On Mon, 2014-12-01 at 17:22 -0800, Robert Relyea wrote:
>
> This is still the issue with nsssysinit. It currently only works if the
> application opens sql:/etc/pki/nssdb. Currently firefox doesn't even
> use the sql database.

Which has always been a bit of a facepalm realisation: "Hey... we provide this useful way of having a system database. Oh, but we don't use it *ourselves*. That would be too cunning."

I was interested in nsssysinit once but I've mostly given up on it now. It has largely been superseded by p11-kit-trust, which in the NSS case provides a replacement for libnssckbi.so and gives us consistency across the entire system regardless of the crypto libraries in use. (This wasn't in RHEL6; it came in with Fedora 19 so hopefully it's in RHEL7).

For smartcards though (or indeed just general desktop integration and using the PKCS#11 services from things like GNOME Keyring), NSS is still lagging behind.

With p11-kit it's trivial for PKCS#11 modules just to register themselves by dropping a file into /usr/share/p11-kit/modules, and then they Just Work™ in every tool and application which is p11-kit aware. If you install the OpenSC package, for example, it'll do just that. As does gnome-keyring.

Unfortunately, it works for everything *except* applications using NSS.

We should probably make NSS load the p11-kit configured modules automatically, and then it'll be a first-class citizen on a modern Linux system again.

There is p11-kit-proxy.so which is a single module that *proxies* all the configured modules in different slots, which makes that slightly easier...

$ modutil -dbdir sql:`pwd` -add p11-kit-proxy -libfile /usr/lib64/p11-kit-proxy.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "p11-kit-proxy" added to database.
$ modutil -list -dbdir sql:`pwd`

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. p11-kit-proxy
        library name: /usr/lib64/p11-kit-proxy.so
         slots: 9 slots attached
        status: loaded

         slot: /etc/pki/ca-trust/source
        token: System Trust

         slot: /usr/share/pki/ca-trust-source
        token: Default Trust

         slot: SSH Keys
        token: SSH Keys

         slot: Secret Store
        token: Secret Store

         slot: Gnome2 Key Storage
        token: Gnome2 Key Storage

         slot: User Key Storage
        token: User Key Storage

         slot: Virtual hotplug slot
        token:

         slot: Feitian SCR301 00 00
        token: Red Key (User PIN)

         slot: Yubico Yubikey NEO CCID 01 00
        token: PIV_II (PIV Card Holder pin)
-----------------------------------------------------------

--
dwmw2
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
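The `modutil -list` output shown in the message above can be turned into a per-database inventory, so a script can tell which NSS databases already have p11-kit-proxy registered and which tokens each module exposes. This is an added example, not part of the original message or of NSS or p11-kit; the function names and the shortened sample listing are constructed for illustration.

```shell
# Added example: inventory the PKCS#11 modules listed by `modutil -list`.

# Print one line per module: name|library|token1,token2,...
nss_modules() {
    awk '
        function emit() { if (name != "") print name "|" lib "|" tokens }
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[0-9]+\. / {                 # "  2. p11-kit-proxy" starts a module
            emit()
            name = $0
            sub(/^[ \t]*[0-9]+\.[ \t]*/, "", name); sub(/[ \t]+$/, "", name)
            lib = "(internal)"; tokens = ""  # the internal module lists no library
            next
        }
        /^[ \t]*library name:/ { lib = val($0); next }
        /^[ \t]*token:/ {                    # "slots:"/"slot:" lines are ignored
            t = val($0)                      # empty for a slot with no token present
            if (t != "") tokens = tokens (tokens == "" ? "" : ",") t
        }
        END { emit() }
    '
}

# Exit 0 if some module is backed by p11-kit-proxy.so, 1 otherwise.
has_p11kit_proxy() {
    nss_modules | awk -F'|' '$2 ~ /(^|\/)p11-kit-proxy\.so$/ { f = 1 } END { exit !f }'
}

# Constructed sample, shortened from the listing in the message above.
sample_listing() {
    cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
  2. p11-kit-proxy
        library name: /usr/lib64/p11-kit-proxy.so
         slots: 3 slots attached
         slot: /etc/pki/ca-trust/source
        token: System Trust
         slot: Virtual hotplug slot
        token:
         slot: Yubico Yubikey NEO CCID 01 00
        token: PIV_II (PIV Card Holder pin)
EOF
}
sample_listing | nss_modules
```

Against a real database, pipe `modutil -list -dbdir sql:/path/to/db` (placeholder path) into `nss_modules` or `has_p11kit_proxy` instead of the sample.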