Bug 1592206

Summary: NSS load p11-kit modules by default
Product: [Fedora] Fedora Reporter: Jan Kurik <jkurik>
Component: Changes Tracking Assignee: Daiki Ueno <dueno>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 29 CC: dueno, riehecky, rpattath
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ChangeAcceptedF29,SystemWideChange
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-30 17:04:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1173577    
Bug Blocks:    

Description Jan Kurik 2018-06-18 07:45:40 UTC
This is a tracking bug for Change: NSS load p11-kit modules by default
For more details, see: https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules

When an NSS database is created, PKCS#11 modules configured in the system's p11-kit will be automatically registered and visible to NSS applications.

Comment 1 Jan Kurik 2018-08-14 11:18:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 2 Ben Cotton 2018-08-28 13:54:12 UTC
Today is the '100% code complete deadline' Change Checkpoint[1], meaning that Fedora 29 Changes must now be code complete. All the code required to enable the new change should now be finished. If your Change is code complete, please update the status of this tracker back to "ON_QA". The change does not have to be fully tested by this deadline.

We have now reached the Beta freeze. If your Change is not code complete, you need to request a Freeze Exception[2] or invoke the contingency plan.

[1] https://fedoraproject.org/wiki/Changes/Policy#Beta_deadline.2Faccepted_changes_100.25_complete

[2] https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process

Comment 3 Roshni 2018-11-05 20:50:04 UTC
[root@dhcp129-78 ~]# rpm -qi p11-kit
Name        : p11-kit
Version     : 0.23.14
Release     : 4.el8
Architecture: x86_64
Install Date: Mon 05 Nov 2018 02:13:28 PM EST
Group       : Unspecified
Size        : 1395029
License     : BSD
Signature   : RSA/SHA256, Tue 30 Oct 2018 11:06:11 AM EDT, Key ID 938a80caf21541eb
Source RPM  : p11-kit-0.23.14-4.el8.src.rpm
Build Date  : Mon 29 Oct 2018 05:33:51 AM EDT
Build Host  : x86-vm-10.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://p11-glue.freedesktop.org/p11-kit.html
Summary     : Library for loading and sharing PKCS#11 modules
Description :
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
[root@dhcp129-78 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.19.0
Release     : 2.el8
Architecture: x86_64
Install Date: Mon 05 Nov 2018 02:15:50 PM EST
Group       : System Environment/Libraries
Size        : 3783991
License     : LGPLv2+
Signature   : RSA/SHA256, Mon 22 Oct 2018 10:22:29 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.19.0-2.el8.src.rpm
Build Date  : Mon 22 Oct 2018 09:02:15 AM EDT
Build Host  : x86-vm-05.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications
Description :
OpenSC provides a set of libraries and utilities to work with smart cards. Its
main focus is on cards that support cryptographic operations, and facilitate
their use in security applications such as authentication, mail encryption and
digital signatures. OpenSC implements the PKCS#11 API so applications
supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On
the card OpenSC implements the PKCS#15 standard and aims to be compatible with
every software/card that does so, too.
[root@dhcp129-78 ~]# rpm -qi nss
Name        : nss
Version     : 3.39.0
Release     : 1.1.el8
Architecture: x86_64
Install Date: Mon 05 Nov 2018 02:14:46 PM EST
Group       : System Environment/Libraries
Size        : 3993849
License     : MPLv2.0
Signature   : RSA/SHA256, Mon 22 Oct 2018 05:33:18 AM EDT, Key ID 938a80caf21541eb
Source RPM  : nss-3.39.0-1.1.el8.src.rpm
Build Date  : Thu 18 Oct 2018 11:11:45 AM EDT
Build Host  : x86-vm-07.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.mozilla.org/projects/security/pki/nss/
Summary     : Network Security Services
Description :
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

The following tests were successfully run:

Using the following default modules under nssdb:
[root@dhcp129-78 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
  1. NSS Internal Crypto Services
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.39
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
	library name: p11-kit-proxy.so
	   uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
	 slots: 1 slot attached
	status: loaded

	 slot: OMNIKEY AG CardMan 3121 00 00
	token: Test Cardholder
	  uri: pkcs11:token=Test%20Cardholder;manufacturer=piv_II;serial=c9d45c86501843e2;model=PKCS%2315%20emulated

1. Smartcard detection by pkcs11-tool
2. Smartcard authentication using one and multiple smartcards
3. Smartcard detection by Firefox using p11-kit module
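
A check for the behaviour this Change describes, as an added example that is not part of the bug report or of NSS or p11-kit: it summarises `modutil -list` output (sample abridged from comment 3) and confirms that a module backed by p11-kit-proxy.so is loaded. The function names and the pipe-delimited summary format are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise `modutil -list` output as name|library|status|tokens
# so the set of PKCS#11 modules an NSS database loads can be audited.

# Output quoted from comment 3 on this page, abridged (uri: lines dropped).
sample_modutil_output() {
cat <<'EOF'

Listing of PKCS #11 Modules
  1. NSS Internal Crypto Services
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. p11-kit-proxy
    library name: p11-kit-proxy.so
     slots: 1 slot attached
    status: loaded

     slot: OMNIKEY AG CardMan 3121 00 00
    token: Test Cardholder
EOF
}

# Reads modutil -list output on stdin; prints one summary line per module.
# A module with no "library name:" line is reported as "(none listed)".
nss_modules() {
  awk '
    function emit() { if (name != "") print name "|" lib "|" status "|" tokens }
    /^[ \t]*[0-9]+\. /     { emit(); sub(/^[ \t]*[0-9]+\. /, ""); name = $0
                             lib = "(none listed)"; status = "unknown"; tokens = ""; next }
    /^[ \t]*library name:/ { sub(/^[ \t]*library name:[ \t]*/, ""); lib = $0; next }
    /^[ \t]*status:/       { sub(/^[ \t]*status:[ \t]*/, ""); status = $0; next }
    /^[ \t]*token:/        { sub(/^[ \t]*token:[ \t]*/, "")
                             tokens = (tokens == "" ? $0 : tokens "," $0) }
    END { emit() }'
}

# Succeeds only if a module backed by p11-kit-proxy.so is listed as loaded.
p11kit_proxy_loaded() { nss_modules | grep -q '|p11-kit-proxy\.so|loaded|'; }

# Live use: modutil -list -dbdir /etc/pki/nssdb/ | nss_modules
sample_modutil_output | nss_modules
```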

Comment 4 Ben Cotton 2018-11-30 17:04:51 UTC
This Change appears to have been implemented for Fedora 29. If it is not closed, please let me know so I can re-open it against Rawhide.