How to set up "p11-kit-proxy" to allow public access to certificates?
sross at forcepointgov.com
Tue Sep 27 23:02:18 UTC 2022
I am trying to include some Network Security Services (NSS)
functionality while also using "p11-kit-proxy", but (so far) I'm unable
to do so. In particular, I want to make NSS treat X.509 certificates on
a smart card as public, so that the user can access them without first
providing a PIN for the card. I'm hoping that someone on this list can
provide some direction to me.
In the past, before using "p11-kit-proxy", I could accomplish adding a
PKCS #11 module to the system database, and also making the module treat
the certificates as "public", by using a command like:
$ modutil -add opensc -mechanisms FRIENDLY -libfile /usr/lib64/pkcs11/opensc-pkcs.so -dbdir sql:/etc/pki/nssdb
where the command added the "opensc" library to the output of "modutil
-list" and where the "-mechanisms FRIENDLY" option added an "NSS=" line
to the file "/etc/pki/nssdb/pkcs11.txt" like:
0x00000002=[slotFlags=PublicCerts ] }
With this configuration, when I execute a "certutil" command to
manipulate certificates, the command (as expected) provides a response
without first prompting for a PIN for the token.
However, when my system is using "p11-kit-proxy", the module entry of
"opensc" no longer appears in the output of "modutil -list"; instead the
entry is "p11-kit-proxy". How would I configure "p11-kit-proxy" to pass
along the "PublicCerts" setting to the module(s) for which it is the proxy?
Would I add a name/value pair to the file
"/usr/share/p11-kit/modules/opensc.module"? If so, what name/value
pair? (I'm actually not using the OpenSC module, but another PKCS #11
I have tried directly editing the files of "/etc/pki/nssdb/pkcs11.txt"
and "/etc/crypto-policies/back-ends/nss.config" to add the "NSS=..."
line, but "certutil" still prompts for a PIN.
Thanks for any suggestions,
-- Steve Ross