Bug 1085327

Summary: softhsm does not provide a p11-kit module file
Product: [Fedora] Fedora
Component: softhsm
Version: 21
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwmw2, nmavrogi, pwouters, stefw
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-12-23 16:07:07 UTC
Bug Blocks: 1173546

Description Nikos Mavrogiannopoulos 2014-04-08 11:35:11 UTC
p11-kit is used in Fedora to access PKCS#11 modules: http://p11-glue.freedesktop.org/p11-kit.html

However it requires each available module to register itself using a .module file in /usr/share/p11-kit/modules/.


Installing the attached sample file in this location will do the trick and allow softhsm keys to be visible to applications that utilize p11-kit.

The library visibility can be tested using p11-kit list-modules.


An example module file can be found in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1073320

Comment 1 Paul Wouters 2014-04-19 00:56:27 UTC
I'm looking at adding this for softhsm and looked at coolkey. It seems I need to do the same with softhsm that is done by coolkey's pk11install. It seems silly to either need to depend on coolkey for it, or bundle a copy of this installer within softhsm.

Should we split off pk11install into its own package? Or is there another way to register with the NSS db in /etc/pki/nssdb/ that other modules use?

For testing, I let it depend on coolkey for now. It seems to work according to p11-kit list-modules:

softhsm: /usr/lib64/pkcs11/libsofthsm.so
    library-description: Implementation of PKCS11
    library-manufacturer: SoftHSM
    library-version: 1.3
    token: OpenDNSSEC
        manufacturer: SoftHSM
        model: SoftHSM
        serial-number: 1
        hardware-version: 1.3
        firmware-version: 1.3
        flags:
               rng
               login-required
               user-pin-initialized
               clock-on-token
               token-initialized
    token: A token
        manufacturer: SoftHSM
        model: SoftHSM
        serial-number: 1
        hardware-version: 1.3
        firmware-version: 1.3
        flags:
               rng
               login-required
               user-pin-initialized
               clock-on-token
               token-initialized

Comment 2 Nikos Mavrogiannopoulos 2014-04-29 12:54:22 UTC
I'm not sure whether pk11install is the appropriate solution, as it looks very tied to Mozilla rather than a generic PKCS#11 framework. I don't know the details, though, but Stef may have a better suggestion.

Comment 3 Stef Walter 2014-05-01 19:58:19 UTC
I'd like to get to the point where we can have the p11-kit-proxy.so module installed in NSS by default, so that we can load all the p11-kit configured modules into NSS.

Comment 4 David Woodhouse 2014-12-15 12:48:58 UTC
pk11install looks like it's just doing what you could do with the NSS 'modutil' routine. Hell, it could be a one-line shell script invoking modutil.

It's not the right answer. SoftHSM and coolkey need to be providing p11-kit module files in /usr/share/p11-kit/modules/, which was the subject of this bug.

As for making NSS automatically *use* the modules which are configured in p11-kit, that's the topic of bug 1173577. Nothing stops us from preserving pk11install (or just using modutil) to work around the NSS problem in the meantime, but *do* please provide the p11-kit module file.

Comment 5 Nikos Mavrogiannopoulos 2014-12-23 16:07:07 UTC
I believe that this issue is resolved in F21. There is /usr/share/p11-kit/modules/softhsm.module.
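
Added example, not part of the bug report and not code from softhsm or p11-kit: a shell check for the condition this bug describes, reporting which .module file (if any) registers a given PKCS#11 library. The function names, the PKCS11_LIBDIR variable and the sample files are constructed for illustration; resolving a bare file name under /usr/lib64/pkcs11 is an assumption based on the library path shown in comment 1.

```shell
#!/bin/sh
# Added example (not from the bug report): find the p11-kit .module file
# that registers a given PKCS#11 library.

# Assumption: a bare file name in "module:" is resolved under this directory
# (the directory of libsofthsm.so in the list-modules output in comment 1).
PKCS11_LIBDIR=${PKCS11_LIBDIR:-/usr/lib64/pkcs11}

# module_file_for DIR LIB
# Prints the first DIR/*.module whose "module:" value resolves to LIB
# (an absolute path). Returns 1 when no file registers LIB.
module_file_for() {
    dir=$1 lib=$2
    for f in "$dir"/*.module; do
        [ -f "$f" ] || continue
        # "key: value" lines; a line starting with '#' is a comment.
        val=$(sed -n 's/^[[:space:]]*module:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$f" | head -n 1)
        [ -n "$val" ] || continue
        case $val in
            /*) ;;                          # absolute path: compare as-is
            *)  val=$PKCS11_LIBDIR/$val ;;  # bare name: resolve first
        esac
        [ "$val" = "$lib" ] || continue
        printf '%s\n' "$f"
        return 0
    done
    return 1
}

# Demo on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'module: %s\n' /usr/lib64/pkcs11/libsofthsm.so > "$d/softhsm.module"
    printf '# constructed entry\nmodule: libexample.so\n' > "$d/example.module"
    for lib in libsofthsm.so libexample.so libunregistered.so; do
        if hit=$(module_file_for "$d" "$PKCS11_LIBDIR/$lib"); then
            echo "$lib: registered by ${hit##*/}"
        else
            echo "$lib: no .module file"
        fi
    done
    rm -rf "$d"
}
demo
```

On an installed system, pass /usr/share/p11-kit/modules as DIR. A library with the same file name in a different directory is deliberately not treated as registered.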