Red Hat Bugzilla – Bug 426152
Review Request: openCryptoki - An open-source PKCS#11 implementation
Last modified: 2009-07-21 11:15:11 EDT
Description: openCryptoki is an implementation of the PKCS#11 standard, an API for access to cryptographic hardware.
openCryptoki has already been distributed in RHEL5.1 and prior releases of RHEL.
There is also a feature request to update RHEL5.1's openCryptoki to add support for a new token in https://bugzilla.redhat.com/show_bug.cgi?id=253059. This is set to be included in RHEL5.2.
Should the Fedora package be based off the latest RHEL SRPM, the RHEL5.1 SRPM, or some other source? I have no access to RHEL5.2 code yet (if it exists).
How does this relate to NSS's PKCS#11 support?
NSS should be able to use openCryptoki as a PKCS#11 provider. For instance
today you can go into firefox, Edit > Preferences > Advanced > Security >
Security Devices, and add openCryptoki as a provider. This then funnels the
crypto and certificate and key storage through openCryptoki. If you enable the
TPM token, all your certificates will be protected by the TPM at rest.
openCryptoki is also the gateway to s390 hardware crypto, so there you'd get
Why would we want to funnel all crypto and certificates through a non-NSS mechanism?
It wouldn't be a non-NSS mechanism, just a different provider. By default,
NSS contains a software-only PKCS#11 implementation it uses internally.
openCryptoki is just another implementation of the APIs NSS is using to
interface to this internal implementation to store certificates and do crypto.
You might want to do this for the reasons I mentioned earlier, to get hardware
acceleration or take advantage of secure keys in the TPM or other hardware.
This is not the only use of PKCS#11 by the way, the Java JCE interfaces to
PKCS#11 as well. As far as I know, NSS doesn't ship a library exposing its
PKCS#11 APIs for other software packages to take advantage of, so without
openCryptoki the JCE could not be hardware accelerated.
I guess the question is, is openCryptoki an add-on or a "competitor"?
If I'm understanding correctly, it's an add-on. It sounds like openCryptoki
provides a pkcs#11 abstraction layer for certain hardware, allowing it to be
used with other applications that can talk to pkcs#11 APIs. NSS can do so.
NSS offers a tool "modutil" which can be used to load an external pkcs#11 module
into a set of user preferences (the cert dbs). The binding will be recorded in
file secmod.db which is stored next to your key3.db and cert8.db.
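The two steps described above (adding openCryptoki as a provider and recording the binding in the NSS module database) can be scripted with `modutil`. The block below is an added example, not code from the bug thread or from the openCryptoki or NSS projects; it assumes `modutil` and `certutil` from the nss-tools package are on the PATH, and the openCryptoki library path it uses is a placeholder, since the real file name and location depend on the distribution.

```shell
#!/bin/sh
# Added example, not from the bug thread: register a PKCS#11 provider such as
# openCryptoki with an NSS database via modutil, then verify the binding.
# The openCryptoki library path is an ASSUMED placeholder; the real name and
# location depend on the distribution.

# Validate arguments and print the modutil command line that would be run.
# Returns 1 (printing nothing) when the module name is empty or the library
# file does not exist, so a typo never writes a dangling entry into the
# module database.
modutil_add_cmd() {
    dbdir="$1"; name="$2"; libfile="$3"
    [ -n "$name" ] || return 1
    [ -f "$libfile" ] || return 1
    printf 'modutil -dbdir %s -add %s -libfile %s -force\n' "$dbdir" "$name" "$libfile"
}

# Create the NSS database if needed, register the module non-interactively
# (-force suppresses the confirmation prompt) and confirm it is listed.
# Needs modutil/certutil from nss-tools; returns 2 if they are not installed.
register_pkcs11_module() {
    dbdir="$1"; name="$2"; libfile="$3"
    command -v modutil >/dev/null 2>&1 || return 2
    modutil_add_cmd "$dbdir" "$name" "$libfile" >/dev/null || return 1
    mkdir -p "$dbdir"
    if [ ! -e "$dbdir/pkcs11.txt" ] && [ ! -e "$dbdir/secmod.db" ]; then
        certutil -N -d "$dbdir" --empty-password || return 1
    fi
    modutil -dbdir "$dbdir" -add "$name" -libfile "$libfile" -force >/dev/null || return 1
    modutil -dbdir "$dbdir" -list 2>/dev/null | grep -q "$name"
}

# Demonstration against a scratch database; the library path is assumed.
demo_dir=$(mktemp -d)
register_pkcs11_module "$demo_dir/nssdb" openCryptoki \
    "${OPENCRYPTOKI_LIB:-/usr/lib64/pkcs11/PKCS11_API.so}"
case $? in
    0) echo "openCryptoki registered in $demo_dir/nssdb" ;;
    2) echo "nss-tools (modutil) not installed; nothing registered" ;;
    *) echo "registration skipped: library missing or modutil failed" ;;
esac
rm -rf "$demo_dir"
```

To register against a profile's own database, pass that directory as `dbdir` (a Firefox profile directory, or `$HOME/.pki/nssdb` for applications using the shared database). With the legacy dbm format the binding lands in `secmod.db` as the comment says; with the sqlite format (a `sql:` prefixed dbdir, or the default on newer NSS) it is stored in `pkcs11.txt` instead. The pre-check on the library file matters because a module entry pointing at a missing or wrong `.so` simply fails to load, and the application silently falls back to NSS's internal software token rather than the hardware token you expected.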
Yep, I would consider it an add-on. Different PKCS#11 implementations will
support different sets of hardware, so many can co-exist.
I'm a bit confused by this ticket. The last comment was made last year, there
doesn't seem to be any actual package to review, and the only reference is to
another ticket which nobody can actually look at.
Well, it's been another four months and nobody has stepped up to clear up the confusion. I'm just going to close this.
I've submitted another openCryptoki review request (with an actual package). See bug 512954.
*** This bug has been marked as a duplicate of bug 512954 ***