Hi Graham,

389ds relies on the NSS framework, so IMHO the question should be how to use p11-kit-trust with NSS.

I cannot help you much on this point as your question reached the limit of my knowledge about NSS, but if no one else has a better answer here are some hints: while looking on the web, I found several pages that may interest you:

- https://www.dogtagpki.org/wiki/NSS_Fedora_Development (The contact link may help you to get a more precise answer)
- https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules (And especially the "How to test" section that may interest you)

Apparently p11-kit-proxy allows you to install and use p11kit modules, but you also have to install these modules with modutil to be able to use this feature (maybe trying to load p11-kit-trust in nss with modutil will do the trick (but that is just a wild guess)).

Good luck!
Pierre

On Sun, Oct 2, 2022 at 7:07 PM Graham Leggett <[email protected]> wrote:

> Hi all,
>
> 389ds as shipped by RHEL9 is linked to NSS, which in theory supports
> PKCS11, but in practice I can't get to work.
>
> Most specifically, when you display a 389ds NSS database using modutil,
> you see p11-kit-proxy (good), but it reports "There are no slots attached
> to this module” (bad).
>
> Has anyone got an explanation as to why this might be?
>
> [root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>      uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
>      slots: 2 slots attached
>      status: loaded
>
>      slot: NSS Internal Cryptographic Services
>      token: NSS Generic Crypto Services
>      uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
>      slot: NSS User Private Key and Certificate Services
>      token: NSS Certificate DB
>      uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
>   2. p11-kit-proxy
>      library name: p11-kit-proxy.so
>      uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
>      slots: There are no slots attached to this module
>      status: loaded
> —————————————————————————————
>
> At the very least the system and default CA databases should be visible,
> but alas no:
>
> [root@seawitch ~]# p11-kit list-modules
> p11-kit-trust: p11-kit-trust.so
>     library-description: PKCS#11 Kit Trust Module
>     library-manufacturer: PKCS#11 Kit
>     library-version: 0.24
>     token: System Trust
>         manufacturer: PKCS#11 Kit
>         model: p11-kit-trust
>         serial-number: 1
>         hardware-version: 0.24
>         flags:
>             token-initialized
>     token: Default Trust
>         manufacturer: PKCS#11 Kit
>         model: p11-kit-trust
>         serial-number: 1
>         hardware-version: 0.24
>         flags:
>             write-protected
>             token-initialized
>
> Regards,
> Graham
> —
> _______________________________________________
> 389-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> --

-- 389 Directory Server Development Team
