Monday, October 3, 2022

[389-users] Re: 389ds and PKCS11 - how does 389ds read certificates/keys from p11kit?

Hi Graham,

389ds relies on the NSS framework, so IMHO the question should be how to use p11-kit-trust with NSS.

I cannot help you much on this point as your question reached the limit of my knowledge about NSS, but if no one else has a better answer here are some hints.
While looking on the web, I found several pages that may interest you:
  - https://www.dogtagpki.org/wiki/NSS_Fedora_Development
    (The contact link may help you to get a more precise answer)
  - https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
    (And especially the "How to test" section that may interest you)
 
Apparently p11-kit-proxy allows you to install and use p11kit modules, but you also have to install these modules with modutil to be able to use this feature (maybe trying to load p11-kit-trust in NSS with modutil will do the trick, but that is just a wild guess).

Good luck!
  Pierre

On Sun, Oct 2, 2022 at 7:07 PM Graham Leggett <minfrin@sharp.fm> wrote:
Hi all,

389ds as shipped by RHEL9 is linked to NSS, which in theory supports PKCS11, but in practice I can't get it to work.

Most specifically, when you display a 389ds NSS database using modutil, you see p11-kit-proxy (good), but it reports "There are no slots attached to this module" (bad).

Has anyone got an explanation as to why this might be?

[root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: There are no slots attached to this module
        status: loaded
-----------------------------------------------------------

At the very least the system and default CA databases should be visible, but alas no:

[root@seawitch ~]# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
               write-protected
               token-initialized

Regards,
Graham

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--

389 Directory Server Development Team
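
The two listings above can be checked mechanically. The script below is an added example, not code from the thread or from the 389ds project: it parses `modutil -list` output and reports every loaded module whose "slots:" line says nothing is attached (the symptom Graham describes for p11-kit-proxy), and parses `p11-kit list-modules` output to show which tokens the trust module exposes. The embedded sample text is constructed from the listings in the mail so the script runs offline; on a live system, pipe the real command output into the same functions (the `slapd-<instance>` path is a placeholder for your own instance directory).

```shell
#!/bin/sh
# Added example: offline checks over modutil and p11-kit listings.
# Live use (assumed invocation, substitute your own instance):
#   modutil -list -dbdir /etc/dirsrv/slapd-<instance> | modules_without_slots
#   p11-kit list-modules | trust_tokens

# Constructed sample: an abridged copy of the modutil listing from the mail.
SAMPLE_MODUTIL='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: There are no slots attached to this module
        status: loaded
-----------------------------------------------------------'

# Constructed sample: an abridged copy of the p11-kit listing from the mail.
SAMPLE_P11KIT='p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1'

# Read a `modutil -list` listing on stdin; print the name of every numbered
# module entry whose module-level "slots:" line reports nothing attached.
# The per-slot "slot:" lines (singular) do not match and are ignored.
modules_without_slots() {
    awk '
        /^ *[0-9]+\. /                            { sub(/^ *[0-9]+\. /, ""); name = $0; next }
        /^ *slots: *There are no slots attached/  { print name }
    '
}

# Read a `p11-kit list-modules` listing on stdin; print "<module>: <token>"
# for each token so you can see which trust tokens p11-kit itself exposes.
trust_tokens() {
    awk '
        /^[^ ]/        { sub(/:.*/, ""); mod = $0; next }
        /^ *token: /   { sub(/^ *token: /, ""); print mod ": " $0 }
    '
}

# Return 0 when every module in the listing has at least one slot, 1 otherwise;
# the names of empty modules go to stderr so the check can be used in scripts.
nss_db_healthy() {
    empty=$(modules_without_slots)
    if [ -n "$empty" ]; then
        printf 'module(s) loaded with no slots: %s\n' "$empty" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_MODUTIL" | nss_db_healthy || echo "NSS database check failed"
printf '%s\n' "$SAMPLE_P11KIT" | trust_tokens
```

Run against the sample, `nss_db_healthy` fails and names `p11-kit-proxy`, while `trust_tokens` lists the System Trust and Default Trust tokens: that combination is exactly the mismatch in the mail, where p11-kit knows about the trust tokens but the NSS database's proxy entry exposes none of them.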