Replace Coolkey with OpenSC
Summary
Several PKCS#11 libraries in the system provide drivers for the same smart cards. For the next releases, we would like to promote OpenSC as the default PKCS#11 provider wherever the Coolkey driver is used today, which will extend the list of supported smart cards and make full use of OpenSC.
Owner
- Name: Jakub Jelen
- Email: jjelen@redhat.com
- Release notes owner:
Current status
Detailed Description
Currently, there are several PKCS#11 modules available in Fedora, some of which provide the same functionality as others. The majority of upstream smart card work is done in the OpenSC project, which supports all the major cards we are interested in having in Fedora and maintains a lively community. On the other side, there is no significant development effort in the Coolkey project, which is currently used by default in some applications (NSS).
In both projects, the provided PKCS#11 libraries are dynamically loaded modules following the same API and ABI, so existing applications need not depend directly on either package. The transition can be as smooth as changing the path in the configuration, if required. The only exceptions are NSS (Coolkey installs its module into the NSS database), ESC and pesign (their explicit Requires should be removed).
$ dnf repoquery --whatrequires coolkey
esc-0:1.1.0-30.fc25.x86_64
pesign-0:0.112-4.fc25.x86_64
We would like to
- Get rid of explicit requires (pesign, esc)
- Switch the default PKCS#11 module in applications from Coolkey to OpenSC (NSS, ESC, pesign, ...?)
- Retire the Coolkey package from Fedora (estimated in Fedora 27+)
During the last months we worked with the NSS team to implement and test missing features in OpenSC so that it follows the CoolKey driver and specification behavior, and Firefox and other NSS applications can use OpenSC without regressions.
Benefit to Fedora
Having multiple PKCS#11 provider libraries can be confusing for users, especially when they are used through a proxy such as p11-kit: the same token can then show up multiple times with different functionality.
There is no significant development going on in Coolkey anymore, unlike OpenSC, which has a very active upstream that frequently delivers drivers for new cards and fixes reported problems promptly.
Scope
- Proposal owners:
- For Fedora 26, we want to switch all applications to OpenSC and leave Coolkey as a backup. We will unregister Coolkey from the NSS database and register OpenSC instead.
- For Fedora 27, we would like to retire the coolkey package, if no problems show up with the transition in the previous phase.
- Other developers:
- Other packages using PKCS#11 that depended on coolkey directly should make sure they work with OpenSC in future releases (this will be communicated to the affected package owners).
- Release engineering: N/A
Upgrade/compatibility impact
Previously installed Fedora systems will have Coolkey registered in the NSS database (if it was installed). The upgrade path needs to ensure that Coolkey is removed from the database and OpenSC is registered instead (Coolkey recommends OpenSC).
All cards supported by Coolkey should by now be supported by OpenSC (with the CAC patch applied).
How To Test
- Make sure you have the following packages installed: opensc, coolkey and nss-tools
- Have a supported smart card (Nitrokey, YubiKey)
- The command
modutil -list -dbdir /etc/pki/nssdb
should list "OpenSC PKCS #11 Module" and should not list "CoolKey PKCS #11 Module"
- The command
p11tool --list-tokens
should list the inserted card once
- Any of your applications using smart cards/PKCS#11 should work with the /usr/lib64/pkcs11/opensc-pkcs11.so PKCS#11 module instead of /usr/lib64/pkcs11/libcoolkeypk11.so
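The NSS database check from the test steps above, together with the upgrade path from the Upgrade/compatibility impact section (drop the CoolKey registration, register OpenSC), as an added shell example that is not code from this page or from the OpenSC, Coolkey or NSS projects. It assumes the module name "OpenSC PKCS #11 Module", the library path /usr/lib64/pkcs11/opensc-pkcs11.so and the /etc/pki/nssdb database quoted on this page; the two modutil listings embedded in it are constructed samples, not output captured from a real system.

```shell
#!/bin/sh
# Added example: parse `modutil -list` output, check the expected post-change
# NSS state (OpenSC registered, CoolKey absent) and migrate a real database.
# Assumptions: modutil comes from nss-tools; module name, library path and
# database directory are the ones quoted on the change page.

OPENSC_MODULE='OpenSC PKCS #11 Module'
COOLKEY_MODULE='CoolKey PKCS #11 Module'
OPENSC_LIB='/usr/lib64/pkcs11/opensc-pkcs11.so'

# Constructed sample of `modutil -list` output on a pre-change system
# (not captured from a real machine; layout follows modutil's listing).
SAMPLE_BEFORE='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. CoolKey PKCS #11 Module
        library name: /usr/lib64/pkcs11/libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------'

# Constructed sample of the same listing after the switch to OpenSC.
SAMPLE_AFTER='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. OpenSC PKCS #11 Module
        library name: /usr/lib64/pkcs11/opensc-pkcs11.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------'

# Print one registered module name per line, parsed from `modutil -list`
# output on stdin ("  2. OpenSC PKCS #11 Module" -> "OpenSC PKCS #11 Module").
nss_module_names() {
    sed -n 's/^[[:space:]]*[0-9][0-9]*\.[[:space:]]*//p'
}

# Exit 0 only when the listing on stdin matches the expected post-change
# state: OpenSC registered and CoolKey absent (the How To Test condition).
check_nss_state() {
    names=$(nss_module_names)
    printf '%s\n' "$names" | grep -qx "$OPENSC_MODULE" || return 1
    if printf '%s\n' "$names" | grep -qx "$COOLKEY_MODULE"; then
        return 1
    fi
    return 0
}

# Idempotent migration of a real NSS database: delete the CoolKey
# registration if present, add OpenSC if missing, then verify the result.
# Needs modutil and write access to the database; not run by the self-check.
migrate_nss_db() {
    dbdir=${1:-/etc/pki/nssdb}
    if modutil -list -dbdir "$dbdir" | nss_module_names | grep -qx "$COOLKEY_MODULE"; then
        modutil -delete "$COOLKEY_MODULE" -dbdir "$dbdir" -force
    fi
    if ! modutil -list -dbdir "$dbdir" | nss_module_names | grep -qx "$OPENSC_MODULE"; then
        modutil -add "$OPENSC_MODULE" -libfile "$OPENSC_LIB" -dbdir "$dbdir" -force
    fi
    modutil -list -dbdir "$dbdir" | check_nss_state
}

# Self-check against the constructed samples (no card and no modutil needed).
if printf '%s\n' "$SAMPLE_BEFORE" | check_nss_state; then
    echo "before: unexpectedly already migrated"
else
    echo "before: CoolKey still registered, migration needed"
fi
if printf '%s\n' "$SAMPLE_AFTER" | check_nss_state; then
    echo "after: OpenSC registered, CoolKey absent"
else
    echo "after: state does not match the expected result"
fi
```

Run the script as-is to see the two sample verdicts, or source it and call `migrate_nss_db` (as root, against the default /etc/pki/nssdb) on a system that still carries the CoolKey registration. Checking for the absence of the CoolKey module, not only the presence of OpenSC, is what matters for the p11-kit concern raised under Benefit to Fedora: with both modules registered, the same card is reported twice through the proxy, so `p11tool --list-tokens` listing the card exactly once is the complementary check.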
User Experience
N/A (not a System Wide Change)
Dependencies
The dependency on Coolkey package should be dropped or changed to OpenSC.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change)
- Blocks product? N/A (not a System Wide Change)
Documentation
N/A (not a System Wide Change)
Release Notes
Fedora 26 does not ship the Coolkey PKCS#11 module in the NSS database by default. Instead, the OpenSC PKCS#11 module, which supports more smart cards, will be registered there. The coolkey package will be removed in Fedora 27. Other applications that were using Coolkey should be able to switch to OpenSC.
In case you still need Coolkey in the NSS DB, you can add it manually using
modutil -dbdir /etc/pki/nssdb -add "CoolKey PKCS #11 Module (manual)" -libfile libcoolkeypk11.so -force
(the different name is used to prevent automatic removal when the coolkey package is updated).