1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Sharing PKCS#11 modules: p11-kit</title>
<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot">
<link rel="home" href="index.html" title="p11-kit">
<link rel="up" href="index.html" title="p11-kit">
<link rel="prev" href="config-files.html" title="Configuration Files">
<link rel="next" href="sharing-managed.html" title="Managed modules">
<meta name="generator" content="GTK-Doc V1.34.0 (XML mode)">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="5"><tr valign="middle">
<td width="100%" align="left" class="shortcuts"></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="16" height="16" border="0" alt="Home"></a></td>
<td><img src="up-insensitive.png" width="16" height="16" border="0"></td>
<td><a accesskey="p" href="config-files.html"><img src="left.png" width="16" height="16" border="0" alt="Prev"></a></td>
<td><a accesskey="n" href="sharing-managed.html"><img src="right.png" width="16" height="16" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="sharing"></a>Sharing PKCS#11 modules</h1></div></div></div>
<div class="toc"><dl class="toc">
<dt><span class="section"><a href="sharing.html#sharing-problem">Multiple consumers of PKCS#11 in a process</a></span></dt>
<dt><span class="section"><a href="sharing-managed.html">Managed modules</a></span></dt>
</dl></div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="sharing-problem"></a>Multiple consumers of PKCS#11 in a process</h2></div></div></div>
<p>As more and more applications and libraries use PKCS#11 we run
into a very basic problem. The PKCS#11 modules cannot be initialized and
finalized properly without coordination between the various consumers.
</p>
<p>An example: An application might use GnuTLS for
TLS connections, and use libgcr for display of certificates. Both of
these want to load (and initialize) the same PKCS#11 modules. There are
many places where this situation occurs, including large applications
like Evolution which due to their dependencies end up using both NSS and
GnuTLS.</p>
<p>Consumer A loads a PKCS#11 module and uses the module's
C_Initialize function to initialize it, which works as expected.
When consumer B initializes the module (also using C_Initialize),
the error code <code class="literal">CKR_CRYPTOKI_ALREADY_INITIALIZED</code>
is correctly returned. This is normal PKCS#11 specification
defined behavior for when a module is initialized twice in the
same process. If consumer B is aware of this situation they may
choose to ignore this error code.</p>
<p>However when the consumer A is done with its use of the
PKCS#11 module it finalizes the module using the module's
C_Finalize function. This is expected of a well behaved PKCS#11
consumer. This then causes errors and/or crashes for consumer B,
which cannot know that the module has now been finalized out
from underneath it.</p>
<p>It is necessary for the two consumers to coordinate their
initialization and finalization in some fashion. In
<code class="literal">p11-kit</code> we provide this coordination in a
loosely coupled, backwards compatible, and flexible way.</p>
</div>
</div>
<div class="footer">
<hr>Generated by GTK-Doc V1.34.0</div>
</body>
</html>
|
