From Fedora Project Wiki
(Created page with "Category:Packaging_guidelines_drafts === Summary === * Packages providing PKCS#11 modules SHOULD also provide a corresponding file in <code>/etc/pkcs11/modules</code> in ac...") |
|||
Line 3: | Line 3: | ||
=== Summary === | === Summary === | ||
* Packages | ==== Client applications ==== | ||
* Packages which use SSL certificates/keys from a file or elsewhere SHOULD also support using certs/keys from PKCS#11 tokens. | |||
* Where PKCS#11 objects are specified in a way which is visible to the user ''(e.g. on the command line)'', objects SHOULD be specified in the form of a PKCS#11 URI as as described at http://tools.ietf.org/html/draft-pechanec-pkcs11uri-16 and http://p11-glue.freedesktop.org/pkcs11-uris.html . | |||
* Packages which can use PKCS#11 tokens SHOULD automatically use the tokens which are present in the system's p11-kit configuration, rather than needing to have a PKCS#11 provider explicitly specified. | |||
==== PKCS#11 Providers ==== | |||
* Packages providing PKCS#11 modules SHOULD also provide a corresponding module file in the directory specified by <code>pkg-config p11-kit-1 --variable p11_module_configs</code> ''(currently <code>/usr/share/p11-kit/modules</code>)'' so that the new module is automatically visible in well-behaved applications. | |||
* PKCS#11 modules SHOULD silently fail to load if their corresponding hardware is not present, or in the case of pure software tokens such as SoftHSM if there is no storage configured for the user in question. | * PKCS#11 modules SHOULD silently fail to load if their corresponding hardware is not present, or in the case of pure software tokens such as SoftHSM if there is no storage configured for the user in question. | ||
=== Rationale === | === Rationale === |
Revision as of 12:58, 15 December 2014
Summary
Client applications
- Packages which use SSL certificates/keys from a file or elsewhere SHOULD also support using certs/keys from PKCS#11 tokens.
- Where PKCS#11 objects are specified in a way which is visible to the user (e.g. on the command line), objects SHOULD be specified in the form of a PKCS#11 URI as as described at http://tools.ietf.org/html/draft-pechanec-pkcs11uri-16 and http://p11-glue.freedesktop.org/pkcs11-uris.html .
- Packages which can use PKCS#11 tokens SHOULD automatically use the tokens which are present in the system's p11-kit configuration, rather than needing to have a PKCS#11 provider explicitly specified.
PKCS#11 Providers
- Packages providing PKCS#11 modules SHOULD also provide a corresponding module file in the directory specified by
pkg-config p11-kit-1 --variable p11_module_configs
(currently/usr/share/p11-kit/modules
) so that the new module is automatically visible in well-behaved applications.
- PKCS#11 modules SHOULD silently fail to load if their corresponding hardware is not present, or in the case of pure software tokens such as SoftHSM if there is no storage configured for the user in question.
Rationale
PKCS#11 is much too hard to set up and use. With p11-kit it gets a little saner. You can import certs into your tokens with the seahorse GUI, and choose available certs with GUI widgets like the GcrComboSelector.
For non-GUI users, you can also run p11tool --list-all
to list all the available key/cert objects along with their URLs, and you can provide those URLs to compliant applications.