Crypto Glue: Integration Status
This is an effort to use and promote PKCS#11 as glue between crypto libraries and security applications on the open source desktop. See the main page for how this integration is taking place. Here's a list of various apps, and how we have, can, or want to integrate them.
Empathy
Empathy automatically uses p11-kit to look up certificate anchors in Gnome Keyring. It also uses it to store pinned certificate exceptions in Gnome Keyring.
Complete:
- Empathy automatically uses libgcr to look up certificate anchors and pinned certificates in Gnome Keyring. libgcr uses p11-kit, PKCS#11 and trust assertions to do these lookups.
- Empathy stores pinned certificates in Gnome Keyring.
Want:
- Once Wocky is ported to GIO TLS, we'll be able to refactor things so that Empathy no longer has to use libgcr to do lookups directly. Storage of pinned certificates would continue to go through libgcr.
- Once Empathy has support for client certificates, we should look up those client certificates via p11-kit.
Epiphany
Complete:
- Epiphany uses GIO TLS for its TLS interactions.
Want:
- Waiting for GIO TLS PKCS#11 support.
Evolution
Complete:
- Evolution uses NSS and PKCS#11 to look up certificates and keys, and thus can use the p11-kit-proxy.so module.
- Can also use it as a source of certificate authority anchors.
- If Gnome Keyring 3.1.x or later is installed, then with the config below, Evolution will automatically recognize system anchor certificates stored in gnome-keyring as valid CAs for websites.
Config:
- Run the following command:
echo "library=/usr/lib/p11-kit-proxy.so name=p11-kit NSS=trustOrder=50" >> ~/.pki/nss/pkcs11.txt
If you're running a 64-bit system you'll likely need to replace the path /usr/lib with /usr/lib64.
To do:
- Patch for Evolution so that it automatically adds the p11-kit provider to NSS if not there.
GLib / GIO TLS
Complete:
- Support for GTlsDatabase has been merged into GLib for 2.30.
- Support for a PKCS#11 backend is complete, and has been merged.
- The new PKCS#11 backend uses PKCS#11 URIs as certificate handles. These can be used for configuration.
Want:
- GIO TLS client certificate support needs to be reworked a bit before using keys and certificates.
Gcr / Gck
Complete:
- The Gcr library (Crypto UI Library) now uses p11-kit to look up which PKCS#11 modules are installed and should be used.
- The Gck library (GObject based PKCS#11 bindings) exposes p11-kit, and PKCS#11 URIs.
Want:
- Add support to gcr-viewer for importing keys.
Gnome Keyring
Complete:
- Gnome Keyring installs a p11-kit config file for its PKCS#11 module.
Want:
- Complete the PKCS#11 storage modules in gnome keyring.
Firefox
Complete:
- Firefox uses NSS and PKCS#11 to look up certificates and keys, and can use the p11-kit-proxy.so module.
- Can also use it as a source of certificate authority anchors.
- If Gnome Keyring 3.1.x or later is installed, then with the config below, Firefox will automatically recognize system anchor certificates stored in gnome-keyring as valid CAs for websites.
Config:
- Install the nss-tools package.
- Run the following command:
modutil -add p11-kit -libfile /usr/lib/p11-kit-proxy.so -mechanisms RSA:DSA -dbdir ~/.mozilla/firefox/*.default/
If you're running a 64-bit system you'll likely need to replace the path /usr/lib with /usr/lib64.
Google Chrome
Complete:
- Chrome uses NSS and PKCS#11 to look up certificates and keys, and can use the p11-kit-proxy.so module.
- Can also use it as a source of certificate authority anchors.
- If Gnome Keyring 3.1.x or later is installed, then with the config below, Chrome will automatically recognize system anchor certificates stored in gnome-keyring as valid CAs for websites.
Config:
- Run the following command:
echo "library=/usr/lib/p11-kit-proxy.so name=p11-kit NSS=trustOrder=50" >> ~/.pki/nss/pkcs11.txt
If you're running a 64-bit system you'll likely need to replace the path /usr/lib with /usr/lib64.
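The pkcs11.txt step shared by the Evolution and Chrome sections, written as a small POSIX shell helper that only appends the entry when no p11-kit line is already present (the "add the provider to NSS if not there" item from Evolution's to-do list) and picks /usr/lib64 over /usr/lib when both exist. This is an added example, not code from this wiki or from p11-kit; the function names, the lib64-first search order and the grep patterns are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): register p11-kit-proxy.so in an NSS
# database's pkcs11.txt without duplicating the entry on repeated runs.

# Print the first p11-kit-proxy.so that exists, trying the 64-bit path first
# (the search order is an assumption; the page only names /usr/lib and /usr/lib64).
find_p11_kit_proxy() {
    for candidate in /usr/lib64/p11-kit-proxy.so /usr/lib/p11-kit-proxy.so; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# add_p11_kit_to_nssdb DBDIR LIBPATH
# Append the module line in the exact format the page uses to DBDIR/pkcs11.txt,
# unless a p11-kit-proxy line is already there. Prints "added" or "present".
add_p11_kit_to_nssdb() {
    dbdir=$1
    libpath=$2
    cfg="$dbdir/pkcs11.txt"
    mkdir -p "$dbdir"
    [ -f "$cfg" ] || : > "$cfg"
    if grep -q '^library=.*p11-kit-proxy\.so ' "$cfg"; then
        echo present
        return 0
    fi
    printf 'library=%s name=p11-kit NSS=trustOrder=50\n' "$libpath" >> "$cfg"
    echo added
}

# Count p11-kit entries in DBDIR/pkcs11.txt; 1 means the registration is sane.
count_p11_kit_entries() {
    grep -c 'name=p11-kit ' "$1/pkcs11.txt"
}

# Typical use on a real system (commented out so the helpers load cleanly):
# lib=$(find_p11_kit_proxy) && add_p11_kit_to_nssdb "$HOME/.pki/nss" "$lib"
```

After running it for real, `modutil -dbdir sql:$HOME/.pki/nss -list` should show p11-kit alongside the NSS Internal PKCS #11 Module.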
NSS libsoftokn3
If you want certificates and keys stored in NSS to be available to other p11-kit-using applications, then you would do the following. This is orthogonal to the above integration steps.
Config:
- Run the following command:
printf "module: /usr/lib/libsoftokn3.so\nx-init-reserved: configdir='sql:/data/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''\n" > ~/.pkcs11/modules/nss
If you're running a 64-bit system you'll likely need to replace the path /usr/lib with /usr/lib64.