Revision as of 14:30, 7 May 2015

= Testing PKCS#11 support =

The proposed [https://fedoraproject.org/wiki/PackagingDrafts/PKCS11 packaging guidelines] say that any program which can accept SSL certificates from a file should also allow them to come from a PKCS#11 token. This page exists to help packagers understand those guidelines and test their packages.

== But I don't have any PKCS#11 hardware ==

You don't need hardware. There are plenty of PKCS#11 providers which are purely software. These include:
* NSS Certificate Database (Firefox, Evolution, Chrome)
* GNOME keyring
* [https://www.opendnssec.org/softhsm/ SoftHSM]

The simplest one to test with is probably GNOME keyring. Not everyone runs GNOME for their day-to-day work, but it shouldn't be too hard to use GNOME keyring just for a simple test.

== Import certificate ==

The seahorse GUI tool allows you to browse the contents of PKCS#11 tokens and import certificates and keys. If you run seahorse under GNOME you should see a 'Gnome2 Key Storage' token listed under the 'Certificates' heading. Select the 'File'... 'Import' menu item to import a certificate from a file into the GNOME keyring (or indeed any other provider you choose to use).

== Determine the PKCS#11 URI of your certificate ==

Unfortunately, seahorse doesn't show the PKCS#11 URI of the objects when you're browsing ([https://bugzilla.gnome.org/show_bug.cgi?id=749071 bug #749071]). So you'll want to use <code>p11tool</code> to list them and find the URI:
<pre>
$ p11tool --list-certs --login pkcs11:token=Gnome2%20Key%20Storage
Object 0:
URL: pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage;id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89%f6%f1%4c%11%5c%36%0e;object=Woodhouse%2c%20David;type=cert
Type: X.509 Certificate
Label: Woodhouse, David
ID: 59:ae:17:70:af:e8:af:9f:5b:94:fb:c6:89:f6:f1:4c:11:5c:36:0e
</pre>
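As an added example (not part of the wiki page or of p11tool), here is a small parser following the RFC 7512 grammar for the URI p11tool prints above: it percent-decodes the path attributes, recovers the object's CKA_ID in the colon-hex form of the ID: line, and checks whether a URI such as the bare token= one used in the command matches a given object. The URI string is copied from the output above; the function names are mine.

```python
"""RFC 7512 PKCS#11 URI parsing; added example, not part of the wiki page."""
from urllib.parse import unquote_to_bytes

# Copied from the p11tool output above (the certificate's URL: line).
SAMPLE_URI = (
    "pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;"
    "token=Gnome2%20Key%20Storage;"
    "id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89%f6%f1%4c%11%5c%36%0e;"
    "object=Woodhouse%2c%20David;type=cert"
)

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    Path attributes (token, id, object, type, ...) are ';'-separated and each
    may appear at most once; query attributes (pin-value, module-path, ...)
    are '&'-separated. Values are percent-encoded. 'id' is CKA_ID, an opaque
    byte string, so it is kept as bytes; everything else is decoded as UTF-8.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs, qattrs = {}, {}
    for part in filter(None, path.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed path attribute: %r" % part)
        if key in attrs:
            raise ValueError("duplicate path attribute: %s" % key)
        raw = unquote_to_bytes(value)
        attrs[key] = raw if key == "id" else raw.decode("utf-8")
    for part in filter(None, query.split("&")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed query attribute: %r" % part)
        qattrs[key] = unquote_to_bytes(value).decode("utf-8")
    return attrs, qattrs

def id_as_colon_hex(obj_id):
    """Render CKA_ID bytes the way p11tool prints its ID: line (59:ae:17:...)."""
    return ":".join("%02x" % b for b in obj_id)

def uri_matches(uri_attrs, obj_attrs):
    """RFC 7512 matching: each attribute the URI names must equal the object's;
    attributes the URI omits are wildcards, so the bare token= URI used in the
    p11tool command above matches every object on that token."""
    return all(obj_attrs.get(k) == v for k, v in uri_attrs.items())
```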