Fedora 29 has enabled the p11-kit-proxy module globally, https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules . The p11-kit-proxy module loads and provides other PKCS#11 libraries such as softhsm2. Since a PKCS#11 provider should not be enabled twice, modutil refuses to add a module to Dogtag's NSSDB without additional confirmation. For example, a Dogtag installation with pki_hsm_enable and SoftHSM2 fails with the following error message:
```
2019-01-22T09:42:56Z DEBUG stdout=
WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested
to configure the module through p11-kit configuration file instead.
Type 'q <enter>' to abort, or <enter> to continue:
Log file: /var/log/pki/pki-ca-spawn.20190122094255.log
Loading deployment configuration from /tmp/tmpmx0co0hr.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: Command failed: modutil -dbdir /etc/pki/pki-tomcat/alias -nocertdb -add softhsm2 -libfile /usr/lib64/pkcs11/libsofthsm2.so -force
Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20190122094255.log

2019-01-22T09:42:56Z DEBUG stderr=ERROR: Failed to add module "softhsm2". Probable cause : "Unknown PKCS #11 error.".
pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['modutil', '-dbdir', '/etc/pki/pki-tomcat/alias', '-nocertdb', '-add', 'softhsm2', '-libfile', '/usr/lib64/pkcs11/libsofthsm2.so', '-force']' returned non-zero exit status 22.!

2019-01-22T09:42:56Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpmx0co0hr'] returned non-zero exit status 1: 'ERROR: Failed to add module "softhsm2". Probable cause : "Unknown PKCS #11 error.".\npkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command \'[\'modutil\', \'-dbdir\', \'/etc/pki/pki-tomcat/alias\', \'-nocertdb\', \'-add\', \'softhsm2\', \'-libfile\', \'/usr/lib64/pkcs11/libsofthsm2.so\', \'-force\']\' returned non-zero exit status 22.!\n')
```
For Fedora 29 and probably also RHEL 8, Dogtag should no longer add PKCS#11 modules to its own NSSDB. Instead it should rely on system wide registration and configuration of PKCS#11 modules by p11-kit.
The p11-kit-proxy provider is automatically and globally injected into every NSSDB by /etc/crypto-policies/back-ends/nss.config. There is currently no way to disable p11-kit-proxy for an NSSDB instance.
```
$ certutil -d . -f passwd -N
$ cat pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='.' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

$ modutil -dbdir . -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.41
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
        token: PIV_II
          uri: pkcs11:token=PIV_II;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated
```
```
$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.19
    token: PIV_II
        manufacturer: piv_II
        model: PKCS#15 emulated
        serial-number: 00000000
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
```
```
# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.19
    token: PIV_II
        manufacturer: piv_II
        model: PKCS#15 emulated
        serial-number: 00000000
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
    library-description: Implementation of PKCS11
    library-manufacturer: SoftHSM
    library-version: 2.5
    token: pkitoken
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number: 0f7c15eb65ad6510
        hardware-version: 2.5
        firmware-version: 2.5
        flags:
               rng
               login-required
               user-pin-initialized
               restore-key-not-needed
               token-initialized
    token:
        manufacturer: SoftHSM project
        model: SoftHSM v2
        serial-number:
        hardware-version: 2.5
        firmware-version: 2.5
        flags:
               rng
               login-required
               restore-key-not-needed
               so-pin-locked
               so-pin-to-be-changed
```
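As an added example (not Dogtag, pkispawn or p11-kit code), this is the check an installer would need before running `modutil -add`: inspect `modutil -list` and `p11-kit list-modules` output and skip the add when p11-kit-proxy already exposes the library, so the module is never registered twice. The listings are constructed samples modelled on the output above; the function names are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a PKCS#11 library still has to be registered
# in an NSSDB with "modutil -add", or whether p11-kit-proxy already exposes
# it (a second registration is what modutil warns about).

# Constructed sample of "p11-kit list-modules" output (header lines only).
P11KIT_SAMPLE='p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
softhsm2: /usr/lib64/pkcs11/libsofthsm2.so
    library-description: Implementation of PKCS11'

# Constructed sample of "modutil -dbdir <nssdb> -list" output, trimmed.
MODUTIL_SAMPLE='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
  2. p11-kit-proxy
        library name: p11-kit-proxy.so'

# p11kit_exposes LISTING LIBFILE -> 0 if a p11-kit module header line names
# LIBFILE (by full path or basename), 1 otherwise.
p11kit_exposes() {
  base=$(basename "$2")
  # escape dots so the basename is matched literally in the ERE
  pat=$(printf '%s' "$base" | sed 's/\./\\./g')
  printf '%s\n' "$1" | grep -Eq "^[^[:space:]]+: ([^[:space:]]*/)?$pat\$"
}

# nssdb_has_proxy LISTING -> 0 if p11-kit-proxy is loaded into the NSSDB.
nssdb_has_proxy() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*library name: p11-kit-proxy\.so$'
}

# needs_modutil_add MODUTIL_LISTING P11KIT_LISTING LIBFILE
# -> 0 when "modutil -add" is still required,
#    1 when p11-kit-proxy already provides the library to this NSSDB.
needs_modutil_add() {
  if nssdb_has_proxy "$1" && p11kit_exposes "$2" "$3"; then
    return 1
  fi
  return 0
}

if needs_modutil_add "$MODUTIL_SAMPLE" "$P11KIT_SAMPLE" /usr/lib64/pkcs11/libsofthsm2.so; then
  echo "modutil -add required"
else
  echo "already provided through p11-kit-proxy; skipping modutil -add"
fi
```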
I think that p11-kit proxy only proxies configured PKCS#11 providers:

```
$ ls /usr/share/p11-kit/modules/
opensc.module  p11-kit-trust.module  softhsm2.module
```
For now, we are pushing https://github.com/freeipa/freeipa/pull/3063 to FreeIPA to globally disable p11-kit proxying of SoftHSM module on IPA masters.
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3208
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)