Support for remote signing infrastructure #530
psangster1 started this conversation in Ideas
Replies: 0 comments
I'm currently investigating building centralized code signing infrastructure for a number of projects. I'm considering using p11-kit because of its remote PKCS #11 support, and my potential software clients use this SPI.
Because the P11 crypto operations are run often, I would prefer to handle operations mostly locally, except when an operation intends to use the private (signing) key. For instance, I prefer to have all the hashing, key generation and other PKCS #11 operations happen locally for performance reasons, but when it comes time to do a C_Sign or friends, that would be remoted to another system that has the special release signing keys. Has anyone looked into only having p11-kit remote certain calls and not others, or is it all or nothing as it appears to be? I've done some initial analysis and my apps just use C_Sign, but supporting C_SignInit and Update could also work. I know there are issues for when the application is looking for attributes about the keys, but I have a workaround for that.