Top |
CK_FUNCTION_LIST ** | p11_kit_modules_load_and_initialize () |
void | p11_kit_modules_finalize_and_release () |
CK_FUNCTION_LIST ** | p11_kit_modules_load () |
CK_RV | p11_kit_modules_initialize () |
CK_RV | p11_kit_modules_finalize () |
void | p11_kit_modules_release () |
CK_FUNCTION_LIST * | p11_kit_module_load () |
CK_RV | p11_kit_module_initialize () |
CK_RV | p11_kit_module_finalize () |
void | p11_kit_module_release () |
CK_FUNCTION_LIST * | p11_kit_module_for_name () |
char * | p11_kit_module_get_name () |
int | p11_kit_module_get_flags () |
char * | p11_kit_module_get_filename () |
char * | p11_kit_config_option () |
PKCS#11 modules are used by crypto libraries and applications to access crypto objects (like keys and certificates) and to perform crypto operations.
In order for applications to behave consistently with regard to the user's installed PKCS#11 modules, each module must be configured so that applications or libraries know that they should load it.
When multiple consumers of a module (such as libraries or applications) are in the same process, coordination of the initialization and finalization of PKCS#11 modules is required. To do this modules are managed by p11-kit. This means that various unsafe methods are coordinated between callers. Unmanaged modules are simply the raw PKCS#11 module pointers without p11-kit getting in the way. It is highly recommended that the default managed behavior is used.
The functions here provide support for initializing configured modules. The
p11_kit_modules_load()
function should be used to load and initialize
the configured modules. When done, the p11_kit_modules_release()
function
should be used to release those modules and associated resources.
In addition p11_kit_config_option()
can be used to access other parts
of the module configuration.
If a consumer wishes to load an arbitrary PKCS#11 module that's not
configured use p11_kit_module_load()
to do so. And use p11_kit_module_release()
to later release it.
Modules are represented by a pointer to their CK_FUNCTION_LIST
entry points.
CK_FUNCTION_LIST **
p11_kit_modules_load_and_initialize (int flags
);
Load and initialize configured modules.
If a critical module fails to load or initialize then the function will
return NULL
. Non-critical modules will be skipped
and not included in the returned module list.
Use p11_kit_modules_finalize_and_release()
when you're done with the
modules returned by this function.
The flags
allowed by this function, as well as their meaning, are the
same as with p11_kit_modules_load()
.
void
p11_kit_modules_finalize_and_release (CK_FUNCTION_LIST **modules
);
Finalize and then release the a set of loaded PKCS#11 modules.
The modules may be either managed or unmanaged. The array containing the module pointers is also freed by this function.
Modules are released even if their finalization returns an error code. Managed modules will not be actually finalized or released until all callers using them have done so.
For managed modules the C_Finalize
function
is overridden so that multiple callers can finalize the same
modules. In addition for managed modules multiple callers can
finalize from different threads, and still guarantee consistent
thread-safe behavior.
For unmanaged modules if multiple callers try to finalize
a module, then one of the calls will return
CKR_CRYPTOKI_NOT_INITIALIZED
according to the
PKCS#11 specification. In addition there are no guarantees that
thread-safe behavior will occur if multiple callers initialize from
different threads.
CK_FUNCTION_LIST ** p11_kit_modules_load (const char *reserved
,int flags
);
Load the configured PKCS#11 modules.
If flags
contains the P11_KIT_MODULE_UNMANAGED
flag, then the
modules will be not be loaded in 'managed' mode regardless of its
configuration. This is not recommended for general usage.
If flags
contains the P11_KIT_MODULE_CRITICAL
flag then the
modules will all be treated as 'critical', regardless of the module
configuration. This means that a failure to load any module will
cause this function to fail.
For unmanaged modules there is no guarantee to the state of the modules. Other callers may be using the modules. Using unmanaged modules haphazardly is not recommended for this reason. Some modules (such as those configured with RPC) cannot be loaded in unmanaged mode, and will be skipped.
If flags
contains the P11_KIT_MODULE_TRUSTED
flag then only the
marked as trusted modules will be loaded.
Use p11_kit_modules_release()
to release the modules returned by
this function.
If this function fails, then an error message will be available via the
p11_kit_message()
function.
CK_RV p11_kit_modules_initialize (CK_FUNCTION_LIST **modules
,p11_kit_destroyer failure_callback
);
Initialize all the modules in the modules
list by calling their
C_Initialize
function.
For managed modules the C_Initialize
function
is overridden so that multiple callers can initialize the same
modules. In addition for managed modules multiple callers can
initialize from different threads, and still guarantee consistent
thread-safe behavior.
For unmanaged modules if multiple callers try to initialize
a module, then one of the calls will return
CKR_CRYPTOKI_ALREADY_INITIALIZED
according to the
PKCS#11 specification. In addition there are no guarantees that
thread-safe behavior will occur if multiple callers initialize from
different threads.
When a module fails to initialize it is removed from the modules
list.
If the failure_callback
is not NULL
then it is called with the modules that
fail to initialize. For example, you may pass p11_kit_module_release()
as a failure_callback
if the modules
list was loaded wit p11_kit_modules_load()
.
The return value will return the failure code of the last critical
module that failed to initialize. Non-critical module failures do not affect
the return value. If no critical modules failed to initialize then the
return value will be CKR_OK
.
When modules are removed, the list will be NULL
terminated at the
appropriate place so it can continue to be used as a modules list.
This function does not accept a CK_C_INITIALIZE_ARGS
argument.
