Bug 1085327 - softhsm does not provide a p11-kit module file
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: softhsm
Version: 21
Hardware: Unspecified
OS: Unspecified
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Blocks: PKCS11
Reported: 2014-04-08 11:35 UTC by Nikos Mavrogiannopoulos
Modified: 2014-12-23 16:07 UTC (History)
Last Closed: 2014-12-23 16:07:07 UTC
Type: Bug

Description Nikos Mavrogiannopoulos 2014-04-08 11:35:11 UTC
p11-kit is used in Fedora to access PKCS#11 modules: http://p11-glue.freedesktop.org/p11-kit.html

However, it requires each available module to register itself using a .module file in /usr/share/p11-kit/modules/.


Installing the attached sample file in this location will do the trick and allow softhsm keys to be visible to applications that utilize p11-kit.

The library visibility can be tested using p11-kit list-modules.


An example module file can be found in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1073320
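
The gap this report describes (a PKCS#11 library installed without a matching .module file) can be checked mechanically. The following shell script is an added example, not code from this report or from the softhsm or p11-kit projects. It assumes the `module:` key of a p11-kit module file holds either an absolute library path or a bare file name, it inspects only the one modules directory it is given, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): find PKCS#11 libraries that are
# installed but have no p11-kit .module file, the condition this bug describes.
# Function names and the directory arguments are assumptions of the example.

# registered_modules MODDIR: print the value of each "module:" line found in
# MODDIR/*.module, with surrounding whitespace trimmed. Comment lines do not
# match the pattern and are skipped.
registered_modules() {
    for f in "$1"/*.module; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*module:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$f"
    done
}

# unregistered_libs LIBDIR MODDIR: print every LIBDIR/*.so that no .module
# file names, either by absolute path or by bare file name.
unregistered_libs() {
    libdir=$1
    known=$(registered_modules "$2")
    for lib in "$libdir"/*.so; do
        [ -f "$lib" ] || continue
        base=${lib##*/}
        found=no
        # Read the registered names line by line so paths with spaces work.
        while IFS= read -r entry; do
            if [ "$entry" = "$lib" ] || [ "$entry" = "$base" ]; then
                found=yes
                break
            fi
        done <<EOF
$known
EOF
        [ "$found" = yes ] || printf '%s\n' "$lib"
    done
}

# Usage: sh check-modules.sh /usr/lib64/pkcs11 /usr/share/p11-kit/modules
if [ "$#" -eq 2 ]; then
    unregistered_libs "$1" "$2"
fi
```

An empty result means every library in the directory is named by some module file; `p11-kit list-modules` remains the authoritative check of what p11-kit actually loads.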

Comment 1 Paul Wouters 2014-04-19 00:56:27 UTC
I'm looking at adding this for softhsm and looked at coolkey. It seems I need to do the same with softhsm that is done by coolkey's pk11install. It seems silly to either need to depend on coolkey for it, or bundle a copy of this installer within softhsm.

Should we split off pk11install into its own package? Or is there another way to register with the NSS db in /etc/pki/nssdb/ that other modules use?

For testing, I let it depend on coolkey for now. It seems to work according to p11-kit list-modules:

softhsm: /usr/lib64/pkcs11/libsofthsm.so
    library-description: Implementation of PKCS11
    library-manufacturer: SoftHSM
    library-version: 1.3
    token: OpenDNSSEC
        manufacturer: SoftHSM
        model: SoftHSM
        serial-number: 1
        hardware-version: 1.3
        firmware-version: 1.3
        flags:
               rng
               login-required
               user-pin-initialized
               clock-on-token
               token-initialized
    token: A token
        manufacturer: SoftHSM
        model: SoftHSM
        serial-number: 1
        hardware-version: 1.3
        firmware-version: 1.3
        flags:
               rng
               login-required
               user-pin-initialized
               clock-on-token
               token-initialized

Comment 2 Nikos Mavrogiannopoulos 2014-04-29 12:54:22 UTC
I'm not sure whether pk11install is the appropriate solution, as it looks very tied to Mozilla rather than a generic PKCS#11 framework. I don't know the details, though, but Stef may have a better suggestion.

Comment 3 Stef Walter 2014-05-01 19:58:19 UTC
I'd like to get to the point where we can have the p11-kit-proxy.so module installed in NSS by default, so that we can load all the p11-kit configured modules into NSS.

Comment 4 David Woodhouse 2014-12-15 12:48:58 UTC
pk11install looks like it's just doing what you could do with the NSS 'modutil' routine. Hell, it could be a one-line shell script invoking modutil.

It's not the right answer. SoftHSM and coolkey need to be providing p11-kit module files in /usr/share/p11-kit/modules/, which was the subject of this bug.

As for making NSS automatically *use* the modules which are configured in p11-kit, that's the topic of bug 1173577. Nothing stops us from preserving pk11install (or just using modutil) to work around the NSS problem in the meantime, but *do* please provide the p11-kit module file.

Comment 5 Nikos Mavrogiannopoulos 2014-12-23 16:07:07 UTC
I believe that this issue is resolved in F21. There is /usr/share/p11-kit/modules/softhsm.module.

