6271754 pkcs11_softtoken too aggresive in looking for token data files

6415608 SUNW_C_GetMechSession should not call C_Initialize when it is not necessary

12 files changed, 219 insertions, 81 deletions

diff --git a/usr/src/lib/pkcs11/Makefile.softtoken.com b/usr/src/lib/pkcs11/Makefile.softtoken.com
index 0a09b9523d..53e6d0db5c 100644
--- a/usr/src/lib/pkcs11/Makefile.softtoken.com
+++ b/usr/src/lib/pkcs11/Makefile.softtoken.com
@@ -147,7 +147,7 @@ SRCS =	\
 	$(BIGNUM_PSR_SRCS)
 
 LIBS    =       $(DYNLIB)
-LDLIBS  +=      -lc -lmd
+LDLIBS  +=      -lc -lmd -lcryptoutil
 
 MAPDIR  = ../spec/$(TRANSMACH)
 SPECMAPFILE = $(MAPDIR)/mapfile
diff --git a/usr/src/lib/pkcs11/libpkcs11/common/pkcs11SUNWExtensions.c b/usr/src/lib/pkcs11/libpkcs11/common/pkcs11SUNWExtensions.c
index 8ab81a7776..fc2245c6da 100644
--- a/usr/src/lib/pkcs11/libpkcs11/common/pkcs11SUNWExtensions.c
+++ b/usr/src/lib/pkcs11/libpkcs11/common/pkcs11SUNWExtensions.c
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -36,6 +35,7 @@
 #include <security/cryptoki.h>
 #include <assert.h>
 #include <cryptoutil.h>
+#include <pkcs11Global.h>
 
 static CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
 static CK_BBOOL falsevalue = FALSE;
@@ -95,9 +95,12 @@ SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE_PTR hSession)
 	}
 
 	/* initialize PKCS #11 */
-	rv = C_Initialize(NULL);
-	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
-		return (rv);
+	if (!pkcs11_initialized) {
+		rv = C_Initialize(NULL);
+		if ((rv != CKR_OK) &&
+		    (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
+			return (rv);
+		}
 	}
 
 	/* get slot count */
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c
index 29fb40cea1..15369bc9e8 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -1212,7 +1211,7 @@ soft_parse_common_attrs(CK_ATTRIBUTE_PTR template, uchar_t *object_type)
 	/* default boolean attributes */
 	case CKA_TOKEN:
 		if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
-			if (!soft_token_present)
+			if (!soft_keystore_status(KEYSTORE_INITIALIZED))
 				return (CKR_DEVICE_REMOVED);
 			*object_type |= TOKEN_OBJECT;
 		}
@@ -4579,7 +4578,7 @@ soft_set_common_storage_attribute(soft_object_t *object_p,
 	case CKA_TOKEN:
 		if (copy) {
 			if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
-				if (!soft_token_present)
+				if (!soft_keystore_status(KEYSTORE_INITIALIZED))
 					return (CKR_DEVICE_REMOVED);
 				object_p->object_type |= TOKEN_OBJECT;
 			}
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
index 6c5acf6875..a6ccf8e5d8 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
@@ -224,6 +224,7 @@ C_Initialize(CK_VOID_PTR pInitArgs)
 	soft_slot.authenticated = 0;
 	soft_slot.userpin_change_needed = 0;
 	soft_slot.token_object_list = NULL;
+	soft_slot.keystore_load_status = KEYSTORE_UNINITIALIZED;
 
 	if ((rv = soft_init_token_session()) != CKR_OK) {
 		(void) pthread_mutex_unlock(&soft_giant_mutex);
@@ -237,27 +238,10 @@ C_Initialize(CK_VOID_PTR pInitArgs)
 		return (CKR_CANT_LOCK);
 	}
 
-	/* Get keystore version because it might not be 1 at this time */
-	if (soft_keystore_get_version(&soft_slot.ks_version, B_FALSE) !=
-	    0) {
-		soft_token_present = B_FALSE;
-	}
-
-	if (soft_token_present) {
-		/* Load all the public token objects from keystore */
-		if ((rv = soft_get_token_objects_from_keystore(
-		    PUB_TOKENOBJS)) != CKR_OK) {
-			(void) pthread_mutex_destroy(&soft_slot.slot_mutex);
-			(void) soft_destroy_token_session();
-			(void) pthread_mutex_unlock(&soft_giant_mutex);
-			return (rv);
-		} else {
-			/*
-			 * Invalidate public token objects until the
-			 * C_OpenSession is called.
-			 */
-			soft_validate_token_objects(B_FALSE);
-		}
+	/* Initialize the keystore lock */
+	if (pthread_mutex_init(&soft_slot.keystore_mutex, NULL) != 0) {
+		(void) pthread_mutex_unlock(&soft_giant_mutex);
+		return (CKR_CANT_LOCK);
 	}
 
