Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED

From: Joe Orton <jorton redhat com>
To: gnome-keyring-list gnome org
Subject: Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED
Date: Thu, 20 Jan 2011 15:26:23 +0000

On Tue, Jan 18, 2011 at 08:41:42PM -0600, Stef Walter wrote:
> With the integration of PKCS#11 into various places we're running into
> the problem of initializing a library multiple times. When PKCS#11 was
> used in isolated cases this wasn't a problem.
> 
> Each library (eg: gnutls, libgcr, glib-networking, pakchois, etc.) is
> trying to load a PKCS#11 module and run CK_Initialize. The modules then
> return CKR_ALREADY_INITIALIZED for that process.

Ultimately I don't think it will ever be sane to have random libraries 
opening random PKCS#11 modules and hoping it will work.  I would presume 
we need to converge on having something like:

 libraries --> PKCS#11 proxy module -> daemon -> real PKCS#11 modules

The proxy module can maintain process-global state to refcount 
multiple-callers init/fini sequences correctly.  Possibly it will 
violate the PKCS#11 spec to allow multiple C_Initialize calls to succeed 
within the process, but if so, stuff PKCS#11, it's pretty broken in this 
respect.  Prescribing that libraries never call C_Finalize to work 
around this seems like a worse violation.

I would expect that having some kind of central daemon model is going to 
be necessary (or at least very useful) to serialize access to real 
smartcards anyway.

Regards, Joe

Follow-Ups:
- Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED
  - From: Stef Walter

References:
- gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED
  - From: Stef Walter

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]