When an application is aware that coordination is necessary between multiple consumers of a PKCS#11 module, and wants to load standard configured PKCS#11 modules, it can link to p11-kit and use the functions there to provide this functionality.

However, most current consumers of PKCS#11 are ignorant of this problem and do not link to p11-kit. To solve this multiple initialization problem for all applications, p11-kit provides a proxy compatibility module.

This proxy module acts like a normal PKCS#11 module, but internally loads a preconfigured set of PKCS#11 modules and manages their features as described earlier. Each slot in the configured modules is exposed as a slot of the p11-kit proxy module. The proxy module is then used as a normal PKCS#11 module would be. It can be loaded by crypto libraries like NSS and behaves as expected.

The exported entry points of the proxy module, C_GetFunctionList, C_GetInterfaceList and C_GetInterface, each return a new managed PKCS#11 module every time they are called. These managed instances are released when the proxy module is unloaded.
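
The following added example (not code from p11-kit) shows a consumer loading the proxy the same way it would load any PKCS#11 module and counting the slots it exposes. The helper name `count_proxy_slots`, the trimmed function-list struct and the module path passed on the command line are assumptions made for illustration; real code should include `pkcs11.h` rather than redefining the ABI.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Constructed minimal prefix of CK_FUNCTION_LIST (Unix layout, no packing).
 * Only the first five entries are declared; real code includes pkcs11.h. */
typedef unsigned long CK_RV, CK_ULONG, CK_SLOT_ID;
typedef struct fl_prefix {
    unsigned char version[2];                      /* CK_VERSION */
    CK_RV (*C_Initialize)(void *);
    CK_RV (*C_Finalize)(void *);
    CK_RV (*C_GetInfo)(void *);
    CK_RV (*C_GetFunctionList)(struct fl_prefix **);
    CK_RV (*C_GetSlotList)(unsigned char, CK_SLOT_ID *, CK_ULONG *);
} fl_prefix;
typedef CK_RV (*get_fl_fn)(fl_prefix **);

/* Hypothetical helper: returns the number of slots the module at
 * module_path exposes, or -1 if loading or any PKCS#11 call fails. */
long count_proxy_slots(const char *module_path)
{
    void *dl = dlopen(module_path, RTLD_NOW | RTLD_LOCAL);
    if (!dl) { fprintf(stderr, "dlopen: %s\n", dlerror()); return -1; }

    long result = -1;
    fl_prefix *f = NULL;
    get_fl_fn get = (get_fl_fn)dlsym(dl, "C_GetFunctionList");
    if (get && get(&f) == 0 /* CKR_OK */ && f) {
        if (f->C_Initialize(NULL) == 0) {
            CK_ULONG n = 0;
            /* tokenPresent = CK_FALSE: count every slot, with or without a token */
            if (f->C_GetSlotList(0, NULL, &n) == 0)
                result = (long)n;
            f->C_Finalize(NULL);
        }
    }
    dlclose(dl);  /* unloading the proxy releases its managed instances */
    return result;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <proxy-module.so>\n", argv[0]); return 2; }
    long n = count_proxy_slots(argv[1]);
    if (n < 0) return 1;
    printf("%s exposes %ld slot(s)\n", argv[1], n);
    return 0;
}
```

On older glibc versions, link with `-ldl`.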