Solution: proxy module

When an application is aware of the fact that coordination is necessary between multiple consumers of a PKCS#11 module, it can link to p11-kit and use the functions there to provide this coordination.

However most current consumers of PKCS#11 are ignorant of this problem, and do not link to p11-kit. In order to solve this multiple initialization problem for all applications, p11-kit provides a proxy compatibility module.

This proxy module acts like a normal PKCS#11 module, but internally loads a preconfigured set of PKCS#11 modules and coordinates their initialization and finalization. Each slot in the configured modules is exposed as a slot of the p11-kit proxy module. The proxy module is then used as a normal PKCS#11 module would be. It can be loaded by crypto libraries like NSS and behaves as expected.

The proxy module bends the PKCS#11 rules slightly. It does not return the CKR_CRYPTOKI_ALREADY_INITIALIZED error code as specified in PKCS#11. However this is a small price to pay for this compatibility.