@tiran
Created August 22, 2018 10:39
NitroHSM support for Dogtag
/* polkit rule to allow 'pkiuser' to access the NitroHSM PC/SC interface
 *
 * file name: /etc/polkit-1/rules.d/99-pkiuser-pcsc.rules
 *
 * Background: pcscd asks polkit before a client may talk to the daemon
 * (org.debian.pcsc-lite.access_pcsc) and before it may open a reader
 * (org.debian.pcsc-lite.access_card). The implicit policy only allows
 * users with an active local session, so a service account such as
 * 'pkiuser' (Dogtag's daemon user) is denied unless a rule grants it.
 *
 * Resources:
 * - https://access.redhat.com/blogs/766093/posts/1976313
 * - https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html
 *
 * Installation:
 * # dnf install opensc pcsc-lite pcsc-tools
 * # cp 99-pkiuser-pcsc.rules /etc/polkit-1/rules.d/99-pkiuser-pcsc.rules
 *
 * Verify access to the NitroHSM (the sudo commands must succeed as pkiuser,
 * not only as root, otherwise the rule is not in effect):
 * # pcsc_scan
 * # sudo -u pkiuser -- opensc-tool --list-readers
 * # sudo -u pkiuser -- pkcs11-tool --list-slots
 *
 * Reset NitroHSM (WARNING: deletes all objects). The SO-PIN below is the
 * factory default of a SmartCard-HSM; the user PIN set here is the value
 * passed later as --token-password.
 * # sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 1234567
 *
 * Install FreeIPA:
 * # ipa-server-install --hsm-enable --hsm-libfile=/usr/lib64/opensc-pkcs11.so --hsm-modulename=nitrohsm --token-name='UserPIN (SmartCard-HSM)' --token-password=1234567
 *
 */

/* Let pkiuser connect to pcscd at all. */
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});

/* Let pkiuser open a reader, but only the Nitrokey HSM: pcscd passes the
 * reader name in the "reader" detail, and the prefix match keeps pkiuser
 * away from any other smart card attached to the host. Anything else
 * falls through (undefined) to later rules and the implicit policy. */
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});
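The rules above can only be checked on a host with pcscd, polkit and the HSM attached. As an added example (not part of the gist or of pcsc-lite), here is a small stand-in for polkit's rule engine that lets you exercise the same two rules offline: `polkit.addRule`, `polkit.Result` and the `action`/`subject` objects are modelled the way polkitd presents them to a rules file, with rules evaluated in order and the first non-undefined return value deciding. The reader names are constructed sample strings in pcsc-lite's usual "vendor product (serial) nn nn" layout; `makeAction`, `evaluate` and `decide` are helpers of this example only.

```javascript
// Minimal stand-in for polkitd's JavaScript rule engine (added example).
// Real polkit evaluates rules in file order: the first rule that returns a
// polkit.Result value wins; a rule that returns undefined defers to later
// rules and, if none decides, to the action's implicit policy.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Shape of the objects a rule receives: an Action with an id and a
// lookup() for details (pcscd sets "reader" for access_card), and a
// Subject carrying the requesting user name.
function makeAction(id, details = {}) {
  return { id, lookup: (key) => details[key] };
}

function evaluate(action, subject) {
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return undefined; // falls through to the implicit policy
}

// The two rules exactly as in 99-pkiuser-pcsc.rules.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
      subject.user == "pkiuser") {
    return polkit.Result.YES;
  }
});
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_card" &&
      action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") &&
      subject.user == "pkiuser") {
    return polkit.Result.YES;
  }
});

// Convenience wrapper: what would polkit answer for this action/user?
function decide(actionId, user, details) {
  return evaluate(makeAction(actionId, details), { user });
}

// Constructed reader names in pcsc-lite's "vendor product (serial) nn nn" form.
const NITROKEY_READER = "Nitrokey Nitrokey HSM (DENK0100123) 00 00";
const OTHER_READER = "Yubico YubiKey OTP+FIDO+CCID 01 00";

console.log("pkiuser -> pcscd:        ", decide("org.debian.pcsc-lite.access_pcsc", "pkiuser"));
console.log("pkiuser -> Nitrokey HSM: ", decide("org.debian.pcsc-lite.access_card", "pkiuser", { reader: NITROKEY_READER }));
console.log("pkiuser -> other reader: ", decide("org.debian.pcsc-lite.access_card", "pkiuser", { reader: OTHER_READER }));
console.log("apache  -> Nitrokey HSM: ", decide("org.debian.pcsc-lite.access_card", "apache", { reader: NITROKEY_READER }));
```

The two undefined results are the point of the second rule: a different user, or pkiuser asking for any reader that is not the Nitrokey HSM, gets no grant from this file and is left to pcsc-lite's implicit policy, which denies session-less service accounts.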
tiran commented Aug 8, 2019

Please share the information on either a new gist or better as an upstream ticket on https://pagure.io/freeipa
