more random patches. who knows.

[patches.git] / openssh-4.4p1pkcs11-0.17.patch

diff -urNp openssh-4.4p1/authfd.c openssh-4.4p1+pkcs11-0.17/authfd.c
--- openssh-4.4p1/authfd.c      2006-09-01 08:38:36.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/authfd.c  2006-10-12 13:59:59.000000000 +0200
@@ -669,3 +669,79 @@ decode_reply(int type)
        /* NOTREACHED */
        return 0;
 }
+
+#ifndef SSH_PKCS11_DISABLED
+
+int
+ssh_pkcs11_add_provider (AuthenticationConnection *auth, const char *provider,
+       int protected_authentication, const char *sign_mode, int cert_private)
+{
+       Buffer msg;
+       int type;
+       int code;
+
+       code = SSH_AGENTC_PKCS11_ADD_PROVIDER;
+
+       buffer_init(&msg);
+       buffer_put_char(&msg, code);
+       buffer_put_cstring(&msg, provider);
+       buffer_put_int(&msg, protected_authentication);
+       buffer_put_cstring(&msg, sign_mode == NULL ? "auto" : sign_mode);
+       buffer_put_int(&msg, cert_private);
+
+       if (ssh_request_reply(auth, &msg, &msg) == 0) {
+               buffer_free(&msg);
+               return 0;
+       }
+       type = buffer_get_char(&msg);
+       buffer_free(&msg);
+       return decode_reply(type);
+}
+
+int
+ssh_pkcs11_id (AuthenticationConnection *auth, const pkcs11_identity *id, int remove)
+{
+       Buffer msg;
+       int type;
+       int code;
+
+       code = remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID;
+
+       buffer_init(&msg);
+       buffer_put_char(&msg, code);
+       buffer_put_cstring(&msg, id->id);
+       buffer_put_int(&msg, id->pin_cache_period);
+       buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
+
+       if (ssh_request_reply(auth, &msg, &msg) == 0) {
+               buffer_free(&msg);
+               return 0;
+       }
+       type = buffer_get_char(&msg);
+       buffer_free(&msg);
+       return decode_reply(type);
+}
+
+int
+ssh_pkcs11_set_ask_pin (AuthenticationConnection *auth, const char *pin_prog)
+{
+       Buffer msg;
+       int type;
+       int code;
+
+       code = SSH_AGENTC_PKCS11_SET_ASK_PIN;
+
+       buffer_init(&msg);
+       buffer_put_char(&msg, code);
+       buffer_put_cstring(&msg, pin_prog);
+
+       if (ssh_request_reply(auth, &msg, &msg) == 0) {
+               buffer_free(&msg);
+               return 0;
+       }
+       type = buffer_get_char(&msg);
+       buffer_free(&msg);
+       return decode_reply(type);
+}
+
+#endif /* SSH_PKCS11_DISABLED */
diff -urNp openssh-4.4p1/authfd.h openssh-4.4p1+pkcs11-0.17/authfd.h
--- openssh-4.4p1/authfd.h      2006-08-05 05:39:39.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/authfd.h  2006-10-12 13:57:49.000000000 +0200
@@ -16,6 +16,8 @@
 #ifndef AUTHFD_H
 #define AUTHFD_H
 
+#include "pkcs11.h"
+
 /* Messages for the authentication agent connection. */
 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES      1
 #define SSH_AGENT_RSA_IDENTITIES_ANSWER                2
@@ -49,6 +51,11 @@
 #define SSH2_AGENTC_ADD_ID_CONSTRAINED         25
 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
 
+#define SSH_AGENTC_PKCS11_ADD_PROVIDER         27
+#define SSH_AGENTC_PKCS11_ADD_ID               28
+#define SSH_AGENTC_PKCS11_REMOVE_ID            29
+#define SSH_AGENTC_PKCS11_SET_ASK_PIN          30
+
 #define        SSH_AGENT_CONSTRAIN_LIFETIME            1
 #define        SSH_AGENT_CONSTRAIN_CONFIRM             2
 
@@ -92,4 +99,11 @@ int
 ssh_agent_sign(AuthenticationConnection *, Key *, u_char **, u_int *, u_char *,
     u_int);
 
+#ifndef SSH_PKCS11_DISABLED
+int    ssh_pkcs11_add_provider (AuthenticationConnection *, const char *,
+    int, const char *, int);
+int    ssh_pkcs11_id (AuthenticationConnection *, const pkcs11_identity *, int remove);
+int    ssh_pkcs11_set_ask_pin (AuthenticationConnection *, const char *);
+#endif /* SSH_PKCS11_DISABLED */
+
 #endif                         /* AUTHFD_H */
diff -urNp openssh-4.4p1/ChangeLog.pkcs11 openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11
--- openssh-4.4p1/ChangeLog.pkcs11      1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11  2006-10-23 17:36:52.000000000 +0200
@@ -0,0 +1,49 @@
+20061023
+ - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.
+ - (alonbl) Release 0.17
+
+20061020
+ - (alonbl) Major modification of ssh-add command-line parameters.
+   Now, a complete serialized certificate needs to be specified, this
+   in order to allow people to add id without forcing card to be available.
+   But to allow complete silent addition a certificate file also needed.
+   --pkcs11-show-ids is used in order to get a list of resources.
+   --pkcs11-add-id --pkcs11-id <serialized id> \
+      [--pkcs11-cert-file <cert_file>]
+ - (alonbl) PKCS#11 release 0.16
+
+20061012
+ - (alonbl) OpenSC bug workaround.
+ - (alonbl) PKCS#11 release 0.15
+
+20060930
+ - (alonbl) Some pkcs11-helper updates.
+ - (alonbl) Rebase against 4.4p1.
+ - (alonbl) PKCS#11 release 0.14
+
+20060709
+ - (alonbl) PKCS#11 fixed handling multiproviders.
+ - (alonbl) PKCS#11 release 0.13
+
+20060608
+ - (alonbl) PKCS#11 modifed to match X.509-5.5 patch, works OK with focing
+   ssh-rsa id.
+ - (alonbl) PKCS#11 removed --pkcs11-x509-force-ssh argument.
+ - (alonbl) PKCS#11 release 0.12
+
+20060527
+ - (alonbl) PKCS#11 fix issues with gcc-2
+ - (alonbl) PKCS#11 fix issues with openssl-0.9.6 (first) version.
+ - (alonbl) PKCS#11 modified to match X.509-5.4 patch.
+ - (alonbl) PKCS#11 add --pkcs11-x509-force-ssh argument to force ssh id out
+   of X.509 certificate.
+ - (alonbl) PKCS#11 release 0.11
+
+20060419
+ - (alonbl) PKCS#11 fix handling empty attributes.
+ - (alonbl) PKCS#11 release 0.10
+
+20060404
+ - (alonbl) PKCS#11 code sync.
+ - (alonbl) PKCS#11 release 0.09
+
diff -urNp openssh-4.4p1/config.h.in openssh-4.4p1+pkcs11-0.17/config.h.in
--- openssh-4.4p1/config.h.in   2006-09-26 14:03:33.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/config.h.in       2006-09-28 16:31:03.000000000 +0300
@@ -1217,6 +1217,12 @@
 /* Use audit debugging module */
 #undef SSH_AUDIT_EVENTS
 
+/* Define if you don't want use PKCS#11 */
+#undef SSH_PKCS11_DISABLED
+
+/* Define if you don't want use X509 with PKCS#11 */
+#undef SSH_PKCS11_X509_DISABLED
+
 /* non-privileged user for privilege separation */
 #undef SSH_PRIVSEP_USER
 
diff -urNp openssh-4.4p1/configure openssh-4.4p1+pkcs11-0.17/configure
--- openssh-4.4p1/configure     2006-09-26 14:03:41.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/configure 2006-09-28 16:33:53.000000000 +0300
@@ -1307,6 +1307,7 @@ Optional Features:
   --disable-libutil       disable use of libutil (login() etc.) no
   --disable-pututline     disable use of pututline() etc. (uwtmp) no
   --disable-pututxline    disable use of pututxline() etc. (uwtmpx) no
+  --disable-pkcs11        Disable PKCS#11 support
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -32163,6 +32164,33 @@ if test ! -z "$blibpath" ; then
 echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
 fi
 
+ssh_pkcs11="yes"
+ssh_pkcs11_x509="yes"
+# Check whether --enable-pkcs11 was given.
