Bug 248722¹ has been open since 2004 requesting a system-wide configuration for PKCS#11 modules. At the time, such a thing didn't exist.
These days it does. Modern systems ship with p11-kit², which exists precisely to fill that gap and provide "a standard discoverable configuration for installed PKCS#11 modules." In the interest of consistency, the Fedora Linux distribution now has packaging guidelines³ which say that any software which uses X.509 certificates SHOULD support PKCS#11, SHOULD load the correct PKCS#11 providers according to the system configuration, and SHOULD allow objects to be specified using a PKCS#11 URI according to RFC7512. Although it happens to be Fedora which is first, we obviously expect other distributions and operating systems to follow suit — in practice, even if not with official packaging policy mandates. I'd very much like those guidelines *not* to implicitly translate to "build your package against a crypto library other than NSS". I've already found cases where the bugs⁴ I'm filing can by fixed just by building the package against GnuTLS instead, but I'm reluctant to push for that. I've already started a separate thread about supporting RFC7512 URIs as object specifiers; this one is about loading the right modules... There are a number of potential approaches to this, some discussed at http://lists.freedesktop.org/archives/p11-glue/2014-December/000528.html Probably the best option is to make nss_InitModules() automatically load p11-kit-proxy.so as an additional provider. Here's a straw man patch which attempts that: --- nss/lib/nss/nssinit.c~ 2014-10-10 17:56:55.000000000 +0100 +++ nss/lib/nss/nssinit.c 2014-12-11 16:26:58.113699892 +0000 @@ -435,7 +435,13 @@ loser: SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); PR_smprintf_free(moduleSpec); if (module) { - if (module->loaded) rv=SECSuccess; + if (module->loaded) { + SECMODModule *mod2 = SECMOD_LoadModule("library=/usr/lib64/p11-kit-proxy.so",module,PR_FALSE); + if (mod2) { + SECMOD_DestroyModule(mod2); + } + rv=SECSuccess; + } SECMOD_DestroyModule(module); } } Does this seem like the right approach? Under precisely what circumstances should we be doing it — should it be affected by the noModDB and noCertDB flags? It's also possible for users to add a module to their p11-kit configuration which exposes the per-user NSS DB from ~/.pki/nssdb so that it's consistently visible in all applications. We may wish to give some consideration to how that would work when it is being loaded into an NSS application which might have its own database in another directory (some broken applications like Firefox still don't use ~/.pki/nssdb ☹) or indeed in the *same* directory (like Chrome does). -- David Woodhouse Open Source Technology Centre david.woodho...@intel.com Intel Corporation ¹ https://bugzilla.mozilla.org/show_bug.cgi?id=248722 ² http://p11-glue.freedesktop.org/p11-kit.html ³ https://fedoraproject.org/wiki/PackagingDrafts/SSLCertificateHandling ⁴ https://bugzilla.redhat.com/showdependencytree.cgi?id=PKCS11
smime.p7s
Description: S/MIME cryptographic signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
