To level set everyone here: Martinsson is clearly running on RHEL, so most of his questions and my answers are RHEL specific.

On 11/19/2014 12:17 PM, Martinsson Patrik wrote:
Hi everyone,

I Need some help understanding the usage of the libnsssysinit-library
(or a recommended method in handling the scenario described below).

First I'll write briefly about our scenario,
- We manage around 150 Red Hat Clients (atm v6.6 but in the process of
updating to 7.0)
- We use "smartcard-login" for all clients
- We have a custom CA that issues our certificates (both to our cards,
but also to our "internal services" like mail/etc.).

Issues to solve,
- Have all kinds of applications trust our CA.
- Have all kinds of applications make use of our pkcs11-module if requested.

It sounds so simple, but it turns out to be a real hassle.

What we got so far,
- Make puppet distribute our root-ca-certificate to
'/etc/pki/ca-trust/source/anchors/' and import the libnssckbi.so into
'/etc/pki/nssdb' (/usr/bin/modutil -force -dbdir /etc/pki/nssdb -add
'System CA-trust' -libfile /usr/lib64/libnssckbi.so), execute
'update-ca-trust'. This actually makes everything work as expected; this
is a really awesome way for administrators to distribute certificates
that the client should trust by default.

Still kind of a hassle,
- Getting various applications to use the custom pkcs11-module
(google-chrome, firefox are the ones I've tried so far).
This is still the issue with nsssysinit. It currently only works if the application opens sql:/etc/pki/nssdb. Currently firefox doesn't even use the sql database.

You can force the use of the sql database with the environment variable (NSS_DEFAULT_DB_TYPE), but it still doesn't force opening /etc/pki/nssdb.

So, what we do is that we distribute this custom module within a
rpm-package, and in the post-section of the rpm we insert it
in /etc/pki/nssdb (/usr/bin/modutil -force -dbdir /etc/pki/nssdb -add
NetiD -libfile /usr/lib/libiidp11.so). We then point pam_pkcs11
to /etc/pki/nssdb, and everything as far as pam_pkcs11 is concerned
works as expected.

The problem is when firefox/thunderbird/google-chrome
should make use of the smart-card. Today we manually make the same
import as just mentioned into ~/.{mozilla,thunderbird}/.*default/ &
~/.pki/nssdb, but after trying to read up in this area I get the
impression that this last part shouldn't really be necessary since I
should be able to use the libnsssysinit-library instead (which in turn
would load everything that is in the global nssdb).
Unfortunately these apps do not use nsssysinit. Once you've set the sql environment variable, you can force them to use nsssysinit by putting the attached pkcs11.txt file in the profile directory.

You can merge the certs and keys from the old database using certutil --merge. Be sure to use the dbm: prefix to access the old database.

This would be great
since it would mean that everything we need to do is make sure that the
libnsssysinit.so is in the users-various-nssdbs (and as soon as we need
to make a change/update/or whatever we just do it to the global one).
But this is where I get stuck.

So some questions,

1 ) Does libnsssysinit.so even work as I think it does?
2 ) Is it worth switching to the new nssdb format (sql)? Since it isn't
enabled by default as far as I know (at least not on rhel7, the
'NSS_DEFAULT_DB_TYPE' is not set to sql, which makes it default to the
old format). It would mean that we need to export that variable
globally to every user (which isn't a problem, I'm just wondering if
that is something we *should* do, or if it's fine the way it is).

I've tried the following,

$> modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal Crypto Services
         slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS system database

   2. System CA-trust
        library name: libnssckbi.so
         slots: 2 slots attached
        status: loaded

         slot: /etc/pki/ca-trust/source
        token: System Trust

         slot: /usr/share/pki/ca-trust-source
        token: Default Trust

   3. NetiD
        library name: libiidp11.so
         slots: 1 slot attached
        status: loaded

         slot: Alcor Micro AU9540 00 00
        token: XX

The 'System CA-trust' and the 'NetiD' modules are the ones I would like
for every user to have in their nssdbs (after I added the
libnsssysinit.so ofc)

So, here's what my local nssdb looks like,

$> cat /home/username/.pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/username/.pki/nssdb'  certPrefix=''
keyPrefix='' secmod='secmod.db' flags=
updatedir='/home/username/.local/share/evolution' updateCertPrefix=''
updateKeyPrefix='' updateid='/home/username/.local/share/evolution'
updateTokenDescription='Evolution S/MIME'
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
 askpw=any timeout=30})

$> modutil -list -dbdir sql:/home/username/.pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

So, if I then try to add the libnsssysinit.so to the pkcs11.txt like
this (not really sure if this is the right syntax),

$> cat /home/username/.pki/nssdb/pkcs11.txt
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/username/.pki/nssdb'  certPrefix=''
keyPrefix='' secmod='secmod.db' flags=
updatedir='/home/username/.local/share/evolution' updateCertPrefix=''
updateKeyPrefix='' updateid='/home/username/.local/share/evolution'
updateTokenDescription='Evolution S/MIME'
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
 askpw=any timeout=30})

the output becomes,
$> modutil -list -dbdir sql:/home/username/.pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal Crypto Services
         slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS system database
-----------------------------------------------------------

Still no go with the libiidp11-module though (in firefox /
google-chrome), and I pointed firefox to use ~/.pki/nssdb and not its
own under the profile directory.
Adding the libiidp11 module to the pkcs11.txt file shows something
interesting,

$> cat /home/username/.pki/nssdb/pkcs11.txt
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/username/.pki/nssdb'  certPrefix=''
keyPrefix='' secmod='secmod.db' flags=
updatedir='/home/username/.local/share/evolution' updateCertPrefix=''
updateKeyPrefix='' updateid='/home/username/.local/share/evolution'
updateTokenDescription='Evolution S/MIME'
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
 askpw=any timeout=30})

library=libiidp11.so
name=NetiD

the output becomes,
$> modutil -list -dbdir sql:/home/username/.pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal Crypto Services
         slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS system database

   2. NetiD
        library name: libiidp11.so
         slots: 1 slot attached
        status: loaded

         slot: Alcor Micro AU9540 00 00
        token: Instant EID IP9

   3. NetiD
        library name: libiidp11.so
         slots: 1 slot attached
        status: loaded

         slot: Alcor Micro AU9540 00 00
        token: Instant EID IP9
-----------------------------------------------------------

So now I get the impression that the libnsssysinit.so actually loads the
libiidp11.so from the global nssdb, but at the same time, also loads the
libiidp11.so from the local nssdb. Which doesn't feel right (and firefox
also behaves weirdly with this setup).

So, what's going on here, why is libiidp11 loaded twice?
The user can change the local pkcs11.txt, but not the global one, so libnsssysinit.so tries to load from both.



Another note is that evolution works as expected with the default
setup (that is, no libnsssysinit.so imported into the local nssdb). I
find this strange, but maybe evolution loads /etc/pki/nssdb by default
and firefox/chrome don't? Using strace however shows that all
applications open the libnsssysinit.so, so I'm not sure why it works in
evolution but not in chrome nor firefox.
Evolution uses the suggested global initialization for NSS, chrome and firefox do not.

Now that being said, it may be useful to have an option in which NSS always loads /etc/pki/nssdb (then optionally loads the local profile later). Modern NSS can load more than one database these days, and does so automatically. It would preferably be a compile time option, so that it would only be set on OSs where that makes sense (like Linux). If you write a bug for this, be sure to CC me.

bob
library=
name=NSS Internal PKCS #11 Module
parameters="configdir='sql:/etc/pki/nssdb'"
NSS=Flags=internal,moduleDBOnly
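
An added example (not part of the thread, and not NSS project code) that parses pkcs11.txt stanzas and reports the two things the exchange above turns on: which configdir the first stanza points at and whether it carries moduleDBOnly, and which module libraries are listed in both the global and the user's local database, which is why libiidp11.so shows up twice in the modutil listing. The file contents are constructed from the listings in the post; the single-line form is the real on-disk layout (the mail client wrapped the long lines).

```python
import re

# Constructed from the listings in the thread; the global db as /etc/pki/nssdb would hold it.
GLOBAL_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=libnssckbi.so
name=System CA-trust

library=libiidp11.so
name=NetiD
"""

# The user's third attempt from the post: sysinit wrapper plus its own NetiD entry.
LOCAL_PKCS11_TXT = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100

library=libiidp11.so
name=NetiD
"""

def parse_pkcs11_txt(text):
    """Split pkcs11.txt into module stanzas (dict of key -> value).
    A stanza begins at a 'library=' line; a blank line also ends one."""
    modules, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                modules.append(cur)
            cur = {}
            continue
        key, _, value = line.partition("=")   # 'parameters=' values contain more '='
        if key == "library" and cur:
            modules.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        modules.append(cur)
    return modules

def nss_flags(module):
    """Return the comma-separated Flags= set from a stanza's NSS= line."""
    m = re.search(r"Flags=(\S+)", module.get("NSS", ""))
    return set(m.group(1).split(",")) if m else set()

def check_profile(global_txt, local_txt):
    """Report what a user's pkcs11.txt does relative to the global one."""
    glob, local = parse_pkcs11_txt(global_txt), parse_pkcs11_txt(local_txt)
    first = local[0] if local else {}
    cfg = re.search(r"configdir='([^']*)'", first.get("parameters", ""))
    global_libs = {m["library"] for m in glob if m.get("library")}
    return {
        "configdir": cfg.group(1) if cfg else None,
        # moduleDBOnly: NSS uses this stanza only to find other modules
        "module_db_only": "moduleDBOnly" in nss_flags(first),
        # a library in both files is loaded twice, as seen with libiidp11.so
        "duplicates": sorted(global_libs & {m["library"] for m in local[1:] if m.get("library")}),
    }

if __name__ == "__main__":
    print(check_profile(GLOBAL_PKCS11_TXT, LOCAL_PKCS11_TXT))
```

Running it on the attached pkcs11.txt instead of LOCAL_PKCS11_TXT reports configdir sql:/etc/pki/nssdb, moduleDBOnly set, and no duplicates.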

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto