Modules

Modules — Module loading and initializing

Functions

Types and Values

Description

PKCS#11 modules are used by crypto libraries and applications to access crypto objects (like keys and certificates) and to perform crypto operations.

In order for applications to behave consistently with regard to the user's installed PKCS#11 modules, each module must be configured so that applications or libraries know that they should load it.

When multiple consumers of a module (such as libraries or applications) are in the same process, coordination of the initialization and finalization of PKCS#11 modules is required. To do this modules are managed by p11-kit. This means that various unsafe methods are coordinated between callers. Unmanaged modules are simply the raw PKCS#11 module pointers without p11-kit getting in the way. It is highly recommended that the default managed behavior is used.

The functions here provide support for initializing configured modules. The p11_kit_modules_load() function should be used to load and initialize the configured modules. When done, the p11_kit_modules_release() function should be used to release those modules and associated resources.

In addition p11_kit_config_option() can be used to access other parts of the module configuration.

If a consumer wishes to load an arbitrary PKCS#11 module that's not configured use p11_kit_module_load() to do so. And use p11_kit_module_release() to later release it.

Modules are represented by a pointer to their CK_FUNCTION_LIST entry points.

Functions

p11_kit_modules_load_and_initialize ()

CK_FUNCTION_LIST **
p11_kit_modules_load_and_initialize (int flags);

Load and initialize configured modules.

If a critical module fails to load or initialize then the function will return NULL. Non-critical modules will be skipped and not included in the returned module list.

Use p11_kit_modules_finalize_and_release() when you're done with the modules returned by this function.

The flags allowed by this function, as well as their meaning, are the same as with p11_kit_modules_load().

Parameters

flags

flags to use to load the modules

 

Returns

a NULL terminated list of modules, or NULL on failure


p11_kit_modules_finalize_and_release ()

void
p11_kit_modules_finalize_and_release (CK_FUNCTION_LIST **modules);

Finalize and then release the a set of loaded PKCS#11 modules.

The modules may be either managed or unmanaged. The array containing the module pointers is also freed by this function.

Modules are released even if their finalization returns an error code. Managed modules will not be actually finalized or released until all callers using them have done so.

For managed modules the C_Finalize function is overridden so that multiple callers can finalize the same modules. In addition for managed modules multiple callers can finalize from different threads, and still guarantee consistent thread-safe behavior.

For unmanaged modules if multiple callers try to finalize a module, then one of the calls will return CKR_CRYPTOKI_NOT_INITIALIZED according to the PKCS#11 specification. In addition there are no guarantees that thread-safe behavior will occur if multiple callers initialize from different threads.

Parameters

modules

the modules to release

 

p11_kit_modules_load ()

CK_FUNCTION_LIST **
p11_kit_modules_load (const char *reserved,
                      int flags);

Load the configured PKCS#11 modules.

If flags contains the P11_KIT_MODULE_UNMANAGED flag, then the modules will be not be loaded in 'managed' mode regardless of its configuration. This is not recommended for general usage.

If flags contains the P11_KIT_MODULE_CRITICAL flag then the modules will all be treated as 'critical', regardless of the module configuration. This means that a failure to load any module will cause this function to fail.

For unmanaged modules there is no guarantee to the state of the modules. Other callers may be using the modules. Using unmanaged modules haphazardly is not recommended for this reason. Some modules (such as those configured with RPC) cannot be loaded in unmanaged mode, and will be skipped.

If flags contains the P11_KIT_MODULE_TRUSTED flag then only the marked as trusted modules will be loaded.

Use p11_kit_modules_release() to release the modules returned by this function.

If this function fails, then an error message will be available via the p11_kit_message() function.

Parameters

reserved

set to NULL

 

flags

flags to use to load the module

 

Returns

a null terminated list of modules represented as PKCS#11 function lists, or NULL on failure


p11_kit_modules_initialize ()

CK_RV
p11_kit_modules_initialize (CK_FUNCTION_LIST **modules,
                            p11_kit_destroyer failure_callback);

Initialize all the modules in the modules list by calling their C_Initialize function.

For managed modules the C_Initialize function is overridden so that multiple callers can initialize the same modules. In addition for managed modules multiple callers can initialize from different threads, and still guarantee consistent thread-safe behavior.

For unmanaged modules if multiple callers try to initialize a module, then one of the calls will return CKR_CRYPTOKI_ALREADY_INITIALIZED according to the PKCS#11 specification. In addition there are no guarantees that thread-safe behavior will occur if multiple callers initialize from different threads.

When a module fails to initialize it is removed from the modules list. If the failure_callback is not NULL then it is called with the modules that fail to initialize. For example, you may pass p11_kit_module_release() as a failure_callback if the modules list was loaded wit p11_kit_modules_load().

The return value will return the failure code of the last critical module that failed to initialize. Non-critical module failures do not affect the return value. If no critical modules failed to initialize then the return value will be CKR_OK.

When modules are removed, the list will be NULL terminated at the appropriate place so it can continue to be used as a modules list.

This function does not accept a CK_C_INITIALIZE_ARGS argument. Custom initialization arguments cannot be supported when multiple consumers load the same module.

Parameters

modules

a NULL terminated list of modules

 

failure_callback

called with modules that fail to initialize

 

Returns

CKR_OK or the failure code of the last critical module that failed to initialize.


p11_kit_modules_finalize ()

CK_RV
p11_kit_modules_finalize (CK_FUNCTION_LIST **modules);

Finalize each module in the modules list by calling its C_Finalize function. Regardless of failures, all modules will have their C_Finalize function called.

If a module returns a failure from its C_Finalize method it will be returned. If multiple modules fail, the last failure will be returned.

For managed modules the C_Finalize function is overridden so that multiple callers can finalize the same modules. In addition for managed modules multiple callers can finalize from different threads, and still guarantee consistent thread-safe behavior.

For unmanaged modules if multiple callers try to finalize a module, then one of the calls will return CKR_CRYPTOKI_NOT_INITIALIZED according to the PKCS#11 specification. In addition there are no guarantees that thread-safe behavior will occur if multiple callers finalize from different threads.

Parameters

modules

a NULL terminated list of modules

 

Returns

CKR_OK or the failure code of the last module that failed to finalize


p11_kit_modules_release ()

void
p11_kit_modules_release (CK_FUNCTION_LIST **modules);

Release the a set of loaded PKCS#11 modules.

The modules may be either managed or unmanaged. The array containing the module pointers is also freed by this function.

Managed modules will not be actually released until all callers using them have done so. If the modules were initialized, they should have been finalized first.

Parameters

modules

the modules to release

 

p11_kit_module_load ()

CK_FUNCTION_LIST *
p11_kit_module_load (const char *module_path,
                     int flags);

Load an arbitrary PKCS#11 module from a dynamic library file, and initialize it. Normally using the p11_kit_modules_load() function is preferred.

A full file path or just (path/)filename relative to P11_MODULE_PATH are accepted.

Using this function to load modules allows coordination between multiple callers of the same module in a single process. If flags contains the P11_KIT_MODULE_UNMANAGED flag, then the modules will be not be loaded in 'managed' mode and not be coordinated. This is not recommended for general usage.

Subsequent calls to this function for the same module will result in an initialization count being incremented for the module. It is safe (although usually unnecessary) to use this function on registered modules.

The module should be released with p11_kit_module_release().

If this function fails, then an error message will be available via the p11_kit_message() function.

Parameters

module_path

relative or full file path of module library

 

flags

flags to use when loading the module

 

Returns

the loaded module PKCS#11 functions or NULL on failure


p11_kit_module_initialize ()

CK_RV
p11_kit_module_initialize (CK_FUNCTION_LIST *module);

Initialize a PKCS#11 module by calling its C_Initialize function.

For managed modules the C_Initialize function is overridden so that multiple callers can initialize the same modules. In addition for managed modules multiple callers can initialize from different threads, and still guarantee consistent thread-safe behavior.

For unmanaged modules if multiple callers try to initialize a module, then one of the calls will return CKR_CRYPTOKI_ALREADY_INITIALIZED according to the PKCS#11 specification. In addition there are no guarantees that thread-safe behavior will occur if multiple callers initialize from different threads.