+if test "${enable_pkcs11+set}" = set; then
+  enableval=$enable_pkcs11;
+       if test "x$enableval" = "xno"; then
+               ssh_pkcs11="no"
+       fi
+
+
+fi
+
+if test "x$ssh_pkcs11" = "xno"; then
+
+cat >>confdefs.h <<_ACEOF
+#define SSH_PKCS11_DISABLED 1
+_ACEOF
+
+fi
+if test "x$ssh_x509" = "x"; then
+
+cat >>confdefs.h <<_ACEOF
+#define SSH_PKCS11_X509_DISABLED 1
+_ACEOF
+
+fi
+
 CFLAGS="$CFLAGS $werror_flags"
 
 
@@ -33415,6 +33443,7 @@ echo "       IP address in \$DISPLAY hac
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
+echo "                   PKCS#11 support: $ssh_pkcs11"
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
diff -urNp openssh-4.4p1/configure.ac openssh-4.4p1+pkcs11-0.17/configure.ac
--- openssh-4.4p1/configure.ac  2006-09-24 22:08:59.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/configure.ac      2006-09-28 08:05:35.000000000 +0300
@@ -3912,6 +3912,27 @@ if test ! -z "$blibpath" ; then
        AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
 fi
 
+ssh_pkcs11="yes"
+ssh_pkcs11_x509="yes"
+AC_ARG_ENABLE(pkcs11,
+       [  --disable-pkcs11        Disable PKCS#11 support],
+       [
+       if test "x$enableval" = "xno"; then
+               ssh_pkcs11="no"
+       fi
+       ]
+)
+if test "x$ssh_pkcs11" = "xno"; then
+       AC_DEFINE_UNQUOTED(
+               SSH_PKCS11_DISABLED, 1,
+               [Define if you don't want use PKCS#11])
+fi
+if test "x$ssh_x509" = "x"; then
+       AC_DEFINE_UNQUOTED(
+               SSH_PKCS11_X509_DISABLED, 1,
+               [Define if you don't want use X509 with PKCS#11])
+fi
+
 dnl Adding -Werror to CFLAGS early prevents configure tests from running.
 dnl Add now.
 CFLAGS="$CFLAGS $werror_flags"
@@ -3973,6 +3994,7 @@ echo "       IP address in \$DISPLAY hac
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
+echo "                   PKCS#11 support: $ssh_pkcs11"
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
diff -urNp openssh-4.4p1/cryptoki.h openssh-4.4p1+pkcs11-0.17/cryptoki.h
--- openssh-4.4p1/cryptoki.h    1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/cryptoki.h        2006-09-28 08:05:35.000000000 +0300
@@ -0,0 +1,35 @@
+/* cryptoki.h include file for PKCS #11. */
+/* $Revision: 1.4 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+#ifndef ___CRYPTOKI_H_INC___
+#define ___CRYPTOKI_H_INC___
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) returnType name
+#define CK_DECLARE_FUNCTION(returnType, name) returnType name
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
+#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
+
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+
+#include "pkcs11-headers/pkcs11.h"
+
+#endif /* ___CRYPTOKI_H_INC___ */
diff -urNp openssh-4.4p1/cryptoki-win32.h openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h
--- openssh-4.4p1/cryptoki-win32.h      1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h  2006-09-28 08:05:35.000000000 +0300
@@ -0,0 +1,66 @@
+/* cryptoki.h include file for PKCS #11. */
+/* $Revision: 1.4 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This is a sample file containing the top level include directives
+ * for building Win32 Cryptoki libraries and applications.
+ */
+
+#ifndef ___CRYPTOKI_H_INC___
+#define ___CRYPTOKI_H_INC___
+
+#pragma pack(push, cryptoki, 1)
+
+/* Specifies that the function is a DLL entry point. */
+#define CK_IMPORT_SPEC __declspec(dllimport)
+
+/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do
+ * not define it in applications.
+ */
+#ifdef CRYPTOKI_EXPORTS
+/* Specified that the function is an exported DLL entry point. */
+#define CK_EXPORT_SPEC __declspec(dllexport) 
+#else
+#define CK_EXPORT_SPEC CK_IMPORT_SPEC 
+#endif
+
+/* Ensures the calling convention for Win32 builds */
+#define CK_CALL_SPEC __cdecl
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+  returnType CK_EXPORT_SPEC CK_CALL_SPEC name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+  returnType CK_EXPORT_SPEC CK_CALL_SPEC name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+  returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+  returnType (CK_CALL_SPEC CK_PTR name)
+
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+
+#include "pkcs11-headers/pkcs11.h"
+
+#pragma pack(pop, cryptoki)
+
+#endif /* ___CRYPTOKI_H_INC___ */
diff -urNp openssh-4.4p1/LICENCE openssh-4.4p1+pkcs11-0.17/LICENCE
--- openssh-4.4p1/LICENCE       2006-08-30 20:24:41.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/LICENCE   2006-09-28 08:05:35.000000000 +0300
@@ -332,6 +332,9 @@ OpenSSH contains no GPL code.
        * authorization.                                                           *
        ****************************************************************************/
 
+    d) PKCS #11: Cryptographic Token Interface Standard
+
+       This software uses RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
 
 ------
 $OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
diff -urNp openssh-4.4p1/Makefile.in openssh-4.4p1+pkcs11-0.17/Makefile.in
--- openssh-4.4p1/Makefile.in   2006-09-12 14:54:10.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/Makefile.in       2006-09-28 08:05:35.000000000 +0300
@@ -66,6 +66,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
        canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
+       pkcs11.o pkcs11-helper.o \
        cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
        compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
        log.o match.o md-sha256.o moduli.o nchan.o packet.o \
diff -urNp openssh-4.4p1/pkcs11.c openssh-4.4p1+pkcs11-0.17/pkcs11.c
--- openssh-4.4p1/pkcs11.c      1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11.c  2006-10-23 17:35:54.000000000 +0200
@@ -0,0 +1,1139 @@
+/*
+ * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * The routines in this file deal with providing private key cryptography
+ * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
+ *
+ */
+
+#include "includes.h"
+#include <sys/wait.h>
+#include <errno.h>
+
+#if !defined(SSH_PKCS11_DISABLED)
+
+#include "pkcs11-helper.h"
+#include "pkcs11.h"
+#include "openssl/pem.h"
+#include "misc.h"
+
+static
+char *
+ssh_from_x509 (X509 *x509);
+
+static char *s_szSetPINProg = NULL;
+
+static
+unsigned
+_pkcs11_msg_pkcs112openssh (
+       IN const unsigned flags
+) {
+       unsigned openssh_flags;
+
+       switch (flags) {
+               case PKCS11H_LOG_DEBUG2:
+                       openssh_flags = SYSLOG_LEVEL_DEBUG3;
+               break;
+               case PKCS11H_LOG_DEBUG1:
+                       openssh_flags = SYSLOG_LEVEL_DEBUG2;
+               break;
+               case PKCS11H_LOG_INFO:
+                       openssh_flags = SYSLOG_LEVEL_INFO;
+               break;
+               case PKCS11H_LOG_WARN:
+                       openssh_flags = SYSLOG_LEVEL_ERROR;
+               break;
+               case PKCS11H_LOG_ERROR:
+                       openssh_flags = SYSLOG_LEVEL_FATAL;
+               break;
+               default:
+                       openssh_flags = SYSLOG_LEVEL_FATAL;
+               break;
+       }
+
+       return openssh_flags;
+}
+
+static
+unsigned
+_pkcs11_msg_openssh2pkcs11 (
+       IN const unsigned flags
+) {
+       unsigned pkcs11_flags;
+
+       switch (flags) {
+               case SYSLOG_LEVEL_DEBUG3:
+                       pkcs11_flags = PKCS11H_LOG_DEBUG2;
+               break;
+               case SYSLOG_LEVEL_DEBUG2:
+                       pkcs11_flags = PKCS11H_LOG_DEBUG1;
+               break;
+               case SYSLOG_LEVEL_INFO:
+                       pkcs11_flags = PKCS11H_LOG_INFO;
+               break;
+               case SYSLOG_LEVEL_ERROR:
+                       pkcs11_flags = PKCS11H_LOG_WARN;
+               break;
+               case SYSLOG_LEVEL_FATAL:
+                       pkcs11_flags = PKCS11H_LOG_ERROR;
+               break;
+               default:
+                       pkcs11_flags = PKCS11H_LOG_ERROR;
+               break;
+       }
+
+       return pkcs11_flags;
+}
+
+static
+void
+_pkcs11_openssh_log (
+       IN void * const pData,
+       IN unsigned flags,
+       IN const char * const szFormat,
+       IN va_list args
+) {
+       do_log (_pkcs11_msg_pkcs112openssh (flags), szFormat, args);
+}
+
+static
+int
+_pkcs11_ssh_prompt (
+       IN const char * const szType,
+       IN const char * const szPrompt,
+       OUT char * const szInput,
+       IN const int nMaxInput
+) {
+       pid_t pid = -1;
+       int fds[2] = {-1, -1};
+       int fOK = TRUE;
+
+       /*
+        * Make sure we don't reuse PIN
+        */
+       if (fOK) {
+               memset (szInput, 0, nMaxInput);
+       }
+
+       if (fOK && s_szSetPINProg == NULL) {
+               fOK = FALSE;
+       }
+
+       if (fOK && pipe (fds) == -1) {
+               fOK = FALSE;
+       }
+
+       if (fOK && (pid = fork ()) == -1) {
+               fOK = FALSE;
+       }
+
+       if (fOK) {
+               if (pid == 0) {
+                       close (fds[0]);
+                       fds[0] = -1;
+
+                       if (fOK && dup2 (fds[1], 1) == -1) {
+                               fOK = FALSE;
+                       }
+                       if (fOK) {
+                               close (fds[1]);
+                               fds[1] = -1;
+                       }
+
+                       if (fOK) {
+                               execl (
+                                       s_szSetPINProg,
+                                       s_szSetPINProg,
+                                       "-t",
+                                       szType,
+                                       szPrompt,
+                                       NULL
+                               );
+                       }
+
+                       exit (1);
+               }
+               else {
+                       int status;
+                       int r = 0;
+                       
+                       close (fds[1]);
+                       fds[1] = -1;
+
+                       if (fOK) {
+                               while (
+                                       (r=waitpid (pid, &status, 0)) == 0 ||
+                                       (r == -1 && errno == EINTR)
+                               );
+
+                               if (r == -1) {
+                                       fOK = FALSE;
+                               }
+                       }
+
+                       if (fOK && !WIFEXITED (status)) {
+                               fOK = FALSE;
+                       }
+
+                       if (fOK && WEXITSTATUS (status) != 0) {
+                               fOK = FALSE;
+                       }
+                       
+                       if (fOK) {
+                               if (!strcmp (szType, "password")) {
+                                       if ((r = read (fds[0], szInput, nMaxInput)) == -1) {
+                                               fOK = FALSE;
+                                               r = 0;
+                                       }
+                               }
+                               else {
+                                       r = 0;
+                               }
+                               szInput[r] = '\0';
+                       }
+
+                       if (fOK) {
+                               if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\n') {
+                                       szInput[strlen (szInput)-1] = '\0';
+                               }
+                               /*
+                                * for DOS compatability
+                                */
+                               if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\r') {
+                                       szInput[strlen (szInput)-1] = '\0';
+                               }
+                       }
+               }
+       }
+
+       if (fds[0] != -1) {
+               close (fds[0]);
+               fds[0] = -1;
+       }
+
+       if (fds[1] != -1) {
+               close (fds[1]);
+               fds[1] = -1;
+       }
+
+       return fOK;
+}
+
+static
+void
+_pkcs11_ssh_print (
+       IN void * const pData,
+       IN const char * const szFormat,
+       IN ...
