From Fedora Project Wiki

Revision as of 14:30, 7 May 2015

= Testing PKCS#11 support =

The proposed [https://fedoraproject.org/wiki/PackagingDrafts/PKCS11 packaging guidelines] say that any program which can accept SSL certificates from a file should also allow them to come from a PKCS#11 token. This page exists to help packagers understand those guidelines and test their packages.

== But I don't have any PKCS#11 hardware ==

You don't need hardware. There are plenty of PKCS#11 providers which are purely software. These include:

* NSS Certificate Database (Firefox, Evolution, Chrome)
* GNOME keyring
* [https://www.opendnssec.org/softhsm/ SoftHSM]

The simplest one to test with is probably GNOME keyring. Obviously not everyone will be running GNOME for their day-to-day usage, but it shouldn't be too hard to use GNOME keyring just for a simple test.

== Import certificate ==

The seahorse GUI tool allows you to browse the contents of PKCS#11 tokens and import certificates and keys. If you simply run seahorse under GNOME you should see a 'Gnome2 Key Storage' token listed under the 'Certificates' heading. You can select the 'File'... 'Import' menu item to import a certificate from a file into the GNOME keyring (or indeed any other provider you choose to use).

== Determine the PKCS#11 URI of your certificate ==

Unfortunately, seahorse doesn't show the PKCS#11 URI of the objects when you're browsing them ([https://bugzilla.gnome.org/show_bug.cgi?id=749071 bug #749071]). So you'll want to use <code>p11tool</code> to list them and find the URI:

<pre>
$ p11tool --list-certs --login pkcs11:token=Gnome2%20Key%20Storage
Object 0:
	URL: pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage;id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89%f6%f1%4c%11%5c%36%0e;object=Woodhouse%2c%20David;type=cert
	Type: X.509 Certificate
	Label: Woodhouse, David
	ID: 59:ae:17:70:af:e8:af:9f:5b:94:fb:c6:89:f6:f1:4c:11:5c:36:0e
</pre>
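The URL line that p11tool prints is an RFC 7512 PKCS#11 URI: a list of percent-encoded <code>name=value</code> attributes separated by semicolons, where <code>id</code> is the binary CKA_ID and shows up on the <code>ID:</code> line as colon-separated hex. The parser and builder below are an added example (not from the wiki page or any Fedora tool) that decodes the sample URI above so you can check that the object you pass to a program is really the one you imported; the function names are my own.

```python
"""Parse and build PKCS#11 URIs (RFC 7512) as printed by p11tool.

Added example, not part of the Fedora wiki page. SAMPLE_URI is the URL
p11tool printed above; the helper names here are constructed for this example.
"""
from urllib.parse import quote, unquote_to_bytes

SAMPLE_URI = ("pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;"
              "token=Gnome2%20Key%20Storage;id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89"
              "%f6%f1%4c%11%5c%36%0e;object=Woodhouse%2c%20David;type=cert")


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict.

    Values are percent-decoded. 'id' (CKA_ID) is binary and returned as bytes;
    every other attribute is returned as a UTF-8 string. Query attributes
    (after '?', e.g. pin-source) are ignored here.
    """
    scheme, sep, rest = uri.partition(":")
    if scheme.lower() != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, _query = rest.partition("?")
    attrs = {}
    for component in filter(None, path.split(";")):
        name, eq, value = component.partition("=")
        if not eq:
            raise ValueError(f"malformed component {component!r}")
        if name in attrs:  # RFC 7512 forbids repeating a path attribute
            raise ValueError(f"duplicate attribute {name!r}")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def id_to_colon_hex(cka_id):
    """Format a CKA_ID the way p11tool's 'ID:' line does (59:ae:17:...)."""
    return ":".join(f"{b:02x}" for b in cka_id)


def build_pkcs11_uri(attrs):
    """Inverse of parse_pkcs11_uri: percent-encode every value, byte-wise for 'id'."""
    parts = []
    for name, value in attrs.items():
        if name == "id":
            parts.append("id=" + "".join(f"%{b:02x}" for b in value))
        else:
            parts.append(f"{name}={quote(value, safe='')}")
    return "pkcs11:" + ";".join(parts)


if __name__ == "__main__":
    a = parse_pkcs11_uri(SAMPLE_URI)
    print(a["token"], "/", a["object"], "/", id_to_colon_hex(a["id"]))
```

Because <code>build_pkcs11_uri</code> encodes ':' and ',' as well as spaces, a URI it produces round-trips through <code>parse_pkcs11_uri</code> unchanged even though its hex case may differ from what p11tool prints.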