 	(void) pthread_mutex_unlock(&soft_giant_mutex);
@@ -361,6 +345,7 @@ finalize_common(boolean_t force, CK_VOID_PTR pReserved) {
 	 */
 	soft_delete_all_in_core_token_objects(ALL_TOKEN);
 	(void) pthread_mutex_destroy(&soft_slot.slot_mutex);
+	(void) pthread_mutex_destroy(&soft_slot.keystore_mutex);
 	(void) soft_destroy_token_session();
 
 	/*
@@ -372,6 +357,8 @@ finalize_common(boolean_t force, CK_VOID_PTR pReserved) {
 		free(delay_free_obj);
 		delay_free_obj = tmpo;
 	}
+
+	soft_slot.keystore_load_status = KEYSTORE_UNINITIALIZED;
 	(void) pthread_mutex_destroy(&obj_delay_freed.obj_to_be_free_mutex);
 
 	delay_free_ses = ses_delay_freed.first;
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c
index c9426be05f..a641fc9527 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.c
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -48,8 +47,6 @@
 #include "softOps.h"
 
 soft_session_t token_session;
-boolean_t soft_token_present = B_FALSE;
-
 
 /*
  * Generate a 16-byte Initialization Vector (IV).
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h
index 87a02479ae..d62fe19c96 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystore.h
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -40,8 +39,6 @@ extern "C" {
 #define	PBKD2_ITERATIONS (1000)
 #define	PWD_BUFFER_SIZE	1024
 
-extern boolean_t soft_token_present;
-
 /*
  * The following structure is the object header
  * in the keystore.
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c
index 87153034cc..41430eed08 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -46,6 +45,7 @@
 #include <cryptoutil.h>
 #include "softGlobal.h"
 #include "softObject.h"
+#include "softSession.h"
 #include "softKeystore.h"
 #include "softKeystoreUtil.h"
 
@@ -69,7 +69,7 @@
  * below.  If either order of the fields or their data type changed,
  * you must make sure the ALL the pre-define values are still valid
  *
- * 1) PKCS#11 release number.  It's 2.11 in this release (uchar_t[32])
+ * 1) PKCS#11 release number.  It's 2.20 in this release (uchar_t[32])
  * 2) keystore version number: used for synchronizing when different
  *    processes access the keystore at the same time.  It is incremented
  *    when there is a change to the keystore. (uint_32)
@@ -159,6 +159,7 @@ static char		keystore_path[MAXPATHLEN];
 static boolean_t	keystore_path_initialized = B_FALSE;
 static int		desc_fd = 0;
 
+
 static char *
 get_user_home_sunw_path(char *home_path)
 {
@@ -619,7 +620,6 @@ open_and_lock_keystore_desc(mode_t mode, boolean_t do_create_keystore,
 			break;
 	}
 	if (fd < 0) {
-		soft_token_present = B_FALSE;
 		if ((errno == ENOENT) && (do_create_keystore)) {
 			if (create_keystore() < 0) {
 				goto done;
@@ -640,8 +640,6 @@ open_and_lock_keystore_desc(mode_t mode, boolean_t do_create_keystore,
 		(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
 	}
 
-	soft_token_present = B_TRUE;
-
 	if (lock_held) {
 		/* already hold the lock */
 		return (fd);
@@ -1079,7 +1077,6 @@ soft_keystore_unlock_object(int fd)
 int
 soft_keystore_get_version(uint_t *version, boolean_t lock_held)
 {
-
 	int fd, ret_val = 0;
 	uint_t buf;
 
