Re: gnome-keyring Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED



On 01/20/2011 09:26 AM, Joe Orton wrote:
> Ultimately I don't think it will ever be sane to have random libraries 
> opening random PKCS#11 modules and hoping it will work. 

Yes, you're probably right.

>  I would presume 
> we need to converge on having something like:
> 
>  libraries --> PKCS#11 proxy module -> daemon -> real PKCS#11 modules

Sadly the daemon runs into another fundamental limitation of PKCS#11.
I'm all too familiar with it in gnome-keyring.

One cannot load multiple arbitrary pkcs11 modules into a single process
(the daemon) and then proxy the requests from other clients to the
daemon and the loaded modules.

The visibility of session objects is per process, not per session
handle. Therefore a session object created by client A in a pkcs11
module loaded in the daemon will be visible to client B. This would be
a security issue, and a big violation of pkcs11. gnome-keyring-daemon gets
around this with embarrassing hacks that are implemented in each of its
internal pkcs11 modules.

That said, your concept has a lot of merit. The idea of having a
pkcs11 proxy module is a good one, which could solve refcounting and
other issues like a system configuration file. That is, without a
daemon. I'm going to play with the idea a bit and try out a proof of
concept.

Will keep the list posted...

Cheers,

Stef
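
A toy model of the visibility problem described in the message above, added here as an illustration; it is not gnome-keyring code and was not posted to the list. `ToyModule`, `NaiveDaemon` and `FilteringDaemon` are hypothetical names, the module is a constructed stand-in rather than a real PKCS#11 library, and the per-client ownership filter is one assumed mitigation.

```python
import itertools

class ToyModule:
    """Constructed stand-in for one PKCS#11 module loaded in the daemon process."""
    def __init__(self):
        self._next = itertools.count(1)
        self.objects = {}                      # object handle -> creating session

    def open_session(self):                    # models C_OpenSession
        return next(self._next)

    def create_object(self, session):          # models C_CreateObject (session object)
        handle = next(self._next)
        self.objects[handle] = session
        return handle

    def find_objects(self, session):           # models C_FindObjects
        return sorted(self.objects)            # scoped per process, not per session

class NaiveDaemon:
    """Gives each client its own session and forwards calls unchanged."""
    def __init__(self):
        self.module, self.session_of = ToyModule(), {}

    def connect(self, client):
        self.session_of[client] = self.module.open_session()

    def create(self, client):
        return self.module.create_object(self.session_of[client])

    def find(self, client):
        return self.module.find_objects(self.session_of[client])

class FilteringDaemon(NaiveDaemon):
    """Assumed mitigation: remember which client created each object handle."""
    def __init__(self):
        super().__init__()
        self.owner = {}                        # object handle -> client identity

    def create(self, client):
        handle = super().create(client)
        self.owner[handle] = client
        return handle

    def find(self, client):
        return [h for h in super().find(client) if self.owner.get(h) == client]

def client_b_sees_a(daemon):
    daemon.connect("A"); daemon.connect("B")
    return daemon.create("A") in daemon.find("B")
```

In a real proxy the same ownership check would have to guard every call that accepts an object handle, not only the search path, since a client can pass a handle it never received from a search.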

