Configuring p11-kit

p11-kit, in their own words, "provides a way to load and enumerate PKCS#11 modules. [It] provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable." It provides a central place to coordinate setups with multiple applications and multiple modules.

In practice, this means that applications that are aware of p11-kit (like p11tool) can auto-discover these PKCS#11 modules. You no longer need to specify the module path manually (like `p11tool --provider /usr/local/primus/lib/libprimusP11.so`).

Setting up p11-kit may be needed if your application depends on it.
[Figure: p11-kit architecture graphic from Red Hat]
Installation

Make sure that the Primus PKCS#11 Provider is installed in `/usr/local/primus` and is fully configured as per the docs. Then install the package:

| Debian | RHEL |
|---|---|
| p11-kit | p11-kit |
Configure

- Create the folder `/usr/share/p11-kit/modules/` if it does not yet exist.
- Create the file `/usr/share/p11-kit/modules/primus.module` with the following content:

```
module: libprimusP11.so
priority: 2
# optional allowlist, to limit which programs can use this module
# enable-in: p11-kit, openssl, httpd, nginx
```

Alternatively, you can use `/etc/pkcs11/modules/`. For more options, see `man pkcs11.conf`.
Verify

Check that p11-kit can see the module:

```
p11-kit list-modules
```

Example output:

```
primus: libprimusP11.so
    library-description: PKCS#11 Library
    library-manufacturer: Securosys SA
    library-version: 2.34
    token: TEST-PARTITION
        manufacturer: Securosys SA
        model: Primus HSM
        serial-number: 1234567890abcdef
        hardware-version: 3.2
        firmware-version: 2.34
        flags:
            rng
            login-required
            user-pin-initialized
            restore-key-not-needed
            clock-on-token
            token-initialized
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
            write-protected
            token-initialized
opensc-pkcs11: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.22
```
Troubleshooting

Setting `module: libprimusP11.so` requires `libprimusP11.so` to be present in your library search path. This has the advantage that the module file is more general, e.g. it is independent of the architecture (lib32 vs. lib64). If you used the package manager to install the Primus PKCS#11 Provider (i.e., installed via RPM or DEB), then this may have been set up automatically.
To configure this manually (on Debian):

```
sudo ln -s /usr/local/primus/lib/libprimusP11.so /usr/lib/x86_64-linux-gnu/pkcs11/libprimusP11.so
sudo ln -s /usr/local/primus/lib/libprimusP11.so /usr/lib/x86_64-linux-gnu/libprimusP11.so
```

| RHEL | Debian |
|---|---|
| `/usr/lib64/pkcs11/` or `/usr/lib64/` | `/usr/lib/x86_64-linux-gnu/pkcs11/` or `/usr/lib/x86_64-linux-gnu/` |

If all else fails, try specifying the full path in the module file: `module: /usr/local/primus/lib/libprimusP11.so`
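To check the Configure and Troubleshooting steps above before an application fails to load the module, here is an added shell example (not from the Primus docs or the p11-kit project) that reads the `module:` line of a module file and resolves it against the directories in the table; the directory list and the `/etc/pkcs11/modules/` fallback are taken from this page, and the function names are our own.

```shell
#!/bin/sh
# Added example (not part of the Primus docs): check that a p11-kit module file
# resolves to a readable library, following the Troubleshooting section above.

# Print the library named on the "module:" line of a p11-kit module file.
# Trailing "# comments" and surrounding whitespace are stripped.
module_library_name() {
    sed -n 's/^[[:space:]]*module:[[:space:]]*\([^#]*\).*/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Resolve that library to a file on disk. An absolute path must exist as-is;
# a bare name (as in primus.module) is looked up in the directories passed as
# the remaining arguments. Prints the resolved path and returns 0, else 1.
resolve_module_library() {
    modfile="$1"; shift
    lib=$(module_library_name "$modfile")
    [ -n "$lib" ] || return 1
    case "$lib" in
        /*) [ -r "$lib" ] && { echo "$lib"; return 0; }; return 1 ;;
    esac
    for dir in "$@"; do
        if [ -r "$dir/$lib" ]; then
            echo "$dir/$lib"
            return 0
        fi
    done
    return 1
}

# Module directories from the page's RHEL/Debian table.
P11_SEARCH_DIRS="/usr/lib64/pkcs11 /usr/lib64 /usr/lib/x86_64-linux-gnu/pkcs11 /usr/lib/x86_64-linux-gnu"

# Check the module file in both locations the page mentions.
for f in /usr/share/p11-kit/modules/primus.module /etc/pkcs11/modules/primus.module; do
    [ -r "$f" ] || continue
    # shellcheck disable=SC2086  (word splitting of the directory list is intended)
    if p=$(resolve_module_library "$f" $P11_SEARCH_DIRS); then
        echo "$f -> $p"
    else
        echo "$f: '$(module_library_name "$f")' not found in search dirs;" \
             "symlink it there or set module: to the absolute path"
    fi
done
```

A module file that resolves here but still fails in `p11-kit list-modules` usually points at a library that is present but not loadable (wrong architecture or missing dependencies), which `ldd` on the resolved path will show.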