRYPT-DATA, derive
   AES-GCM, keySize={16,32}, encrypt, decrypt
   AES-KEY-GEN, keySize={16,32}, generate
-  AES-KEY-WRAP, keySize={16,2147483648}, wrap, unwrap
-  AES-KEY-WRAP-PAD, keySize={1,2147483648}, wrap, unwrap
   DES2-KEY-GEN, generate
   DES3-CBC, encrypt, decrypt, wrap
-  DES3-CBC-ENCRYPT-DATA, derive
   DES3-CBC-PAD, encrypt, decrypt
   DES3-CMAC, sign, verify
   DES3-ECB, encrypt, decrypt
-  DES3-ECB-ENCRYPT-DATA, derive
   DES3-KEY-GEN, generate
   DES-CBC, encrypt, decrypt, wrap
-  DES-CBC-ENCRYPT-DATA, derive
   DES-CBC-PAD, encrypt, decrypt, wrap
   DES-ECB, encrypt, decrypt, wrap
-  DES-ECB-ENCRYPT-DATA, derive
   DES-KEY-GEN, generate
   DH-PKCS-DERIVE, keySize={512,10000}, derive
   DH-PKCS-KEY-PAIR-GEN, keySize={512,10000}, generate_key_pair
@@ -32,15 +24,9 @@
   DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
   DSA-PARAMETER-GEN, keySize={512,1024}, generate
   DSA-SHA1, keySize={512,1024}, sign, verify
-  DSA-SHA224, keySize={512,1024}, sign, verify
-  DSA-SHA256, keySize={512,1024}, sign, verify
-  DSA-SHA384, keySize={512,1024}, sign, verify
-  DSA-SHA512, keySize={512,1024}, sign, verify
   ECDH1-DERIVE, keySize={112,521}, derive
   ECDSA, keySize={112,521}, sign, verify, EC F_P, EC OID, EC uncompressed
-  EC-EDWARDS-KEY-PAIR-GEN, keySize={256,456}, generate_key_pair
   ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, EC F_P, EC OID, EC uncompressed
-  EDDSA, keySize={256,456}, sign, verify
   GENERIC-SECRET-KEY-GEN, keySize={1,2147483648}, generate
   MD5, digest
   MD5-HMAC, keySize={16,512}, sign, verify

I think the p11-kit remote should proxy all the mechanisms as they are instead of doing some selection on them.

ueno (Member) commented Jan 23, 2025

That's intentional; without knowing the mechanism, we can't determine the size of parameters to be serialized on the RPC protocol, but we are open to adding any specific mechanisms with known sizes of the parameters. In the meantime, you want to support CKM_EDDSA, right?
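
An illustration of the filtering described in the comment above, added here as an example and not taken from p11-kit's source or from anyone in this thread: a proxy that advertises only the mechanisms whose parameter layout it knows how to encode. The allowlist contents and the names `is_serializable`, `filter_mechanisms` and `demo_filtered_count` are assumptions made for the example; the `CKM_*` values are the standard PKCS #11 constants.

```c
#include <stddef.h>
#include <stdio.h>

/* Mechanism type values as defined in the PKCS #11 headers. */
#define CKM_ECDSA                   0x00001041UL
#define CKM_EC_EDWARDS_KEY_PAIR_GEN 0x00001055UL
#define CKM_EDDSA                   0x00001057UL
#define CKM_AES_CBC                 0x00001082UL
#define CKM_AES_GCM                 0x00001087UL
#define CKM_AES_KEY_WRAP            0x00002109UL

/* Hypothetical allowlist: mechanisms whose parameter layout the RPC
 * layer knows how to encode. Constructed for this example. */
static const unsigned long serializable[] = {
    CKM_ECDSA,    /* no parameter */
    CKM_AES_CBC,  /* parameter is a 16-byte IV */
    CKM_AES_GCM,  /* parameter is a struct holding pointers to IV and AAD */
};
#define N_SERIALIZABLE (sizeof serializable / sizeof serializable[0])

/* Returns 1 if the proxy could put this mechanism's parameter on the wire. */
int is_serializable(unsigned long mech) {
    for (size_t i = 0; i < N_SERIALIZABLE; i++)
        if (serializable[i] == mech)
            return 1;
    return 0;
}

/* Compacts list[] in place, keeping order, and returns the new count:
 * what a client would then see when it lists mechanisms. */
size_t filter_mechanisms(unsigned long *list, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (is_serializable(list[i]))
            list[kept++] = list[i];
    return kept;
}

/* Constructed token mechanism list, run through the filter. */
size_t demo_filtered_count(void) {
    unsigned long token[] = { CKM_AES_CBC, CKM_AES_GCM, CKM_AES_KEY_WRAP,
                              CKM_ECDSA, CKM_EC_EDWARDS_KEY_PAIR_GEN, CKM_EDDSA };
    return filter_mechanisms(token, sizeof token / sizeof token[0]);
}

int main(void) {
    printf("client sees %zu of 6 mechanisms\n", demo_filtered_count());
    return 0;
}
```
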

Jakuje (Contributor, Author) commented Jan 23, 2025

Yes. The EDDSA is the one I needed. But I removed the p11-kit from the chain so there is no immediate need for it now.

Given that the EDDSA is supported in the other parts of the code and defines are in place, I would expect it to work also for this, but this was likely a bad expectation:

https://github.com/search?q=repo%3Ap11-glue%2Fp11-kit%20CKM_EDDSA&type=code
