Bug 426152 - Review Request: openCryptoki - An open-source PKCS#11 implementation
Review Request: openCryptoki - An open-source PKCS#11 implementation
Status: CLOSED DUPLICATE of bug 512954
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Nobody's working on this, feel free to take it
Fedora Extras Quality Assurance
Depends On:
Blocks: 394941
  Show dependency treegraph
Reported: 2007-12-18 15:40 EST by Kent Yoder
Modified: 2009-07-21 11:15 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-05 10:43:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kent Yoder 2007-12-18 15:40:04 EST
Description: openCryptoki is an implementation of the PKCS#11 standard, an API for access to cryptographic hardware.

openCryptoki has already been distributed in RHEL5.1 and prior releases of RHEL.

There is also a feature request to update RHEL5.1's openCryptoki to add support for a new token in https://bugzilla.redhat.com/show_bug.cgi?id=253059.  This is set to be included in RHEL5.2.

Should the Fedora package be based off the latest RHEL SRPM, the RHEL5.1 SRPM, or some other source?  I have no access to RHEL5.2 code yet (if it exists).
Comment 1 Bill Nottingham 2007-12-18 20:46:38 EST
How does this relate to NSS's PKCS#11 support?
Comment 2 Kent Yoder 2007-12-19 11:18:14 EST
NSS should be able to use openCryptoki as a PKCS#11 provider.  For instance
today you can go into firefox, Edit > Preferences > Advanced > Security >
Security Devices, and add openCryptoki as a provider. This then funnels the
crypto and certificate and key storage through openCryptoki.  If you enable the
TPM token, all your certificates will be protected by the TPM at rest.
openCryptoki is also the gateway to s390 hardware crypto, so there you'd get
hardware acceleration.

Comment 3 Bill Nottingham 2007-12-19 12:15:37 EST
Why would we want to funnel all crypto and certificates through a non-NSS mechanism?
Comment 4 Kent Yoder 2007-12-19 12:35:19 EST
  It wouldn't be a non-NSS mechanism, just a different provider.  By default,
NSS contains a software-only PKCS#11 implementation it uses internally. 
openCryptoki is just another implementation of the APIs NSS is using to
interface to this internal implementation to store certificates and do crypto. 
You might want to do this for the reasons I mentioned earlier, to get hardware
acceleration or take advantage of secure keys in the TPM or other hardware.  

  This is not the only use of PKCS#11 by the way, the Java JCE interfaces to
PKCS#11 as well.  As far as I know, NSS doesn't ship a library exposing its
PKCS#11 APIs for other software packages to take advantage of, so without
openCryptoki the JCE could not be hardware accelerated.
Comment 5 Kai Engert (:kaie) 2007-12-19 13:50:21 EST
I guess the question is, is openCryptoki an add-on or a "competitor"?

If I'm understanding correctly, it's an add-on. It sounds like openCryptoki
provides a pkcs#11 abstraction layer for certain hardware, allowing it to be
used with other applications that can talk to pkcs#11 APIs. NSS can do so.

NSS offers a tool "modutil" which can be used to load an external pkcs#11 module
into a set of user preferences (the cert dbs). The binding will be recorded in
file secmod.db which is stored next to your key3.db and cert8.db
Comment 6 Kent Yoder 2007-12-19 14:40:44 EST
Yep, I would consider it an add-on.  Different PKCS#11 implementations will
support different sets of hardware, so many can co-exist.
Comment 7 Jason Tibbitts 2008-07-02 21:50:05 EDT
I'm a bit confused by this ticket.  The last comment was made last year, there
doesn't seem to be any actual package to review, and the only reference is to
another ticket which nobody can actually look at.
Comment 8 Jason Tibbitts 2008-11-05 10:43:27 EST
Well, its been another four months and nobody has stepped up to clear up the confusion.  I'm just going to close this.
Comment 9 Michal Schmidt 2009-07-21 09:36:26 EDT
I've submitted another openCryptoki review request (with an actual package). See bug 512954.
Comment 10 Jason Tibbitts 2009-07-21 11:15:11 EDT

*** This bug has been marked as a duplicate of bug 512954 ***

Note You need to log in before you can comment on or make changes to this bug.