+) {
+       va_list args;
+
+       va_start (args, szFormat);
+       vprintf (szFormat, args);
+       va_end (args);
+}
+
+static
+PKCS11H_BOOL
+_pkcs11_ssh_token_prompt (
+       IN void * const pData1,
+       IN void * const pData2,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry
+) {
+       char szPrompt[1024];
+       char szPIN[1024];
+       
+       snprintf (szPrompt, sizeof (szPrompt), "Please insert token '%s' or cancel", token->display);
+       return _pkcs11_ssh_prompt ("okcancel", szPrompt, szPIN, sizeof (szPIN));
+}
+
+static
+PKCS11H_BOOL
+_pkcs11_ssh_pin_prompt (
+       IN void * const pData1,
+       IN void * const pData2,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry,
+       OUT char * const szPIN,
+       IN const size_t nMaxPIN
+) {
+       char szPrompt[1024];
+
+       snprintf (szPrompt, sizeof (szPrompt), "Please enter PIN for token '%s'", token->display);
+       return _pkcs11_ssh_prompt ("password", szPrompt, szPIN, nMaxPIN);
+}
+
+static
+PKCS11H_BOOL
+_pkcs11_ssh_pin_prompt_cli (
+       IN void * const pData1,
+       IN void * const pData2,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry,
+       OUT char * const szPIN,
+       IN const size_t nMaxPIN
+) {
+       char szPrompt[1024];
+       snprintf (szPrompt, sizeof (szPrompt), "Please enter '%s' PIN or 'cancel': ", token->display);
+       char *p = getpass (szPrompt);
+
+       strncpy (szPIN, p, nMaxPIN);
+       szPIN[nMaxPIN-1] = '\0';
+
+       return strcmp (szPIN, "cancel") != 0;
+}
+
+void
+_pkcs11_do_log (
+       IN LogLevel l,
+       IN const char *f,
+       IN ...
+) {
+       va_list args;
+       va_start (args, f);
+       do_log (l, f, args);
+       va_end (args);
+}
+
+int
+pkcs11_initialize (
+       const int fProtectedAuthentication,
+       const int nPINCachePeriod
+) {
+       CK_RV rv = CKR_OK;
+
+       debug3 (
+               "PKCS#11: pkcs11_initialize - entered fProtectedAuthentication=%d, nPINCachePeriod=%d",
+               fProtectedAuthentication,
+               nPINCachePeriod
+       );
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_initialize ()) != CKR_OK
+       ) {
+               error ("PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL)) != CKR_OK
+       ) {
+               error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       /*
+        * WARNING!!!
+        * There is no way to get log level,
+        * so set to minimum.
+        * After fix in log.c it can be fixed.
+        */
+       if (rv == CKR_OK) {
+               pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_setTokenPromptHook (_pkcs11_ssh_token_prompt, NULL)) != CKR_OK
+       ) {
+               error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt, NULL)) != CKR_OK
+       ) {
+               error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_setProtectedAuthentication (fProtectedAuthentication)) != CKR_OK
+       ) {
+               error ("PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_setPINCachePeriod (nPINCachePeriod)) != CKR_OK
+       ) {
+               error ("PKCS#11: Cannot set PIN cache period %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       debug3 (
+               "PKCS#11: pkcs11_initialize - return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv == CKR_OK;
+}
+
+void
+pkcs11_terminate () {
+       debug3 ("PKCS#11: pkcs11_terminate - entered");
+
+       pkcs11h_terminate ();
+
+       debug3 ("PKCS#11: pkcs11_terminate - return");
+}
+
+void
+pkcs11_forkFix () {
+       pkcs11h_forkFixup ();
+}
+
+int
+pkcs11_setAskPIN (
+       const char * const pin_prog
+) {
+       if (pin_prog != NULL) {
+               if (s_szSetPINProg != NULL) {
+                       xfree (s_szSetPINProg);
+                       s_szSetPINProg = NULL;
+               }
+
+               s_szSetPINProg = xstrdup (pin_prog);
+       }
+
+       return 1;
+}
+
+int
+pkcs11_addProvider (
+       const char * const provider,
+       const int fProtectedAuthentication,
+       const char * const sign_mode,
+       const int fCertIsPrivate
+) {
+       unsigned maskSignMode = 0;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (provider != NULL);
+       PKCS11H_ASSERT (sign_mode != NULL);
+
+       debug3 (
+               "PKCS#11: pkcs11_addProvider - entered - provider='%s', fProtectedAuthentication=%d, sign_mode='%s', fCertIsPrivate=%d",
+               provider,
+               fProtectedAuthentication ? 1 : 0,
+               sign_mode == NULL ? "default" : sign_mode,
+               fCertIsPrivate ? 1 : 0
+       );
+
+       debug (
+               "PKCS#11: Adding PKCS#11 provider '%s'",
+               provider
+       );
+
+       if (rv == CKR_OK) {
+               if (sign_mode == NULL || !strcmp (sign_mode, "auto")) {
+                       maskSignMode = 0;
+               }
+               else if (!strcmp (sign_mode, "sign")) {
+                       maskSignMode = PKCS11H_SIGNMODE_MASK_SIGN;
+               }
+               else if (!strcmp (sign_mode, "recover")) {
+                       maskSignMode = PKCS11H_SIGNMODE_MASK_RECOVER;
+               }
+               else if (!strcmp (sign_mode, "any")) {
+                       maskSignMode = (
+                               PKCS11H_SIGNMODE_MASK_SIGN |
+                               PKCS11H_SIGNMODE_MASK_RECOVER
+                       );
+               }
+               else {
+                       error ("PKCS#11: Invalid sign mode '%s'", sign_mode);
+                       rv = CKR_ARGUMENTS_BAD;
+               }
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_addProvider (
+                       provider,
+                       provider,
+                       fProtectedAuthentication,
+                       maskSignMode,
+                       PKCS11H_SLOTEVENT_METHOD_AUTO,
+                       0,
+                       fCertIsPrivate
+               )) != CKR_OK
+       ) {
+               error ("PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage (rv));
+       }
+
+       debug3 (
+               "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv == CKR_OK;
+}
+
+pkcs11_identity *
+pkcs11_identity_new () {
+       pkcs11_identity *id = xmalloc (sizeof (struct pkcs11_identity_s));
+       if (id != NULL) {
+               memset (id, 0, sizeof (struct pkcs11_identity_s));
+       }
+       return id;
+}
+
+void
+pkcs11_identity_free (
+       const pkcs11_identity * const id
+) {
+       if (id != NULL) {
+               xfree ((void *)id);
+       }
+}
+
+void
+pkcs11_getKey (
+       IN const pkcs11_identity * const id,
+       OUT Key ** const sshkey,
+       OUT char * const szComment,
+       IN const int nCommentMax
+) {
+       X509 *x509 = NULL;
+       RSA *rsa = NULL;
+       pkcs11h_certificate_id_t certificate_id = NULL;
+       pkcs11h_certificate_t certificate = NULL;
+       pkcs11h_openssl_session_t openssl_session = NULL;
+       size_t temp;
+       CK_RV rv = CKR_OK;
+
+       int fOK = TRUE;
+
+       debug3 (
+               "PKCS#11: pkcs11_getKey - entered - id=%p, sshkey=%p, szComment=%p, nCommentMax=%d",
+               (void *)id,
+               (void *)sshkey,
+               (void *)szComment,
+               nCommentMax
+       );
+
+       PKCS11H_ASSERT (id != NULL);
+       PKCS11H_ASSERT (sshkey!=NULL);
+       PKCS11H_ASSERT (szComment!=NULL);
+
+       debug3 (
+               "PKCS#11: pkcs11_getKey - id - id=%s, pin_cache_period=%d, cert_file=%s",
+               id->id,
+               id->pin_cache_period,
+               id->cert_file
+       );
+
+       PKCS11H_ASSERT (id->id);
+
+       if (
+               fOK &&
+               pkcs11h_certificate_deserializeCertificateId (&certificate_id, id->id)
+       ) {
+               fOK = FALSE;
+               error ("PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               fOK &&
+               id->cert_file != NULL &&
+               id->cert_file[0] != '\x0' 
+       ) {
+               X509 *x509 = NULL;
+               unsigned char *p = NULL;
+               unsigned char *certificate_blob = NULL;
+               size_t certificate_blob_size = 0;
+               FILE *fp = NULL;
+
+               if (
+                       fOK &&
+                       (fp = fopen (id->cert_file, "r")) == NULL
+               ) {
+                       fOK = FALSE;
+                       error ("PKCS#11: Cannot open file '%s'", id->cert_file);
+               }
+
+               if (
+                       fOK &&
+                       !PEM_read_X509 (
+                               fp,
+                               &x509,
+                               NULL,
+                               0
+                       )
+               ) {
+                       x509 = NULL;
+                       fOK = FALSE;
+                       error ("PKCS#11: Cannot read PEM from file '%s'", id->cert_file);
+               }
+
+               if (
+                       fOK &&
+                       (certificate_blob_size = i2d_X509 (x509, NULL)) < 0
+               ) {
+                       fOK = FALSE;
+                       error ("PKCS#11: Cannot read decode certificate");
+               }
+
+               if (
+                       fOK &&
+                       (certificate_blob = (unsigned char *)xmalloc (certificate_blob_size)) == NULL
+               ) {
+                       fOK = FALSE;
+                       error ("PKCS#11: Cannot allocate memory");
+               }
+
+               /*
+                * i2d_X509 increments p!!!
+                */
+               p = certificate_blob;
+
+               if (
+                       fOK &&
+                       (certificate_blob_size = i2d_X509 (x509, &p)) < 0
+               ) {
+                       fOK = FALSE;
+                       error ("PKCS#11: Cannot read decode certificate");
+               }
+
+               if (
+                       fOK &&
+                       pkcs11h_certificate_setCertificateIdCertificateBlob (
