This PR makes the following changes:

1. When creating a new private key object, a new certificate object, or setting a certificate on an existing private key object, populate the CKA_PUBLIC_KEY_INFO attribute with the respective public key value.

2. Include the following attributes and values when creating a private key object:

   • CKA_TOKEN (true)
   • CKA_SENSITIVE (true)
   • CKA_ALWAYS_SENSITIVE (true)
   • CKA_NEVER_EXTRACTABLE (true)
   • CKA_ALWAYS_AUTHENTICATE (false)
   • CKA_UNWRAP (false, not implemented)
   • CKA_DERIVE (false, not implemented)

3. ~Include the SHA1 hash prefix digest algorithm identifier used in RSA-PKCS mechanisms.~

Of the attributes listed in (2), CKA_TOKEN appears to be necessary for some tools to discover private keys associated with certificates, notably NSS. In my testing, I found NSS searches for respective private keys by the CKA_ID of the CKO_CERTIFICATE object and with a CKA_TOKEN attribute set to true.

https://github.com/google/go-p11-kit/pull/20 includes additional context here.

$ cat /usr/share/p11-kit/modules/gop11kit.module 
remote: |/home/gerow/repos/go-p11-kit/bin/example-p11-kit-server --priv /home/gerow/repos/go-p11-kit/example/priv.pem --pub /home/gerow/repos/go-p11-kit/example/pub.pem --cert /home/gerow/repos/go-p11-kit/example/cert.pem --stdio

$ p11tool --list-all
warning: no token URL was provided for this operation; the available tokens are:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example
2022/04/27 16:41:37 Handling over stdio: read request: reading request header: EOF

$ gnutls-cli google.com --app-proto=https --x509keyfile='pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example' --x509certfile='pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example'
Processed 141 CA certificate(s).
2022/04/27 16:42:49 Error with C_GetSessionInfo: CKR_FUNCTION_NOT_SUPPORTED
Token 'example' with URL 'pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example' requires user PIN
Enter PIN: 
2022/04/27 16:42:52 Error with C_Login: CKR_FUNCTION_NOT_SUPPORTED
*** Error loading cert file.
2022/04/27 16:42:52 Handling over stdio: read request: reading request header: EOF

Seems we should just need to add support for C_GetSessionInfo if we want to be able to convince gnutls that we don't need a pin for the token.

This chnage adds an "stdio" flag to the example server in order to support remote p11-kit module entries, which dynamically launch a managed server for clients that support it. This includes clients that use gnutls.

See pkcs11.conf(5) for details on what the remote entry is meant to do.

This is still a WIP as I think gnutls and p11-kit in managed mode still have trouble accessing go-p11-kit remote modules when configured in this manner.

This allows gnutls and p11-kit to properly enumerate objects on example server. This is a bit hacky, just assuming that if we're passing multiple certs and keys that the cert properties are meant to align by index, but it's just an example server, so we can probably take some liberties.

Fixes #21.

C_GetAttributeValue should return CKR_ATTRIBUTE_TYPE_INVALID in the case that one or more of the attributes requested aren't valid for the given object, so this fixes that.

When using gnutls this actually manifests as a segfault, as it assumes in the CKR_OK case that all the returned buffers are valid, but p11-kit "helpfully" sets the "length" value for invalid buffers to -1, which gnutls interprets as a uint, which means it tries to read a very large amount of memory before eventually failing.

Addresses part of #21.

PKCS11 use raw R, S value as signature, crypto.Signer.Sign return the DER encoded R, S sequence. Convert DER sequence to raw R, S and pad to same length. http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.html#_Toc399398879