Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED
- From: Nikos Mavrogiannopoulos <nmav gnutls org>
- To: Stef Walter <stefw collabora co uk>
- Cc: "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED
- Date: Thu, 20 Jan 2011 15:49:20 +0100
On Wed, Jan 19, 2011 at 7:29 PM, Stef Walter <stefw collabora co uk> wrote:
>>> Imagine that one consumer A of a PKCS#11 module (like a library)
>>> initializes successfully early, and then consumer B initializes with
>>> CKR_ALREADY_INITIALIZED. If consumer A decides early on that it's done
>>> with the PKCS#11 module, and decides to call CK_Finalize, then consumer
>>> B loses access to the module.
>> Indeed but this is something that cannot be avoided.
> So again we need to figure out what the solution is for
> interoperability? Never calling CK_Finalize from a library?
This is pretty impossible. A library should deinitialize all the resources
used if requested to. Should we suggest a wrapper over PKCS #11 that
handles those issues? The tiniest that I know of is pakchois and
is pretty much raw PKCS #11 with the additional code to handle safe
initialization and safe forking() (at least the version included in gnutls).
How easy is it for libgck to use pakchois as a backend? Or is libgck
small and independent of gnome for gnutls to use as a replacement
for pakchois?
regards,
Nikos
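
The safe-initialization idea discussed in this thread, sketched as a reference-counted wrapper. This is an added example, not part of the original message and not code from pakchois, gnutls or libgck. The mock module and the names `shared_initialize` and `shared_finalize` are hypothetical; the return-code values are those defined by PKCS #11, and fork handling is not covered.

```c
#include <pthread.h>
/* Return codes as defined by PKCS #11. */
typedef unsigned long CK_RV;
#define CKR_OK                            0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED      0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED  0x191UL

/* Constructed stand-in for a loaded module, so the example runs offline. */
static int mock_live = 0;
static CK_RV mock_C_Initialize(void *args) {
    (void)args;
    if (mock_live) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    mock_live = 1;
    return CKR_OK;
}
static CK_RV mock_C_Finalize(void *reserved) {
    (void)reserved;
    if (!mock_live) return CKR_CRYPTOKI_NOT_INITIALIZED;
    mock_live = 0;
    return CKR_OK;
}

/* Hypothetical wrapper state: one count per module, guarded by a mutex. */
static pthread_mutex_t ref_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned int ref_count = 0;
static int we_initialized = 0;  /* did our own C_Initialize call succeed? */

/* Each consumer (library A, library B, ...) calls this instead of C_Initialize. */
CK_RV shared_initialize(void *args) {
    CK_RV rv = CKR_OK;
    pthread_mutex_lock(&ref_lock);
    if (ref_count == 0) {
        rv = mock_C_Initialize(args);
        we_initialized = (rv == CKR_OK);
        /* Initialized outside the wrapper: share it, never finalize it. */
        if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) rv = CKR_OK;
    }
    if (rv == CKR_OK) ref_count++;
    pthread_mutex_unlock(&ref_lock);
    return rv;
}

/* Only the last consumer's call reaches the module's C_Finalize. */
CK_RV shared_finalize(void) {
    CK_RV rv = CKR_OK;
    pthread_mutex_lock(&ref_lock);
    if (ref_count == 0) rv = CKR_CRYPTOKI_NOT_INITIALIZED;
    else if (--ref_count == 0 && we_initialized) rv = mock_C_Finalize(NULL);
    pthread_mutex_unlock(&ref_lock);
    return rv;
}
```

This only helps when every consumer in the process goes through the same wrapper; a consumer that calls the module's C_Finalize directly still tears it down for everyone.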