+                               certificate_id,
+                               certificate_blob,
+                               certificate_blob_size
+                       ) != CKR_OK
+               ) {
+                       fOK = FALSE;
+                       error ("PKCS#11: Cannot set certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
+               }
+
+               if (x509 != NULL) {
+                       X509_free (x509);
+                       x509 = NULL;
+               }
+
+               if (certificate_blob != NULL) {
+                       xfree (certificate_blob);
+                       certificate_blob = NULL;
+               }
+
+               if (fp != NULL) {
+                       fclose (fp);
+                       fp = NULL;
+               }
+       }
+
+       if (
+               fOK &&
+               (rv = pkcs11h_certificate_create (
+                       certificate_id,
+                       NULL,
+                       PKCS11H_PROMPT_MASK_ALLOW_ALL,
+                       id->pin_cache_period,
+                       &certificate
+               )) != CKR_OK
+       ) {
+               fOK = FALSE;
+               error ("PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (certificate_id != NULL){
+               pkcs11h_certificate_freeCertificateId (certificate_id);
+               certificate_id = NULL;
+       }
+
+       /*
+        * Is called so next certificate_id will
+        * contain a proper description
+        */
+       if (
+               fOK &&
+               (rv = pkcs11h_certificate_getCertificateBlob (
+                       certificate,
+                       NULL,
+                       &temp
+               )) != CKR_OK
+       ) {
+               fOK = FALSE;
+               error ("PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               fOK &&
+               (rv = pkcs11h_certificate_getCertificateId (
+                       certificate,
+                       &certificate_id
+               )) != CKR_OK
+       ) {
+               fOK = FALSE;
+               error ("PKCS#11: Cannot get certificate_id %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (fOK) {
+               strncpy (szComment, certificate_id->displayName, nCommentMax);
+               szComment[nCommentMax - 1] = '\0';
+       }
+
+       if (
+               fOK &&
+               (openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL
+       ) {
+               fOK = FALSE;
+               error ("PKCS#11: Cannot initialize openssl session");
+       }
+
+       if (fOK) {
+               /*
+                * will be release by openssl_session
+                */
+               certificate = NULL;
+       }
+
+       if (
+               fOK &&
+               (rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL
+       ) {
+               fOK = FALSE;
+               error ("PKCS#11: Unable get rsa object");
+       }
+
+       if (
+               fOK &&
+               (x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL
+       ) {
+               fOK = FALSE;
+               error ("PKCS#11: Unable get certificate object");
+       }
+
+       if (fOK) {
+               *sshkey = key_new_private (KEY_UNSPEC);
+               (*sshkey)->rsa = rsa;
+               rsa = NULL;
+#if defined(SSH_PKCS11_X509_DISABLED)
+               (*sshkey)->type = KEY_RSA;
+#else
+               (*sshkey)->type = KEY_X509_RSA;
+               (*sshkey)->x509 = x509;
+               x509 = NULL;
+#endif
+       }
+
+       if (x509 != NULL) {
+               X509_free (x509);
+               x509 = NULL;
+       }
+
+       if (openssl_session != NULL) {
+               pkcs11h_openssl_freeSession (openssl_session);
+               openssl_session = NULL;
+       }
+
+       if (certificate != NULL) {
+               pkcs11h_certificate_freeCertificate (certificate);
+               certificate = NULL;
+       }
+
+       if (certificate_id != NULL) {
+               pkcs11h_certificate_freeCertificateId (certificate_id);
+               certificate_id = NULL;
+       }
+
+       debug3 (
+               "PKCS#11: pkcs11_getKey - return fOK=%d, rv=%ld",
+               fOK ? 1 : 0,
+               rv
+       );
+}
+
+void
+pkcs11_show_ids (
+       const char * const provider,
+       int allow_protected_auth,
+       int cert_is_private
+) {
+       pkcs11h_certificate_id_list_t user_certificates = NULL;
+       pkcs11h_certificate_id_list_t current = NULL;
+       CK_RV rv = CKR_OK;
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_initialize ();
+       }
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL);
+       }
+
+       if (rv == CKR_OK) {
+               pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
+       }
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt_cli, NULL);
+       }
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_setProtectedAuthentication (TRUE);
+       }
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_addProvider (
+                       provider,
+                       provider,
+                       allow_protected_auth ? TRUE : FALSE,
+                       0,
+                       FALSE,
+                       0,
+                       cert_is_private ? TRUE : FALSE
+               );
+       }
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_certificate_enumCertificateIds (
+                       PKCS11H_ENUM_METHOD_CACHE_EXIST,
+                       NULL,
+                       PKCS11H_PROMPT_MASK_ALLOW_ALL,
+                       NULL,
+                       &user_certificates
+               );
+       }
+
+       for (current = user_certificates; rv == CKR_OK && current != NULL; current = current->next) {
+               pkcs11h_certificate_t certificate = NULL;
+               X509 *x509 = NULL;
+               char dn[1024] = {0};
+               char *ser = NULL;
+               char *ssh_key = NULL;
+               size_t ser_len = 0;
+
+               if (rv == CKR_OK) {
+                       rv = pkcs11h_certificate_serializeCertificateId (NULL, &ser_len, current->certificate_id);
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       (ser = (char *)xmalloc (ser_len)) == NULL
+               ) {
+                       rv = CKR_HOST_MEMORY;
+               }
+
+               if (rv == CKR_OK) {
+                       rv = pkcs11h_certificate_serializeCertificateId (ser, &ser_len, current->certificate_id);
+               }
+
+               if (rv == CKR_OK) {
+                       rv = pkcs11h_certificate_create (
+                               current->certificate_id,
+                               NULL,
+                               PKCS11H_PROMPT_MASK_ALLOW_ALL,
+                               PKCS11H_PIN_CACHE_INFINITE,
+                               &certificate
+                       );
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       (x509 = pkcs11h_openssl_getX509 (certificate)) == NULL
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+
+               if (rv == CKR_OK) {
+                       X509_NAME_oneline (
+                               X509_get_subject_name (x509),
+                               dn,
+                               sizeof (dn)
+                       );
+                       printf (
+                               (
+                                       "\n"
+                                       "********************************************\n"
+                                       "IDENTITY:\n"
+                                       "        DN:            %s\n"
+                                       "        Serialized id: %s\n"
+                                       "\n"
+                                       "        Certificate:\n"
+                               ),
+                               dn,
+                               ser
+                       );
+                       PEM_write_X509 (stdout, x509);
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       (ssh_key = ssh_from_x509 (x509)) != NULL
+               ) {
+                       printf (
+                               (
+                                       "\n"
+                                       "        SSH:\n"
+                                       "%s\n"
+                               ),
+                               ssh_key
+                       );
+
+                       xfree (ssh_key);
+               }
+
+               if (x509 != NULL) {
+                       X509_free (x509);
+                       x509 = NULL;
+               }
+
+               if (certificate != NULL) {
+                       pkcs11h_certificate_freeCertificate (certificate);
+                       certificate = NULL;
+               }
+
+               if (ser != NULL) {
+                       xfree (ser);
+                       ser = NULL;
+               }
+
+               /*
+                * Ignore error
+                */
+               if (rv != CKR_OK) {
+                       error ("PKCS#11: Failed to get id %ld-'%s'", rv, pkcs11h_getMessage (rv));
+                       rv = CKR_OK;
+               }
+       }
+
+       if (user_certificates != NULL) {
+               pkcs11h_certificate_freeCertificateIdList (user_certificates);
+               user_certificates = NULL;
+       }
+
+       pkcs11h_terminate ();
+}
+
+void
+pkcs11_dump_slots (
+       const char * const provider
+) {
+       pkcs11h_standalone_dump_slots (
+               _pkcs11_ssh_print,
+               NULL,
+               provider
+       );
+}
+
+void
+pkcs11_dump_objects (
+       const char * const provider,
+       const char * const slot,
+       const char * const pin
+) {
+       pkcs11h_standalone_dump_objects (
+               _pkcs11_ssh_print,
+               NULL,
+               provider,
+               slot,
+               pin
+       );
+}
+
+/*
+ * The ssh_from_x509 is dirived of Tatu and Markus work.
