On 11/19/2014 12:17 PM, Martinsson Patrik wrote:
This is still the issue with nsssysinit. It currently only works if the application opens sql:/etc/pki/nssdb. Currently firefox doesn't even use the sql database.

> Hi everyone,
>
> I need some help understanding the usage of the libnsssysinit library (or a recommended method in handling the scenario described below).
>
> First I'll write shortly about our scenario,
> - We manage around 150 Red Hat Clients (atm v6.6 but in the progress of updating to 7.0)
> - We use "smartcard-login" for all clients
> - We have a custom CA that issues our certificates (both to our cards, but also to our "internal services" like mail/etc.).
>
> Issues to solve,
> - Have all kinds of applications trust our CA.
> - Have all kinds of applications make use of our pkcs11-module if requested.
>
> It sounds so simple, but it turns out to be a real hassle.
>
> What we got so far,
> - Make puppet distribute our root-ca-certificate to '/etc/pki/ca-trust/source/anchors/' and import the libnssckbi.so into '/etc/pki/nssdb' (/usr/bin/modutil -force -dbdir /etc/pki/nssdb -add 'System CA-trust' -libfile /usr/lib64/libnssckbi.so), execute 'update-ca-trust'. This actually makes everything work as expected, this is a really awesome way for administrators to distribute certificates that the client should trust by default.
>
> Still kind of a hassle,
> - Getting various applications to use the custom pkcs11-module (google-chrome, firefox are the ones I've tried so far).
You can force the use of sql database with the environment variable ( NSS_DEFAULT_DB_TYPE ), but it still doesn't force opening /etc/pki/nssdb.
> So, what we do is that we distribute this custom module within an rpm package, and in the post-section of the rpm we insert it in /etc/pki/nssdb (/usr/bin/modutil -force -dbdir /etc/pki/nssdb -add NetiD -libfile /usr/lib/libiidp11.so). We then point pam_pkcs11 to /etc/pki/nssdb, and everything as far as pam_pkcs11 is concerned works as expected.
Unfortunately these apps do not use nsssysinit. Once you've set the sql environment variable, you can force them to use nsssysinit by putting the attached pkcs11.txt file in the profile directory.

> The problem is when firefox/thunderbird/google-chrome should make use of the smart-card. Today we manually make the same import as just mentioned into ~/.{mozilla,thunderbird}/.*default/ & ~/.pki/nssdb, but after trying to read up in this area I get the impression that this last part shouldn't really be necessary, since I should be able to use the libnsssysinit library instead (which in turn would load everything that is in the global nssdb).
You can merge the certs and keys from the old database using certutil --merge. Be sure to use the dbm: prefix to access the old database.
The user can change the local pkcs11.txt, but not the global one, so libnsssysinit.so tries to load from both.

> This would be great since it would mean that everything we need to do is make sure that the libnsssysinit.so is in the users' various nssdbs (and as soon as we need to make a change/update/or whatever we just do it to the global one). But this is where I get stuck.
>
> So some questions,
> 1) Does libnsssysinit.so even work as I think it does?
> 2) Is it worth switching to the new nssdb format (sql)? Since it isn't enabled by default as far as I know (at least not on rhel7, the 'NSS_DEFAULT_DB_TYPE' is not set to sql which makes it default to the old format)? It would mean that we need to export that variable globally to every user (which isn't a problem, I'm just wondering if that is something we *should* do, or if it's fine the way it is).
>
> I've tried the following,
>
> $> modutil -list -dbdir sql:/etc/pki/nssdb/
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal Crypto Services
>         slots: 3 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>          slot: NSS Application Slot 00000004
>         token: NSS system database
>
>   2. System CA-trust
>         library name: libnssckbi.so
>         slots: 2 slots attached
>         status: loaded
>
>          slot: /etc/pki/ca-trust/source
>         token: System Trust
>
>          slot: /usr/share/pki/ca-trust-source
>         token: Default Trust
>
>   3. NetiD
>         library name: libiidp11.so
>         slots: 1 slot attached
>         status: loaded
>
>          slot: Alcor Micro AU9540 00 00
>         token: XX
>
> The 'System CA-trust' and the 'NetiD' modules are the ones I would like for every user to have in their nssdbs (after I added the libnsssysinit.so ofc).
>
> So, here's what my local nssdb looks like,
>
> $> cat /home/username/.pki/nssdb/pkcs11.txt
> library=
> name=NSS Internal PKCS #11 Module
> parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='/home/username/.local/share/evolution' updateCertPrefix='' updateKeyPrefix='' updateid='/home/username/.local/share/evolution' updateTokenDescription='Evolution S/MIME'
> NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
>
> $> modutil -list -dbdir sql:/home/username/.pki/nssdb/
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>         slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
> -----------------------------------------------------------
>
> So, if I then try to add the libnsssysinit.so to the pkcs11.txt like this (not really sure if this is the right syntax),
>
> $> cat /home/username/.pki/nssdb/pkcs11.txt
> library=libnsssysinit.so
> name=NSS Internal PKCS #11 Module
> parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='/home/username/.local/share/evolution' updateCertPrefix='' updateKeyPrefix='' updateid='/home/username/.local/share/evolution' updateTokenDescription='Evolution S/MIME'
> NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
>
> the output becomes,
>
> $> modutil -list -dbdir sql:/home/username/.pki/nssdb/
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal Crypto Services
>         slots: 3 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>          slot: NSS Application Slot 00000004
>         token: NSS system database
> -----------------------------------------------------------
>
> Still no go with the libiidp11 module though (in firefox / google-chrome), and I pointed firefox to use ~/.pki/nssdb and not its own under the profile directory.
>
> Adding the libiidp11 module to the pkcs11.txt file shows something interesting,
>
> $> cat /home/username/.pki/nssdb/pkcs11.txt
> library=libnsssysinit.so
> name=NSS Internal PKCS #11 Module
> parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='/home/username/.local/share/evolution' updateCertPrefix='' updateKeyPrefix='' updateid='/home/username/.local/share/evolution' updateTokenDescription='Evolution S/MIME'
> NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
>
> library=libiidp11.so
> name=NetiD
>
> the output becomes,
>
> $> modutil -list -dbdir sql:/home/username/.pki/nssdb/
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal Crypto Services
>         slots: 3 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>          slot: NSS Application Slot 00000004
>         token: NSS system database
>
>   2. NetiD
>         library name: libiidp11.so
>         slots: 1 slot attached
>         status: loaded
>
>          slot: Alcor Micro AU9540 00 00
>         token: Instant EID IP9
>
>   3. NetiD
>         library name: libiidp11.so
>         slots: 1 slot attached
>         status: loaded
>
>          slot: Alcor Micro AU9540 00 00
>         token: Instant EID IP9
> -----------------------------------------------------------
>
> So now I get the impression that the libnsssysinit.so actually loads the libiidp11.so from the global nssdb, but at the same time also loads the libiidp11.so from the local nssdb. Which doesn't feel right (and firefox also behaves weirdly with this setup). So, what's going on here, why is libiidp11 loaded twice?
Evolution uses the suggested global initialization for NSS, chrome and firefox do not.

> Another note is that evolution works as expected with the default setup (that is, no libnsssysinit.so imported into the local nssdb). I find this strange, but maybe evolution loads /etc/pki/nssdb by default and firefox/chrome doesn't? Using strace however shows that all applications open the libnsssysinit.so, so I'm not sure why it works in evolution but not in chrome nor firefox.
Now that being said, it may be useful to have an option in which NSS always loads /etc/pki/nssdb (then optionally loads the local profile later). Modern NSS can load more than one database these days, and does so automatically. It would preferably be a compile time option, so that it would only be set on OSs where that makes sense (like Linux). If you write a bug for this, be sure to CC me.
bob
Attached pkcs11.txt:

    library=
    name=NSS Internal PKCS #11 Module
    parameters="configdir='sql:/etc/pki/nssdb'"
    NSS=Flags=internal,moduleDBOnly
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
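As an added example that is not part of this thread, the following Python script parses pkcs11.txt files in the format shown in the message and reports which PKCS #11 libraries would end up loaded twice when a local nssdb delegates module lookup to libnsssysinit.so (which, as Bob notes, consults both the global and the local list). The two file contents are constructed samples modelled on the listings above; the function names are my own.

```python
import re

# Constructed sample of a global /etc/pki/nssdb/pkcs11.txt: internal module,
# System CA-trust and NetiD, as in the global modutil listing in the thread.
GLOBAL_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=libnssckbi.so
name=System CA-trust

library=libiidp11.so
name=NetiD
"""

# Constructed sample of a user's ~/.pki/nssdb/pkcs11.txt where the internal
# module is libnsssysinit.so and NetiD was also added by hand.
LOCAL_PKCS11_TXT = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100

library=libiidp11.so
name=NetiD
"""


def parse_pkcs11_txt(text):
    """Split pkcs11.txt into module entries: blank-line separated key=value blocks."""
    modules = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")  # values may contain '=' (NSS=Flags=...)
            entry[key.strip()] = value.strip()
        modules.append(entry)
    return modules


def uses_sysinit(modules):
    """True if the internal module entry hands module lookup to libnsssysinit.so."""
    return any(m.get("library") == "libnsssysinit.so" and "moduleDBOnly" in m.get("NSS", "")
               for m in modules)


def duplicate_libraries(global_text, local_text):
    """Libraries in both files; with sysinit both lists are loaded, so these load twice."""
    local = parse_pkcs11_txt(local_text)
    if not uses_sysinit(local):
        return []  # without sysinit only the local list is consulted
    skip = {"", "libnsssysinit.so"}  # internal-module entries are not PKCS #11 plug-ins
    global_libs = {m.get("library") for m in parse_pkcs11_txt(global_text)} - skip
    return sorted(global_libs & ({m.get("library") for m in local} - skip))
```

Run against a real deployment, the reported libraries are the ones to remove from the user's local pkcs11.txt so that only the global copy (managed by puppet in the setup above) is loaded.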