Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0.beta
Affects Version/s: None
Component/s: pkcs11-provider
Labels:

Fixed in Build:
pkcs11-provider-0.5-4.el10
Epic Link:
CRYPTO-13082
sprint_count:
1

Pool Team:

rhel-sst-security-crypto
Sub-System Group:

ssg_security

Internal Target Milestone:
28
Story Points:
2
Target Version:

rhel-10.0.beta
Product Documentation Required:
Yes
Sprint:
Crypto24Q3

Acceptance Criteria:

Hide

AC1) pkcs11-provider installs its configuration file pkcs11-provider.conf into OPENSSLDIR (/etc/pki/tls/) upon installation.

AC2) Configuration file contains just the activation and enabling the provider section.

Show
AC1) pkcs11-provider installs its configuration file pkcs11-provider.conf into OPENSSLDIR (/etc/pki/tls/) upon installation. AC2) Configuration file contains just the activation and enabling the provider section.
Preliminary Testing:
Pass
Test Link:
https://pkgs.devel.redhat.com/cgit/tests/pkcs11-provider/tree/Sanity/default-configuration
Errata Link:
https://errata.engineering.redhat.com/advisory/133067
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Feature
Release Note Text:

Hide
.Added custom configuration for `pkcs11-provider`

The `pkcs11-provider` allows direct access to hardware tokens by using `pkcs11` URIs from OpenSSL programs. Upon installation, the `pkcs11-provider` is automatically enabled and loads tokens detected by the `pcscd` daemon by using the `p11-kit` driver by default. As a result, you can use tokens available to the system if you provide a key URI by using the `pkcs11` URI specification to an application that supports that format by installing the package without the need to further change OpenSSL configuration. Uninstalling the package also removes the OpenSSL configuration snippet, which prevents errors when OpenSSL parses the configuration files.

Show
.Added custom configuration for `pkcs11-provider` The `pkcs11-provider` allows direct access to hardware tokens by using `pkcs11` URIs from OpenSSL programs. Upon installation, the `pkcs11-provider` is automatically enabled and loads tokens detected by the `pcscd` daemon by using the `p11-kit` driver by default. As a result, you can use tokens available to the system if you provide a key URI by using the `pkcs11` URI specification to an application that supports that format by installing the package without the need to further change OpenSSL configuration. Uninstalling the package also removes the OpenSSL configuration snippet, which prevents errors when OpenSSL parses the configuration files.
Release Note Status:
Done

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Goal

when pkcs11-provider is installed provide an easy way to enable it in openssl, ideally by deploying a snippet file in the openssl config
Acceptance Criteria
Verify pkcs1-provider can be easily enabled

NOTE: this requires a little bit of testing to find out what is the best solution.

is triggering

RHEL-56502 OpenLDAP should leak the SSL ctx and not try to free it in a destructor

Planning

links to

c10s MR

RHBA-2024:133067 pkcs11-provider bug fix and enhancement update

Test Requirement (RHSEC-6959)

Assignee:: Simo Sorce

Reporter:: Simo Sorce

Contributors:: Sahana Prasad Hebbur Narasimha Prasad

Developer:: Simo Sorce

QA Contact:: Ondrej Moris

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/03/19 3:59 PM

Updated:: 2024/11/07 12:48 PM

Target end:: 2024/09/09

Details

Description

Goal

Acceptance Criteria

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates