NSS load p11-kit modules by default
When an NSS database is created, the PKCS#11 modules configured system-wide through p11-kit are automatically registered in it and become visible to NSS applications.
- Name: Daiki Ueno
- Email: email@example.com
- Release notes owner:
- Targeted release: Fedora 29
- Last updated: 2019-08-29
- Tracker bug: #1592206
- Release Notes tracking: #184
Detailed Description
Fedora provides a mechanism to configure PKCS#11 modules system-wide, allowing the crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent manner. Until now NSS applications haven't benefited from it, as NSS uses a different configuration mechanism that requires users to register PKCS#11 modules in each NSS database. This change makes that manual procedure unnecessary by registering the p11-kit-proxy module (the aggregator of the system PKCS#11 modules) in NSS databases as part of the default configuration.
Benefit to Fedora
This change allows NSS applications to use PKCS#11 modules in the same way as the other crypto libraries, bringing consistency to PKCS#11 driver registration across the OS and improving the user experience with smartcards and HSMs on Fedora.
Scope
- Proposal owners:
- Enable p11-kit-proxy in the newly created NSS database, through the crypto-policies package.
- Modify the opensc package not to register itself to the NSS database upon installation.
- Other developers:
- Make sure that this change doesn't cause any regression with the existing applications.
- Release engineering: #7548
- List of deliverables: N/A
- Policies and guidelines: PackageMaintainers/PKCS11 needs to be updated to remove the NSS-specific registration steps
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
Uncommon or undocumented scenarios may be affected, in particular if the user previously used a configuration that conflicts with this change. In addition, support for third-party or proprietary PKCS#11 modules is out of scope of this proposal: if the user had previously installed a p11-kit configuration file for such a module, it could stop working. Even then, the user can remove that configuration file and register the module manually through the application (e.g., Firefox's preferences).
- Related bug (bugzilla.redhat.com, 2019-08-27): p11-kit-trust breaks pkcs11 client-certificate authentication with Firefox
How To Test
- Install a PKCS#11 module, say softhsm or opensc. These modules should be ready to use once the packages are installed with DNF. To use them as an HSM you need to initialize a token with softhsm2-util or attach a hardware device supported by OpenSC, such as a Nitrokey (see the wiki for details).
- Start Firefox and check if the module is listed in Preferences -> Privacy & Security -> Security Devices...
- Create an NSS database: certutil -d sql:nssdb -N --empty-password
- List modules registered to the NSS database: modutil -dbdir sql:nssdb -list
- Check that the output includes the PKCS#11 module installed in step 1 (here SoftHSM, exposed through p11-kit-proxy):

    Listing of PKCS #11 Modules
    -----------------------------------------------------------
      1. NSS Internal PKCS #11 Module
            uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.36
          slots: 2 slots attached
         status: loaded
         [...]

      2. p11-kit-proxy
         library name: p11-kit-proxy.so
            uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
          slots: 5 slots attached
         status: loaded
         [...]

           slot: SoftHSM slot ID 0x0
          token:
            uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
    -----------------------------------------------------------
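The test procedure above as a script, added here as an example; it is not part of the Change page nor of the NSS or p11-kit projects. It creates a throwaway NSS database with certutil, lists its modules with modutil, and checks that p11-kit-proxy is registered with status "loaded" and that a token (SoftHSM in the page's listing) shows up behind it. The parsing functions are exercised against a constructed copy of the page's modutil listing, so the checks run even on a machine without nss-tools; the live check is skipped when certutil/modutil are absent. The function names and the register/unregister helpers (modutil -add/-delete, the manual step this change makes unnecessary and the per-database way to undo it) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the Fedora Change page or from NSS/p11-kit.
# Assumes certutil and modutil from nss-tools and modutil's "-list" output
# format as shown on the page. SAMPLE_MODUTIL_OUTPUT is constructed from
# the page's listing so the parser can be exercised offline.

SAMPLE_MODUTIL_OUTPUT='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
        uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.36
      slots: 2 slots attached
     status: loaded
     [...]

  2. p11-kit-proxy
     library name: p11-kit-proxy.so
        uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
      slots: 5 slots attached
     status: loaded
     [...]

       slot: SoftHSM slot ID 0x0
      token:
        uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
-----------------------------------------------------------'

# module_status LISTING NAME: print the "status:" value of the named module
# ("loaded", "not loaded", ...), or nothing if it is not registered at all.
module_status() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^ *[0-9]+\. /            { sub(/^ *[0-9]+\. /, ""); cur = $0; next }
        /^[ \t]*status:/ && cur == name {
            sub(/^[ \t]*status:[ \t]*/, ""); print; exit
        }'
}

# token_listed LISTING MANUFACTURER: succeed if any token URI in the listing
# carries the given manufacturer, i.e. the proxy actually exposes the module.
token_listed() {
    printf '%s\n' "$1" | grep -q "pkcs11:manufacturer=$2"
}

# check_listing LISTING: succeed only if p11-kit-proxy is registered and loaded.
# "not loaded" (e.g. a missing p11-kit-proxy.so) is treated as a failure.
check_listing() {
    [ "$(module_status "$1" p11-kit-proxy)" = "loaded" ]
}

# Live version of the page's steps: fresh database, list, check, clean up.
# Returns 2 (and skips) when nss-tools is not installed.
check_new_nssdb() {
    command -v certutil >/dev/null 2>&1 && command -v modutil >/dev/null 2>&1 || {
        echo "nss-tools not installed; skipping live check" >&2
        return 2
    }
    dir=$(mktemp -d)
    certutil -d "sql:$dir" -N --empty-password
    listing=$(modutil -dbdir "sql:$dir" -list)
    rm -rf "$dir"
    check_listing "$listing" && token_listed "$listing" 'SoftHSM%20project'
}

# The manual registration this change makes unnecessary, and its inverse as a
# per-database opt-out. -force suppresses modutil's interactive prompt.
register_proxy()   { modutil -dbdir "sql:$1" -add p11-kit-proxy -libfile p11-kit-proxy.so -force; }
unregister_proxy() { modutil -dbdir "sql:$1" -delete p11-kit-proxy -force; }

# Usage: sh thischeck.sh   -> runs the live check against a fresh database
[ "${0##*/}" = "thischeck.sh" ] && check_new_nssdb
```

Note that unregister_proxy only affects the one database it is pointed at; Firefox and sssd each have their own, and a database created afterwards gets the proxy again from the default configuration.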
User Experience
Users of NSS applications (e.g. Firefox and sssd) will be able to use supported smartcards and HSMs without further configuration.
Dependencies
firefox, and possibly sssd's smartcard support
Contingency Plan
- Contingency mechanism: Revert the change in nss, p11-kit, or crypto-policies
- Contingency deadline: Beta freeze
- Blocks release? No
- Blocks product? No
Documentation
No new documentation is needed, but the existing documentation should be modified to remove the special cases for NSS.
Release Notes
A short sentence mentioning this change and how to opt out of it should be sufficient.