
Includes too many certificates in chain when pkcs11 has multiple #174

@egglestongc-NIH

Description


I'm using a smart card on Linux with multiple certificates on it, and authentication is failing due to a very long "X-Amz-X509-Chain" header being added. It appears the "certIssues" function in aws_signing_helper/pkcs11_signer.go inverts the result of the issuer check, causing it to think that every certificate on my smart card issues the one before it.

If you change "err != nil" to "err == nil" at the end of the certIssues function:

_, err := candidate.Verify(opts)
return err != nil

it fixes the problem. This is because certIssues() should return true when there are no errors in the "candidate.Verify", and should return false when there are errors.

Additional details:

  • I'm selecting the certificate with --certificate "pkcs11:object=Certificate%20for%20PIV%20Authentication", which returns only one certificate when run with "read-certificate-data"
  • The pkcs11 URI returned for my cert is "pkcs11:slot-manufacturer=VMware;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert;model=PKCS%2315%20emulated;manufacturer=piv_II;serial=REDACTED;slot-description=VMware%20Virtual%20USB%20CCID%2000%2000"
  • There are 8 other certificates on my card, visible with --certificate "pkcs11:"
  • The error I get without the fix is "operation error RolesAnywhere: CreateSession, https response error StatusCode: 400, RequestID: , deserialization failed, failed to decode response body, invalid character '<' looking for beginning of value"
  • The HTTP response causing that error is an html "400 Bad Request" (with no further details)
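Added example, not code from the signing helper or from the reporter: a self-contained Go model of the issuer check and the chain walk described above, run over constructed certificates (a card CA, the PIV leaf it issued, and two unrelated self-signed certificates). The function signatures, the single-pass chain walk and the key-usage settings are assumptions; `inverted=true` reproduces the `err != nil` behaviour, `false` the proposed `err == nil` fix.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertIssues reports whether candidate directly issued cert by verifying cert with candidate as the only trust anchor; inverted=true reproduces the reported "return err != nil" bug, false the proposed fix.
func CertIssues(candidate, cert *x509.Certificate, inverted bool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(candidate)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return (err == nil) != inverted
}
// BuildChain models the chain walk (assumed shape): one ordered pass over the card, appending each certificate the check accepts as issuer of the current top of the chain and making it the new top.
func BuildChain(leaf *x509.Certificate, card []*x509.Certificate, inverted bool) []*x509.Certificate {
	chain, cur := []*x509.Certificate{}, leaf
	for _, c := range card {
		if CertIssues(c, cur, inverted) {
			chain, cur = append(chain, c), c
		}
	}
	return chain
}
// mkCert issues a constructed test certificate; with parent == nil it is self-signed.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Scenario builds a constructed card (the leaf's CA plus two unrelated self-signed certs) and returns the chain length produced by the fixed check and by the inverted one.
func Scenario() (fixed, inverted int) {
	ca, caKey := mkCert("Card CA", true, nil, nil)
	leaf, _ := mkCert("Certificate for PIV Authentication", false, ca, caKey)
	a, _ := mkCert("Unrelated 1", false, nil, nil)
	b, _ := mkCert("Unrelated 2", false, nil, nil)
	card := []*x509.Certificate{a, ca, b}
	return len(BuildChain(leaf, card, false)), len(BuildChain(leaf, card, true))
}
```

With the fix the chain holds only the CA; with the inverted check every certificate that fails to verify as the issuer is appended, so all three card certificates end up in the chain, which is the oversized X-Amz-X509-Chain header the report describes.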
