Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED
- From: Stef Walter <stefw collabora co uk>
- To: Nikos Mavrogiannopoulos <nmav gnutls org>
- Cc: "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED
- Date: Wed, 19 Jan 2011 09:24:17 -0600
On 01/19/2011 02:52 AM, Nikos Mavrogiannopoulos wrote:
> On 01/19/2011 03:41 AM, Stef Walter wrote:
>> With the integration of PKCS#11 into various places we're running into
>> the problem of initializing a library multiple times. When PKCS#11 was
>> used in isolated cases this wasn't a problem.
>>
>> Each library (eg: gnutls, libgcr, glib-networking, pakchois, etc.) is
>> trying to load a PKCS#11 module and run CK_Initialize. The modules then
>> return CKR_ALREADY_INITIALIZED for that process.
>>
>> In my opinion most users of PKCS#11 (unless they have very special
>> requirements) should treat CKR_ALREADY_INITIALIZED as a success status.
>> Does that make sense?
>
> It makes. However would that then mean that the CK_Finalize function
> shouldn't be called if this error code is detected?

I assume not.

However all of this is still somewhat undefined during finalization, and
it seems like we need to find a solution.

Imagine that one consumer A of a PKCS#11 module (like a library)
initializes successfully early, and then consumer B initializes with
CKR_ALREADY_INITIALIZED. If consumer A decides early on that it's done
with the PKCS#11 module, and decides to call CK_Finalize, then consumer
B loses access to the module.

One solution would be to recommend against using CK_Finalize from libraries.

It seems that PKCS#11 is lacking some sort of reference counting on
initialize/finalize.

Cheers,
Stef
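
The reference counting that the message above says PKCS#11 lacks, sketched as an added example (not part of the original message, and not code from any of the libraries named): a hypothetical shared wrapper, `shared_initialize`/`shared_finalize`, run against a constructed mock module. It uses the specification's return code name `CKR_CRYPTOKI_ALREADY_INITIALIZED`, treats that code as success, and finalizes only when the last consumer is done and only if the wrapper's own call initialized the module.

```c
#include <pthread.h>
#include <stdio.h>
typedef unsigned long CK_RV;                 /* return codes per PKCS#11 */
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

static int mod_up;   /* constructed mock module: one init flag per process */
static CK_RV mock_C_Initialize(void) {
    if (mod_up) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    mod_up = 1;
    return CKR_OK;
}
static CK_RV mock_C_Finalize(void) { mod_up = 0; return CKR_OK; }
int module_is_up(void) { return mod_up; }

/* Hypothetical shared wrapper that every consumer calls instead of the module. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned refs;        /* consumers currently holding the module */
static int we_initialized;   /* did our own initialize call return CKR_OK? */

CK_RV shared_initialize(void) {
    CK_RV rv = CKR_OK;
    pthread_mutex_lock(&lock);
    if (refs == 0) {
        rv = mock_C_Initialize();
        we_initialized = (rv == CKR_OK);
        if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) rv = CKR_OK; /* not ours */
    }
    if (rv == CKR_OK) refs++;
    pthread_mutex_unlock(&lock);
    return rv;
}

CK_RV shared_finalize(void) {
    CK_RV rv = CKR_OK;
    pthread_mutex_lock(&lock);
    if (refs == 0) rv = CKR_CRYPTOKI_NOT_INITIALIZED;
    else if (--refs == 0 && we_initialized) rv = mock_C_Finalize();
    pthread_mutex_unlock(&lock);
    return rv;
}

int main(void) {   /* consumers A and B from the message */
    shared_initialize(); shared_initialize();   /* A, then B */
    shared_finalize();    /* A finishes early; B must keep access */
    printf("module up after A finalizes: %d\n", module_is_up());
    return shared_finalize() == CKR_OK ? 0 : 1;   /* B finishes */
}
```

The wrapper only protects consumers that all go through it; a library that calls the module's finalize function directly can still pull the module out from under the others.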