Graham Leggett wrote:
Hi all,
389ds as shipped by RHEL9 is linked to NSS, which in theory supports PKCS11, but in
practice I can't get it to work.
Most specifically, when you display a 389ds NSS database using modutil, you see
p11-kit-proxy (good), but it reports "There are no slots attached to this module"
(bad).
Has anyone got an explanation as to why this might be?
[root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. p11-kit-proxy
library name: p11-kit-proxy.so
uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: There are no slots attached to this module
status: loaded
-----------------------------------------------------------
At the very least the system and default CA databases should be visible, but alas no:
[root@seawitch ~]# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.24
token: System Trust
manufacturer: PKCS#11 Kit
model: p11-kit-trust
serial-number: 1
hardware-version: 0.24
flags:
token-initialized
token: Default Trust
manufacturer: PKCS#11 Kit
model: p11-kit-trust
serial-number: 1
hardware-version: 0.24
flags:
write-protected
token-initialized
It may be that those two tokens are treated specially in p11-kit. The
upstream would probably be able to explain that.
If, for example, you install the softhsm package then tokens are
visible. It should be the same for any other PKCS#11 device.
On vanilla F36 with DS setup using the quickstart guide.
# dnf -y install softhsm
# modutil -list -dbdir /etc/dirsrv/slapd-localhost/
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.83
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. p11-kit-proxy
library name: p11-kit-proxy.so
uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: 1 slot attached
status: loaded
slot: SoftHSM slot ID 0x0
token:
uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
# /usr/bin/softhsm2-util --init-token --free --pin password --so-pin password --label "softhsm_token"
Slot 0 has a free/uninitialized token.
# certutil -L -d /etc/dirsrv/slapd-localhost/ -h all
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Enter Password or Pin for "softhsm_token":
Server-Cert u,u,u
Self-Signed-CA CT,,
# certutil -A -d /etc/dirsrv/slapd-localhost/ -h softhsm_token -t ,, -a -i /tmp/cert -n test
# certutil -L -d /etc/dirsrv/slapd-localhost/ -h all
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Enter Password or Pin for "softhsm_token":
Server-Cert u,u,u
Self-Signed-CA CT,,
softhsm_token:test ,,
rob
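An added check, not code from either message or from 389ds/p11-kit: it parses the text `modutil -list` prints (as quoted above) and flags a loaded module that reports no slots, which is the symptom in the first message, and can confirm that a given token is visible through p11-kit-proxy once, as in the reply, a SoftHSM token has been initialised. The embedded listings are constructed from the output in the thread.

```python
# Added example: parse `modutil -list` output and flag loaded modules with no slots.
import re
from dataclasses import dataclass, field

_MODULE_RE = re.compile(r"^\d+\.\s+(.+)$")              # "2. p11-kit-proxy"
_FIELD_RE = re.compile(r"^(status|slot|token):\s*(.*)$")  # "slots:" does not match

@dataclass
class Module:
    name: str
    status: str = ""
    slots: list[str] = field(default_factory=list)   # slot descriptions
    tokens: list[str] = field(default_factory=list)  # token labels ("" if uninitialised)

def parse_modutil_list(text: str) -> list[Module]:
    """Turn a modutil listing into Module records with their slot and token names."""
    modules: list[Module] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _MODULE_RE.match(line)
        if m:
            modules.append(Module(m.group(1).strip()))
            continue
        f = _FIELD_RE.match(line)
        if f and modules:
            key, value = f.groups()
            if key == "status":
                modules[-1].status = value
            else:  # "slot" or "token": a module may list several of each
                getattr(modules[-1], key + "s").append(value)
    return modules

def modules_without_slots(modules: list[Module]) -> list[str]:
    """Loaded modules that expose no slot at all, e.g. p11-kit-proxy in the report above."""
    return [m.name for m in modules if m.status == "loaded" and not m.slots]

def token_visible(modules: list[Module], module_name: str, token: str) -> bool:
    """True if `token` is reachable through `module_name` (e.g. SoftHSM via p11-kit-proxy)."""
    return any(m.name == module_name and token in m.tokens for m in modules)

# Constructed listings modelled on the two reports in the thread (trimmed to the fields used).
NO_SLOTS = """Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. p11-kit-proxy
        library name: p11-kit-proxy.so
         slots: There are no slots attached to this module
        status: loaded
"""
# Same listing after `dnf install softhsm` and token initialisation, as in the reply.
WITH_SOFTHSM = NO_SLOTS.replace("There are no slots attached to this module",
                                "1 slot attached") + \
    "         slot: SoftHSM slot ID 0x0\n        token: softhsm_token\n"

if __name__ == "__main__":
    print(modules_without_slots(parse_modutil_list(NO_SLOTS)))      # ['p11-kit-proxy']
    print(modules_without_slots(parse_modutil_list(WITH_SOFTHSM)))  # []
```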