Bug 1272423 - Softhsm PKCS#11 module not visible to NSS because it is not in the search path
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: softhsm
Version: 22
Severity: unspecified
Assigned To: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-16 07:25 EDT by Sumit Bose
Modified: 2016-09-28 11:17 EDT
Fixed In Version: softhsm-2.1.0-1.fc24 softhsm-2.1.0-1.fc23 softhsm-2.1.0-1.fc22
Doc Type: Bug Fix
Last Closed: 2016-07-05 01:00:13 EDT
Type: Bug
Description Sumit Bose 2015-10-16 07:25:47 EDT
Description of problem:
Although the softhsm PKCS#11 module is added to the system's default NSS database /etc/pki/nssdb it cannot be accessed by NSS utilities because it is not in the standard library search path.


Version-Release number of selected component (if applicable):
softhsm-2.0.0b1-3.fc22

How reproducible:


Steps to Reproduce:
1. modutil lists the softhsm module but reports no token
# softhsm2-util --init-token --slot 0 --label 'Test Token' --so-pin 12345678 --pin 123456
The token has been initialized.
# modutil -dbdir /etc/pki/nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SoftHSM PKCS #11 Module
        library name: libsofthsm2.so
         slots: There are no slots attached to this module
        status: Not loaded
-----------------------------------------------------------

2. strace shows that libsofthsm2.so is not found
# strace -f -eopen modutil -dbdir /etc/pki/nssdb -list 2>&1 | grep softhsm
open("/lib64/tls/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libsofthsm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
        library name: libsofthsm2.so

3. After linking softhsm2.so to /usr/lib64 modutil works as expected:
# ln -s /usr/lib64/pkcs11/libsofthsm2.so /usr/lib64
# modutil -dbdir /etc/pki/nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SoftHSM PKCS #11 Module
        library name: libsofthsm2.so
         slots: 2 slots attached
        status: loaded

         slot: SoftHSM slot 0
        token: Test Token

         slot: SoftHSM slot 1
        token: 
-----------------------------------------------------------


Additional info:
It looks like most other packages with PKCS#11 modules like coolkey or opensc make the modules available in /usr/lib64/pkcs11 and /usr/lib64 by linking one to the other.

opencryptoki creates a file with the library path in /etc/ld.so.conf.d and calls ldconfig during installation. But adding /usr/lib64/pkcs11 here might not be a good idea since the directory is used by other packages as well.
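
A way to triage the "Not loaded" status from step 1, added here as an example and not part of the original report or the softhsm package: it parses `modutil -list` output and reports whether each unloaded module is registered by bare library name and where that file actually sits. The function names and the directories passed to `diagnose` are assumptions; the sample listing is the report's own output, trimmed.

```shell
# Added example: explain why NSS lists a PKCS#11 module as "Not loaded".
# Sample input: listing from step 1 of the report, trimmed.
sample_listing() {
cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
  2. SoftHSM PKCS #11 Module
        library name: libsofthsm2.so
         slots: There are no slots attached to this module
        status: Not loaded
EOF
}

# Read `modutil -list` output on stdin; print "module name|library name"
# for every module whose status is "Not loaded".
unloaded_modules() {
    awk '
        /^ *[0-9]+\. /      { sub(/^ *[0-9]+\. /, ""); name = $0; lib = ""; next }
        /^ *library name: / { sub(/^ *library name: /, ""); lib = $0; next }
        /^ *status: Not loaded/ { print name "|" lib }
    '
}

# Print the first directory (arguments 2..n) that contains file $1.
locate_library() {
    want=$1; shift
    for d in "$@"; do
        if [ -e "$d/$want" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# usage: diagnose DIR... < listing   (DIRs: assumed candidate module dirs)
diagnose() {
    unloaded_modules | while IFS='|' read -r name lib; do
        case $lib in
            "") echo "$name: no library name listed" ;;
            /*) echo "$name: registered by absolute path $lib" ;;
            *)  if dir=$(locate_library "$lib" "$@"); then
                    echo "$name: bare name $lib, file is in $dir"
                else
                    echo "$name: bare name $lib, not found in $*"
                fi ;;
        esac
    done
}

sample_listing | diagnose /usr/lib64/pkcs11 /usr/lib/pkcs11
```

On a live system, replace `sample_listing` with `modutil -dbdir /etc/pki/nssdb -list`. A bare name whose file is found only in a directory the loader did not try in the strace output above matches the failure described in this report.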
Comment 1 Paul Wouters 2016-05-16 10:58:49 EDT
I do not need the softlink when using softhsm-2.0.0rc1-3.fc23.x86_64

Can you check if this is now also resolved for you?
Comment 2 Paul Wouters 2016-05-16 11:03:52 EDT
oops. test error. configured the fix.
Comment 3 Fedora Update System 2016-06-21 22:23:23 EDT
softhsm-2.1.0-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-40cd1f94ba
Comment 4 Fedora Update System 2016-06-22 08:32:46 EDT
softhsm-2.1.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f
Comment 5 Fedora Update System 2016-06-22 08:33:08 EDT
softhsm-2.1.0-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d
Comment 6 Fedora Update System 2016-06-22 18:56:25 EDT
softhsm-2.1.0-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-40cd1f94ba
Comment 7 Fedora Update System 2016-06-22 18:59:26 EDT
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c43dd0091f
Comment 8 Fedora Update System 2016-06-22 19:02:32 EDT
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-376bda6d1d
Comment 9 Fedora Update System 2016-07-05 01:00:01 EDT
softhsm-2.1.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2016-07-05 04:25:29 EDT
softhsm-2.1.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-07-05 10:22:09 EDT
softhsm-2.1.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 David Woodhouse 2016-09-28 09:30:23 EDT
Grrr. Sumit, this bug is bogus. NSS is broken and should be using the system-configured tokens. This was really just another symptom of bug 1173577

Please don't propagate the broken workarounds for NSS.
Comment 13 Sumit Bose 2016-09-28 11:17:51 EDT
David, I agree with you. But my point was since the softhsm package calls 'softhsm2-pk11install -p %{nssdb} 'name=%{softhsm_module} library=libsofthsm2.so' in %post it should end up in a working state.

Maybe it would make sense to open tickets to remove the explicit addition of PKCS#11 modules to /etc/pki/nssdb in the softhsm and other packages for PKCS#11 modules?
