Configuring p11-kit

p11-kit, in their own words, "provides a way to load and enumerate PKCS#11 modules. [It] provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable." It provides a central place to coordinate setups with multiple applications and multiple modules.

In practice, this means that applications that are aware of p11-kit (like p11tool) can auto-discover these PKCS#11 modules. Then you no longer need to specify the module path manually (like p11tool --provider /usr/local/primus/lib/libprimusP11.so).

Setting up p11-kit may be needed if your application depends on it.

Architecture graphic from RedHat

Installation

Make sure that the Primus PKCS#11 Provider is installed in /usr/local/primus and is fully configured as per the docs.

Then install the package:

Tool	Debian	RHEL
p11-kit	p11-kit	p11-kit

Configure

1. Create the folder /usr/share/p11-kit/modules/ if it does not yet exist.
2. Create the file /usr/share/p11-kit/modules/primus.module with the following content:

module: libprimusP11.so
priority: 2

# optional allowlist, to limit which programs can use this module
# enable-in: p11-kit, openssl, httpd, nginx

Alternatively, you can use /etc/pkcs11/modules/.

For more options, see man pkcs11.conf.

Verify

Check that p11-kit can see the module:

p11-kit list-modules

Example output:

primus: libprimusP11.so
    library-description: PKCS#11 Library
    library-manufacturer: Securosys SA
    library-version: 2.34
    token: TEST-PARTITION
        manufacturer: Securosys SA
        model: Primus HSM
        serial-number: 1234567890abcdef
        hardware-version: 3.2
        firmware-version: 2.34
        flags:
               rng
               login-required
               user-pin-initialized
               restore-key-not-needed
               clock-on-token
               token-initialized
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
               write-protected
               token-initialized
opensc-pkcs11: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.22

Troubleshooting

Setting module: libprimusP11.so requires libprimusP11.so to be present in your library search path. This has the advantage that the module file is more general, e.g. it is independent of the architecture (lib32 vs. lib64).

If you used the package manager to install the Primus PKCS#11 Provider (i.e., installed via RPM or DEB), then this may have been setup automatically.

To configure this manually (on Debian):

sudo ln -s /usr/local/primus/lib/libprimusP11.so /usr/lib/x86_64-linux-gnu/pkcs11/libprimusP11.so
sudo ln -s /usr/local/primus/lib/libprimusP11.so /usr/lib/x86_64-linux-gnu/libprimusP11.so

RHEL	Debian
/usr/lib64/pkcs11/ or /usr/lib64/	/usr/lib/x86_64-linux-gnu/pkcs11/ or /usr/lib/x86_64-linux-gnu/

If all else fails, try specifying the full path in the module file: module: /usr/local/primus/lib/libprimusP11.so

References

• p11-kit manual
• Blog post: Consistent PKCS #11 support in Red Hat Enterprise Linux 8
• Configuring applications to use cryptographic hardware through PKCS #11