Correct way to conduct private key operation from PKCS11 for mTLS connection in Go


I have successfully imported the private key into the PKCS11 token. The token object looks like this:

Private Key Object; RSA 
  label:      #####
  ID:         #####
  Usage:      decrypt, sign, unwrap
  Access:     sensitive
Public Key Object; RSA 2048 bits
  label:      #####
  ID:         #####
  Usage:      encrypt, verify, wrap
  Access:     none

I learned that CKA_VALUE usually cannot be extracted, and I would like to know the correct procedure for creating an mTLS connection using a PKCS#11 private key and certificate.


1 answer

VonC

I learned that CKA_VALUE usually could not be extracted

Just in case, check out ThalesIgnite/crypto11 exportDSAPublicKey() which does export pkcs11.Attribute, including pkcs11.CKA_VALUE, using the public key.
(CKA_VALUE is one of the ECDSA private key objects)

For mTLS, check if miekg/pkcs11 can help (not tested).
It can at least help create a tlsConfig based on private key and certificate.

tlsConfig := &tls.Config{
    Certificates: []tls.Certificate{
        {
            // Must implement crypto.Signer: a signer that calls C_Sign on the
            // token (crypto11 provides one) works, a raw object handle does not.
            PrivateKey: privateKey,
            // The field is Certificate, not Cert: the DER-encoded chain, leaf first.
            Certificate: [][]byte{cert},
        },
    },
}

Those should be extracted from your pkcs11 file:

findOne := func(template []*pkcs11.Attribute) pkcs11.ObjectHandle { // first object matching template
    if err := p.FindObjectsInit(session, template); err != nil {
        panic(err)
    }
    defer p.FindObjectsFinal(session) // always close the search, even on panic
    handles, _, err := p.FindObjects(session, 1)
    if err != nil {
        panic(err)
    }
    if len(handles) == 0 {
        panic("no object matches the template")
    }
    return handles[0]
}
// Only a handle comes back: a sensitive key never leaves the token. Wrap it in a
// crypto.Signer that calls C_Sign (crypto11 does this) to get the privateKey used above.
privateKeyHandle := findOne([]*pkcs11.Attribute{
    pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
    pkcs11.NewAttribute(pkcs11.CKA_LABEL, "private_key_label"),
})
certHandle := findOne([]*pkcs11.Attribute{
    pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
    pkcs11.NewAttribute(pkcs11.CKA_LABEL, "certificate_label"),
})
// A certificate object's CKA_VALUE is public and readable: the DER-encoded cert.
attrs, err := p.GetAttributeValue(session, certHandle, []*pkcs11.Attribute{
    pkcs11.NewAttribute(pkcs11.CKA_VALUE, nil),
})
if err != nil {
    panic(err)
}
cert := attrs[0].Value

That does not seem to require CKA_VALUE.
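As an added, runnable example that is not part of VonC's answer and is not code from miekg/pkcs11 or crypto11: the point the answer circles around is that crypto/tls never needs the private key bytes, only something that implements crypto.Signer. The TokenSigner type below is a hypothetical stand-in that keeps an in-memory RSA key where crypto11 would keep a PKCS#11 object handle and call C_Sign; everything else (the self-signed certificates, the tls.Config with ClientAuth, the handshake itself) is what a token-backed deployment does. The names server.example and client.example, the loopback listener and the signature counter are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// TokenSigner is all crypto/tls needs from a PKCS#11 key: a crypto.Signer that signs
// inside the token, so CKA_VALUE never leaves it. Hypothetical stand-in for crypto11's.
type TokenSigner struct {
	inside    *rsa.PrivateKey // plays the key material a real token keeps behind C_Sign
	SignCalls int             // how often the "token" was asked to sign
}
func (s *TokenSigner) Public() crypto.PublicKey { return &s.inside.PublicKey }

// Sign is the only key operation TLS performs; rsa picks PSS or PKCS#1 v1.5 from opts.
func (s *TokenSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	s.SignCalls++
	return s.inside.Sign(r, digest, opts)
}

// NewIdentity self-signs a certificate for name; PrivateKey is the opaque signer (panics only on RNG failure).
func NewIdentity(name string) (tls.Certificate, *TokenSigner) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	signer := &TokenSigner{inside: key}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	// x509.CreateCertificate also takes any crypto.Signer, so this step runs on the token too.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer, Leaf: leaf}, signer
}

// RunMutualTLS does an mTLS handshake over loopback TCP; returns the verified client name and token signature count.
func RunMutualTLS() (peer string, tokenSigns int, err error) {
	serverCert, serverKey := NewIdentity("server.example")
	clientCert, clientKey := NewIdentity("client.example")
	clientCAs, serverCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf)
	serverCAs.AddCert(serverCert.Leaf)
	serverConf := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" part
		ClientCAs:    clientCAs,
	}
	clientConf := &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      serverCAs,
		ServerName:   "server.example",
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", 0, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() { // server side: accept, handshake, record the verified client name
		raw, err := ln.Accept()
		if err == nil {
			srv := tls.Server(raw, serverConf)
			defer srv.Close()
			if err = srv.Handshake(); err == nil { // PeerCertificates is set only after verification
				peer = srv.ConnectionState().PeerCertificates[0].DNSNames[0]
			}
		}
		srvDone <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", 0, err
	}
	cli := tls.Client(raw, clientConf)
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return "", 0, fmt.Errorf("client: %w", err)
	}
	if err := <-srvDone; err != nil {
		return "", 0, fmt.Errorf("server: %w", err)
	}
	return peer, serverKey.SignCalls + clientKey.SignCalls, nil
}
```

Call RunMutualTLS from a main or a test; it returns "client.example" as the name the server verified, and the counter comes back as 4: each "token" signed once for its self-signed certificate and once for its side's handshake signature, and at no point did anything outside TokenSigner see the key. Replacing TokenSigner with a crypto11 signer for the handle found on the token is the only change a real deployment needs.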