Use p11-kit to register and use PKCS#11 provider #3208

Closed
pki-bot opened this issue Oct 3, 2020 · 4 comments · Fixed by #4191

Comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #3091. Originally filed by cheimes (@tiran) on 2019-01-22 07:14:24:

  • Assigned to nobody

Fedora 29 has enabled the p11-kit-proxy module globally, https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules . The p11-kit-proxy module loads and provides other PKCS11 libraries such as softhsm2. Since a PKCS11 provider should not be enabled twice, modutil refuses to add a module to Dogtag's NSSDB without additional confirmation. For example, Dogtag installation with pki_hsm_enable and SoftHSM2 fails with the error message:

2019-01-22T09:42:56Z DEBUG stdout=
WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested 
to configure the module through p11-kit configuration file instead.

Type 'q <enter>' to abort, or <enter> to continue: 
Log file: /var/log/pki/pki-ca-spawn.20190122094255.log
Loading deployment configuration from /tmp/tmpmx0co0hr.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed: Command failed: modutil -dbdir /etc/pki/pki-tomcat/alias -nocertdb -add softhsm2 -libfile /usr/lib64/pkcs11/libsofthsm2.so -force

Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20190122094255.log

2019-01-22T09:42:56Z DEBUG stderr=ERROR: Failed to add module "softhsm2". Probable cause : "Unknown PKCS 11 error.".
pkispawn      : ERROR    ....... subprocess.CalledProcessError:  Command '['modutil', '-dbdir', '/etc/pki/pki-tomcat/alias', '-nocertdb', '-add', 'softhsm2', '-libfile', '/usr/lib64/pkcs11/libsofthsm2.so', '-force']' returned non-zero exit status 22.!

2019-01-22T09:42:56Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpmx0co0hr'] returned non-zero exit status 1: 'ERROR: Failed to add module "softhsm2". Probable cause : "Unknown PKCS 11 error.".\npkispawn      : ERROR    ....... subprocess.CalledProcessError:  Command \'[\'modutil\', \'-dbdir\', \'/etc/pki/pki-tomcat/alias\', \'-nocertdb\', \'-add\', \'softhsm2\', \'-libfile\', \'/usr/lib64/pkcs11/libsofthsm2.so\', \'-force\']\' returned non-zero exit status 22.!\n')

For Fedora 29 and probably also RHEL 8, Dogtag should no longer add PKCS11 modules to its own NSSDB. Instead it should rely on system wide registration and configuration of PKCS11 modules by p11-kit.

pki-bot commented Oct 3, 2020

Comment from cheimes (@tiran) at 2019-01-22 07:47:48

The p11-kit-proxy provider is automatically and globally injected into every NSSDB by /etc/crypto-policies/back-ends/nss.config. There is currently no way to disable p11-kit-proxy for an NSSDB instance.

modutil output

$ certutil -d . -f passwd -N 
$ cat pkcs11.txt 
library=
name=NSS Internal PKCS 11 Module
parameters=configdir='.' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
$ modutil -dbdir . -list

Listing of PKCS 11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS 11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.41
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
        token: PIV_II
          uri: pkcs11:token=PIV_II;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated

p11-kit info (as normal user)

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS11 Kit Trust Module
    library-manufacturer: PKCS11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
    token: Default Trust
        manufacturer: PKCS11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.19
    token: PIV_II
        manufacturer: piv_II
        model: PKCS15 emulated
        serial-number: 00000000
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized

p11-kit info (as root)

# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS11 Kit Trust Module
    library-manufacturer: PKCS11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.19
    token: PIV_II
        manufacturer: piv_II
        model: PKCS15 emulated
        serial-number: 00000000
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
    library-description: Implementation of PKCS11
    library-manufacturer: SoftHSM
    library-version: 2.5
    token: pkitoken
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: 0f7c15eb65ad6510
        hardware-version: 2.5
        firmware-version: 2.5
        flags:
               rng
               login-required
               user-pin-initialized
               restore-key-not-needed
               token-initialized
    token: 
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: 
        hardware-version: 2.5
        firmware-version: 2.5
        flags:
               rng
               login-required
               restore-key-not-needed
               so-pin-locked
               so-pin-to-be-changed

pki-bot commented Oct 3, 2020

Comment from cheimes (@tiran) at 2019-01-22 07:47:49

Metadata Update from @tiran:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field type adjusted to None
  • Custom field version adjusted to None

pki-bot commented Oct 3, 2020

Comment from cheimes (@tiran) at 2019-01-22 07:51:26

I think that p11-kit proxy only proxies configured PKCS11 providers:

$ ls /usr/share/p11-kit/modules/
opensc.module  p11-kit-trust.module  softhsm2.module

pki-bot commented Oct 3, 2020

Comment from abbra (@abbra) at 2019-04-25 03:03:26

For now, we are pushing freeipa/freeipa#3063 to FreeIPA to globally disable p11-kit proxying of SoftHSM module on IPA masters.

rcritten added commits to rcritten/pki that referenced this issue on Oct 13, 2022 (two commits), Oct 28, 2022 and Nov 2, 2022, each carrying the same message:

Extend module_exists() to look in the `p11-kit list-modules`
output as well as the modutil output for loaded PKCS#11
modules.

When adding a module, check to see if it is already loaded with
that name and library and treat it as a no-op if so.

Fixes: dogtagpki#3208

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
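The commit message above describes the check that closed this issue: consult both `modutil -list` and `p11-kit list-modules` before running `modutil -add`, and skip the add when the module is already reachable. What follows is an added illustration written for this thread, not the code from the pki repository (Dogtag's real `module_exists()` lives in its Python deployment tooling and has a different signature). The function names `parse_p11kit_modules`, `parse_modutil_modules`, `module_exists` and `add_module_command` are this example's own, and the two listings are constructed samples abridged from the `modutil` and `p11-kit` output quoted earlier in the thread. It treats a module as present when the NSSDB lists it directly, or when the NSSDB loads p11-kit-proxy and p11-kit registers a module of that name backed by the same library file; in a database where p11-kit-proxy is not injected, the p11-kit registration does not count and the `modutil -add` is still needed.

```python
"""Decide whether `modutil -add` is needed for a PKCS#11 module in an NSSDB.

Added example for this issue thread; not Dogtag's own module_exists().
Function names and the sample listings below are this example's own.
"""
import os
import re
from typing import Dict, List, Optional

# Constructed sample: abridged `p11-kit list-modules` output from this thread.
P11KIT_LIST_MODULES = """\
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS11 Kit Trust Module
    token: System Trust
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    token: PIV_II
softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
    library-description: Implementation of PKCS11
    token: pkitoken
"""

# Constructed sample: abridged `modutil -dbdir <dir> -list` output from this thread.
MODUTIL_LIST = """\
Listing of PKCS 11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS 11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-version=3.41
         slots: 2 slots attached
        status: loaded

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
         slots: 1 slot attached
        status: loaded
"""

# The same NSSDB listing without p11-kit-proxy (crypto-policies not injecting it).
MODUTIL_LIST_NO_PROXY = MODUTIL_LIST.split("  2. p11-kit-proxy")[0]


def parse_p11kit_modules(output: str) -> Dict[str, str]:
    """Return {module name: library} from `p11-kit list-modules`.

    Only unindented 'name: library' lines are module headers; the indented
    lines underneath describe the module and its tokens and are skipped.
    """
    modules: Dict[str, str] = {}
    for line in output.splitlines():
        if not line or line[0].isspace():
            continue
        name, sep, lib = line.partition(":")
        if sep:
            modules[name.strip()] = lib.strip()
    return modules


def parse_modutil_modules(output: str) -> Dict[str, Optional[str]]:
    """Return {module name: library file or None} from `modutil -list`.

    Module entries start with '  N. <name>'; an optional indented
    'library name: <file>' line follows (absent for the NSS internal module).
    """
    modules: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        header = re.match(r"\s*\d+\.\s+(.*\S)\s*$", line)
        if header:
            current = header.group(1)
            modules[current] = None
            continue
        lib = re.match(r"\s*library name:\s*(\S+)", line)
        if lib and current is not None:
            modules[current] = lib.group(1)
    return modules


def module_exists(name: str, libfile: str, modutil_output: str, p11kit_output: str) -> bool:
    """True if NSS already sees `name`: registered directly in the NSSDB, or
    reachable through p11-kit-proxy with the same library file."""
    nss = parse_modutil_modules(modutil_output)
    if name in nss:
        return True
    # p11-kit registrations only matter if this NSSDB actually loads the proxy.
    if "p11-kit-proxy" not in nss:
        return False
    lib = parse_p11kit_modules(p11kit_output).get(name)
    return lib is not None and os.path.basename(lib) == os.path.basename(libfile)


def add_module_command(name: str, libfile: str, dbdir: str,
                       modutil_output: str, p11kit_output: str) -> Optional[List[str]]:
    """Return the `modutil -add` argv to run, or None when adding is a no-op."""
    if module_exists(name, libfile, modutil_output, p11kit_output):
        return None
    return ["modutil", "-dbdir", dbdir, "-nocertdb", "-add", name,
            "-libfile", libfile, "-force"]


if __name__ == "__main__":
    lib = "/usr/lib64/pkcs11/libsofthsm2.so"
    for label, listing in (("with proxy", MODUTIL_LIST), ("without proxy", MODUTIL_LIST_NO_PROXY)):
        cmd = add_module_command("softhsm2", lib, "/etc/pki/pki-tomcat/alias", listing, P11KIT_LIST_MODULES)
        print(f"{label}: {'skip, already loaded' if cmd is None else ' '.join(cmd)}")
```

Comparing library basenames rather than full paths is deliberate: `p11-kit list-modules` prints the bare file name for modules found on its default module path (`opensc-pkcs11.so`) and the absolute path only when the `.module` file gives one (`/usr/lib64/pkcs11/libsofthsm2.so`), so an exact path comparison would miss real matches.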