This function does not accept a CK_C_INITIALIZE_ARGS argument. Custom initialization arguments cannot be supported when multiple consumers load the same module.

Parameters

module

the module to initialize

 

Returns

CKR_OK or a failure code


p11_kit_module_finalize ()

CK_RV
p11_kit_module_finalize (CK_FUNCTION_LIST *module);

Finalize a PKCS#11 module by calling its C_Finalize function.

For managed modules the C_Finalize function is overridden so that multiple callers can finalize the same modules. In addition for managed modules multiple callers can finalize from different threads, and still guarantee consistent thread-safe behavior.

For unmanaged modules if multiple callers try to finalize a module, then one of the calls will return CKR_CRYPTOKI_NOT_INITIALIZED according to the PKCS#11 specification. In addition there are no guarantees that thread-safe behavior will occur if multiple callers finalize from different threads.

Parameters

module

the module to finalize

 

Returns

CKR_OK or a failure code


p11_kit_module_release ()

void
p11_kit_module_release (CK_FUNCTION_LIST *module);

Release the a loaded PKCS#11 modules.

The module may be either managed or unmanaged. The C_Finalize function will be called if no other callers are using this module.

Parameters

module

the module to release

 

p11_kit_module_for_name ()

CK_FUNCTION_LIST *
p11_kit_module_for_name (CK_FUNCTION_LIST **modules,
                         const char *name);

Look through the list of modules and return the module whose name matches.

Only configured modules have names. Configured modules are loaded by p11_kit_modules_load(). The module passed to this function can be either managed or unmanaged.

The return value is not copied or duplicated in anyway. It is still 'owned' by the modules list.

Parameters

modules

a list of modules to look through

 

name

the name of the module to find

 

Returns

the module which matches the name, or NULL if no match.


p11_kit_module_get_name ()

char *
p11_kit_module_get_name (CK_FUNCTION_LIST *module);

Get the configured name of the PKCS#11 module.

Configured modules are loaded by p11_kit_modules_load(). The module passed to this function can be either managed or unmanaged. Non configured modules will return NULL.

Use free() to release the return value when you're done with it.

Parameters

module

pointer to a loaded module

 

Returns

a newly allocated string containing the module name, or

NULL if the module is not a configured module

p11_kit_module_get_flags ()

int
p11_kit_module_get_flags (CK_FUNCTION_LIST *module);

Get the flags for this module.

The P11_KIT_MODULE_UNMANAGED flag will be set if the module is not managed by p11-kit. It is a raw PKCS#11 module function list.

The P11_KIT_MODULE_CRITICAL flag will be set if the module is configured to be critical, and not be skipped over if it fails to initialize or load. This flag is also set for modules that are not configured, but have been loaded in another fashion.

Parameters

module

the module

 

Returns

the flags for the module


p11_kit_module_get_filename ()

char *
p11_kit_module_get_filename (CK_FUNCTION_LIST *module);

Get the configured name of the PKCS#11 module.

Configured modules are loaded by p11_kit_modules_load(). The module passed to this function can be either managed or unmanaged. Non configured modules will return NULL.

Use free() to release the return value when you're done with it.

Parameters

module

pointer to a loaded module

 

Returns

a newly allocated string containing the module name, or

NULL if the module is not a configured module

p11_kit_config_option ()

char *
p11_kit_config_option (CK_FUNCTION_LIST *module,
                       const char *option);

Retrieve the value for a configured option.

If module is NULL, then the global option with the given name will be retrieved. Otherwise module should point to a configured loaded module. If no such option or configured module exists, then NULL will be returned.

Use free() to release the returned value.

Parameters

module

the module to retrieve the option for, or NULL for global options

 

option

the option to retrieve

 

Returns

the option value or NULL

Types and Values

P11_KIT_MODULE_CRITICAL

#define P11_KIT_MODULE_CRITICAL 1

Flag to load a module in 'critical' mode. Failure to load a critical module will prevent all other modules from loading. A failure when loading a non-critical module skips that module.


P11_KIT_MODULE_UNMANAGED

#define P11_KIT_MODULE_UNMANAGED 1

Module is loaded in non 'managed' mode. This is not recommended, disables many features, and prevents coordination between multiple callers of the same module.