On Mon, Jun 04, 2018 at 02:12:58PM +0200, Jan Kurik wrote:
= Proposed System Wide Change: NSS load p11-kit modules by default =
* Daiki Ueno <dueno at redhat dot com>
When NSS database is created, PKCS#11 modules configured in the
system's p11-kit will be automatically registered and visible to NSS
== Detailed description ==
Fedora provides a mechanism to configure PKCS#11 modules system wide,
allowing the crypto libraries (GnuTLS and OpenSSL) to use PKCS#11
modules in a consistent manner. Until now NSS applications haven't
benefit from it as NSS uses a different configuration mechanism which
requires users to register PKCS#11 modules in NSS databases. This
change makes the manual procedure unnecessary, by registering the
p11-kit-proxy module (the aggregator of the system PKCS#11 modules) in
NSS databases with the default configuration.
The "how to test section" doesn't have too many details.
1. install a PKCS#11 module, say softhsm
2. create an NSS database
3. list modules registered to the NSS database, and check that there is softhsm
*Please* provide explicit instructions how to create the softhsm
module, how to do the other steps, and how to verify that it works.
It would also be great if you could provide analogous instructions
for a _hardware_ module.
The easier we make this to test for a people who don't have prior
knowledge, the higher the chances of success.