Hello Steve,

Steve Ross <sr...@forcepointgov.com> writes:
> I am trying to include some Network Security Services (NSS) functionality
> while also using "p11-kit-proxy", but (so far) I'm unable to do so. In
> particular, I want to make NSS treat X.509 certificates on a smart card as
> public, so that the user can access them without first providing a PIN for
> the card. I'm hoping that someone on this list can provide some direction
> to me.
>
> In the past, before using "p11-kit-proxy", I could accomplish adding a
> PKCS #11 module to the system database, and also making the module treat
> the certificates as "public", by using a command like:
>
> $ modutil -add opensc -mechanisms FRIENDLY -libfile /usr/lib64/pkcs11/opensc-pkcs.so -dbdir sql:/etc/pki/nssdb
>
> where the command added the "opensc" library to the output of
> "modutil -list" and where the "-mechanisms FRIENDLY" option added an "NSS="
> line to the file "/etc/pki/nssdb/pkcs11.txt" like:
>
> library=opensc-pkcs11.so
> name=opensc
> NSS=slotParams={0x00000001=[slotFlags=PublicCerts ] 0x00000002=[slotFlags=PublicCerts ] }
>
> With this configuration, when I execute a "certutil" command to manipulate
> certificates, the command (as expected) provides a response without first
> prompting for a PIN for the token.
>
> However, when my system is using "p11-kit-proxy", the module entry of
> "opensc" no longer appears in the output of "modutil -list"; instead the
> entry is "p11-kit-proxy". How would I configure "p11-kit-proxy" to pass
> along the "PublicCerts" setting to the module(s) for which it is the proxy?
>
> Would I add a name/value pair to the file
> "/usr/share/p11-kit/modules/opensc.module"? If so, what name/value pair?
> (I'm actually not using the OpenSC module, but another PKCS #11 module.)
>
> I have tried directly editing the files of "/etc/pki/nssdb/pkcs11.txt" and
> "/etc/crypto-policies/back-ends/nss.config" to add the "NSS=..." line, but
> "certutil" still prompts for a PIN.
I think this is a reasonable use-case, though I'm afraid p11-kit-proxy
currently doesn't directly support it. The plan is to support it through a
PKCS #11 profile object (CKP_PUBLIC_CERTIFICATES_TOKEN[1]) attached to the
token, which tells NSS that the token is for general access[2].

Here is an open issue[3], which I think is a low-hanging fruit, though we
need to think about how to express the mapping between slots and profile
objects in the configuration. Maybe something like:

profile-public-certificates-token: <PKCS #11 URL for slot>

Any suggestions would be appreciated.

Footnotes:
[1] https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/os/pkcs11-profiles-v3.0-os.html#_Toc10196664
[2] https://searchfox.org/mozilla-central/rev/e94c6cb9649bfe4e6a3888460f41bcd4fe30a6ca/security/nss/lib/pk11wrap/pk11slot.c#1798
[3] https://github.com/p11-glue/p11-kit/issues/250

Regards,
--
Daiki Ueno
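As an added worked example for this thread (it is not part of the exchange, and it is not code from NSS, p11-kit or either poster): a small Python parser for the pkcs11.txt module entries Steve quotes. It reads the "NSS=" line of each module block, walks the "slotParams={<slotID>=[slotFlags=...] ...}" list, and reports which slots actually carry the PublicCerts flag, which is the check to run when certutil keeps prompting despite an edited file. The pkcs11.txt text embedded below is constructed for the example; its p11-kit-proxy entry is assumed to have an empty "NSS=" line, the situation the thread describes once the proxy entry replaces the per-module one. The parser also assumes, as the NSS module-spec syntax allows and the quoted lines show, that any of ( [ { < can open a bracketed group.

```python
"""Report which slots in an NSS pkcs11.txt carry slotFlags=PublicCerts.

Added example for the p11-kit-proxy / NSS thread; not code from NSS,
p11-kit or the posters. Assumes the module-spec syntax shown in the thread:
a "name=" line and an "NSS=" line whose slotParams value is a bracketed list
of "<slotID>=[slotFlags=<flag,flag,...> ...]" entries.
"""
import re

# Assumption: NSS's module-spec parser treats any of these as a group opener,
# so "(1={slotFlags=[RSA] ...})" and "{0x1=[slotFlags=PublicCerts ]}" both parse.
OPEN = "([{<"
CLOSE = ")]}>"


def _read_group(s, i):
    """s[i] is an opening bracket; return (inner text, index after the closer)."""
    depth = 0
    for j in range(i, len(s)):
        if s[j] in OPEN:
            depth += 1
        elif s[j] in CLOSE:
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
    raise ValueError("unbalanced brackets in %r" % s[i:])


def _read_value(s, i):
    """Read a parameter value at s[i]: a bracketed group or a bare token."""
    while i < len(s) and s[i].isspace():
        i += 1
    if i < len(s) and s[i] in OPEN:
        return _read_group(s, i)
    j = i
    while j < len(s) and not s[j].isspace():
        j += 1
    return s[i:j], j


def parse_slot_params(nss_line):
    """Return {slot_id: set(flags)} from an NSS= line; {} when no slotParams."""
    m = re.search(r"\bslotParams=", nss_line)
    if not m:
        return {}
    body, _ = _read_value(nss_line, m.end())
    slots = {}
    i = 0
    while i < len(body):
        if body[i].isspace():
            i += 1
            continue
        eq = body.find("=", i)
        if eq < 0:
            break
        slot_id = int(body[i:eq].strip(), 0)      # accepts "1" and "0x00000001"
        params, i = _read_value(body, eq + 1)
        flags = set()
        fm = re.search(r"\bslotFlags=", params)
        if fm:
            raw, _ = _read_value(params, fm.end())  # "PublicCerts" or "[RSA,DSA,...]"
            flags = {f.strip() for f in raw.split(",") if f.strip()}
        slots[slot_id] = flags
    return slots


def parse_pkcs11_txt(text):
    """Return {module name: {slot_id: flags}} for every blank-line-separated block."""
    modules = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                entry[key.strip()] = value.strip()
        name = entry.get("name") or entry.get("library") or "<unnamed>"
        modules[name] = parse_slot_params(entry.get("NSS", ""))
    return modules


def public_cert_slots(text):
    """Map each module to the sorted slot IDs whose slotFlags include PublicCerts.

    A module with no slotParams at all (such as a bare p11-kit-proxy entry)
    maps to an empty list: NSS has nothing telling it the certs are public.
    """
    return {name: sorted(sid for sid, flags in slots.items() if "PublicCerts" in flags)
            for name, slots in parse_pkcs11_txt(text).items()}


# Constructed sample pkcs11.txt (not copied from any real system): the NSS
# internal module, the "opensc" entry as written by "modutil -mechanisms
# FRIENDLY" in the thread, and a "p11-kit-proxy" entry with an empty NSS= line.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

library=opensc-pkcs11.so
name=opensc
NSS=slotParams={0x00000001=[slotFlags=PublicCerts ] 0x00000002=[slotFlags=PublicCerts ] }

library=p11-kit-proxy.so
name=p11-kit-proxy
NSS=
"""

if __name__ == "__main__":
    for name, slots in public_cert_slots(SAMPLE_PKCS11_TXT).items():
        verdict = "PublicCerts set" if slots else "no PublicCerts flag on any slot"
        print(f"{name}: slots {slots or '-'}: {verdict}")
```

Run against a real /etc/pki/nssdb/pkcs11.txt the same way (read the file into a string and pass it to public_cert_slots); a module whose entry shows no PublicCerts slot is one where certutil will still reach the token's login path.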