When an application is aware of the fact that coordination is necessary between multiple consumers of a PKCS#11 module, it can link to p11-kit and use the functions there to provide this coordination.
However, most current consumers of PKCS#11 are ignorant of this problem and do not link to p11-kit. To solve this multiple initialization problem for all applications, p11-kit provides a proxy compatibility module.
This proxy module acts like a normal PKCS#11 module, but internally loads a preconfigured set of PKCS#11 modules and coordinates their initialization and finalization. Each slot in the configured modules is exposed as a slot of the p11-kit proxy module. The proxy module is then used as a normal PKCS#11 module would be. It can be loaded by crypto libraries like NSS and behaves as expected.
The proxy module bends the PKCS#11 rules slightly: it does not return the CKR_CRYPTOKI_ALREADY_INITIALIZED error code as specified in PKCS#11. However, this is a small price to pay for this compatibility.
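
A simplified model of the multiple initialization problem and of the coordination described above, as an added example that is not p11-kit's code. The toy module, the `mod_*` and `proxy_*` names and the use of a caller count are assumptions made for illustration; only the return-code values come from the PKCS#11 specification.

```c
#include <stdio.h>

/* Return codes; numeric values are those of the PKCS#11 specification. */
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Toy module (constructed): strict PKCS#11 rules, one process-wide state. */
static int mod_ready = 0;
unsigned long mod_initialize(void) {
    if (mod_ready) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    mod_ready = 1;
    return CKR_OK;
}
unsigned long mod_finalize(void) {
    if (!mod_ready) return CKR_CRYPTOKI_NOT_INITIALIZED;
    mod_ready = 0;
    return CKR_OK;
}
unsigned long mod_use(void) { /* stands in for any later call into the module */
    return mod_ready ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED;
}

/* Hypothetical coordinating layer: counts callers (an assumed mechanism). */
static unsigned int proxy_refs = 0;
unsigned long proxy_initialize(void) {
    /* Only the first caller really initializes the module. */
    unsigned long rv = proxy_refs ? CKR_OK : mod_initialize();
    if (rv == CKR_OK) proxy_refs++;
    return rv; /* repeat callers get CKR_OK, not ALREADY_INITIALIZED */
}
unsigned long proxy_finalize(void) {
    if (proxy_refs == 0) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (--proxy_refs > 0) return CKR_OK; /* another consumer still needs it */
    return mod_finalize();
}

int main(void) {
    unsigned long a, b;
    a = mod_initialize(); b = mod_initialize(); /* two unaware libraries */
    mod_finalize();                             /* library A shuts down */
    printf("direct: A=0x%lx B=0x%lx, B after A finalizes=0x%lx\n", a, b, mod_use());
    a = proxy_initialize(); b = proxy_initialize();
    proxy_finalize();                           /* library A shuts down */
    printf("proxy:  A=0x%lx B=0x%lx, B after A finalizes=0x%lx\n", a, b, mod_use());
    proxy_finalize();
    return 0;
}
```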