I have an HSM that’s not exactly fully supported by the default CCID driver (it needs an old, modified CCID driver whose source is unavailable; the manufacturer is technically not breaking the LGPL license, I checked), but it provides a .so file that can be loaded via p11-kit-proxy, and it works wonderfully in Firefox and Thunderbird for S/MIME signatures. But I cannot use the HSM to sign PDFs in Okular.
p11tool --list-tokens shows the following:
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 1:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
Label: Default Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 2:
URL: pkcs11:model=TimeCos%2FPK;manufacturer=Watchdata%20Corp.;serial=WD08624881;token=Meghadeep%20Roy%20Chowdhury%00%00%00%00%00%00%00%00%00
Label: Meghadeep Roy Chowdhury
Type: Hardware token
Flags: RNG, Requires login, External PIN
Manufacturer: Watchdata Corp.
Model: TimeCos/PK
Serial: WD08624881
Module: /usr/lib/WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so
modutil -dbdir sql:.pki/nssdb -list shows the following:
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.117
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. p11-kit-proxy
library name: p11-kit-proxy.so
uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: 3 slots attached
status: loaded
slot: WatchData IC CARD Reader/Writer 0
token: Meghadeep Roy Chowdhury
uri: pkcs11:token=Meghadeep%20Roy%20Chowdhury;manufacturer=Watchdata%20Corp.;serial=WD08624881;model=TimeCos%2FPK
slot: WatchData IC CARD Reader/Writer 1
token:
uri: pkcs11:
slot: WatchData IC CARD Reader/Writer 2
token:
uri: pkcs11:
-----------------------------------------------------------
I have configured Okular to use the custom nssdb at ~/.pki/nssdb, but I still cannot sign any PDFs. I have even tried using Thunderbird’s nssdb because I could confirm it worked, but Okular still cannot load any certs from the HSM, or sign any PDFs.
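The listings above are the two things Okular (through poppler's NSS backend) depends on: the NSS database must have p11-kit-proxy registered and loaded, and the HSM's token must be visible through that module with its certificates readable by NSS. The script below is an added example, not part of the original post, that parses `modutil -list` output to check both conditions offline against a sample built from the listing in the post, and, when invoked as `sh check_nss_hsm.sh live`, runs the same checks against a real database with `modutil` and `certutil` (from the NSS tools package; the `NSSDB` path is an assumed placeholder that defaults to the poster's `sql:$HOME/.pki/nssdb`).

```shell
#!/bin/sh
# Added example (not from the original post): verify that the NSS database
# Okular is pointed at exposes the HSM through p11-kit-proxy.
# Assumptions: NSS tools (modutil, certutil) are installed; NSSDB is a placeholder.

NSSDB="${NSSDB:-sql:$HOME/.pki/nssdb}"

# Constructed sample, re-indented the way `modutil -list` prints it,
# using the values shown in the post's own listing.
SAMPLE=$(cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.117
       slots: 2 slots attached
      status: loaded

        slot: NSS Internal Cryptographic Services
       token: NSS Generic Crypto Services
         uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

        slot: NSS User Private Key and Certificate Services
       token: NSS Certificate DB
         uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
  library name: p11-kit-proxy.so
         uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
       slots: 3 slots attached
      status: loaded

        slot: WatchData IC CARD Reader/Writer 0
       token: Meghadeep Roy Chowdhury
         uri: pkcs11:token=Meghadeep%20Roy%20Chowdhury;manufacturer=Watchdata%20Corp.;serial=WD08624881;model=TimeCos%2FPK

        slot: WatchData IC CARD Reader/Writer 1
       token:
         uri: pkcs11:

        slot: WatchData IC CARD Reader/Writer 2
       token:
         uri: pkcs11:
-----------------------------------------------------------
EOF
)

# Print the "status:" value of module $1 from a modutil listing read on stdin
# (prints nothing if the module is not registered at all).
module_status() {
    awk -v want="$1" '
        /^[[:space:]]*[0-9]+\. / { cur = $0; sub(/^[[:space:]]*[0-9]+\. /, "", cur); next }
        cur == want && /^[[:space:]]*status:/ {
            s = $0; sub(/^[[:space:]]*status:[[:space:]]*/, "", s); print s; exit
        }
    '
}

# Print the non-empty token labels attached to module $1 (empty slots, such as
# the two unused reader slots in the post, are skipped).
labelled_tokens() {
    awk -v want="$1" '
        /^[[:space:]]*[0-9]+\. / { cur = $0; sub(/^[[:space:]]*[0-9]+\. /, "", cur); next }
        cur == want && /^[[:space:]]*token:/ {
            t = $0; sub(/^[[:space:]]*token:[[:space:]]*/, "", t)
            if (t != "") print t
        }
    '
}

count_labelled_tokens() { labelled_tokens "$1" | awk 'END { print NR }'; }

# Run the checks against the real database: module loaded, then list the
# certificates NSS itself can read from each labelled token (certutil asks
# for the token PIN, which is also what poppler/Okular must be able to do).
live_check() {
    command -v modutil >/dev/null 2>&1 || { echo "modutil not found (install NSS tools)" >&2; return 1; }
    listing=$(modutil -dbdir "$NSSDB" -list 2>/dev/null)
    if [ "$(printf '%s\n' "$listing" | module_status p11-kit-proxy)" != "loaded" ]; then
        echo "p11-kit-proxy is not loaded in $NSSDB; register it with:" >&2
        echo "  modutil -dbdir $NSSDB -add p11-kit-proxy -libfile p11-kit-proxy.so" >&2
        return 1
    fi
    printf '%s\n' "$listing" | labelled_tokens p11-kit-proxy | while IFS= read -r tok; do
        echo "== certificates NSS can read on token '$tok' =="
        certutil -d "$NSSDB" -L -h "$tok"
    done
}

if [ "${1:-}" = "live" ]; then
    live_check
else
    echo "p11-kit-proxy status in sample: $(printf '%s\n' "$SAMPLE" | module_status p11-kit-proxy)"
    echo "labelled tokens behind p11-kit-proxy:"
    printf '%s\n' "$SAMPLE" | labelled_tokens p11-kit-proxy
fi
```

If `certutil -L -h "<token>"` shows no certificates even though `p11tool` lists the token, NSS is loading the module but not reading the card's certificate objects, which is the layer Okular sits on; if it does show them, the remaining difference is which database Okular actually opens, so the same script run with `NSSDB` set to the directory Okular is configured with is the quickest way to compare.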