SilleBille / pki

Dogtag PKI Issues should be reported to the Dogtag PKI Pagure Issues site
https://pagure.io/dogtagpki/issues
GNU General Public License v2.0

Use p11-kit to register and use PKCS#11 provider #489

Closed SilleBille closed 4 years ago

SilleBille commented 4 years ago

This issue was migrated from Pagure Issue #3091. Originally filed by cheimes on 2019-01-22

Fedora 29 has enabled the p11-kit-proxy module globally, https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules . The p11-kit-proxy module loads and provides other PKCS#11 libraries such as softhsm2. Since a PKCS#11 provider should not be enabled twice, modutil refuses to add a module to Dogtag's NSSDB without additional confirmation. For example, a Dogtag installation with pki_hsm_enable and SoftHSM2 fails with this error message:

2019-01-22T09:42:56Z DEBUG stdout=
WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested 
to configure the module through p11-kit configuration file instead.

Type 'q <enter>' to abort, or <enter> to continue: 
Log file: /var/log/pki/pki-ca-spawn.20190122094255.log
Loading deployment configuration from /tmp/tmpmx0co0hr.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed: Command failed: modutil -dbdir /etc/pki/pki-tomcat/alias -nocertdb -add softhsm2 -libfile /usr/lib64/pkcs11/libsofthsm2.so -force

Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20190122094255.log

2019-01-22T09:42:56Z DEBUG stderr=ERROR: Failed to add module "softhsm2". Probable cause : "Unknown PKCS #11 error.".
pkispawn      : ERROR    ....... subprocess.CalledProcessError:  Command '['modutil', '-dbdir', '/etc/pki/pki-tomcat/alias', '-nocertdb', '-add', 'softhsm2', '-libfile', '/usr/lib64/pkcs11/libsofthsm2.so', '-force']' returned non-zero exit status 22.!

2019-01-22T09:42:56Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpmx0co0hr'] returned non-zero exit status 1: 'ERROR: Failed to add module "softhsm2". Probable cause : "Unknown PKCS #11 error.".\npkispawn      : ERROR    ....... subprocess.CalledProcessError:  Command \'[\'modutil\', \'-dbdir\', \'/etc/pki/pki-tomcat/alias\', \'-nocertdb\', \'-add\', \'softhsm2\', \'-libfile\', \'/usr/lib64/pkcs11/libsofthsm2.so\', \'-force\']\' returned non-zero exit status 22.!\n')

For Fedora 29 and probably also RHEL 8, Dogtag should no longer add PKCS#11 modules to its own NSSDB. Instead it should rely on system wide registration and configuration of PKCS#11 modules by p11-kit.

SilleBille commented 4 years ago

Posted by cheimes on 2019-01-22:

The p11-kit-proxy provider is automatically and globally injected into every NSSDB by /etc/crypto-policies/back-ends/nss.config. There is currently no way to disable p11-kit-proxy for an NSSDB instance.

modutil output

$ certutil -d . -f passwd -N 
$ cat pkcs11.txt 
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='.' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
$ modutil -dbdir . -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.41
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
        token: PIV_II
          uri: pkcs11:token=PIV_II;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated

p11-kit info (as normal user)

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.19
    token: PIV_II
        manufacturer: piv_II
        model: PKCS#15 emulated
        serial-number: 00000000
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized

p11-kit info (as root)

# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.19
    token: PIV_II
        manufacturer: piv_II
        model: PKCS#15 emulated
        serial-number: 00000000
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
    library-description: Implementation of PKCS11
    library-manufacturer: SoftHSM
    library-version: 2.5
    token: pkitoken
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: 0f7c15eb65ad6510
        hardware-version: 2.5
        firmware-version: 2.5
        flags:
               rng
               login-required
               user-pin-initialized
               restore-key-not-needed
               token-initialized
    token: 
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: 
        hardware-version: 2.5
        firmware-version: 2.5
        flags:
               rng
               login-required
               restore-key-not-needed
               so-pin-locked
               so-pin-to-be-changed

SilleBille commented 4 years ago

Posted by cheimes on 2019-01-22:

I think that p11-kit proxy only proxies configured PKCS#11 providers:

$ ls /usr/share/p11-kit/modules/
opensc.module  p11-kit-trust.module  softhsm2.module
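The two points above, that p11-kit-proxy is injected into every NSSDB and that it only proxies the providers configured in the p11-kit module directory, together give an installer a cheap pre-check: before running `modutil -add` for an HSM library, look for a `.module` file that already names that library, and skip the `modutil` call when one is found, since adding it would register the same provider twice. The script below is an added example, not Dogtag or FreeIPA code. It assumes p11-kit's `module:` key and the `disable-in: p11-kit-proxy` opt-out from pkcs11.conf(5); the `.module` files it scans are constructed in a temporary directory so it runs offline, and `libexample.so` / `libvendor.so` are hypothetical library names.

```shell
#!/bin/sh
# Added example, not Dogtag code: decide whether a PKCS#11 library should be
# registered in an NSSDB with modutil, or skipped because p11-kit already
# proxies it system wide. Assumes p11-kit's module config syntax
# ("module: <lib>" and "disable-in: p11-kit-proxy" from pkcs11.conf(5));
# the .module files below are constructed for the demo, so it runs offline.

# p11kit_proxies MODDIR LIBNAME
# Returns 0 when some MODDIR/*.module names LIBNAME (basename match) and does
# not opt out of the proxy with "disable-in: p11-kit-proxy"; 1 otherwise.
p11kit_proxies() {
    pk_moddir=$1
    pk_lib=$2
    for pk_f in "$pk_moddir"/*.module; do
        [ -f "$pk_f" ] || continue
        pk_mod=$(sed -n 's/^module:[[:space:]]*//p' "$pk_f" | head -n 1)
        [ "$(basename "$pk_mod")" = "$pk_lib" ] || continue
        # Module is configured but explicitly hidden from p11-kit-proxy:
        # the proxy will not expose it, so it does not count as proxied.
        if grep -q '^disable-in:.*p11-kit-proxy' "$pk_f"; then
            continue
        fi
        return 0
    done
    return 1
}

# nssdb_module_action MODDIR LIBFILE
# Prints "skip" when the library is already reachable through p11-kit-proxy
# (a second "modutil -add" would register the provider twice, which is what
# modutil warns about) and "add" when the installer still needs its own
# "modutil -dbdir <alias> -add <name> -libfile LIBFILE".
nssdb_module_action() {
    if p11kit_proxies "$1" "$(basename "$2")"; then
        echo skip
    else
        echo add
    fi
}

# Build a temporary module directory with constructed .module files mirroring
# the thread's listing (p11-kit-trust, opensc, softhsm2) plus one hypothetical
# module that opts out of the proxy. Prints the directory path.
setup_sample_modules() {
    sm_dir=$(mktemp -d)
    printf 'module: p11-kit-trust.so\ntrust-policy: yes\n' > "$sm_dir/p11-kit-trust.module"
    printf 'module: opensc-pkcs11.so\n' > "$sm_dir/opensc.module"
    printf 'module: /usr/lib64/pkcs11/libsofthsm2.so\n' > "$sm_dir/softhsm2.module"
    # Hypothetical provider that is configured but excluded from the proxy.
    printf 'module: /usr/lib64/pkcs11/libexample.so\ndisable-in: p11-kit-proxy\n' \
        > "$sm_dir/example.module"
    echo "$sm_dir"
}

# Stand-alone run: show the decision for each library against the sample dir.
# libsofthsm2.so -> skip, libexample.so -> add, libvendor.so (unconfigured) -> add
demo_dir=$(setup_sample_modules)
for demo_lib in /usr/lib64/pkcs11/libsofthsm2.so \
                /usr/lib64/pkcs11/libexample.so \
                /opt/hsm/libvendor.so; do
    printf '%s: %s\n' "$demo_lib" "$(nssdb_module_action "$demo_dir" "$demo_lib")"
done
rm -rf "$demo_dir"
```

On a real host the directories to scan are the ones p11-kit reads, typically `/usr/share/p11-kit/modules` and `/etc/pkcs11/modules`; run `p11-kit list-modules` afterwards, as the thread does, to confirm the proxy actually exposes the token you expect, since a configured module can still fail to load.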

SilleBille commented 4 years ago

Posted by abbra on 2019-04-25:

For now, we are pushing https://github.com/freeipa/freeipa/pull/3063 to FreeIPA to globally disable p11-kit proxying of SoftHSM module on IPA masters.