Custom initialization arguments cannot be supported when multiple consumers
load the same module.
CK_RV
p11_kit_modules_finalize (CK_FUNCTION_LIST **modules
);
Finalize each module in the modules
list by calling its
C_Finalize
function. Regardless of failures, all
modules
will have their C_Finalize
function called.
If a module returns a failure from its C_Finalize
method it will be returned. If multiple modules fail, the last failure
will be returned.
For managed modules the C_Finalize
function
is overridden so that multiple callers can finalize the same
modules. In addition for managed modules multiple callers can
finalize from different threads, and still guarantee consistent
thread-safe behavior.
For unmanaged modules if multiple callers try to finalize
a module, then one of the calls will return
CKR_CRYPTOKI_NOT_INITIALIZED
according to the
PKCS#11 specification. In addition there are no guarantees that
thread-safe behavior will occur if multiple callers finalize from
different threads.
void
p11_kit_modules_release (CK_FUNCTION_LIST **modules
);
Release the a set of loaded PKCS#11 modules.
The modules may be either managed or unmanaged. The array containing the module pointers is also freed by this function.
Managed modules will not be actually released until all callers using them have done so. If the modules were initialized, they should have been finalized first.
CK_FUNCTION_LIST * p11_kit_module_load (const char *module_path
,int flags
);
Load an arbitrary PKCS#11 module from a dynamic library file, and
initialize it. Normally using the p11_kit_modules_load()
function
is preferred.
A full file path or just (path/)filename relative to P11_MODULE_PATH are accepted.
Using this function to load modules allows coordination between multiple
callers of the same module in a single process. If flags
contains the
P11_KIT_MODULE_UNMANAGED
flag, then the modules will be not be loaded
in 'managed' mode and not be coordinated. This is not recommended
for general usage.
Subsequent calls to this function for the same module will result in an initialization count being incremented for the module. It is safe (although usually unnecessary) to use this function on registered modules.
The module should be released with p11_kit_module_release()
.
If this function fails, then an error message will be available via the
p11_kit_message()
function.
CK_RV
p11_kit_module_initialize (CK_FUNCTION_LIST *module
);
Initialize a PKCS#11 module by calling its C_Initialize
function.
For managed modules the C_Initialize
function
is overridden so that multiple callers can initialize the same
modules. In addition for managed modules multiple callers can
initialize from different threads, and still guarantee consistent
thread-safe behavior.
For unmanaged modules if multiple callers try to initialize
a module, then one of the calls will return
CKR_CRYPTOKI_ALREADY_INITIALIZED
according to the
PKCS#11 specification. In addition there are no guarantees that
thread-safe behavior will occur if multiple callers initialize from
different threads.
This function does not accept a CK_C_INITIALIZE_ARGS
argument.
Custom initialization arguments cannot be supported when multiple consumers
load the same module.
CK_RV
p11_kit_module_finalize (CK_FUNCTION_LIST *module
);
Finalize a PKCS#11 module by calling its C_Finalize
function.
For managed modules the C_Finalize
function
is overridden so that multiple callers can finalize the same
modules. In addition for managed modules multiple callers can
finalize from different threads, and still guarantee consistent
thread-safe behavior.
For unmanaged modules if multiple callers try to finalize
a module, then one of the calls will return
CKR_CRYPTOKI_NOT_INITIALIZED
according to the
PKCS#11 specification. In addition there are no guarantees that
thread-safe behavior will occur if multiple callers finalize from
different threads.
void
p11_kit_module_release (CK_FUNCTION_LIST *module
);
Release the a loaded PKCS#11 modules.
The module may be either managed or unmanaged. The C_Finalize
function will be called if no other callers are using this module.
CK_FUNCTION_LIST * p11_kit_module_for_name (CK_FUNCTION_LIST **modules
,const char *name
);
Look through the list of modules
and return the module whose name
matches.
Only configured modules have names. Configured modules are loaded by
p11_kit_modules_load()
. The module passed to this function can be either
managed or unmanaged.
The return value is not copied or duplicated in anyway. It is still
'owned' by the modules
list.
char *
p11_kit_module_get_name (CK_FUNCTION_LIST *module
);
Get the configured name of the PKCS#11 module.
Configured modules are loaded by p11_kit_modules_load()
. The module
passed to this function can be either managed or unmanaged. Non
configured modules will return NULL
.
Use free()
to release the return value when you're done with it.
int
p11_kit_module_get_flags (CK_FUNCTION_LIST *module
);
Get the flags for this module.
The P11_KIT_MODULE_UNMANAGED
flag will be set if the module is not
managed by p11-kit. It is a raw PKCS#11 module function list.
The P11_KIT_MODULE_CRITICAL
flag will be set if the module is configured
to be critical, and not be skipped over if it fails to initialize or
load. This flag is also set for modules that are not configured, but have
been loaded in another fashion.
char *
p11_kit_module_get_filename (CK_FUNCTION_LIST *module
);
Get the configured name of the PKCS#11 module.
Configured modules are loaded by p11_kit_modules_load()
. The module
passed to this function can be either managed or unmanaged. Non
configured modules will return NULL
.
Use free()
to release the return value when you're done with it.
char * p11_kit_config_option (CK_FUNCTION_LIST *module
,const char *option
);
Retrieve the value for a configured option.
If module
is NULL
, then the global option with the given name will
be retrieved. Otherwise module
should point to a configured loaded module.
If no such option
or configured module
exists, then NULL
will be returned.
Use free()
to release the returned value.