Fedora provides a mechanism to configure PKCS#11 modules system wide,
allowing crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a
consistent manner. Until now, NSS applications haven’t benefited from it as
NSS uses a different configuration mechanism which requires users to
register PKCS#11 modules in NSS databases. Fedora 29 makes this manual
procedure unnecessary by registering the
p11-kit-proxy module (system
PKCS#11 module aggregator) in NSS databases with the default configuration.
This allows NSS applciations to use PKCS#11 modules the same as other crypto
libraries, enabling consistency in PKCS#11 driver registration across the
system. Consequently, users will see improvements in smart card and
hardware security module (HSM) use in Fedora.