diff options
author | Stef Walter <stefw@gnome.org> | 2013-02-06 21:57:45 +0100 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2013-05-21 10:47:51 +0200 |
commit | 5c19f0cf66495f00ccf69eba1d0915f862a88c8d (patch) | |
tree | e8ae733062507a0a4cc5c134d1fdd62cf055cddd /doc/manual | |
parent | ff853bd7902e271256cada4a1b20a3d46b519b69 (diff) |
p11-kit: Managed PKCS#11 module loading
Support a new managed style module loading for PKCS#11 modules. This
allows us to better coordinate between multiple callers of the same
PKCS#11 modules and provide hooks into their behavior.
This meant redoing the public facing API. The old methods are now
deprecated, marked and documented as such.
Diffstat (limited to 'doc/manual')
-rw-r--r-- | doc/manual/Makefile.am | 2 | ||||
-rw-r--r-- | doc/manual/p11-kit-docs.xml | 2 | ||||
-rw-r--r-- | doc/manual/p11-kit-proxy.xml | 29 | ||||
-rw-r--r-- | doc/manual/p11-kit-sections.txt | 39 | ||||
-rw-r--r-- | doc/manual/p11-kit-sharing.xml | 94 | ||||
-rw-r--r-- | doc/manual/pkcs11.conf.xml | 24 |
6 files changed, 134 insertions, 56 deletions
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am index c10375a..b5b80f1 100644 --- a/doc/manual/Makefile.am +++ b/doc/manual/Makefile.am @@ -53,6 +53,7 @@ IGNORE_HFILES= \ debug.h \ dict.h \ mock.h \ + modules.h \ pkcs11.h \ pkcs11x.h \ private.h \ @@ -70,6 +71,7 @@ HTML_IMAGES= # e.g. content_files=running.sgml building.sgml changes-2.0.sgml content_files=p11-kit-config.xml p11-kit-sharing.xml \ p11-kit-devel.xml \ + p11-kit-proxy.xml \ p11-kit-trust.xml \ p11-kit.xml \ pkcs11.conf.xml \ diff --git a/doc/manual/p11-kit-docs.xml b/doc/manual/p11-kit-docs.xml index 0397169..5acfb97 100644 --- a/doc/manual/p11-kit-docs.xml +++ b/doc/manual/p11-kit-docs.xml @@ -13,6 +13,7 @@ <xi:include href="p11-kit-config.xml"/> <xi:include href="p11-kit-sharing.xml"/> + <xi:include href="p11-kit-proxy.xml"/> <xi:include href="p11-kit-trust.xml"/> <chapter xml:id="tools"> @@ -28,6 +29,7 @@ <xi:include href="xml/p11-kit-pin.xml"/> <xi:include href="xml/p11-kit-util.xml"/> <xi:include href="xml/p11-kit-future.xml"/> + <xi:include href="xml/p11-kit-deprecated.xml"/> <index id="api-index-full"> <title>API Index</title> diff --git a/doc/manual/p11-kit-proxy.xml b/doc/manual/p11-kit-proxy.xml new file mode 100644 index 0000000..7cc3615 --- /dev/null +++ b/doc/manual/p11-kit-proxy.xml @@ -0,0 +1,29 @@ +<?xml version="1.0"?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [ +]> +<chapter xml:id="sharing"> + <title>Proxy Module</title> + + <para>When an application is aware of the fact that coordination + is necessary between multiple consumers of a PKCS#11 module, and wants + to load standard configured PKCS#11 modules, it can link to + <literal>p11-kit</literal> and use the functions there to provide this + functionality.</para> + + <para>However most current consumers of PKCS#11 are ignorant of + this problem, and do not link to p11-kit. In order to solve this + multiple initialization problem for all applications, + <literal>p11-kit</literal> provides a proxy compatibility + module.</para> + + <para>This proxy module acts like a normal PKCS#11 module, but + internally loads a preconfigured set of PKCS#11 modules and + manages their features as described earlier. Each slot in the configured modules + is exposed as a slot of the <literal>p11-kit</literal> proxy module. The proxy + module is then used as a normal PKCS#11 module would be. It can be loaded by + crypto libraries like NSS and behaves as expected.</para> + + <para>The <literal>C_GetFunctionList</literal> exported entry point of the + proxy module returns a new managed PKCS#11 module each time it is called. These + managed instances are released when the proxy module is unloaded.