Proxy Module

When an application is aware of the fact that coordination is necessary between multiple consumers of a PKCS#11 module, and wants to load standard configured PKCS#11 modules, it can link to p11-kit and use the functions there to provide this functionality.

However most current consumers of PKCS#11 are ignorant of this problem, and do not link to p11-kit. In order to solve this multiple initialization problem for all applications, p11-kit provides a proxy compatibility module.

This proxy module acts like a normal PKCS#11 module, but internally loads a preconfigured set of PKCS#11 modules and manages their features as described earlier. Each slot in the configured modules is exposed as a slot of the p11-kit proxy module. The proxy module is then used as a normal PKCS#11 module would be. It can be loaded by crypto libraries like NSS and behaves as expected.

The C_GetFunctionList exported entry point of the proxy module returns a new managed PKCS#11 module each time it is called. These managed instances are released when the proxy module is unloaded.