NSS load p11-kit modules by default
When an NSS database is created, the PKCS#11 modules configured in the system's p11-kit will be automatically registered and visible to applications.
- Name: Daiki Ueno
- Email: firstname.lastname@example.org
- Release notes owner:
- Targeted release: Fedora 29
- Last updated: 2018-06-01
- Tracker bug: <will be assigned by the Wrangler>
While Fedora provides a way of configuring PKCS#11 modules on the system through p11-kit, NSS applications did not benefit from it by default, and users had to register the necessary modules manually with modutil. Making NSS aware of the system configuration as well will give them a consistent user experience regarding PKCS#11 and smartcards.
Benefit to Fedora
NSS applications can use PKCS#11 modules without any NSS-specific configuration procedure.
- Proposal owners:
  - Modify the crypto-policies package to enable p11-kit-proxy in the newly created NSS database.
  - Make sure that this change doesn't cause any regression with the existing applications.
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A
- Policies and guidelines: PackageMaintainers/PKCS11
- Trademark approval: N/A (not needed for this Change)
If the user previously used a conflicting configuration, such as using p11-kit-proxy as a replacement for p11-kit-trust, it will stop working.
How To Test
- Install a PKCS#11 module, say softhsm2
- Create an NSS database
- List the modules registered in the NSS database, and check that softhsm2 is there
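The check from the steps above as a shell script (an added example, not part of the Change page). It assumes certutil and modutil from nss-tools, and that the proxy is registered with the library p11-kit-proxy.so so that SoftHSM appears as a slot under it; the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the Change page.

# Succeed if a `modutil -list` listing (stdin) has a module whose library is
# p11-kit-proxy and which exposes a slot or token mentioning SoftHSM.
proxy_exposes_softhsm() {
    awk '
        /^ *[0-9]+\. /  { proxy = 0; next }               # start of a module section
        /library name:/ { proxy = ($0 ~ /p11-kit-proxy/) }
        proxy && /(slot|token):/ && tolower($0) ~ /softhsm/ { found = 1 }
        END { exit !found }'
}

# Steps 2 and 3 of the procedure on a throwaway database (needs nss-tools;
# the SoftHSM module from step 1 must already be installed).
test_fresh_db() {
    dbdir=$(mktemp -d) || return 2
    certutil -N -d "sql:$dbdir" --empty-password &&
        modutil -dbdir "sql:$dbdir" -list | proxy_exposes_softhsm
    rc=$?
    rm -rf "$dbdir"
    return "$rc"
}

# Constructed listing in the layout modutil prints; all values are made up.
sample_with_proxy() {
    cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM slot ID 0x1
        token: test-token
-----------------------------------------------------------
EOF
}

# Same listing cut before module 2: what a database without the proxy shows.
sample_without_proxy() { sample_with_proxy | sed '/2\. p11-kit-proxy/,$d'; }
```

On a test machine, `test_fresh_db` returns 0 only when a freshly created database already lists the SoftHSM slot with no modutil registration step.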
NSS application users are no longer required to register PKCS#11 modules manually.
- Contingency mechanism: Revert the change in crypto-policies
- Contingency deadline: Beta freeze
- Blocks release? No
- Blocks product? No
It should be sufficient to have a simple sentence mentioning this change.