+ *
+ * Copyright (c) 2006 Alon bar-Lev <alon.barlev@gmail.com>.  All rights reserved.
+ * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ */
+
+#define PUT_32BIT(cp, value) ( \
+       (cp)[0] = (value) >> 24, \
+       (cp)[1] = (value) >> 16, \
+       (cp)[2] = (value) >> 8, \
+       (cp)[3] = (value) )
+
+static
+char *
+ssh_from_x509 (X509 *x509) {
+
+       EVP_PKEY *pubkey = NULL;
+       BIO *bio = NULL, *bio2 = NULL, *bio64 = NULL;
+       unsigned char *blob = NULL, *buffer = NULL;
+       char *ret = NULL;
+       int blobsize = 0, retsize = 0;
+       int bytes_name = 0, bytes_exponent = 0, bytes_modulus = 0;
+       unsigned char *bp;
+       char *p;
+       int n;
+       const char *keyname = NULL;
+       int ok = 1;
+
+       if (ok && (pubkey = X509_get_pubkey (x509)) == NULL) {
+               ok = 0;
+       }
+
+       if (ok && (bio64 = BIO_new (BIO_f_base64 ())) == NULL) {
+               ok = 0;
+       }
+
+       if (ok && (bio = BIO_new (BIO_s_mem ())) == NULL) {
+               ok = 0;
+       }
+
+       if (ok && (bio2 = BIO_push (bio64, bio)) == NULL) {
+               ok = 0;
+       }
+
+       if (ok && pubkey->type != EVP_PKEY_RSA) {
+               ok = 0;
+       }
+
+       if (ok) {
+               keyname = "ssh-rsa";
+       }
+
+       if (ok) {
+               bytes_name = strlen (keyname);
+               bytes_exponent = BN_num_bytes (pubkey->pkey.rsa->e);
+               bytes_modulus = BN_num_bytes (pubkey->pkey.rsa->n);
+               
+               blobsize = (
+                       4 + bytes_name +
+                       4 + (bytes_exponent + 1) +
+                       4 + (bytes_modulus + 1) +
+                       1
+               );
+       }
+ 
+       if (ok && (blob = (unsigned char *)xmalloc (blobsize)) == NULL) {
+               ok = 0;
+       }
+
+       if (ok && (buffer = (unsigned char *)xmalloc (blobsize)) == NULL) {
+               ok = 0;
+       }
+
+       if (ok) {
+               bp = blob;
+               
+               PUT_32BIT (bp, bytes_name), bp += 4;
+               memcpy (bp, keyname, bytes_name), bp += bytes_name;
+
+               BN_bn2bin (pubkey->pkey.rsa->e, buffer);
+               if (buffer[0] & 0x80) {
+                       // highest bit set would indicate a negative number.
+                       // to avoid this, we have to spend an extra byte:
+                       PUT_32BIT (bp, bytes_exponent+1), bp += 4;
+                       *(bp++) = 0;
+               } else {
+                       PUT_32BIT (bp, bytes_exponent), bp += 4;
+               }
+               memcpy (bp, buffer, bytes_exponent), bp += bytes_exponent;
+                       
+               BN_bn2bin (pubkey->pkey.rsa->n, buffer);
+               if (buffer[0] & 0x80) {
+                       PUT_32BIT (bp, bytes_modulus+1), bp += 4;
+                       *(bp++) = 0;
+               } else {
+                       PUT_32BIT( bp, bytes_modulus ), bp += 4;
+               }
+               memcpy (bp, buffer, bytes_modulus), bp += bytes_modulus;
+       }
+
+
+       if (ok && BIO_write (bio2, blob, bp-blob) == -1) {
+               ok = 0;
+       }
+
+       if (ok && BIO_flush (bio2) == -1) {
+               ok = 0;
+       }
+
+       /*
+        * Allocate the newline too... We will remove them later
+        * For MS, allocate return as well.
+        */
+       if (ok) {
+               retsize = strlen (keyname) + 1 + (blobsize * 4 / 3) + (blobsize * 2 / 50) + 10 + 1;
+       }
+
+       if (ok && (ret = xmalloc (retsize)) == NULL) {
+               ok = 0;
+       }
+       
+       if (ok) {
+               strcpy (ret, keyname);
+               strcat (ret, " ");
+       }
+
+       if (ok && (n = BIO_read (bio, ret + strlen (ret), retsize - strlen (ret) - 1)) == -1) {
+               ok = 0;
+       }
+
+       if (ok) {
+               ret[strlen (keyname) + 1 + n] = '\x0';
+       }
+
+       if (ok) {
+               while ((p = strchr (ret, '\n')) != NULL) {
+                       memmove (p, p+1, strlen (p)+1);
+               }
+               while ((p = strchr (ret, '\r')) != NULL) {
+                       memmove (p, p+1, strlen (p)+1);
+               }
+
+       }
+
+       if (bio != NULL) {
+               BIO_free_all (bio);
+               bio = NULL;
+       }
+
+       if (pubkey != NULL) {
+               EVP_PKEY_free (pubkey);
+               pubkey = NULL;
+       }
+
+       if (buffer != NULL) {
+               xfree (buffer);
+               buffer = NULL;
+       }
+
+       if (blob != NULL) {
+               xfree (blob);
+               blob = NULL;
+       }
+
+       if (!ok) {
+               if (ret != NULL) {
+                       xfree (ret);
+                       ret = NULL;
+               }
+       }
+       
+       return ret;
+}
+
+#else
+static void dummy (void) {}
+#endif /* SSH_PKCS11_DISABLED */
diff -urNp openssh-4.4p1/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11.h
--- openssh-4.4p1/pkcs11.h      1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11.h  2006-10-12 13:55:28.000000000 +0200
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SSH_PKCS11_H
+#define SSH_PKCS11_H
+
+#if !defined(SSH_PKCS11_DISABLED)
+
+#include "key.h"
+
+typedef struct pkcs11_identity_s {
+       char *id;
+       int pin_cache_period;
+       char *cert_file;
+} pkcs11_identity;
+
+int
+pkcs11_initialize (
+       const int fProtectedAuthentication,
+       const int nPINCachePeriod
+);
+
+void
+pkcs11_terminate ();
+
+void
+pkcs11_forkFix ();
+
+int
+pkcs11_setAskPIN (
+       const char * const pin_prog
+);
+
+int
+pkcs11_addProvider (
+       const char * const provider,
+       const int fProtectedAuthentication,
+       const char * const sign_mode,
+       const int fCertIsPrivate
+);
+
+pkcs11_identity *
+pkcs11_identity_new ();
+
+void
+pkcs11_identity_free (
+       const pkcs11_identity * const id
+);
+
+void
+pkcs11_getKey (
+       const pkcs11_identity * const id,
+       Key ** const sshkey,
+       char * const szComment,
+       const int nCommentMax
+);
+
+void
+pkcs11_show_ids (
+       const char * const provider,
+       int allow_protected_auth,
+       int cert_is_private
+);
+
+void
+pkcs11_dump_slots (
+       const char * const provider
+);
+
+void
+pkcs11_dump_objects (
+       const char * const provider,
+       const char * const slot,
+       const char * const pin
+);
+       
+#endif                 /* SSH_PKCS11_DISABLED */
+
+#endif                 /* OPENSSH_PKCS11_H */
diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11f.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h
--- openssh-4.4p1/pkcs11-headers/pkcs11f.h      1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h  2006-09-28 08:05:35.000000000 +0300
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+/* $Revision: 1.4 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This header file contains pretty much everything about all the */
+/* Cryptoki function prototypes.  Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+  CK_SLOT_ID      slotID,    /* ID of the token's slot */
+  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
+  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ *  cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session
+                                                     * handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
+                                                     * mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
+                                                     * for pub.
