Fixing NSS and p11-kit in Fedora (and beyond)

David Woodhouse dwmw2 at
Fri May 8 05:50:08 PDT 2015

On Thu, 2014-12-11 at 09:12 +0000, David Woodhouse wrote:
> I'd love to have a Fedora Feature in F22 for PKCS#11, where 
> keys+certs from installed PKCS#11 modules are expected to Just Work™ 
> in all applications that can use certificates. Using consistent 
> PKCS#11 URIs where appropriate.

This isn't a Fedora Feature, but as of yesterday we do have packaging
guidelines in Fedora which state that:

 - Packages using X.509 certificates SHOULD support PKCS#11
 - Packages using PKCS#11 SHOULD load the p11-kit modules by default
 - Packages using PKCS#11 SHOULD accept RFC7512 URIs to specify objects

Fedora 22 has fixes for pkcs11-helper and engine_pkcs11, so it's only
really NSS that we have yet to fix.

For the use of RFC7512 PKCS#11 URIs I have filed and started a
thread at

For loading the correct tokens, I have filed and started a
thread at

I'd quite like to get NSS fixed, but I'm not entirely averse to just
going through Fedora packages and switching them to build against
GnuTLS or OpenSSL instead, if NSS is going to prove too resistant to
getting fixed :)
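
An added example, not part of the original message or of any Fedora package: a minimal Python parser for the RFC7512 `pkcs11:` URIs that the third guideline above asks packages to accept. The sample URI, the function names and the rejection of repeated attribute names are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Standard RFC 7512 attribute names; any other name is treated as vendor-specific.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}
PCT_OK = re.compile(r"(?:[^%]|%[0-9A-Fa-f]{2})*")  # only well-formed %XX escapes

# Constructed sample URI (not from the original message).
SAMPLE = ("pkcs11:token=Example%20Token;object=vpn-key;type=private;id=%01%AB"
          "?pin-source=file:/etc/example/pin")


def _attrs(component, sep, where, wrong_place):
    out = {}
    for part in component.split(sep) if component else []:
        name, eq, value = part.partition("=")
        if not name or not eq or not PCT_OK.fullmatch(value):
            raise ValueError(f"malformed {where} attribute: {part!r}")
        if name in wrong_place:
            raise ValueError(f"{name} is not valid in the {where} component")
        if name in out:  # strictness chosen by this example
            raise ValueError(f"duplicate {where} attribute: {name}")
        raw = unquote_to_bytes(value)
        # "id" is binary (CKA_ID); every other value is decoded as UTF-8 text.
        out[name] = raw if name == "id" else raw.decode("utf-8")
    return out


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) or raise ValueError."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = _attrs(path, ";", "path", QUERY_ATTRS)
    params = _attrs(query, "&", "query", PATH_ATTRS)
    if attrs.get("type", "cert") not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {attrs['type']!r}")
    return attrs, params


def embeds_pin(params):
    """True when the PIN sits in the URI itself, so it lands wherever the URI is stored or logged."""
    return "pin-value" in params
```
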
