NSS load p11-kit modules by default
Summary
When an NSS database is created, the PKCS#11 modules configured in the system's p11-kit will be registered automatically and become visible to NSS applications.
Owner
- Name: Daiki Ueno
- Email: dueno@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 29
- Last updated: 2018-06-02
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Although Fedora provides a mechanism to configure PKCS#11 modules system wide, allowing the crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent manner, NSS applications didn't benefit from it, because NSS uses a different configuration mechanism that requires users to register PKCS#11 modules with modutil. This change makes NSS load the p11-kit-proxy module (the aggregator of the system PKCS#11 modules) automatically, and thus provides a user experience consistent with the other crypto libraries.
See also:
Benefit to Fedora
This change allows NSS applications to use PKCS#11 modules in the same way as the other crypto libraries. That improves the user experience of smartcards and HSMs on Fedora.
Scope
- Proposal owners:
- Modify the crypto-policies package to enable p11-kit-proxy in the newly created NSS database.
- Make sure that this change doesn't cause any regression with the existing applications.
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A
- Policies and guidelines: PackageMaintainers/PKCS11 needs to be updated, mainly to remove the NSS-specific registration instructions
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
If the user previously relied on a conflicting configuration, such as using p11-kit-proxy as a replacement for p11-kit-trust, that configuration will stop working.
How To Test
- install a PKCS#11 module, say softhsm2
- create an NSS database
- list modules registered to the NSS database, and check that there is softhsm2
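The three steps above as a concrete script (an added example, not part of this Change page). It assumes the certutil and modutil tools from nss-tools and the softhsm2 package are installed; the database directory is a placeholder, and the modutil output the check is written against is a constructed sample, since after this change NSS shows the softhsm2 token as a slot under the single p11-kit-proxy module rather than as a module of its own.

```shell
#!/bin/sh
# Added example for the "How To Test" steps; not code from the Change page.
# Assumes nss-tools (certutil, modutil) and softhsm2 are installed.
set -eu

# Check a `modutil -list` listing (read from stdin) for a module or token name.
# Case-insensitive, so "SoftHSM slot ID 0x0" matches the pattern "softhsm".
nss_lists_module() {
    grep -qi -- "$1"
}

# Step 2: create a fresh, empty NSS database in a placeholder directory.
create_nss_db() {
    dbdir="$1"
    mkdir -p "$dbdir"
    certutil -N -d "sql:$dbdir" --empty-password
}

# Step 3: list what NSS registered in the new database. With this change the
# listing is expected to contain "p11-kit-proxy" and a SoftHSM slot; on an
# older release only the NSS Internal PKCS #11 Module appears.
list_nss_modules() {
    modutil -dbdir "sql:$1" -list
}

# Legacy, pre-change workaround that this Change makes unnecessary: register
# the proxy module by hand (-force skips modutil's interactive confirmation).
register_p11_kit_proxy_manually() {
    modutil -dbdir "sql:$1" -add p11-kit-proxy -libfile p11-kit-proxy.so -force
}

# Usage (placeholder path):
#   create_nss_db /tmp/nssdb-test
#   list_nss_modules /tmp/nssdb-test | nss_lists_module softhsm && echo "softhsm2 visible"
```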
User Experience
NSS application users are no longer required to register PKCS#11 modules manually.
Dependencies
firefox, and possibly sssd's smartcard support
Contingency Plan
- Contingency mechanism: Revert the change in crypto-policies
- Contingency deadline: Beta freeze
- Blocks release? No
- Blocks product? No
Documentation
N/A
Release Notes
It should be sufficient to have a simple sentence mentioning this change.