</para> +</chapter> diff --git a/doc/manual/p11-kit-sections.txt b/doc/manual/p11-kit-sections.txt index dc85f2d..84f084d 100644 --- a/doc/manual/p11-kit-sections.txt +++ b/doc/manual/p11-kit-sections.txt @@ -52,15 +52,22 @@ p11_kit_pin_file_callback <SECTION> <FILE>p11-kit</FILE> -p11_kit_initialize_registered -p11_kit_finalize_registered -p11_kit_registered_modules -p11_kit_registered_module_to_name -p11_kit_registered_name_to_module -p11_kit_registered_option -p11_kit_initialize_module -p11_kit_load_initialize_module -p11_kit_finalize_module +P11_KIT_MODULE_CRITICAL +P11_KIT_MODULE_UNMANAGED +p11_kit_modules_load_and_initialize +p11_kit_modules_finalize_and_release +p11_kit_modules_load +p11_kit_modules_initialize +p11_kit_modules_finalize +p11_kit_modules_release +p11_kit_module_load +p11_kit_module_initialize +p11_kit_module_finalize +p11_kit_module_release +p11_kit_module_for_name +p11_kit_module_get_name +p11_kit_module_get_flags +p11_kit_config_option </SECTION> <SECTION> @@ -104,3 +111,17 @@ p11_kit_iter_get_object p11_kit_iter_load_attributes p11_kit_iter_free </SECTION> + +<SECTION> +<FILE>p11-kit-deprecated</FILE> +p11_kit_initialize_registered +p11_kit_finalize_registered +p11_kit_registered_modules +p11_kit_registered_module_to_name +p11_kit_registered_name_to_module +p11_kit_registered_option +p11_kit_initialize_module +p11_kit_load_initialize_module +p11_kit_finalize_module +P11_KIT_DEPRECATED_FOR +</SECTION> diff --git a/doc/manual/p11-kit-sharing.xml b/doc/manual/p11-kit-sharing.xml index e692e3d..01b3c8b 100644 --- a/doc/manual/p11-kit-sharing.xml +++ b/doc/manual/p11-kit-sharing.xml @@ -42,52 +42,52 @@ loosely coupled, backwards compatible, and flexible way.</para> </section> - <section xml:id="sharing-initialize"> - <title>Solution: p11-kit</title> - - <para><literal>p11-kit</literal> provides functions to - coordinate initialization and finalization of any PKCS#11 - module. A module may be initialized any number of times using - the p11_kit_initialize_module() function. The first time that - p11_kit_initialize_module() is called for a module, that module's - C_Initialize function is used. Later invocations for the same - module cause p11-kit to increment an internal initialization - count, rather than calling C_Initialize again.</para> - - <para>The p11_kit_finalize_module() is used to finalize a module. - Each time it is called it decrements the internal initialization - count for that module. When the internal initialization count - reaches zero, the module's C_Finalize function is called.</para> - - <para>This is done in a thread-safe manner. These functions can - be used on modules that the consumer loads themselves.</para> - </section> - - <section xml:id="sharing-module"> - <title>Solution: proxy module</title> - - <para>When an application is aware of the fact that coordination - is necessary between multiple consumers of a PKCS#11 module, it - can link to p11-kit and use the functions there to provide - this coordination.</para> - - <para>However most current consumers of PKCS#11 are ignorant of - this problem, and do not link to p11-kit. In order to solve this - multiple initialization problem for all applications, - <literal>p11-kit</literal> provides a proxy compatibility - module.</para> - - <para>This proxy module acts like a normal PKCS#11 module, but - internally loads a preconfigured set of PKCS#11 modules and - coordinates their initialization and finalization. Each slot - in the configured modules is exposed as a slot of the - <literal>p11-kit</literal> proxy module. The proxy module is - then used as a normal PKCS#11 module would be. It can be loaded by - crypto libraries like NSS and behaves as expected.</para> - - <para>The proxy module bends the PKCS#11 rules slightly. It does - not return the <literal>CKR_CRYPTOKI_ALREADY_INITIALIZED</literal> - error code as specified in PKCS#11. However this is a small - price to pay for this compatibility.