Hi Graham,
389ds relies on the NSS framework,
I cannot help you much on this point as your question reached the limit of my knowledge about NSS, but if no one else has a better answer here are some hint:
389ds relies on the NSS framework,
so IMHO the question should be how to use p11-kit-trust with NSS..
I cannot help you much on this point as your question reached the limit of my knowledge about NSS, but if no one else has a better answer here are some hint:
while looking on the web, I found several pages that may interest you::
- https://www.dogtagpki.org/wiki/NSS_Fedora_Development
(The contact link may help you to get a more precise answer)
- https://www.dogtagpki.org/wiki/NSS_Fedora_Development
(The contact link may help you to get a more precise answer)
- https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
(And especially the "How to test" section that may interest you/
(And especially the "How to test" section that may interest you/
Apparently p11-kit-proxy allows you to install and use p11kit module
but you also have to also install these module with modutil to be able to use this feature (maybe trying to load p11-kit-trust in nss with modutil will do the trick (but that is just a wild guess))
Good luck !
but you also have to also install these module with modutil to be able to use this feature (maybe trying to load p11-kit-trust in nss with modutil will do the trick (but that is just a wild guess))
Good luck !
Pierre
On Sun, Oct 2, 2022 at 7:07 PM Graham Leggett <minfrin@xxxxxxxx> wrote:
Hi all,
389ds as shipped by RHEL9 is linked to NSS, which in theory supports PKCS11, but in practice I can't get to work.
Most specifically, when you display a 389ds NSS database using modutil, you see p11-kit-proxy (good), but it reports "There are no slots attached to this module” (bad).
Has anyone got an explanation as to why this might be?
[root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. p11-kit-proxy
library name: p11-kit-proxy.so
uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: There are no slots attached to this module
status: loaded
—————————————————————————————
At the very least the system and default CA databases should be visible, but alas no:
[root@seawitch ~]# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.24
token: System Trust
manufacturer: PKCS#11 Kit
model: p11-kit-trust
serial-number: 1
hardware-version: 0.24
flags:
token-initialized
token: Default Trust
manufacturer: PKCS#11 Kit
model: p11-kit-trust
serial-number: 1
hardware-version: 0.24
flags:
write-protected
token-initialized
Regards,
Graham
—
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
389 Directory Server Development Team
389 Directory Server Development Team
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue