Bug 1272423

Summary: Softhsm PKCS#11 module not visible to NSS because it is not in the search path
Product: [Fedora] Fedora
Reporter: Sumit Bose <sbose>
Component: softhsm
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: dwmw2, pspacek, pwouters, sbose
Hardware: Unspecified
OS: Unspecified
Fixed In Version: softhsm-2.1.0-1.fc24 softhsm-2.1.0-1.fc23 softhsm-2.1.0-1.fc22
Doc Type: Bug Fix
Last Closed: 2016-07-05 05:00:13 UTC
Type: Bug

Description Sumit Bose 2015-10-16 11:25:47 UTC
Description of problem:
Although the softhsm PKCS#11 module is added to the system's default NSS database /etc/pki/nssdb it cannot be accessed by NSS utilities because it is not in the standard library search path.


Version-Release number of selected component (if applicable):
softhsm-2.0.0b1-3.fc22

How reproducible:


Steps to Reproduce:
1. modutil lists the softhsm module but reports no token
# softhsm2-util --init-token --slot 0 --label 'Test Token' --so-pin 12345678 --pin 123456
The token has been initialized.
# modutil -dbdir /etc/pki/nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SoftHSM PKCS #11 Module
        library name: libsofthsm2.so
         slots: There are no slots attached to this module
        status: Not loaded
-----------------------------------------------------------

2. strace shows that libsofthsm2.so is not found
# strace -f -eopen modutil -dbdir /etc/pki/nssdb -list 2>&1 | grep softhsm
open("/lib64/tls/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
        library name: libsofthsm2.so

3. After linking softhsm2.so to /usr/lib64 modutil works as expected:
# ln -s /usr/lib64/pkcs11/libsofthsm2.so /usr/lib64
# modutil -dbdir /etc/pki/nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SoftHSM PKCS #11 Module
        library name: libsofthsm2.so
         slots: 2 slots attached
        status: loaded

         slot: SoftHSM slot 0
        token: Test Token

         slot: SoftHSM slot 1
        token: 
-----------------------------------------------------------


Additional info:
It looks like most other packages with PKCS#11 modules like coolkey or opensc make the modules available in /usr/lib64/pkcs11 and /usr/lib64 by linking one to the other.

opencryptoki creates a file with the library path in /etc/ld.so.conf.d and calls ldconfig during installation. But adding /usr/lib64/pkcs11 here might not be a good idea since the directory is used by other packages as well.
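
Added example, not part of the original report or of any package mentioned in it: a shell check that reads `modutil -list` output and reports every registered module whose library name does not resolve in a given set of directories, which is the condition the strace output above shows. The function names, the sample listing and the directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads `modutil -list` output on stdin; the arguments are the
# directories to treat as the library search path (assumption: supplied by the
# caller, e.g. the /lib64 and /usr/lib64 directories seen in the strace above).
check_modules() {
    sed -n 's/.*library name:[[:space:]]*//p' | sort -u |
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        case "$lib" in
            /*) # Absolute path: used as given, no directory search.
                if [ -e "$lib" ]; then echo "OK $lib"; else echo "MISSING $lib"; fi
                continue ;;
        esac
        found= hint=
        for dir in "$@"; do
            if [ -z "$found" ] && [ -e "$dir/$lib" ]; then found=$dir/$lib; fi
            if [ -z "$hint" ] && [ -e "$dir/pkcs11/$lib" ]; then hint=$dir/pkcs11; fi
        done
        if [ -n "$found" ]; then
            echo "OK $lib -> $found"
        elif [ -n "$hint" ]; then
            echo "UNRESOLVED $lib (present in $hint, outside the search path)"
        else
            echo "UNRESOLVED $lib"
        fi
    done
}

# Constructed sample, modelled on the listing in this report.
sample_listing() {
    cat <<'EOF'
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. SoftHSM PKCS #11 Module
        library name: libsofthsm2.so
         slots: There are no slots attached to this module
        status: Not loaded
EOF
}

sample_listing | check_modules /lib64 /usr/lib64
```

On a live system the input would come from `modutil -dbdir /etc/pki/nssdb -list` instead of the constructed sample.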

Comment 1 Paul Wouters 2016-05-16 14:58:49 UTC
I do not need the softlink when using softhsm-2.0.0rc1-3.fc23.x86_64

Can you check if this is now also resolved for you?

Comment 2 Paul Wouters 2016-05-16 15:03:52 UTC
oops. test error. configured the fix.

Comment 3 Fedora Update System 2016-06-22 02:23:23 UTC
softhsm-2.1.0-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-40cd1f94ba

Comment 4 Fedora Update System 2016-06-22 12:32:46 UTC
softhsm-2.1.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

Comment 5 Fedora Update System 2016-06-22 12:33:08 UTC
softhsm-2.1.0-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

Comment 6 Fedora Update System 2016-06-22 22:56:25 UTC
softhsm-2.1.0-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-40cd1f94ba

Comment 7 Fedora Update System 2016-06-22 22:59:26 UTC
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f

Comment 8 Fedora Update System 2016-06-22 23:02:32 UTC
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d

Comment 9 Fedora Update System 2016-07-05 05:00:01 UTC
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-07-05 08:25:29 UTC
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-07-05 14:22:09 UTC
softhsm-2.1.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 David Woodhouse 2016-09-28 13:30:23 UTC
Grrr. Sumit, this bug is bogus. NSS is broken and should be using the system-configured tokens. This was really just another symptom of bug 1173577.

Please don't propagate the broken workarounds for NSS.

Comment 13 Sumit Bose 2016-09-28 15:17:51 UTC
David, I agree with you. But my point was since the softhsm package calls 'softhsm2-pk11install -p %{nssdb} 'name=%{softhsm_module} library=libsofthsm2.so' in %post it should end up in a working state.

Maybe it would make sense to open tickets to remove the explicit addition of PKCS#11 modules to /etc/pki/nssdb in the softhsm and other packages for PKCS#11 modules?