</para> + <section xml:id="sharing-managed"> + <title>Managed modules</title> + + <para><literal>p11-kit</literal> wraps PKCS#11 modules to manage + them and customize their functionality so that they are able + to be shared between multiple callers in the same process.</para> + + <para>Each caller that uses the + <link linkend="p11-kit-modules-load"><function>p11_kit_modules_load()</function></link> + or <link linkend="p11-kit-module-load"><function>p11_kit_module_load()</function></link> + function gets independent wrapped PKCS#11 module(s). This is unless a caller + or module configuration specifies that a module should be used in an + unmanaged fashion.</para> + + <para>When modules are managed, the following aspects are wrapped and + coordinated:</para> + + <itemizedlist> + <listitem> + <para>Calls to <literal>C_Initialize</literal> and + <literal>C_Finalize</literal> can be called by multiple + callers.</para> + + <para>The first time that the managed module + <literal>C_Initialize</literal> is called, the PKCS#11 module's actual + <literal>C_Initialize</literal> function is called. Subsequent calls by + other callers will cause <literal>p11-kit</literal> to increment an + internal initialization count, rather than calling + <literal>C_Initialize</literal> again.</para> + + <para>Multiple callers can call the managed + <literal>C_Initialize</literal> function concurrently from different + threads and <literal>p11-kit</literal> will guarantee that this managed + in a thread-safe manner.</para> + </listitem> + <listitem> + <para>When the managed module <literal>C_Finalize</literal> is used + to finalize a module, each time it is called it decrements the internal + initialization count for that module. When the internal initialization + count reaches zero, the module's actual <literal>C_Finalize</literal> + function is called.</para> + + <para>Multiple callers can call the managed <literal>C_Finalize</literal> + function concurrently from different threads and <literal>p11-kit</literal> + will guarantee that this managed in a thread-safe manner.</para> + </listitem> + </itemizedlist> </section> </chapter> diff --git a/doc/manual/pkcs11.conf.xml b/doc/manual/pkcs11.conf.xml index 1814377..1051ee1 100644 --- a/doc/manual/pkcs11.conf.xml +++ b/doc/manual/pkcs11.conf.xml @@ -128,6 +128,16 @@ x-custom : text </listitem> </varlistentry> <varlistentry> + <term><option>managed:</option></term> + <listitem> + <para>Set to <literal>no</literal> if the module is not to be managed by + p11-kit. Making a module unmanaged is not recommended, and will cause + problems if multiple callers in a single process share a PKCS#11 module.</para> + + <para>This argument is optonal and defaults to <literal>yes</literal>.</para> + </listitem> + </varlistentry> + <varlistentry> <term><option>priority:</option></term> <listitem> <para>The value should be an integer. When lists of modules are @@ -172,6 +182,20 @@ x-custom : text <literal>none</literal>, <literal>merge</literal>, <literal>only</literal>.</para></listitem> </varlistentry> + <varlistentry> + <term><option>managed:</option></term> + <listitem> + <para>Set to <literal>yes</literal> or <literal>no</literal> to + force all modules to be managed or unmanaged by p11-kit. Setting this + setting in a global configuration file will override the + <literal>managed</literal> setting in the individual module configuration + files. Making modules unmanaged is not recommended, and will cause + problems if multiple callers in a single process share a PKCS#11 + module.</para> + + <para>This argument is optonal.</para> + </listitem> + </varlistentry> </variablelist> <para>Other fields may be present, but it is recommended that field names |