+                                                     * key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
+                                                     * attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
+                                                     * for priv.
+                                                     * key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
+                                                     * attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
+                                                     * key
+                                                     * handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
+                                                     * priv. key
+                                                     * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for Cryptoki Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h
--- openssh-4.4p1/pkcs11-headers/pkcs11.h       1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h   2006-09-28 08:05:35.000000000 +0300
@@ -0,0 +1,299 @@
+/* pkcs11.h include file for PKCS #11. */
+/* $Revision: 1.4 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for Cryptoki structures should be set.  The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this.  You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable Cryptoki library function definition out of a
+ * return type and a function name.  It should be used in the
+ * following fashion to define the exposed Cryptoki functions in
+ * a Cryptoki library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * )
+ * {
+ *   ...
+ * }
+ *
+ * If you're using Microsoft Developer Studio 5.0 to define a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllexport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to define a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y)      x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+  
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11t.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h
--- openssh-4.4p1/pkcs11-headers/pkcs11t.h      1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h  2006-09-28 08:05:35.000000000 +0300
@@ -0,0 +1,1685 @@
+/* pkcs11t.h include file for PKCS #11. */
+/* $Revision: 1.6 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file. */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE    0
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+  /* manufacturerID and libraryDecription have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+
+  /* libraryDescription and libraryVersion are new for v2.0 */
+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER       0
+
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+  /* slotDescription and manufacturerID have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  /* hardwareVersion and firmwareVersion are new for v2.0 */
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+  /* label, manufacturerID, and model have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   label[32];           /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_UTF8CHAR   model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+   * changed from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+
+  /* hardwareVersion, firmwareVersion, and time are new for
+   * v2.0 */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning
+ */
+#define CKF_RNG                     0x00000001  /* has random #
+                                                 * generator */
+#define CKF_WRITE_PROTECTED         0x00000002  /* token is
+                                                 * write-
+                                                 * protected */
+#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
+                                                 * login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
+                                                 * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN          0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED       0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+ * true, the token supports secondary authentication for
+ * private key objects. This flag is deprecated in v2.11 and
+   onwards. */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED          0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED            0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO    0
+/* Normal user */
+#define CKU_USER  1
+/* Context specific (added in v2.20) */
+#define CKU_CONTEXT_SPECIFIC   2
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION  0
+#define CKS_RO_USER_FUNCTIONS  1
+#define CKS_RW_PUBLIC_SESSION  2
+#define CKS_RW_USER_FUNCTIONS  3
+#define CKS_RW_SO_FUNCTIONS    4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+
+  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002  /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object  */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes.  It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+/* CKO_MECHANISM is new for v2.20 */
+#define CKO_DATA              0x00000000
+#define CKO_CERTIFICATE       0x00000001
+#define CKO_PUBLIC_KEY        0x00000002
+#define CKO_PRIVATE_KEY       0x00000003
+#define CKO_SECRET_KEY        0x00000004
+#define CKO_HW_FEATURE        0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_MECHANISM         0x00000007
+#define CKO_VENDOR_DEFINED    0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+/* CKH_USER_INTERFACE is new for v2.20 */
+#define CKH_MONOTONIC_COUNTER  0x00000001
+#define CKH_CLOCK           0x00000002
+#define CKH_USER_INTERFACE  0x00000003
+#define CKH_VENDOR_DEFINED  0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA             0x00000000
+#define CKK_DSA             0x00000001
+#define CKK_DH              0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
+#define CKK_ECDSA           0x00000003
+#define CKK_EC              0x00000003
+#define CKK_X9_42_DH        0x00000004
+#define CKK_KEA             0x00000005
+
+#define CKK_GENERIC_SECRET  0x00000010
+#define CKK_RC2             0x00000011
+#define CKK_RC4             0x00000012
+#define CKK_DES             0x00000013
+#define CKK_DES2            0x00000014
+#define CKK_DES3            0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST            0x00000016
+#define CKK_CAST3           0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
+#define CKK_CAST5           0x00000018
+#define CKK_CAST128         0x00000018
+#define CKK_RC5             0x00000019
+#define CKK_IDEA            0x0000001A
+#define CKK_SKIPJACK        0x0000001B
+#define CKK_BATON           0x0000001C
+#define CKK_JUNIPER         0x0000001D
+#define CKK_CDMF            0x0000001E
+#define CKK_AES             0x0000001F
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKK_BLOWFISH        0x00000020
+#define CKK_TWOFISH         0x00000021
+
+#define CKK_VENDOR_DEFINED  0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+/* CKC_WTLS is new for v2.20 */
+#define CKC_X_509           0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_WTLS            0x00000002
+#define CKC_VENDOR_DEFINED  0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+   consists of an array of values. */
+#define CKF_ARRAY_ATTRIBUTE    0x40000000
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000
+#define CKA_TOKEN              0x00000001
+#define CKA_PRIVATE            0x00000002
+#define CKA_LABEL              0x00000003
+#define CKA_APPLICATION        0x00000010
+#define CKA_VALUE              0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID          0x00000012
+
+#define CKA_CERTIFICATE_TYPE   0x00000080
+#define CKA_ISSUER             0x00000081
+#define CKA_SERIAL_NUMBER      0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
+ * for v2.10 */
+#define CKA_AC_ISSUER          0x00000083
+#define CKA_OWNER              0x00000084
+#define CKA_ATTR_TYPES         0x00000085
+
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED            0x00000086
+
+/* CKA_CERTIFICATE_CATEGORY ...
+ * CKA_CHECK_VALUE are new for v2.20 */
+#define CKA_CERTIFICATE_CATEGORY        0x00000087
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
+#define CKA_URL                         0x00000089
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
+#define CKA_CHECK_VALUE                 0x00000090
+
+#define CKA_KEY_TYPE           0x00000100
+#define CKA_SUBJECT            0x00000101
+#define CKA_ID                 0x00000102
+#define CKA_SENSITIVE          0x00000103
+#define CKA_ENCRYPT            0x00000104
+#define CKA_DECRYPT            0x00000105
+#define CKA_WRAP               0x00000106
+#define CKA_UNWRAP             0x00000107
+#define CKA_SIGN               0x00000108
+#define CKA_SIGN_RECOVER       0x00000109
+#define CKA_VERIFY             0x0000010A
+#define CKA_VERIFY_RECOVER     0x0000010B
+#define CKA_DERIVE             0x0000010C
+#define CKA_START_DATE         0x00000110
+#define CKA_END_DATE           0x00000111
+#define CKA_MODULUS            0x00000120
+#define CKA_MODULUS_BITS       0x00000121
+#define CKA_PUBLIC_EXPONENT    0x00000122
+#define CKA_PRIVATE_EXPONENT   0x00000123
+#define CKA_PRIME_1            0x00000124
+#define CKA_PRIME_2            0x00000125
+#define CKA_EXPONENT_1         0x00000126
+#define CKA_EXPONENT_2         0x00000127
+#define CKA_COEFFICIENT        0x00000128
+#define CKA_PRIME              0x00000130
+#define CKA_SUBPRIME           0x00000131
+#define CKA_BASE               0x00000132
+
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS         0x00000133
+#define CKA_SUBPRIME_BITS      0x00000134
+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
+/* (To retain backwards-compatibility) */
+
+#define CKA_VALUE_BITS         0x00000160
+#define CKA_VALUE_LEN          0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE        0x00000162
+#define CKA_LOCAL              0x00000163
+#define CKA_NEVER_EXTRACTABLE  0x00000164
+#define CKA_ALWAYS_SENSITIVE   0x00000165
+
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM  0x00000166
+
+#define CKA_MODIFIABLE         0x00000170
+
+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
+ * CKA_EC_PARAMS is preferred. */
+#define CKA_ECDSA_PARAMS       0x00000180
+#define CKA_EC_PARAMS          0x00000180
+
+#define CKA_EC_POINT           0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ * are new for v2.10. Deprecated in v2.11 and onwards. */
+#define CKA_SECONDARY_AUTH     0x00000200
+#define CKA_AUTH_PIN_FLAGS     0x00000201
+
+/* CKA_ALWAYS_AUTHENTICATE ...
