Bug 2141356

Summary: p11-kit and certutil token interference
Product: Fedora
Component: nss
Version: 35
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Rob Crittenden <rcritten>
Assignee: Bob Relyea <rrelyea>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: crypto-team, elio.maldonado.batiz, kai-engert-fedora, rrelyea
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2022-11-09 16:57:54 UTC

Description Rob Crittenden 2022-11-09 14:58:15 UTC
On a system with two NSS databases and a token configured via p11-kit there can be unnecessary password prompting.

The scenario is:

- Install the softhsm2 package. It will be registered with p11-kit
- Create a new softhsm2 token (softhsm-util --init-token --free --pin password --so-pin password --label "softhsm_token")
- Create a new NSS database
- Generate a self-signed CA on the new softhsm_token in the NSS database
- export that certificate to a text file using certutil
- Create a second NSS database
- Import the exported CA certificate
- certutil -L -d /path/to/second/db -n CA

This will prompt for the softhsm_token in order to determine if the private key is available.

This second database doesn't know or care about the token, it just needs access to the CA certificate for trust purposes. It should not need read access to the token.

It isn't possible to disable the p11-kit-proxy per-database using:

# modutil -disable p11-kit-proxy -dbdir /etc/dirsrv/slapd-EXAMPLE-TEST

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Slot "SoftHSM slot ID 0x2baa5eb4" disabled.
Slot "SoftHSM slot ID 0x39ecd5cb" disabled.
Slot "SoftHSM slot ID 0x2" disabled.
ERROR: Failed to update module "p11-kit-proxy"

Disabling a specific slot fails in the same way.

The only way to prevent p11-kit interference between different NSS databases is to disable a token entirely in p11-kit via:

# cat /etc/pkcs11/modules/softhsm2.module 
module: /usr/lib64/pkcs11/libsofthsm2.so
disable-in: p11-kit-proxy

Comment 1 Bob Relyea 2022-11-09 16:57:54 UTC
The proxy server is always configured when installed. If you don't want a token to be installed globally, you need to install it with modutil in just the databases you want to use it with.

So our step 1) is a global step. If you instead installed it with modutil in your first database, everything will work as you expected.

(Workaround hack note: If you really did want the module installed globally, but you want to do some little thing on the side, you can disable all global operations by setting: export NSS_IGNORE_SYSTEM_POLICY=1. NOTE: this also turns off system policy as well, so it's not really a solution if you are wanting to run multiple servers where one server is not using the HSM, but it's probably OK for a setup script).
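The following script, added here and not part of the bug report or of the NSS or p11-kit projects, walks the reporter's steps but applies the per-database approach from Comment 1: the SoftHSM token is registered with modutil in the first database only, so the second database holds just the CA certificate and never needs the token PIN. It assumes nss-tools and softhsm2 are installed, libsofthsm2.so is at one of the paths checked in find_softhsm_lib, and a private token store under a temporary directory.

```shell
#!/bin/sh
# Added example: token registered per-database with modutil instead of
# globally through p11-kit. Paths, PIN and names below are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}
DB1="$WORK/db1"; DB2="$WORK/db2"
PINFILE="$WORK/pin"; NOISE="$WORK/noise"

# Locate the SoftHSM PKCS#11 library (paths are assumptions, distro dependent).
find_softhsm_lib() {
    for p in /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/softhsm/libsofthsm2.so \
             /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do
        [ -f "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Private SoftHSM token store so the example does not touch system tokens.
setup_token() {
    mkdir -p "$WORK/tokens"
    export SOFTHSM2_CONF="$WORK/softhsm2.conf"
    printf 'directories.tokendir = %s\nobjectstore.backend = file\n' \
        "$WORK/tokens" > "$SOFTHSM2_CONF"
    softhsm2-util --init-token --free --pin password --so-pin password \
        --label softhsm_token >/dev/null
    echo password > "$PINFILE"
}

# First database: the token is registered here, and only here.
make_ca_db() {
    mkdir -p "$DB1"
    certutil -N -d "sql:$DB1" --empty-password
    modutil -add softhsm2 -libfile "$(find_softhsm_lib)" -dbdir "sql:$DB1" -force >/dev/null
    head -c 2048 /dev/urandom > "$NOISE"
    certutil -S -d "sql:$DB1" -h softhsm_token -f "$PINFILE" -z "$NOISE" \
        -n CA -s "CN=Example CA" -x -t "CT,," -k rsa -g 2048 -v 12
    certutil -L -d "sql:$DB1" -f "$PINFILE" -n "softhsm_token:CA" -a > "$WORK/ca.pem"
}

# Second database: trust the CA certificate only; no token, so no PIN prompt.
make_trust_db() {
    mkdir -p "$DB2"
    certutil -N -d "sql:$DB2" --empty-password
    certutil -A -d "sql:$DB2" -n CA -t "CT,," -a -i "$WORK/ca.pem"
    # stdin closed: if certutil tried to prompt for a token PIN here, this would fail
    certutil -L -d "sql:$DB2" -n CA </dev/null >/dev/null
}
```

Run setup_token, make_ca_db and make_trust_db in that order; the final certutil -L against the second database returns without any prompt because that database has no PKCS#11 module beyond the built-in ones.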