Hi, I've been looking at the PKCS#11 engine and evaluating if we can use it with a specific HSM. It (mostly) works, but I've some questions about the code. I hope this is the right place to ask. I am using openssl-0.9.8l. Here goes.
Q1: Does the engine support being used from multiple threads? I've been looking at the C_Initialize calls, and all of them pass NULL_PTR as a parameter. That, according to the PKCS#11 spec, means: "The application ... will not be accessing the library concurrently from multiple threads, and so the library need not worry about performing any type of locking for the sake of thread-safety." So I guess we are not supposed to call it from multiple threads, is this correct? If we wanted to add multithread support, will supplying the right parameters to C_Initialize be enough? It does seem to work, but is any additional locking required? As far as I can see, there is some locking for the engine's internal structures, so it should be OK, but still a confirmation would be great.

Q2: Why does the engine call C_DestroyObject on finalization? If I am reading the code right, it tries to destroy public/private key objects, which is not generally a good idea. Those are usually token objects, probably generated from another application, so they should be left as is, I think. Am I missing something or is there a reason for this? I've traced this call sequence which (occasionally?) results in private keys being deleted from our HSM. If I comment out the destroy_rsa_key_objects call, keys are not deleted.

pk_11_finish->pk11_free_all_sessions->destroy_rsa_key_objects->pk11_destroy_rsa_object_pub|priv

Q3: Is there a way to completely disable the automatic slot selection? (without re-writing the code, of course). The 'SLOT' command seems like the way to go, but it doesn't quite work. It sets the SLOTID global to the integer specified, but that is only used for OP_CIPHER/DIGEST, and I want to use it for all operations (OP_RSA/OP_RAND). Another thing is that the SLOTID is not necessarily an integer, it might be a handle (it is with the HSM we are testing).
I've been through the 'OpenSSL PKCS#11 engine' presentation, which does explain quite a few things, but I couldn't find the answers to my questions. Any help/hints where to look are much appreciated.
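The two mechanisms behind Q1 and Q3, as an added example that is not code from the post or from the OpenSSL PKCS#11 engine: C_Initialize is given a CK_C_INITIALIZE_ARGS block with CKF_OS_LOCKING_OK instead of NULL_PTR, so the library is told that concurrent calls will happen, and the slot is taken from an explicit configuration value and matched against C_GetSlotList, failing closed instead of falling back to whatever slot happens to be first. The minimal Cryptoki typedefs, the PKCS11_MODULE and PKCS11_SLOT environment variables, and the helper names make_init_args and select_slot are assumptions of this example; real code should include the vendor's pkcs11.h. Nothing here touches token objects, which is the point of Q2: enumerating and using keys needs no C_DestroyObject at all.

```c
/* Added example (not the engine's own code): initialise a PKCS#11 module for
 * multi-threaded use and pin the slot explicitly.  Minimal PKCS#11 types are
 * reproduced here (assumption) so the file builds without pkcs11.h. */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_RV, CK_FLAGS, CK_SLOT_ID, CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef void *CK_VOID_PTR;
typedef CK_SLOT_ID *CK_SLOT_ID_PTR;
typedef CK_ULONG *CK_ULONG_PTR;
#define CKR_OK            0UL
#define CKF_OS_LOCKING_OK 0x00000002UL
#define CK_TRUE           1

/* CK_C_INITIALIZE_ARGS with the layout of the PKCS#11 v2.x specification;
 * the four mutex callbacks are kept as plain pointers in this cut-down copy. */
typedef struct CK_C_INITIALIZE_ARGS {
    void *CreateMutex; void *DestroyMutex; void *LockMutex; void *UnlockMutex;
    CK_FLAGS flags;
    CK_VOID_PTR pReserved;
} CK_C_INITIALIZE_ARGS;

typedef CK_RV (*C_Initialize_t)(CK_VOID_PTR);
typedef CK_RV (*C_Finalize_t)(CK_VOID_PTR);
typedef CK_RV (*C_GetSlotList_t)(CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR);

/* Argument block that tells the library the application WILL call it from
 * several threads and that native OS locking is acceptable.  Passing NULL_PTR
 * instead is the "single-threaded" promise quoted in Q1. */
CK_C_INITIALIZE_ARGS make_init_args(void)
{
    CK_C_INITIALIZE_ARGS a;
    memset(&a, 0, sizeof a);          /* no custom mutex callbacks supplied */
    a.flags = CKF_OS_LOCKING_OK;
    return a;
}

/* Match the configured slot id against what the module reports.  Returns the
 * index into slots, or -1 when the id is absent so callers fail closed rather
 * than silently using a different token. */
int select_slot(const CK_SLOT_ID *slots, CK_ULONG n, CK_SLOT_ID wanted)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (slots[i] == wanted)
            return (int)i;
    return -1;
}

int main(void)
{
    const char *path   = getenv("PKCS11_MODULE"); /* assumed: path to vendor .so */
    const char *slot_s = getenv("PKCS11_SLOT");   /* assumed: slot id, e.g. 0x1 */
    if (!path || !slot_s) {
        fprintf(stderr, "set PKCS11_MODULE and PKCS11_SLOT\n");
        return 2;
    }
    void *lib = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (!lib) { fprintf(stderr, "dlopen: %s\n", dlerror()); return 1; }
    C_Initialize_t  init  = (C_Initialize_t)dlsym(lib, "C_Initialize");
    C_Finalize_t    fini  = (C_Finalize_t)dlsym(lib, "C_Finalize");
    C_GetSlotList_t slots = (C_GetSlotList_t)dlsym(lib, "C_GetSlotList");
    if (!init || !fini || !slots) { fprintf(stderr, "not a PKCS#11 module\n"); return 1; }

    CK_C_INITIALIZE_ARGS args = make_init_args();
    CK_RV rv = init(&args);
    if (rv != CKR_OK) { fprintf(stderr, "C_Initialize: 0x%lx\n", rv); return 1; }

    /* Two-call pattern: first query the count, then fetch the ids. */
    CK_ULONG n = 0;
    if (slots(CK_TRUE, NULL, &n) != CKR_OK) { fini(NULL); return 1; }
    CK_SLOT_ID *ids = calloc(n ? n : 1, sizeof *ids);
    if (slots(CK_TRUE, ids, &n) != CKR_OK) { free(ids); fini(NULL); return 1; }

    int idx = select_slot(ids, n, strtoul(slot_s, NULL, 0));
    if (idx < 0)
        fprintf(stderr, "slot %s not present; refusing to fall back to another slot\n", slot_s);
    else
        printf("using slot id 0x%lx (index %d of %lu)\n", ids[idx], idx, n);
    free(ids);
    fini(NULL);
    return idx < 0 ? 1 : 0;
}
```

Supplying CKF_OS_LOCKING_OK only removes the library-side restriction; any engine-side state shared across threads (session handles, cached key objects) still needs the engine's own locking, which is the part the post says it could not fully confirm. The slot id is parsed with base 0 so a handle-style hexadecimal value works as well as a small decimal index.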