gnome-keyring p11-unity [was: Re: Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED]

On 01/20/2011 11:16 AM, Stef Walter wrote:
> That said, your concept has a lot of merit. The idea of having a
> pkcs11 proxy module is a good one, which could solve refcounting and
> other issues like a system configuration file. That is, without a
> daemon. I'm going to play with the idea a bit and try out a proof of
> concept.

I've put together a PKCS#11 proxy module which loads other modules and
manages them properly with refcounts as Joe suggested.

It combines all the slots from the modules into one module with multiple
slots. Currently it loads all the modules in /usr/lib/pkcs11 but that's
just because I haven't had a chance to implement a config system (based
on discussion on this list).

The name p11-unity was something that I found scribbled on Nikos's and my
discussion notes from a meeting last year.

p11-unity is a PKCS#11 proxy module, and works in a 'drop in' fashion
with PKCS#11 consumers like NSS. But I think p11-unity should also
expose functions like a library. These functions would allow access to
the list of loaded modules, and other config information. p11-unity
could also implement stuff like PKCS#11 URI support.

It has no dependencies outside of standard stuff like libc, dlopen,
pthreads. This makes adoption easier.

So to summarize, by using something like p11-unity we would get:

 * Solve the refcount initialization problem when multiple PKCS#11
   consumers in a process want to use the same PKCS#11 module.
 * Drop in usage with current PKCS#11 consumers, like NSS.
 * Single implementation of PKCS#11 system configuration.
 * Can expose more powerful library functions for accessing details
   about a module's config (eg: algorithm selection)

I've put it up on my git repo, but it should probably live on
freedesktop.org or something like that eventually:

http://thewalter.net/git/cgit.cgi/p11-unity/

How does this sound?

Cheers,

Stef
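The refcounted initialization the message describes, written out as an added example in C; this is not p11-unity's own code. The underlying "module" is a simulated struct standing in for a dlopen'ed PKCS#11 library, and it rejects a second C_Initialize with CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191, the PKCS#11 name for the error discussed in this thread) exactly as a real module would, which is the problem the proxy's refcount solves.

```c
/* Added example, not p11-unity code. Models the proxy's per-module
 * refcount so that several PKCS#11 consumers in one process (e.g. NSS
 * and gnome-keyring) can share one underlying module. */
typedef unsigned long CK_RV;
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Simulated underlying module; a real one would be loaded with dlopen()
 * and called through its CK_FUNCTION_LIST. */
typedef struct {
    const char *path;     /* e.g. a file under /usr/lib/pkcs11 */
    int initialized;      /* state the real module keeps internally */
} module_t;

static CK_RV module_initialize(module_t *m) {
    if (m->initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    m->initialized = 1;
    return CKR_OK;
}

static CK_RV module_finalize(module_t *m) {
    if (!m->initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    m->initialized = 0;
    return CKR_OK;
}

/* Proxy bookkeeping: one entry per loaded module, counting consumers.
 * A real proxy guards this with a pthread mutex; omitted for brevity. */
typedef struct {
    module_t *module;
    unsigned refs;        /* consumers that currently hold the module */
} proxy_entry_t;

/* Each consumer calls this instead of the module's C_Initialize.
 * Only the first caller initializes the module; later callers share it. */
CK_RV proxy_initialize(proxy_entry_t *e) {
    if (e->refs == 0) {
        CK_RV rv = module_initialize(e->module);
        if (rv != CKR_OK) return rv;
    }
    e->refs++;
    return CKR_OK;
}

/* Counterpart of C_Finalize: only the last consumer to leave finalizes. */
CK_RV proxy_finalize(proxy_entry_t *e) {
    if (e->refs == 0) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (--e->refs == 0) return module_finalize(e->module);
    return CKR_OK;
}
```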
