How to setup "p11-kit-proxy" to allow public access to certificates?
Daiki Ueno
ueno at gnu.org
Wed Oct 12 09:27:13 UTC 2022
Hello Steve,
Steve Ross <sross at forcepointgov.com> writes:
> I am trying to include some Network Security Services (NSS) functionality while also
> using "p11-kit-proxy", but (so far) I'm unable to do so. In particular, I want to make
> NSS treat X.509 certificates on a smart card as public, so that the user can access them
> without first providing a PIN for the card. I'm hoping that someone on this list can
> provide some direction to me.
>
> In the past, before using "p11-kit-proxy", I could accomplish adding a PKCS #11
> module to the system database, and also making the module treat the certificates as
> "public", by using a command like:
>
> $ modutil -add opensc -mechanisms FRIENDLY -libfile /usr/lib64/pkcs11/opensc-pkcs.so -dbdir sql:/etc/pki/nssdb
>
> where the command added the "opensc" library to the output of "modutil -list" and
> where the "-mechanisms FRIENDLY" option added an "NSS=" line to the file
> "/etc/pki/nssdb/pkcs11.txt" like:
>
> library=opensc-pkcs11.so
> name=opensc
> NSS=slotParams={0x00000001=[slotFlags=PublicCerts ] 0x00000002=[slotFlags=PublicCerts ] }
>
> With this configuration, when I execute a "certutil" command to manipulate
> certificates, the command (as expected) provides a response without first prompting
> for a PIN for the token.
>
> However, when my system is using "p11-kit-proxy", the module entry of "opensc" no
> longer appears in the output of "modutil -list"; instead the entry is "p11-kit-proxy".
> How would I configure "p11-kit-proxy" to pass along the "PublicCerts" setting to the
> module(s) for which it is the proxy?
>
> Would I add a name/value pair to the file
> "/usr/share/p11-kit/modules/opensc.module"? If so, what name/value pair? (I'm
> actually not using the OpenSC module, but another PKCS #11 module.)
>
> I have tried directly editing the files of "/etc/pki/nssdb/pkcs11.txt" and
> "/etc/crypto-policies/back-ends/nss.config" to add the "NSS=..." line, but "certutil" still
> prompts for a PIN.
I think this is a reasonable use-case, though I'm afraid p11-kit-proxy
currently doesn't directly support it. The plan is to support it
through a PKCS #11 profile object (CKP_PUBLIC_CERTIFICATES_TOKEN[1])
attached to the token, which tells NSS that the token is for general
access[2].
Here is an open issue[3], which I think is a low-hanging fruit though we
need to think about how to express mapping between slots and profile
objects in the configuration. Maybe something like:
profile-public-certificates-token: <PKCS #11 URL for slot>
Any suggestions would be appreciated.
Footnotes:
[1] https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/os/pkcs11-profiles-v3.0-os.html#_Toc10196664
[2] https://searchfox.org/mozilla-central/rev/e94c6cb9649bfe4e6a3888460f41bcd4fe30a6ca/security/nss/lib/pk11wrap/pk11slot.c#1798
[3] https://github.com/p11-glue/p11-kit/issues/250
Regards,
--
Daiki Ueno
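As an added illustration of the situation discussed in this thread (not code from the thread, from NSS or from p11-kit), a small Python parser for the NSS pkcs11.txt module database that reports which modules carry the PublicCerts slot flag and recognises the case where only p11-kit-proxy is registered, so that a PublicCerts line for the underlying module has nothing to attach to. The file contents and the module name "my-vendor-pkcs11" are constructed for the example.

```python
"""Inspect an NSS pkcs11.txt module database for the PublicCerts slot flag."""
import re

# Constructed sample resembling /etc/pki/nssdb/pkcs11.txt (simplified, not
# copied from a real system): the internal module, one module loaded directly
# with PublicCerts on two slots, and the p11-kit-proxy entry NSS sees instead
# of the real module once the proxy is in use.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75

library=opensc-pkcs11.so
name=opensc
NSS=slotParams={0x00000001=[slotFlags=PublicCerts ] 0x00000002=[slotFlags=PublicCerts ] }

library=p11-kit-proxy.so
name=p11-kit-proxy
NSS=trustOrder=100
"""

# One "slotID=[flags]" entry inside slotParams={...}; slot IDs may be hex or decimal.
_SLOT_RE = re.compile(r"(0x[0-9a-fA-F]+|\d+)=\[([^\]]*)\]")


def parse_modules(text):
    """Return one dict per module block: name, library and the slot IDs flagged PublicCerts."""
    modules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
        if "name" not in fields:
            continue  # not a module block
        public_slots = []
        params = re.search(r"slotParams=\{(.*)\}", fields.get("NSS", ""))
        if params:
            for slot_id, flags in _SLOT_RE.findall(params.group(1)):
                if "PublicCerts" in flags:
                    public_slots.append(int(slot_id, 0))
        modules.append({"name": fields["name"], "library": fields.get("library", ""),
                        "public_cert_slots": public_slots})
    return modules


def public_certs_status(text, module_name):
    """'public' if the module is registered with PublicCerts, 'needs-pin' if registered
    without it, 'proxied' if only p11-kit-proxy is registered in its place, else 'absent'."""
    mods = {m["name"]: m for m in parse_modules(text)}
    if module_name in mods:
        return "public" if mods[module_name]["public_cert_slots"] else "needs-pin"
    return "proxied" if "p11-kit-proxy" in mods else "absent"
```

The slot IDs in slotParams are the IDs NSS sees; behind p11-kit-proxy those are the proxy's renumbered slots, which is why a PublicCerts line written for the underlying module does not carry over.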