+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
+#define CKA_ALWAYS_AUTHENTICATE  0x00000202
+
+#define CKA_WRAP_WITH_TRUSTED    0x00000210
+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
+
+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_HW_FEATURE_TYPE    0x00000300
+#define CKA_RESET_ON_INIT      0x00000301
+#define CKA_HAS_RESET          0x00000302
+
+/* The following attributes are new for v2.20 */
+#define CKA_PIXEL_X                     0x00000400
+#define CKA_PIXEL_Y                     0x00000401
+#define CKA_RESOLUTION                  0x00000402
+#define CKA_CHAR_ROWS                   0x00000403
+#define CKA_CHAR_COLUMNS                0x00000404
+#define CKA_COLOR                       0x00000405
+#define CKA_BITS_PER_PIXEL              0x00000406
+#define CKA_CHAR_SETS                   0x00000480
+#define CKA_ENCODING_METHODS            0x00000481
+#define CKA_MIME_TYPES                  0x00000482
+#define CKA_MECHANISM_TYPE              0x00000500
+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
+
+#define CKA_VENDOR_DEFINED     0x80000000
+
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+
+  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
+#define CKM_RSA_PKCS                   0x00000001
+#define CKM_RSA_9796                   0x00000002
+#define CKM_RSA_X_509                  0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0.  They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS               0x00000004
+#define CKM_MD5_RSA_PKCS               0x00000005
+#define CKM_SHA1_RSA_PKCS              0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008
+#define CKM_RSA_PKCS_OAEP              0x00000009
+
+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
+#define CKM_RSA_X9_31                  0x0000000B
+#define CKM_SHA1_RSA_X9_31             0x0000000C
+#define CKM_RSA_PKCS_PSS               0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
+#define CKM_DSA                        0x00000011
+#define CKM_DSA_SHA1                   0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
+#define CKM_DH_PKCS_DERIVE             0x00000021
+
+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
+ * v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
+#define CKM_X9_42_DH_DERIVE            0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
+#define CKM_X9_42_MQV_DERIVE           0x00000033
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_RSA_PKCS            0x00000040
+#define CKM_SHA384_RSA_PKCS            0x00000041
+#define CKM_SHA512_RSA_PKCS            0x00000042
+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
+
+#define CKM_RC2_KEY_GEN                0x00000100
+#define CKM_RC2_ECB                    0x00000101
+#define CKM_RC2_CBC                    0x00000102
+#define CKM_RC2_MAC                    0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL            0x00000104
+#define CKM_RC2_CBC_PAD                0x00000105
+
+#define CKM_RC4_KEY_GEN                0x00000110
+#define CKM_RC4                        0x00000111
+#define CKM_DES_KEY_GEN                0x00000120
+#define CKM_DES_ECB                    0x00000121
+#define CKM_DES_CBC                    0x00000122
+#define CKM_DES_MAC                    0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL            0x00000124
+#define CKM_DES_CBC_PAD                0x00000125
+
+#define CKM_DES2_KEY_GEN               0x00000130
+#define CKM_DES3_KEY_GEN               0x00000131
+#define CKM_DES3_ECB                   0x00000132
+#define CKM_DES3_CBC                   0x00000133
+#define CKM_DES3_MAC                   0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL           0x00000135
+#define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_CDMF_KEY_GEN               0x00000140
+#define CKM_CDMF_ECB                   0x00000141
+#define CKM_CDMF_CBC                   0x00000142
+#define CKM_CDMF_MAC                   0x00000143
+#define CKM_CDMF_MAC_GENERAL           0x00000144
+#define CKM_CDMF_CBC_PAD               0x00000145
+
+/* the following four DES mechanisms are new for v2.20 */
+#define CKM_DES_OFB64                  0x00000150
+#define CKM_DES_OFB8                   0x00000151
+#define CKM_DES_CFB64                  0x00000152
+#define CKM_DES_CFB8                   0x00000153
+
+#define CKM_MD2                        0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC                   0x00000201
+#define CKM_MD2_HMAC_GENERAL           0x00000202
+
+#define CKM_MD5                        0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC                   0x00000211
+#define CKM_MD5_HMAC_GENERAL           0x00000212
+
+#define CKM_SHA_1                      0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC                 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128                  0x00000230
+#define CKM_RIPEMD128_HMAC             0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
+#define CKM_RIPEMD160                  0x00000240
+#define CKM_RIPEMD160_HMAC             0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256                     0x00000250
+#define CKM_SHA256_HMAC                0x00000251
+#define CKM_SHA256_HMAC_GENERAL        0x00000252
+#define CKM_SHA384                     0x00000260
+#define CKM_SHA384_HMAC                0x00000261
+#define CKM_SHA384_HMAC_GENERAL        0x00000262
+#define CKM_SHA512                     0x00000270
+#define CKM_SHA512_HMAC                0x00000271
+#define CKM_SHA512_HMAC_GENERAL        0x00000272
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN               0x00000300
+#define CKM_CAST_ECB                   0x00000301
+#define CKM_CAST_CBC                   0x00000302
+#define CKM_CAST_MAC                   0x00000303
+#define CKM_CAST_MAC_GENERAL           0x00000304
+#define CKM_CAST_CBC_PAD               0x00000305
+#define CKM_CAST3_KEY_GEN              0x00000310
+#define CKM_CAST3_ECB                  0x00000311
+#define CKM_CAST3_CBC                  0x00000312
+#define CKM_CAST3_MAC                  0x00000313
+#define CKM_CAST3_MAC_GENERAL          0x00000314
+#define CKM_CAST3_CBC_PAD              0x00000315
+#define CKM_CAST5_KEY_GEN              0x00000320
+#define CKM_CAST128_KEY_GEN            0x00000320
+#define CKM_CAST5_ECB                  0x00000321
+#define CKM_CAST128_ECB                0x00000321
+#define CKM_CAST5_CBC                  0x00000322
+#define CKM_CAST128_CBC                0x00000322
+#define CKM_CAST5_MAC                  0x00000323
+#define CKM_CAST128_MAC                0x00000323
+#define CKM_CAST5_MAC_GENERAL          0x00000324
+#define CKM_CAST128_MAC_GENERAL        0x00000324
+#define CKM_CAST5_CBC_PAD              0x00000325
+#define CKM_CAST128_CBC_PAD            0x00000325
+#define CKM_RC5_KEY_GEN                0x00000330
+#define CKM_RC5_ECB                    0x00000331
+#define CKM_RC5_CBC                    0x00000332
+#define CKM_RC5_MAC                    0x00000333
+#define CKM_RC5_MAC_GENERAL            0x00000334
+#define CKM_RC5_CBC_PAD                0x00000335
+#define CKM_IDEA_KEY_GEN               0x00000340
+#define CKM_IDEA_ECB                   0x00000341
+#define CKM_IDEA_CBC                   0x00000342
+#define CKM_IDEA_MAC                   0x00000343
+#define CKM_IDEA_MAC_GENERAL           0x00000344
+#define CKM_IDEA_CBC_PAD               0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
+#define CKM_XOR_BASE_AND_DATA          0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
+
+/* CKM_TLS_PRF is new for v2.20 */
+#define CKM_TLS_PRF                    0x00000378
+
+#define CKM_SSL3_MD5_MAC               0x00000380
+#define CKM_SSL3_SHA1_MAC              0x00000381
+#define CKM_MD5_KEY_DERIVATION         0x00000390
+#define CKM_MD2_KEY_DERIVATION         0x00000391
+#define CKM_SHA1_KEY_DERIVATION        0x00000392
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_KEY_DERIVATION      0x00000393
+#define CKM_SHA384_KEY_DERIVATION      0x00000394
+#define CKM_SHA512_KEY_DERIVATION      0x00000395
+
+#define CKM_PBE_MD2_DES_CBC            0x000003A0
+#define CKM_PBE_MD5_DES_CBC            0x000003A1
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
+#define CKM_PBE_SHA1_RC4_128           0x000003A6
+#define CKM_PBE_SHA1_RC4_40            0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2                0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
+
+/* WTLS mechanisms are new for v2.20 */
+#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
+#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
+#define CKM_WTLS_PRF                        0x000003D3
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
+
+#define CKM_KEY_WRAP_LYNKS             0x00000400
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
+
+/* CKM_CMS_SIG is new for v2.20 */
+#define CKM_CMS_SIG                    0x00000500
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN           0x00001000
+#define CKM_SKIPJACK_ECB64             0x00001001
+#define CKM_SKIPJACK_CBC64             0x00001002
+#define CKM_SKIPJACK_OFB64             0x00001003
+#define CKM_SKIPJACK_CFB64             0x00001004
+#define CKM_SKIPJACK_CFB32             0x00001005
+#define CKM_SKIPJACK_CFB16             0x00001006
+#define CKM_SKIPJACK_CFB8              0x00001007
+#define CKM_SKIPJACK_WRAP              0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
+#define CKM_SKIPJACK_RELAYX            0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
+#define CKM_KEA_KEY_DERIVE             0x00001011
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
+#define CKM_BATON_KEY_GEN              0x00001030
+#define CKM_BATON_ECB128               0x00001031
+#define CKM_BATON_ECB96                0x00001032
+#define CKM_BATON_CBC128               0x00001033
+#define CKM_BATON_COUNTER              0x00001034
+#define CKM_BATON_SHUFFLE              0x00001035
+#define CKM_BATON_WRAP                 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
+ * CKM_EC_KEY_PAIR_GEN is preferred */
