Bug 1173546 (PKCS11)

Summary: PKCS#11 sanity tracker
Product: [Fedora] Fedora
Component: distribution
Version: rawhide
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: David Woodhouse <dwmw2>
Assignee: David Woodhouse <dwmw2>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dennis, nmavrogi, scampa.giovanni, stefw
Keywords: Tracking
Doc Type: Bug Fix
Type: Bug
Last Closed: 2019-11-08 10:02:37 UTC
Bug Depends On: 1073320, 1085327, 1135932, 1172247, 1173279, 1173548, 1173552, 1173554, 1173559, 1173577, 1173579, 1173581, 1173582, 1205120, 1217727, 1217915, 1219544, 1233593, 1233626, 1236107, 1236526, 1242469, 1251018, 1378800

Description David Woodhouse 2014-12-12 12:00:57 UTC
We ship p11-kit which gives PKCS#11 modules such as OpenSC a simple way to register themselves with the system and be automatically visible to applications.

With well-behaved applications, the device (and objects therein) will Just Work™. It's as simple as installing the OpenSC (or whatever) package, and plugging the device in. And then they appear in the seahorse GUI, can be queried with p11tool, can be used with applications like the OpenConnect VPN client by using standard PKCS#11 URIs.

Well-behaved applications should:

 - Use the p11-kit-configured set of modules instead of having to be
   explicitly told which provider module to use (defaulting to
   p11-kit-proxy.so as the provider is a simple way to fix this).

 - Use standard PKCS#11 URIs as described in
   https://tools.ietf.org/html/draft-pechanec-pkcs11uri-16 instead of
   their own non-standard form (engine_pkcs11, pkcs11_helper thus
   OpenVPN).

 - Allow the use of PKCS#11 objects in all cases that a file can be
   used for a certificate and/or key.

Comment 1 Nikos Mavrogiannopoulos 2015-04-23 07:12:03 UTC
PKCS #11 URLs is now a standards-track RFC:
http://www.rfc-editor.org/rfc/rfc7512.txt
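
The standard URI form that the description asks applications to accept, parsed according to RFC 7512, as an added example that is not part of the original bug or of any project named in it. The sample URI, the function names and the two policy checks (flagging an embedded PIN, and flagging a URI that names its own provider module rather than relying on the p11-kit-configured set) are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512 for the path and query components.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "object", "type", "id",
              "library-manufacturer", "library-version", "library-description",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"cert", "data", "private", "public", "secret-key"}

# Constructed sample; the token, object and module path are made up.
SAMPLE_URI = ("pkcs11:token=Example%20Token;object=vpn-key;type=private;id=%01%02"
              "?pin-value=1234&module-path=/usr/lib64/pkcs11/example.so")

def _split(component, sep, known):
    attrs = {}
    for pair in filter(None, component.split(sep)):
        name, eq, raw = pair.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {pair!r}")
        # Assumption: only RFC names and "x-" vendor names are accepted, and no
        # name may repeat. This is stricter than the RFC for vendor attributes.
        if name not in known and not name.startswith("x-"):
            raise ValueError(f"unknown attribute: {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        value = unquote_to_bytes(raw)
        # "id" is an arbitrary byte string (CKA_ID); the rest are UTF-8 text.
        attrs[name] = value if name == "id" else value.decode("utf-8")
    return attrs

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) or raise ValueError."""
    scheme, colon, rest = uri.partition(":")
    if not colon or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    path_attrs = _split(path, ";", PATH_ATTRS)
    if path_attrs.get("type", "cert") not in OBJECT_TYPES:
        raise ValueError(f"invalid object type: {path_attrs['type']!r}")
    return path_attrs, _split(query, "&", QUERY_ATTRS)

def policy_findings(query_attrs):
    """Flag query attributes a deployment may want to refuse (example policy)."""
    findings = []
    if "pin-value" in query_attrs:
        findings.append("pin-value embeds the PIN in the URI; use pin-source or a prompt")
    if query_attrs.keys() & {"module-name", "module-path"}:
        findings.append("URI names a provider module instead of the p11-kit set")
    return findings
```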

Comment 2 Nikos Mavrogiannopoulos 2019-11-08 10:02:37 UTC
Closing tracker as everything tracked is complete.