Use p11-kit to register and use PKCS#11 provider #3208
Comments
Comment from cheimes (@tiran) at 2019-01-22 07:47:48 The p11-kit-proxy provider is automatically and globally injected into every NSSDB by modutil output
p11-kit info (as normal user)
p11-kit info (as root)
Comment from cheimes (@tiran) at 2019-01-22 07:47:49 Metadata Update from @tiran:
Comment from cheimes (@tiran) at 2019-01-22 07:51:26 I think that p11-kit proxy only proxies configured PKCS11 providers:
Comment from abbra (@abbra) at 2019-04-25 03:03:26 For now, we are pushing freeipa/freeipa#3063 to FreeIPA to globally disable p11-kit proxying of SoftHSM module on IPA masters.
Extend module_exists() to look in the `p11-kit list-modules` output as well as the modutil output for loaded PKCS#11 modules. When adding a module, check to see if it is already loaded with that name and library and treat it as a no-op if so. Fixes: dogtagpki#3208 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
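The check that commit message describes, as an added example (not the Dogtag code or the referenced patch): a module counts as already present when either listing shows it under the same name and library. The sample listings are constructed, their layout is assumed to follow `modutil -list` and `p11-kit list-modules`, and the helper names are hypothetical.

```python
import re

# Constructed sample outputs (not captured from a real host); the layouts are
# assumed to follow `modutil -list` and `p11-kit list-modules`.
MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
\t slots: 2 slots attached
\tstatus: loaded

  2. p11-kit-proxy
\tlibrary name: p11-kit-proxy.so
\tstatus: loaded
"""

P11_KIT_LIST = """\
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
    library-description: Implementation of PKCS11
    token: constructed-token
"""

def modutil_modules(text):
    """Map module name -> library (None when no 'library name' line follows)."""
    mods, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\.\s+(.+?)\s*$", line)
        if m:
            current = m.group(1)
            mods[current] = None
        elif current and (m := re.match(r"\s*library name:\s*(\S+)", line)):
            mods[current] = m.group(1)
    return mods

def p11_kit_modules(text):
    """Map module name -> library from the unindented 'name: library' lines."""
    return dict(m.groups() for line in text.splitlines()
                if (m := re.match(r"(\S[^:]*):\s*(\S+)\s*$", line)))

def module_exists(name, library, modutil_out, p11_out):
    """True when either listing already has this name with this library."""
    for mods in (modutil_modules(modutil_out), p11_kit_modules(p11_out)):
        if mods.get(name) == library:
            return True
    return False
```

A caller would skip the add step when `module_exists()` returns True; a matching name with a different library returns False, so that case is not treated as a no-op.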
This issue was migrated from Pagure Issue #3091. Originally filed by cheimes (@tiran) on 2019-01-22 07:14:24:
Fedora 29 has enabled p11-kit-proxy module globally, https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules . The p11-kit-proxy module loads and provides other PKCS11 libraries such as softhsm2. Since a PKCS11 provider should not be enabled twice, modutil refuses to add a module to Dogtag's NSSDB without additional confirmation. For example, Dogtag installation with pki_hsm_enable and SoftHSM2 fails with error message:
For Fedora 29 and probably also RHEL 8, Dogtag should no longer add PKCS11 modules to its own NSSDB. Instead, it should rely on system-wide registration and configuration of PKCS11 modules by p11-kit.