Globally disable softhsm2 in p11-kit-proxy

The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipaplatform/base/paths.py

@@ -371,6 +371,7 @@ class BasePathNamespace:
     AUTHCONFIG = None
     AUTHSELECT = None
     SYSCONF_NETWORK = None
+    ETC_PKCS11_MODULES_DIR = "/etc/pkcs11/modules"
     # 389 DS related commands.
     DSCREATE = '/usr/sbin/dscreate'
     DSCTL = '/usr/sbin/dsctl'

ipaplatform/base/tasks.py

@@ -306,5 +306,24 @@ class BaseTaskNamespace:
 
         return ipautil.run(cmd, **kwargs)
 
+    def configure_pkcs11_modules(self, fstore):
+        """Disable p11-kit modules
+
+        The p11-kit configuration injects p11-kit-proxy into all NSS
+        databases. Amongst other p11-kit loads SoftHSM2 PKCS#11 provider.
+        This interferes with 389-DS, certmonger, Dogtag and other services.
+        For example certmonger tries to open OpenDNSSEC's SoftHSM2 token,
+        although it doesn't use it at all. It also breaks Dogtag HSM support
+        testing with SoftHSM2.
+
+        IPA server does neither need nor use SoftHSM2 proxied by p11-kit.
+        """
+        raise NotImplementedError
+
+    def restore_pkcs11_modules(self, fstore):
+        """Restore global p11-kit modules for NSS
+        """
+        raise NotImplementedError
+
 
 tasks = BaseTaskNamespace()

ipaplatform/debian/tasks.py

@@ -73,5 +73,11 @@ class DebianTaskNamespace(RedHatTaskNamespace):
         # Debian handles httpd logging differently
         pass
 
+    def configure_pkcs11_modules(self, fstore):
+        # Debian doesn't use p11-kit
+        pass
+
+    def restore_pkcs11_modules(self, fstore):
+        pass
 
 tasks = DebianTaskNamespace()

ipaplatform/redhat/tasks.py

@@ -54,6 +54,14 @@ from ipaplatform.base.tasks import BaseTaskNamespace
 logger = logging.getLogger(__name__)
 
 
+# /etc/pkcs11/modules override
+# base filen ame, module, list of disabled-in
+# 'p11-kit-proxy' disables proxying of module, see man(5) pkcs11.conf
+PKCS11_MODULES = [
+    ('softhsm2', paths.LIBSOFTHSM2_SO, ['p11-kit-proxy']),
+]
+
+
 NM_IPA_CONF = textwrap.dedent("""
     # auto-generated by IPA installer
     [main]
@@ -679,5 +687,55 @@ class RedHatTaskNamespace(BaseTaskNamespace):
             if nm.is_enabled():
                 nm.reload_or_restart()
 
+    def configure_pkcs11_modules(self, fstore):
+        """Disable global p11-kit configuration for NSS
+        """
+        filenames = []
+        for name, module, disabled_in in PKCS11_MODULES:
+            filename = os.path.join(
+                paths.ETC_PKCS11_MODULES_DIR,
+                "{}.module".format(name)
+            )
+            if os.path.isfile(filename):
+                # Only back up if file is not yet backed up and it does not
+                # look like a file that is generated by IPA.
+                with open(filename) as f:
+                    content = f.read()
+                is_ipa_file = "IPA" in content
+                if not is_ipa_file and not fstore.has_file(filename):
+                    logger.debug("Backing up existing '%s'.", filename)
+                    fstore.backup_file(filename)
+
+            with open(filename, "w") as f:
+                f.write("# created by IPA installer\n")
+                f.write("module: {}\n".format(module))
+                # see man(5) pkcs11.conf
+                f.write("disable-in: {}\n".format(", ".join(disabled_in)))
+                os.fchmod(f.fileno(), 0o644)
+            logger.debug("Created PKCS#11 module config '%s'.", filename)
+            filenames.append(filename)
+
+        return filenames
+
+    def restore_pkcs11_modules(self, fstore):
+        """Restore global p11-kit configuration for NSS
+        """
+        filenames = []
+        for name, _module, _disabled_in in PKCS11_MODULES:
+            filename = os.path.join(
+                paths.ETC_PKCS11_MODULES_DIR,
+                "{}.module".format(name)
+            )
+            try:
+                os.unlink(filename)
+            except OSError:
+                pass
+            else:
+                filenames.append(filename)
+
+            if fstore.has_file(filename):
+                fstore.restore_file(filename)
+
+        return filenames
 
 tasks = RedHatTaskNamespace()