p11-kit wraps PKCS#11 modules to manage them and customize their functionality so that they are able to be shared between multiple callers in the same process.

Each caller that uses the p11_kit_modules_load() or p11_kit_module_load() function gets independent wrapped PKCS#11 module(s). This is unless a caller or module configuration specifies that a module should be used in an unmanaged fashion.

When modules are managed, the following aspects are wrapped and coordinated:

- C_Initialize and C_Finalize can be called by multiple callers.

  The first time that the managed module C_Initialize is called, the PKCS#11 module's actual C_Initialize function is called. Subsequent calls by other callers will cause p11-kit to increment an internal initialization count, rather than calling C_Initialize again.

  Multiple callers can call the managed C_Initialize function concurrently from different threads and p11-kit will guarantee that this is managed in a thread-safe manner.

- When the managed module C_Finalize is used to finalize a module, each time it is called it decrements the internal initialization count for that module. When the internal initialization count reaches zero, the module's actual C_Finalize function is called.

  Multiple callers can call the managed C_Finalize function concurrently from different threads and p11-kit will guarantee that this is managed in a thread-safe manner.

- Calls to C_CloseAllSessions only close the sessions that the caller of the managed module has opened. This allows the C_CloseAllSessions function to be used without closing sessions for other callers of the same PKCS#11 module.

- Managed modules have the ability to log PKCS#11 method calls for debugging purposes. See the log-calls = yes module configuration option.

- Managed modules have the ability to be remoted to another machine or isolated in their own process. See the remote = ... module configuration option.
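
The initialization count and the per-caller C_CloseAllSessions scoping described above can be modelled in a few lines of C. This is an added example, not p11-kit's own code: the managed_* names, the struct layouts, the -1 error return and the rejection of a second initialize from the same caller are assumptions of the model, and plain counters stand in for the real module's C_Initialize, C_Finalize and session table.

```c
#include <pthread.h>

/* Constructed stand-ins for the real module: count what actually reaches it. */
static int real_init_calls, real_fini_calls, real_open_sessions;

typedef struct { pthread_mutex_t lock; int init_count; } shared_module;
typedef struct { shared_module *mod; int initialized, sessions; } managed_module;

int managed_initialize(managed_module *m) {
    int rv = -1;                      /* model choice: reject a double init */
    pthread_mutex_lock(&m->mod->lock);
    if (!m->initialized) {
        if (m->mod->init_count++ == 0)
            real_init_calls++;        /* first caller: real C_Initialize */
        m->initialized = 1;
        rv = 0;
    }
    pthread_mutex_unlock(&m->mod->lock);
    return rv;
}

int managed_finalize(managed_module *m) {
    int rv = -1;                      /* this caller never initialized */
    pthread_mutex_lock(&m->mod->lock);
    if (m->initialized) {
        if (--m->mod->init_count == 0)
            real_fini_calls++;        /* last caller: real C_Finalize */
        m->initialized = 0;
        rv = 0;
    }
    pthread_mutex_unlock(&m->mod->lock);
    return rv;
}

int managed_open_session(managed_module *m) {
    pthread_mutex_lock(&m->mod->lock);
    int ok = m->initialized;
    if (ok) { m->sessions++; real_open_sessions++; }
    pthread_mutex_unlock(&m->mod->lock);
    return ok ? 0 : -1;
}

/* Close only this caller's sessions; returns how many were closed. */
int managed_close_all_sessions(managed_module *m) {
    pthread_mutex_lock(&m->mod->lock);
    int n = m->sessions;
    real_open_sessions -= n;          /* other callers' sessions stay open */
    m->sessions = 0;
    pthread_mutex_unlock(&m->mod->lock);
    return n;
}
```

With two managed_module values pointing at the same shared_module, the real initialize and finalize counters each reach exactly 1 regardless of the order in which the two callers initialize and finalize.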
