From Fedora Project Wiki
Line 20: Line 20:
  
 
Unfortunately, seahorse doesn't show the PKCS#11 URI of the objects when you're browsing [https://bugzilla.gnome.org/show_bug.cgi?id=749071 bug #749071]. So you'll want to use <code>p11tool</code> to list them and find the URI:
 
Unfortunately, seahorse doesn't show the PKCS#11 URI of the objects when you're browsing [https://bugzilla.gnome.org/show_bug.cgi?id=749071 bug #749071]. So you'll want to use <code>p11tool</code> to list them and find the URI:
<code>
+
<pre>
 
$ p11tool --list-certs --login pkcs11:token=Gnome2%20Key%20Storage
 
$ p11tool --list-certs --login pkcs11:token=Gnome2%20Key%20Storage
 
Object 0:
 
Object 0:
Line 27: Line 27:
 
Label: Woodhouse, David
 
Label: Woodhouse, David
 
ID: 59:ae:17:70:af:e8:af:9f:5b:94:fb:c6:89:f6:f1:4c:11:5c:36:0e
 
ID: 59:ae:17:70:af:e8:af:9f:5b:94:fb:c6:89:f6:f1:4c:11:5c:36:0e
</code>
+
</pre>
 +
 
 +
The interesting part there is the URL. In fact a lot of the information there is redundant; all you probably need is the <code>token</code> and <code>id</code> parts:
 +
 
 +
<pre>pkcs11:token=Gnome2%20Key%20Storage;id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89%f6%f1%4c%11%5c%36%0e</pre>

Revision as of 14:34, 7 May 2015

Testing PKCS#11 support

The proposed packaging guidelines say that any program which can accept SSL certificates from a file should also allow them to come from a PKCS#11 token. This page exists to help packagers understand those guidelines and test their packages.

But I don't have any PKCS#11 hardware

You don't need hardware. There are plenty of PKCS#11 providers which are purely software. These include

  • NSS Certificate Database (Firefox, Evolution, Chrome)
  • GNOME keyring
  • SoftHSM

The simplest one to test with is probably GNOME keyring. Obviously not everyone will be running GNOME for their day-to-day usage but it shouldn't be too hard to use GNOME keyring just for a simple test.

Import certificate

The seahorse GUI tool allows you to browse the contents of PKCS#11 tokens and import certificates and keys. If you simply run seahorse under GNOME you should see a 'Gnome2 Key Storage' token listed under the 'Certificates' heading. You can select the 'File'... 'Import' menu item to import a certificate from a file into the GNOME keyring (or indeed any other provider you choose to use).

Determine the PKCS#11 URI of your certificate

Unfortunately, seahorse doesn't show the PKCS#11 URI of the objects when you're browsing bug #749071. So you'll want to use p11tool to list them and find the URI:

$ p11tool --list-certs --login pkcs11:token=Gnome2%20Key%20Storage
Object 0:
	URL: pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage;id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89%f6%f1%4c%11%5c%36%0e;object=Woodhouse%2c%20David;type=cert
	Type: X.509 Certificate
	Label: Woodhouse, David
	ID: 59:ae:17:70:af:e8:af:9f:5b:94:fb:c6:89:f6:f1:4c:11:5c:36:0e

The interesting part there is the URL. In fact a lot of the information there is redundant; all you probably need is the token and id parts:

pkcs11:token=Gnome2%20Key%20Storage;id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89%f6%f1%4c%11%5c%36%0e