Hi everyone,

I need some help understanding the usage of the libnsssysinit library (or a recommended method of handling the scenario described below).
First I'll write shortly about our scenario:

- We manage around 150 Red Hat clients (atm v6.6 but in the process of updating to 7.0)
- We use "smartcard-login" for all clients
- We have a custom CA that issues our certificates (both to our cards, but also to our "internal services" like mail/etc.)

Issues to solve:

- Have all kinds of applications trust our CA.
- Have all kinds of applications make use of our pkcs11-module if requested.

It sounds so simple, but it turns out to be a real hassle.

What we got so far:

- Make puppet distribute our root-ca-certificate to '/etc/pki/ca-trust/source/anchors/' and import the libnssckbi.so into '/etc/pki/nssdb' (/usr/bin/modutil -force -dbdir /etc/pki/nssdb -add 'System CA-trust' -libfile /usr/lib64/libnssckbi.so), then execute 'update-ca-trust'. This actually makes everything work as expected; this is a really awesome way for administrators to distribute certificates that the client should trust by default.

Still kind of a hassle:

- Getting various applications to use the custom pkcs11-module (google-chrome and firefox are the ones I've tried so far). So, what we do is that we distribute this custom module within an rpm-package, and in the post-section of the rpm we insert it in /etc/pki/nssdb (/usr/bin/modutil -force -dbdir /etc/pki/nssdb -add NetiD -libfile /usr/lib/libiidp11.so). We then point pam_pkcs11 to /etc/pki/nssdb, and everything as far as pam_pkcs11 is concerned works as expected. The problem is when firefox/thunderbird/google-chrome should make use of the smart-card. Today we manually make the same import as just mentioned into ~/.{mozilla,thunderbird}/.*default/ & ~/.pki/nssdb, but after trying to read up in this area I get the impression that this last part shouldn't really be necessary, since I should be able to use the libnsssysinit library instead (which in turn would load everything that is in the global nssdb).
This would be great since it would mean that everything we need to do is make sure that the libnsssysinit.so is in the users' various nssdbs (and as soon as we need to make a change/update/or whatever we just do it to the global one). But this is where I get stuck.

So, some questions:

1) Does libnsssysinit.so even work as I think it does?
2) Is it worth switching to the new nssdb format (sql), since it isn't enabled by default as far as I know (at least not on rhel7, the 'NSS_DEFAULT_DB_TYPE' is not set to sql which makes it default to the old format)? It would mean that we need to export that variable globally to every user (which isn't a problem, I'm just wondering if that is something we *should* do, or if it's fine the way it is).

I've tried the following:

  $> modutil -list -dbdir sql:/etc/pki/nssdb/

  Listing of PKCS #11 Modules
  -----------------------------------------------------------
    1. NSS Internal Crypto Services
         slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS system database

    2. System CA-trust
        library name: libnssckbi.so
         slots: 2 slots attached
        status: loaded

         slot: /etc/pki/ca-trust/source
        token: System Trust

         slot: /usr/share/pki/ca-trust-source
        token: Default Trust

    3. NetiD
        library name: libiidp11.so
         slots: 1 slot attached
        status: loaded

         slot: Alcor Micro AU9540 00 00
        token: XX

The 'System CA-trust' and the 'NetiD' modules are the ones I would like for every user to have in their nssdbs (after I added the libnsssysinit.so ofc).

So, here's what my local nssdb looks like:

  $> cat /home/username/.pki/nssdb/pkcs11.txt
  library=
  name=NSS Internal PKCS #11 Module
  parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='/home/username/.local/share/evolution' updateCertPrefix='' updateKeyPrefix='' updateid='/home/username/.local/share/evolution' updateTokenDescription='Evolution S/MIME'
  NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

  $> modutil -list -dbdir sql:/home/username/.pki/nssdb/

  Listing of PKCS #11 Modules
  -----------------------------------------------------------
    1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  -----------------------------------------------------------

So, if I then try to add the libnsssysinit.so to the pkcs11.txt like this (not really sure if this is the right syntax):

  $> cat /home/username/.pki/nssdb/pkcs11.txt
  library=libnsssysinit.so
  name=NSS Internal PKCS #11 Module
  parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='/home/username/.local/share/evolution' updateCertPrefix='' updateKeyPrefix='' updateid='/home/username/.local/share/evolution' updateTokenDescription='Evolution S/MIME'
  NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

the output becomes:

  $> modutil -list -dbdir sql:/home/username/.pki/nssdb/

  Listing of PKCS #11 Modules
  -----------------------------------------------------------
    1. NSS Internal Crypto Services
         slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS system database
  -----------------------------------------------------------

Still no go with the libiidp11 module though (in firefox / google-chrome), and I pointed firefox to use ~/.pki/nssdb and not its own under the profile directory.
Adding the libiidp11 module to the pkcs11.txt file shows something interesting:

  $> cat /home/username/.pki/nssdb/pkcs11.txt
  library=libnsssysinit.so
  name=NSS Internal PKCS #11 Module
  parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='/home/username/.local/share/evolution' updateCertPrefix='' updateKeyPrefix='' updateid='/home/username/.local/share/evolution' updateTokenDescription='Evolution S/MIME'
  NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

  library=libiidp11.so
  name=NetiD

The output becomes:

  $> modutil -list -dbdir sql:/home/username/.pki/nssdb/

  Listing of PKCS #11 Modules
  -----------------------------------------------------------
    1. NSS Internal Crypto Services
         slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS system database

    2. NetiD
        library name: libiidp11.so
         slots: 1 slot attached
        status: loaded

         slot: Alcor Micro AU9540 00 00
        token: Instant EID IP9

    3. NetiD
        library name: libiidp11.so
         slots: 1 slot attached
        status: loaded

         slot: Alcor Micro AU9540 00 00
        token: Instant EID IP9
  -----------------------------------------------------------

So now I get the impression that the libnsssysinit.so actually loads the libiidp11.so from the global nssdb, but at the same time also loads the libiidp11.so from the local nssdb. Which doesn't feel right (and firefox also behaves weirdly with this setup). So, what's going on here, why is libiidp11 loaded twice?
Another note is that evolution works as expected with the default setup (that is, no libnsssysinit.so imported into the local nssdb). I find this strange, but maybe evolution loads /etc/pki/nssdb by default and firefox/chrome doesn't? Using strace however shows that all applications open the libnsssysinit.so, so I'm not sure why it works in evolution but not in chrome nor firefox. Maybe someone could clear this up for me?

Long mail, a lot of questions, but I'm just trying to figure out what's going on "under the hood" and how to simply distribute our pkcs11-module to our users without having them import it manually (we have scripts doing this for us today, but it still feels kind of "hacky", and I would like to just make sure that all the local nssdbs (today 2-3) just load libnsssysinit.so and load the modules from the global nssdb).

Best regards,
Patrik Martinsson
Sweden

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
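A small checker for the double listing described in the post, added here as an example (it is not part of the original mail and not NSS's own tooling): it parses pkcs11.txt module blocks and reports libraries a user database names itself while also delegating to the system database through libnsssysinit.so. It assumes the blank-line-separated key=value block layout; the user file is taken from the post, the /etc/pki/nssdb file is constructed.

```python
# Added example: parse NSS pkcs11.txt module lists and report modules that a
# user database names itself while also reaching the system database through
# libnsssysinit.so. Assumed format: one module per block of key=value lines,
# blocks separated by blank lines; the NSS= value carries a "Flags=a,b,c" token.

def parse_pkcs11_txt(text):
    """Return one {key: value} dict per module block."""
    modules, block = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            if block:
                modules.append(block)
            block = {}
            continue
        key, _, value = line.partition("=")  # values may contain '=' as well
        block[key.strip()] = value.strip()
    return modules + ([block] if block else [])

def nss_flags(module):
    """Flags from the module's NSS= value, e.g. {'internal', 'critical'}."""
    for token in module.get("NSS", "").split():
        if token.startswith("Flags="):
            return set(token[len("Flags="):].split(","))
    return set()

def double_loaded(user_txt, system_txt):
    """Libraries the user DB names itself although it also delegates to the
    system DB via libnsssysinit.so, so NSS can present them twice."""
    user = parse_pkcs11_txt(user_txt)
    if not any(m.get("library") == "libnsssysinit.so" for m in user):
        return []
    system_libs = {m["library"] for m in parse_pkcs11_txt(system_txt)
                   if m.get("library")}
    return sorted({m["library"] for m in user if m.get("library") in system_libs})

# Constructed samples: the user DB mirrors the post; the system DB is assumed.
USER_PKCS11_TXT = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/username/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100

library=libiidp11.so
name=NetiD
"""
SYSTEM_PKCS11_TXT = """\
library=libnssckbi.so
name=System CA-trust

library=libiidp11.so
name=NetiD
"""
```

Run `double_loaded(open(user_path).read(), open("/etc/pki/nssdb/pkcs11.txt").read())` against a real pair of files to see which modules a user's nssdb still lists on its own.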