@@ -2957,3 +2954,151 @@ cleanup:
 	(void) close(fd);
 	return (ret_val);
 }
+
+/*
+ * This checks if the keystore file exists
+ */
+
+static int
+soft_keystore_exists()
+{
+	int ret;
+	struct stat fn_stat;
+	char *fname, ks_desc_file[MAXPATHLEN];
+
+	fname = get_desc_file_path(ks_desc_file);
+	ret = stat(fname, &fn_stat);
+	if (ret == 0)
+		return (0);
+	return (errno);
+}
+
+/*
+ *	FUNCTION: soft_keystore_init
+ *
+ *	ARGUMENTS:
+ *		desired_state:  The keystore state the caller would like
+ *				it to be.
+ *
+ *	RETURN VALUE:
+ *		Returns the state the function is in.  If it succeeded, it
+ *		will be the same as the desired, if not it will be
+ *		KEYSTORE_UNAVAILABLE.
+ *
+ *	DESCRIPTION:
+ *		This function will only load as much keystore data as is
+ *		requested at that time. This is for performace by delaying the
+ *		reading of token objects until they are needed or never at
+ *		all if they are not used.
+ *
+ *		It is only called by soft_keystore_status() when the
+ *		"desired_state" is not the the current load state of keystore.
+ *
+ */
+int
+soft_keystore_init(int desired_state)
+{
+	int ret;
+
+	(void) pthread_mutex_lock(&soft_slot.keystore_mutex);
+
+	/*
+	 * If more than one session tries to initialize the keystore, the
+	 * second and other following sessions that were waiting for the lock
+	 * will quickly exit if their requirements are satisfied.
+	 */
+	if (desired_state <= soft_slot.keystore_load_status) {
+		(void) pthread_mutex_unlock(&soft_slot.keystore_mutex);
+		return (soft_slot.keystore_load_status);
+	}
+
+	/*
+	 * With 'keystore_load_status' giving the current state of the
+	 * process, this switch will bring it up to the desired state if
+	 * possible.
+	 */
+
+	switch (soft_slot.keystore_load_status) {
+	case KEYSTORE_UNINITIALIZED:
+		ret = soft_keystore_exists();
+		if (ret == 0)
+			soft_slot.keystore_load_status = KEYSTORE_PRESENT;
+		else if (ret == ENOENT)
+			if (create_keystore() == 0)
+				soft_slot.keystore_load_status =
+				    KEYSTORE_PRESENT;
+			else {
+				soft_slot.keystore_load_status =
+				    KEYSTORE_UNAVAILABLE;
+				cryptoerror(LOG_ERR,
+				    "pkcs11_softtoken: "
+				    "Cannot create keystore.");
+				break;
+			}
+
+		if (desired_state <= KEYSTORE_PRESENT)
+			break;
+
+	/* FALLTHRU */
+	case KEYSTORE_PRESENT:
+		if (soft_keystore_get_version(&soft_slot.ks_version, B_FALSE)
+		    != 0) {
+			soft_slot.keystore_load_status = KEYSTORE_UNAVAILABLE;
+			cryptoerror(LOG_ERR,
+			    "pkcs11_softtoken: Keystore version failure.");
+			break;
+		}
+
+		soft_slot.keystore_load_status = KEYSTORE_VERSION_OK;
+		if (desired_state <= KEYSTORE_VERSION_OK)
+			break;
+
+	/* FALLTHRU */
+	case KEYSTORE_VERSION_OK:
+		/* Load all the public token objects from keystore */
+		if (soft_get_token_objects_from_keystore(PUB_TOKENOBJS)
+		    != CKR_OK) {
+			(void) soft_destroy_token_session();
+			soft_slot.keystore_load_status = KEYSTORE_UNAVAILABLE;
+			cryptoerror(LOG_ERR,
+			    "pkcs11_softtoken: Cannot initialize keystore.");
+			break;
+		}
+
+		soft_slot.keystore_load_status = KEYSTORE_INITIALIZED;
+	};
+
+	(void) pthread_mutex_unlock(&soft_slot.keystore_mutex);
+	return (soft_slot.keystore_load_status);
+}
+
+/*
+ *	FUNCTION: soft_keystore_status
+ *
+ *	ARGUMENTS:
+ *		desired_state:  The keystore state the caller would like
+ *				it to be.
+ *
+ *	RETURN VALUE:
+ *		B_TRUE if keystore is ready and at the desired state.
+ *		B_FALSE if keystore had an error and is not available.
+ *
+ *	DESCRIPTION:
+ *		The calling function wants to make sure the keystore load
+ *		status to in a state it requires.  If it is not at that
+ *		state it will call the load function.
+ *		If keystore is at the desired state or has just been
+ *		loaded to that state, it will return TRUE.  If there has been
+ *		load failure, it will return FALSE.
+ *
+ */
+boolean_t
+soft_keystore_status(int desired_state)
+{
+
+	if (soft_slot.keystore_load_status == KEYSTORE_UNAVAILABLE)
+		return (B_FALSE);
+
+	return ((desired_state <= soft_slot.keystore_load_status) ||
+	    (soft_keystore_init(desired_state) == desired_state));
+}
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.h b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.h
index 09166bcfb6..1642932ab7 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.h
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.h
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -39,6 +38,13 @@ extern "C" {
 
 #include <sys/types.h>
 
+/* Keystore State values */
+#define	KEYSTORE_UNINITIALIZED	0
+#define	KEYSTORE_PRESENT	1
+#define	KEYSTORE_VERSION_OK	2
+#define	KEYSTORE_INITIALIZED	3
+#define	KEYSTORE_UNAVAILABLE	4
+
 typedef enum {
 	ALL_TOKENOBJS = 0,
 	PUB_TOKENOBJS = 1,
@@ -68,7 +74,6 @@ typedef struct ks_obj {
 	struct ks_obj *next;
 } ks_obj_t;
 
