Bug 2141356 - p11-kit and certutil token interference
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 35
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Bob Relyea
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-11-09 14:58 UTC by Rob Crittenden
Modified: 2022-11-09 16:57 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-11-09 16:57:54 UTC
Type: Bug
Embargoed:
fedora-admin-xmlrpc: mirror+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-655 0 None None None 2022-11-09 15:06:42 UTC

Description Rob Crittenden 2022-11-09 14:58:15 UTC
On a system with two NSS databases and a token configured via p11-kit there can be unnecessary password prompting.

The scenario is:

- Install the softhsm2 package. It will be registered with p11-kit
- Create a new softhsm2 token (softhsm2-util --init-token --free --pin password --so-pin password --label "softhsm_token")
- Create a new NSS database
- Generate a self-signed CA on the new softhsm_token in the NSS database
- export that certificate to a text file using certutil
- Create a second NSS database
- Import the exported CA certificate
- certutil -L -d /path/to/second/db -n CA

This will prompt for the softhsm_token in order to determine if the private key is available.

This second database doesn't know or care about the token, it just needs access to the CA certificate for trust purposes. It should not need read access to the token.

It isn't possible to disable the p11-kit-proxy per-database using: 

# modutil -disable p11-kit-proxy -dbdir /etc/dirsrv/slapd-EXAMPLE-TEST

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Slot "SoftHSM slot ID 0x2baa5eb4" disabled.
Slot "SoftHSM slot ID 0x39ecd5cb" disabled.
Slot "SoftHSM slot ID 0x2" disabled.
ERROR: Failed to update module "p11-kit-proxy"

Disabling a specific slot fails in the same way.

The only way to prevent p11-kit interference between different NSS databases is to disable a token entirely in p11-kit via:

# cat /etc/pkcs11/modules/softhsm2.module 
module: /usr/lib64/pkcs11/libsofthsm2.so
disable-in: p11-kit-proxy
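
An added example (not part of the bug report, and not p11-kit or NSS code): a shell function that reads one p11-kit .module file and reports whether the module would be offered through p11-kit-proxy, which is the exposure that the disable-in line above switches off. The function name proxy_exposure, the default program name certutil and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumed model (per pkcs11.conf(5)):
# enable-in/disable-in hold program names separated by commas and/or spaces,
# and the name "p11-kit-proxy" stands for loading through the proxy module.
# Each file is judged on its own; merging of package, system and user
# configuration is not modelled.

# proxy_exposure FILE [PROGRAM] -> prints exposed | hidden | conflict
proxy_exposure() {
    awk -v prog="${2:-certutil}" '
        function has(list, name,    n, i, parts) {
            n = split(list, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (parts[i] == name) return 1
            return 0
        }
        /^[ \t]*#/ { next }                       # comment line
        {
            sep = index($0, ":")
            if (sep == 0) next                    # blank or not "key: value"
            key = substr($0, 1, sep - 1); val = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enable-in")  { en = 1; enable = val }
            if (key == "disable-in") { dis = 1; disable = val }
        }
        END {
            proxy = "p11-kit-proxy"
            if (en && dis) r = "conflict"         # both set: review by hand
            else if (en)   r = (has(enable, prog) || has(enable, proxy)) ? "exposed" : "hidden"
            else if (dis)  r = (has(disable, prog) || has(disable, proxy)) ? "hidden" : "exposed"
            else           r = "exposed"          # no restriction at all
            print r
        }
    ' "$1"
}

# Constructed sample: the softhsm2.module content quoted in the report.
demo=$(mktemp)
printf '%s\n' 'module: /usr/lib64/pkcs11/libsofthsm2.so' \
              'disable-in: p11-kit-proxy' > "$demo"
echo "softhsm2.module: $(proxy_exposure "$demo")"
rm -f "$demo"
```

Running it over every file in /etc/pkcs11/modules and /usr/share/p11-kit/modules lists the tokens that each proxy-using NSS database on the host will see.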

Comment 1 Bob Relyea 2022-11-09 16:57:54 UTC
The proxy server is always configured when installed. If you don't want a token to be installed globally, you need to install it with modutil in just the databases you want to use it with.

So our step 1) is a global step. If you instead installed it with modutil in your first database, everything will work as you expected.

(Work around hack note: If you really did want the module installed globally, but you want to do some little thing on the side, you can disable all global operations by setting: export NSS_IGNORE_SYSTEM_POLICY=1. NOTE: this also turns off system policy as well, so it's not really a solution if you are wanting to run multiple servers where one server is not using the HSM, but it's probably OK for a setup script).

