Graham Leggett wrote:
> Hi all,
> 
> 389ds as shipped by RHEL9 is linked to NSS, which in theory supports PKCS11, 
> but in practice I can't get to work.
> 
> Most specifically, when you display a 389ds NSS database using modutil, you 
> see p11-kit-proxy (good), but it reports "There are no slots attached to this 
> module" (bad).
> 
> Has anyone got an explanation as to why this might be?
> 
> [root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch
> 
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          uri: 
> pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
>        slots: 2 slots attached
>       status: loaded
> 
>        slot: NSS Internal Cryptographic Services
>       token: NSS Generic Crypto Services
>         uri: 
> pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
> 
>        slot: NSS User Private Key and Certificate Services
>       token: NSS Certificate DB
>         uri: 
> pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
> 
>   2. p11-kit-proxy
>       library name: p11-kit-proxy.so
>          uri: 
> pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
>        slots: There are no slots attached to this module
>       status: loaded
> -----------------------------------------------------------
> 
> At the very least the system and default CA databases should be visible, but 
> alas no:
> 
> [root@seawitch ~]# p11-kit list-modules 
> p11-kit-trust: p11-kit-trust.so
>     library-description: PKCS#11 Kit Trust Module
>     library-manufacturer: PKCS#11 Kit
>     library-version: 0.24
>     token: System Trust
>         manufacturer: PKCS#11 Kit
>         model: p11-kit-trust
>         serial-number: 1
>         hardware-version: 0.24
>         flags:
>                token-initialized
>     token: Default Trust
>         manufacturer: PKCS#11 Kit
>         model: p11-kit-trust
>         serial-number: 1
>         hardware-version: 0.24
>         flags:
>                write-protected
>                token-initialized

It may be that those two tokens are treated specially in p11-kit. The
upstream would probably be able to explain that.

If, for example, you install the softhsm package then tokens are
visible. It should be the same for any other PKCS#11 device.

On vanilla F36 with DS setup using the quickstart guide.

# dnf -y install softhsm
# modutil -list -dbdir /etc/dirsrv/slapd-localhost/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri:
pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.83
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri:
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri:
pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri:
pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM slot ID 0x0
        token:
          uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2

# /usr/bin/softhsm2-util --init-token --free --pin password --so-pin password --label "softhsm_token"
Slot 0 has a free/uninitialized token.
# certutil -L -d /etc/dirsrv/slapd-localhost/ -h all

Certificate Nickname                                         Trust Attributes

SSL,S/MIME,JAR/XPI

Enter Password or Pin for "softhsm_token":
Server-Cert                                                  u,u,u
Self-Signed-CA                                               CT,,

# certutil -A -d /etc/dirsrv/slapd-localhost/ -h softhsm_token -t ,, -a -i /tmp/cert -n test
# certutil -L -d /etc/dirsrv/slapd-localhost/ -h all

Certificate Nickname                                         Trust Attributes

SSL,S/MIME,JAR/XPI

Enter Password or Pin for "softhsm_token":
Server-Cert                                                  u,u,u
Self-Signed-CA                                               CT,,
softhsm_token:test                                           ,,

rob
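A small parser for the `modutil -list` output shown in this thread, added here as an example and not code from 389ds, NSS or p11-kit: it flags loaded modules that report no slots (the condition in the first mail, which an admin would want to detect before relying on p11-kit-proxy) and decodes the pkcs11: URIs. The sample output is constructed from the thread and abridged; the regexes, function names and dict layout are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample (abridged from the thread's modutil output; the proxy's uri is wrapped as in mail).
SAMPLE = """\
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-version=3.79
       slots: 2 slots attached

       slot: NSS User Private Key and Certificate Services
      token: NSS Certificate DB
        uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation

  2. p11-kit-proxy
         uri:
pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
       slots: There are no slots attached to this module
"""

MODULE_RE = re.compile(r"^(\d+)\.\s+(.+?)\s*$")  # e.g. "2. p11-kit-proxy"

def parse_pkcs11_uri(uri):
    """Decode the path attributes of an RFC 7512 pkcs11: URI into a dict."""
    pairs = (p.partition("=") for p in uri[len("pkcs11:"):].split(";") if p)
    return {k: unquote(v) for k, _, v in pairs}

def parse_modutil(text):
    """Map module name -> {"slots": int, "tokens": [names], "library": {uri attrs}}."""
    modules, cur = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := MODULE_RE.match(s):
            cur = modules.setdefault(m.group(2), {"slots": 0, "tokens": [], "library": {}})
            continue
        if cur is None:
            continue
        if s.startswith("pkcs11:"):           # uri value wrapped onto its own line
            key, val = "uri", s
        else:
            key, _, val = (part.strip() for part in s.partition(":"))
        if key == "slots":                    # "There are no slots attached ..." -> 0
            cur["slots"] = int(n.group(1)) if (n := re.match(r"(\d+) slots? attached", val)) else 0
        elif key == "token" and val:
            cur["tokens"].append(val)
        elif key == "uri" and val and not cur["library"]:
            cur["library"] = parse_pkcs11_uri(val)   # first uri belongs to the library
    return modules

def modules_without_slots(text):
    """Loaded modules that expose no slots, the symptom seen with p11-kit-proxy above."""
    return [name for name, mod in parse_modutil(text).items() if mod["slots"] == 0]
```

Feeding it the real output (`modutil -list -dbdir /etc/dirsrv/slapd-<instance>`) gives a quick check that the proxy actually exposes the expected token before configuring the server to use it.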