-
 /*
  * Prototype for functions in softKeystore.c
  */
@@ -94,6 +99,7 @@ int soft_keystore_del_obj(ks_obj_handle_t *ks_handle, boolean_t lock_held);
 int soft_keystore_get_pin_salt(char **salt);
 CK_RV soft_keystore_pin_initialized(boolean_t *initialized, char **hashed_pin,
     boolean_t lock_held);
+boolean_t soft_keystore_status(int desired_state);
 
 #ifdef __cplusplus
 }
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObjectUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObjectUtil.c
index 758c35854a..6dcc201459 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObjectUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObjectUtil.c
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -270,6 +269,10 @@ soft_add_object(CK_ATTRIBUTE_PTR pTemplate,  CK_ULONG ulCount,
 
 	/* Write the new token object to the keystore */
 	if (IS_TOKEN_OBJECT(new_objp)) {
+		if (!soft_keystore_status(KEYSTORE_INITIALIZED)) {
+			rv = CKR_DEVICE_REMOVED;
+			goto fail_cleanup2;
+		}
 		new_objp->version = 1;
 		rv = soft_put_object_to_keystore(new_objp);
 		if (rv != CKR_OK) {
@@ -634,7 +637,8 @@ search_for_objects(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
 	 * into the token, all public and private objects in the keystore
 	 * are searched.
 	 */
-	if (((token_flag_val) || (!token_specified)) && (soft_token_present)) {
+	if (((token_flag_val) || (!token_specified)) &&
+	    soft_keystore_status(KEYSTORE_INITIALIZED)) {
 		/* acquire token session lock */
 		(void) pthread_mutex_lock(&soft_slot.slot_mutex);
 		rv = refresh_token_objects();
@@ -922,8 +926,7 @@ soft_delete_all_in_core_token_objects(token_obj_type_t type)
 }
 
 /*
- * Mark all the token objects in the global list
- * to be valid.
+ * Mark all the token objects in the global list to be valid.
  */
 void
 soft_validate_token_objects(boolean_t validate)
@@ -932,6 +935,7 @@ soft_validate_token_objects(boolean_t validate)
 	soft_object_t *objp;
 
 	(void) pthread_mutex_lock(&soft_slot.slot_mutex);
+
 	objp = soft_slot.token_object_list;
 
 	while (objp) {
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.c
index cca7281e11..2585cc055e 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.c
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -321,7 +320,8 @@ C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin,
 	if (rv != CKR_OK)
 		return (rv);
 
-	if (!soft_token_present) {
+	/* Check the load status of keystore */
+	if (!soft_keystore_status(KEYSTORE_VERSION_OK)) {
 		SES_REFRELE(session_p, lock_held);
 		return (CKR_DEVICE_REMOVED);
 	}
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.h b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.h
index 7236219a24..b13181daf4 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.h
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSession.h
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -111,6 +110,8 @@ typedef struct slot {
 	boolean_t	authenticated;	/* Has C_Login called */
 	boolean_t	userpin_change_needed; /* set if PIN expired */
 	pthread_mutex_t	slot_mutex;
+	pthread_mutex_t	keystore_mutex; /* Protects keystore_load_status */
+	uint_t		keystore_load_status; /* Keystore load status */
 	/* points to in-core token object list */
 	struct object	*token_object_list;
 } slot_t;
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSlotToken.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSlotToken.c
index d0fafc97b8..e3201c2d3c 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSlotToken.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSlotToken.c
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -287,7 +286,7 @@ C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
 	    64);
 	(void) strncpy((char *)pInfo->manufacturerID, SOFT_MANUFACTURER_ID, 32);
 	pInfo->flags = 0;
-	if (soft_token_present) {
+	if (soft_keystore_status(KEYSTORE_PRESENT)) {
 		pInfo->flags |= CKF_TOKEN_PRESENT;
 	}
 	pInfo->hardwareVersion.major = HARDWARE_VERSION_MAJOR;
@@ -318,7 +317,7 @@ C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 	if (pInfo == NULL)
 		return (CKR_ARGUMENTS_BAD);
 
-	if (!soft_token_present)
+	if (!soft_keystore_status(KEYSTORE_VERSION_OK))
 		return (CKR_DEVICE_REMOVED);
 
 	/* Provide information about a token in the provided buffer */
@@ -493,7 +492,7 @@ C_SetPIN(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin,
 	if (rv != CKR_OK)
 		return (rv);
 
-	if (!soft_token_present) {
+	if (!soft_keystore_status(KEYSTORE_VERSION_OK)) {
 		SES_REFRELE(session_p, lock_held);
 		return (CKR_DEVICE_REMOVED);
 	}