p11-kit module file not installed #230

Closed
dwmw2 opened this issue Aug 31, 2016 · 12 comments
dwmw2 commented Aug 31, 2016

On systems with p11-kit (which should be all modern Linux distributions), PKCS#11 provider modules should be installing a module file which registers the provider with the system and automatically makes it available to well-behaved applications (which includes GnuTLS and the OpenSSL engine_pkcs11, and will soon include NSS too).

Please ensure that running make install installs an appropriate module file into the directory indicated by pkg-config --variable p11_module_configs p11-kit-1

jariq commented Aug 31, 2016

IMO this is a packaging-related recommendation that needs to be considered by individual package creators. If included in the standard build procedure, what would be the correct approach with more than one build of SoftHSM? I guess that the distribution package would create the /etc/pkcs11/modules/softhsm2.conf file, and what file would you expect to be created by a local build installed in the /usr/local directory?

pspacek commented Sep 1, 2016

Maybe I'm missing something, but ... IMHO the build should generate an appropriate file for that particular version (with the paths used by the "configure" script). That way distros can simply use the file (assuming that the distro allows installing only 1 version of the library at a time, which holds e.g. for all Fedora/RHEL/CentOS...).

dwmw2 commented Sep 1, 2016

@pspacek Yes, that's fairly much how I imagined it would work.

dwmw2 pushed a commit to dwmw2/SoftHSMv2 that referenced this issue Sep 9, 2016
In order for well-behaved applications to discover and use the PKCS#11
provider module, we should install a p11-kit module file for it.
jariq commented Sep 9, 2016

@pspacek I am not sure I understand. Are you saying that if I first build SoftHSM with the Botan crypto backend and the /usr/local/softhsm-botan/ prefix, and right after that I build SoftHSM with the OpenSSL crypto backend and the /usr/local/softhsm-openssl/ prefix, then I should end up with a single p11-kit module file pointing to the PKCS#11 library that was installed last (the library in /usr/local/softhsm-openssl/ in this case)?

dwmw2 commented Sep 10, 2016

Yes. That is typically how things like this work, when they install/register themselves as "plugins" to be found automatically by another piece of software.

jariq commented Sep 10, 2016

So if your patch gets included and the generated module file is adopted by distributions, then every local build will mess with the file created by the distribution package?

dwmw2 commented Sep 10, 2016

Yes. Just like when I have a plugin for something like Pidgin, it installs itself to the correct directory so it gets used. And if I eschew the distribution's provided version of that plugin and rebuild my own for some reason, it installs over the distribution's one.

We can make it optional though, if you prefer.

jariq commented Sep 10, 2016

Great idea. Please make it optional if you can.

dwmw2 pushed a commit to dwmw2/SoftHSMv2 that referenced this issue Sep 10, 2016
In order for well-behaved applications to discover and use the PKCS#11
provider module, we should install a p11-kit module file for it.

Allow this to be disabled by configuring with --disable-p11-kit
dwmw2 commented Sep 10, 2016

Now with --disable-p11-kit to turn it off. Of course now it's optional perhaps I should look at also making it install the module to the system's configured p11_module_path (e.g. /usr/lib64/pkcs11 on Fedora) and even setting DEFAULT_PKCS11_LIB to be the p11-kit proxy module, so the system's configured PKCS#11 modules are automatically visible? Perhaps later... :)

@bellgrim bellgrim added this to the 2.2.0 milestone Sep 12, 2016
@bellgrim

Thank you for the patch. Should it also be possible to configure / override the p11_module_path? E.g. if you want to install in another location than the one given by p11-kit.

dwmw2 pushed a commit to dwmw2/SoftHSMv2 that referenced this issue Sep 13, 2016
In order for well-behaved applications to discover and use the PKCS#11
provider module, we should install a p11-kit module file for it.

Allow this to be disabled by configuring with --disable-p11-kit, and do
so in the Jenkins builds since they run as an unprivileged user and
can't install to the standard p11-kit module directory.
bellgrim added a commit that referenced this issue Sep 30, 2016
Issue #230: Install p11-kit module file
bellgrim added a commit to bellgrim/SoftHSMv2 that referenced this issue Sep 30, 2016
bellgrim added a commit that referenced this issue Sep 30, 2016
Issue #230: Move configuration to an M4 script and update documentation
@bellgrim

Fixed with #233 and #248

dwmw2 commented Sep 30, 2016

> Should it also be possible to configure / override the p11_module_path? E.g. if you want to install in another location than the one given by p11-kit.

There's not a lot of point in installing to a location where p11-kit isn't going to find it :)

I suppose p11-kit will look in $HOME/.config/pkcs11/modules/ too, and perhaps it makes a little bit of sense to put module files there? But that is user configuration, and I'm not sure that make install, even when run as a given user, should be doing that automatically.
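
An audit of the registrations discussed in this thread, as an added example that is not part of the original comments or of SoftHSM: it lists every p11-kit module file in the given directories with the library its "module:" key names, and flags a missing or world-writable target and a name registered in more than one directory. The function names and status labels are made up for this example; the ".module" suffix and the "module:" key are p11-kit's module file format.

```shell
#!/bin/sh
# Added example: helper names and status labels below are constructed.

# Print the library named by the "module:" key of one p11-kit module file.
p11_module_target() {
    sed -n 's/^[[:space:]]*module[[:space:]]*:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*$//' -e 1q
}

# Usage: audit_p11_modules DIR...
# Prints one tab-separated line per *.module file:
#   name, directory, target library, status
audit_p11_modules() {
    seen=" "
    for dir in "$@"; do
        for f in "$dir"/*.module; do
            [ -f "$f" ] || continue
            name=$(basename "$f" .module)
            target=$(p11_module_target "$f")
            case "$target" in
                "")  status=NO_MODULE_KEY ;;
                /*)  if [ ! -e "$target" ]; then
                         status=MISSING
                     elif [ -n "$(find "$target" -prune -perm -0002)" ]; then
                         status=WORLD_WRITABLE   # any local user can replace it
                     else
                         status=OK
                     fi ;;
                *)   status=RELATIVE ;;   # looked up in p11-kit's module path
            esac
            # Same module name already seen in an earlier directory.
            case "$seen" in
                *" $name "*) status="$status,DUPLICATE" ;;
            esac
            seen="$seen$name "
            printf '%s\t%s\t%s\t%s\n' "$name" "$dir" "$target" "$status"
        done
    done
}

# On a real system, check the per-user directory and the system one:
# audit_p11_modules "$HOME/.config/pkcs11/modules" \
#     "$(pkg-config --variable p11_module_configs p11-kit-1)"
```

Every library listed here is loaded into each application that uses p11-kit, so a target that is missing, writable by other users, or unexpectedly pointing at a local build is worth investigating.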

Jehops pushed a commit to Jehops/freebsd-ports-legacy that referenced this issue Jan 8, 2018
- See also
  opendnssec/SoftHSMv2#230

PR:		212518
Submitted by:	jaap@NLnetLabs.nl (maintainer)
Reported by:	dwmw2@infradead.org
Tested by:	w.schwarzenfeld@utanet.at


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@458409 35697150-7ecd-e111-bb59-0022644237b5
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Jan 8, 2018
- See also
  opendnssec/SoftHSMv2#230

PR:		212518
Submitted by:	jaap@NLnetLabs.nl (maintainer)
Reported by:	dwmw2@infradead.org
Tested by:	w.schwarzenfeld@utanet.at


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@458409 35697150-7ecd-e111-bb59-0022644237b5
swills pushed a commit to swills/freebsd-ports that referenced this issue Jan 19, 2018
- See also
  opendnssec/SoftHSMv2#230

PR:		212518
Submitted by:	jaap@NLnetLabs.nl (maintainer)
Reported by:	dwmw2@infradead.org
Tested by:	w.schwarzenfeld@utanet.at


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@458409 35697150-7ecd-e111-bb59-0022644237b5
svmhdvn pushed a commit to svmhdvn/freebsd-ports that referenced this issue Jan 10, 2024
- See also
  opendnssec/SoftHSMv2#230

PR:		212518
Submitted by:	jaap@NLnetLabs.nl (maintainer)
Reported by:	dwmw2@infradead.org
Tested by:	w.schwarzenfeld@utanet.at