/etc/pkcs11proxyd/pkcs11proxyd.conf is in caml-crush-server 1.0.7-1build1.

This file is owned by root:root, with mode 0o644.

(* Netplex configuration for pkcs11proxyd (Caml Crush PKCS#11 filtering proxy).
   Comments use OCaml syntax: (* ... *). Commented-out blocks below are
   alternative settings that are disabled in this default configuration. *)
netplex {
  controller {
    (* Log level. "debug" is the most verbose setting; it is useful while
       setting the proxy up, but a lower level is normally preferred for a
       production deployment of a service that fronts cryptographic tokens. *)
    max_level = "debug";    (* Log level *)

    (* configure "admin" socket directory, default "/tmp/.netplex" *)
    (* NOTE(review): whoever can access this directory can presumably reach the
       netplex admin socket; keep it owned by the service user with a
       restrictive mode — confirm against the netplex documentation. *)
    socket_directory = "/var/lib/pkcs11proxyd/.netplex";

    logging {
      (* type can either be "stderr" or "syslog" *)
      type = "syslog";      (* Log to syslog (not stderr); change to "stderr" for foreground debugging *)
    };
  };
  service {
    name = "PKCS#11 Filtering Proxy";
    (* These parameters can be used to change UID/GID of worker processes *)
    (* Worker processes drop to this unprivileged user/group; the TLS key file
       referenced further down must be readable by this user. *)
    user = "Debian-pkcs11proxyd";
    group = "Debian-pkcs11proxyd";

    (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *)
    (* conn_limit = 1 means one client connection per worker process;
       presumably this keeps each client's PKCS#11 session state isolated in
       its own process — verify against the Caml Crush documentation before
       touching it. *)
    conn_limit = 1;

    protocol {
      (* This section creates the socket *)
      name = "rpc_pkcs11";

      (* Set Unix socket permissions (only meaningful with the "local" address type below). *)
      (* "0o777" makes the socket world-readable/writable, i.e. any local user
         could talk to the proxy. If enabling this, prefer a mode that grants
         access only to the intended client group (e.g. "0o660" with a
         suitable group) rather than 0o777. *)
      (*
      local_chmod = "0o777";
      *)

      (* Socket can either be TCP or UNIX *)
      address {
        (* Default here is TCP localhost on port 4444 *)
        (* Binding to 127.0.0.1 restricts clients to the local host. Binding to
           any other address exposes the proxy on the network, in which case
           use_ssl / tls below should be enabled, because the RPC traffic is
           otherwise unencrypted and unauthenticated at the transport level. *)
        type = "internet";
        bind = "127.0.0.1:4444";

        (*
        type = "local";
        path = "/var/run/pkcs11proxyd.socket";
        *)
      };
    };
    processor {
      (* This section specifies how to process data of the socket *)
      type = "rpc_pkcs11";

      (* libnames param is used when the proxy is compiled WITHOUT filtering support *)
      (* syntax is: libnames="<module_name>:<path_to_middleware>;<...>:<...>;"; *)
      (* Each entry maps an alias to an absolute path of a PKCS#11 middleware
         library that the proxy will load; only list libraries you trust. *)
      (*
      libnames="softhsm:/usr/local/lib/softhsm/libsofthsm.so;opencryptoki:/usr/lib/libopencryptoki.so;";
      *)

      (* filter_config is used to supply the filtering configuration when compiled in *)
      (* The filter configuration is what restricts which PKCS#11 functions,
         mechanisms and modules clients may use; review it together with
         this file. *)
      filter_config="/etc/pkcs11proxyd/filter.conf";

      (*************** TLS support begin ***********************)
      (* use_ssl = false to disable SSL support on server side *)
      (* use_ssl = true to enable SSL support on server side   *)
      (* With use_ssl = false the proxy speaks plaintext. That is acceptable
         for the loopback bind above; for any non-loopback bind set this to
         true and configure the tls block below. *)
      use_ssl = false;

      (* TLS support for Caml Crush compiled with OCamlnet 4.x *)
      (* Uncomment to enable TLS when using OCamlnet 4.x *)
      (* The priority string restricts the server to TLS 1.2 and removes
         static-RSA and DHE-DSS key exchange as well as CAMELLIA-CBC suites,
         leaving forward-secret suites only. The x509 paths are relative
         here; presumably they are resolved against the working directory of
         the daemon — prefer absolute paths under /etc/pkcs11proxyd and make
         sure key_file is readable only by the service user. trust/crt_file is
         presumably the CA used to validate client certificates — confirm
         against the OCamlnet TLS documentation. *)
      (*
      tls {
        (* Ciphersuites, GnuTLS syntax *)
        (* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *)
        algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC";

        (* Uncomment to enable DHE parameters, used for PFS *)
        (*
        dh_params {
          (* Pre-computed DH parameters *)
          pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem";
          (* Run-time created DH parameters, warning: this takes a long time *)
          (*bits = 2048;*)
        };
        *)
        x509 {
         key {
           crt_file = "server.pem";
           key_file = "server.key";
         };
         trust {
           crt_file = "cacert.pem";
         };
        }
      };
      *)
      (***************TLS support end  *************************)
    };
    workload_manager {
      (* Worker processes are created on demand ("dynamic"). With
         max_jobs_per_thread = 1 each worker serves a single job, matching
         conn_limit = 1 above; max_threads bounds the number of concurrent
         workers and therefore of concurrent clients. *)
      type = "dynamic";
      max_jobs_per_thread = 1;  (* Everything else is senseless *)
      min_free_jobs_capacity = 1;
      max_free_jobs_capacity = 1;
      max_threads = 100;
    };
  }
}