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
+#define CKM_EC_KEY_PAIR_GEN            0x00001040
+
+#define CKM_ECDSA                      0x00001041
+#define CKM_ECDSA_SHA1                 0x00001042
+
+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
+ * are new for v2.11 */
+#define CKM_ECDH1_DERIVE               0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
+#define CKM_ECMQV_DERIVE               0x00001052
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060
+#define CKM_JUNIPER_ECB128             0x00001061
+#define CKM_JUNIPER_CBC128             0x00001062
+#define CKM_JUNIPER_COUNTER            0x00001063
+#define CKM_JUNIPER_SHUFFLE            0x00001064
+#define CKM_JUNIPER_WRAP               0x00001065
+#define CKM_FASTHASH                   0x00001070
+
+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
+ * new for v2.11 */
+#define CKM_AES_KEY_GEN                0x00001080
+#define CKM_AES_ECB                    0x00001081
+#define CKM_AES_CBC                    0x00001082
+#define CKM_AES_MAC                    0x00001083
+#define CKM_AES_MAC_GENERAL            0x00001084
+#define CKM_AES_CBC_PAD                0x00001085
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKM_BLOWFISH_KEY_GEN           0x00001090
+#define CKM_BLOWFISH_CBC               0x00001091
+#define CKM_TWOFISH_KEY_GEN            0x00001092
+#define CKM_TWOFISH_CBC                0x00001093
+
+
+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
+#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
+#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
+#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
+#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
+#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
+#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
+
+#define CKM_DSA_PARAMETER_GEN          0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
+
+#define CKM_VENDOR_DEFINED             0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism  */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+
+  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask        Meaning */
+#define CKF_HW                 0x00000001  /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0.  They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT            0x00000100
+#define CKF_DECRYPT            0x00000200
+#define CKF_DIGEST             0x00000400
+#define CKF_SIGN               0x00000800
+#define CKF_SIGN_RECOVER       0x00001000
+#define CKF_VERIFY             0x00002000
+#define CKF_VERIFY_RECOVER     0x00004000
+#define CKF_GENERATE           0x00008000
+#define CKF_GENERATE_KEY_PAIR  0x00010000
+#define CKF_WRAP               0x00020000
+#define CKF_UNWRAP             0x00040000
+#define CKF_DERIVE             0x00080000
+
+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
+ * describe a token's EC capabilities not available in mechanism
+ * information. */
+#define CKF_EC_F_P             0x00100000
+#define CKF_EC_F_2M            0x00200000
+#define CKF_EC_ECPARAMETERS    0x00400000
+#define CKF_EC_NAMEDCURVE      0x00800000
+#define CKF_EC_UNCOMPRESS      0x01000000
+#define CKF_EC_COMPRESS        0x02000000
+
+#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000
+#define CKR_CANCEL                            0x00000001
+#define CKR_HOST_MEMORY                       0x00000002
+#define CKR_SLOT_ID_INVALID                   0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR                     0x00000005
+#define CKR_FUNCTION_FAILED                   0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD                     0x00000007
+#define CKR_NO_EVENT                          0x00000008
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
+#define CKR_CANT_LOCK                         0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+#define CKR_DATA_INVALID                      0x00000020
+#define CKR_DATA_LEN_RANGE                    0x00000021
+#define CKR_DEVICE_ERROR                      0x00000030
+#define CKR_DEVICE_MEMORY                     0x00000031
+#define CKR_DEVICE_REMOVED                    0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
+#define CKR_FUNCTION_CANCELED                 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED                    0x00000064
+#define CKR_KEY_CHANGED                       0x00000065
+#define CKR_KEY_NEEDED                        0x00000066
+#define CKR_KEY_INDIGESTIBLE                  0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
+
+#define CKR_MECHANISM_INVALID                 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
+#define CKR_OPERATION_ACTIVE                  0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
+#define CKR_PIN_INCORRECT                     0x000000A0
+#define CKR_PIN_INVALID                       0x000000A1
+#define CKR_PIN_LEN_RANGE                     0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED                       0x000000A3
+#define CKR_PIN_LOCKED                        0x000000A4
+
+#define CKR_SESSION_CLOSED                    0x000000B0
+#define CKR_SESSION_COUNT                     0x000000B1
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
+#define CKR_SESSION_READ_ONLY                 0x000000B5
+#define CKR_SESSION_EXISTS                    0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
+#define CKR_USER_NOT_LOGGED_IN                0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
+#define CKR_USER_TYPE_INVALID                 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
+#define CKR_USER_TOO_MANY_TYPES               0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG                     0x00000121
+
+/* These are new to v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL                  0x00000150
+#define CKR_SAVED_STATE_INVALID               0x00000160
+#define CKR_INFORMATION_SENSITIVE             0x00000170
+#define CKR_STATE_UNSAVEABLE                  0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
+#define CKR_MUTEX_BAD                         0x000001A0
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
+
+/* This is new to v2.20 */
+#define CKR_FUNCTION_REJECTED                 0x00000200
+
+#define CKR_VENDOR_DEFINED                    0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK                  0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
+ * are new for v2.20 */
+#define CKG_MGF1_SHA1         0x00000001
+#define CKG_MGF1_SHA256       0x00000002
+#define CKG_MGF1_SHA384       0x00000003
+#define CKG_MGF1_SHA512       0x00000004
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED    0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+        CK_MECHANISM_TYPE hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+        CK_VOID_PTR pSourceData;
+        CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s). */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+        CK_MECHANISM_TYPE    hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_ULONG             sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+/* CK_EC_KDF_TYPE is new for v2.11. */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL                 0x00000001
+#define CKD_SHA1_KDF             0x00000002
+
+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+
+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* The following X9.42 DH key derivation functions are defined
+   (besides CKD_NULL already defined : */
+#define CKD_SHA1_KDF_ASN1        0x00000003
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
+
+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[8];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[16];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_BYTE_PTR      pInitVector;
+  CK_UTF8CHAR_PTR  pPassword;
+  CK_ULONG         ulPasswordLen;
+  CK_BYTE_PTR      pSalt;
+  CK_ULONG         ulSaltLen;
+  CK_ULONG         ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
+typedef struct CK_TLS_PRF_PARAMS {
+  CK_BYTE_PTR  pSeed;
+  CK_ULONG     ulSeedLen;
+  CK_BYTE_PTR  pLabel;
+  CK_ULONG     ulLabelLen;
+  CK_BYTE_PTR  pOutput;
+  CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+/* WTLS is new for version 2.20 */
+typedef struct CK_WTLS_RANDOM_DATA {
+  CK_BYTE_PTR pClientRandom;
+  CK_ULONG    ulClientRandomLen;
+  CK_BYTE_PTR pServerRandom;
+  CK_ULONG    ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+  CK_MECHANISM_TYPE   DigestMechanism;
+  CK_WTLS_RANDOM_DATA RandomInfo;
+  CK_BYTE_PTR         pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+  CK_MECHANISM_TYPE DigestMechanism;
+  CK_BYTE_PTR       pSeed;
+  CK_ULONG          ulSeedLen;
+  CK_BYTE_PTR       pLabel;
+  CK_ULONG          ulLabelLen;
+  CK_BYTE_PTR       pOutput;
+  CK_ULONG_PTR      pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hMacSecret;
+  CK_OBJECT_HANDLE hKey;
+  CK_BYTE_PTR      pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+  CK_MECHANISM_TYPE       DigestMechanism;
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_ULONG                ulSequenceNumber;
+  CK_BBOOL                bIsExport;
+  CK_WTLS_RANDOM_DATA     RandomInfo;
+  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+/* CMS is new for version 2.20 */
+typedef struct CK_CMS_SIG_PARAMS {
+  CK_OBJECT_HANDLE      certificateHandle;
+  CK_MECHANISM_PTR      pSigningMechanism;
+  CK_MECHANISM_PTR      pDigestMechanism;
+  CK_UTF8CHAR_PTR       pContentType;
+  CK_BYTE_PTR           pRequestedAttributes;
+  CK_ULONG              ulRequestedAttributesLen;
+  CK_BYTE_PTR           pRequiredAttributes;
+  CK_ULONG              ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED        0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
+        CK_VOID_PTR                                pSaltSourceData;
+        CK_ULONG                                   ulSaltSourceDataLen;
+        CK_ULONG                                   iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR                                pPrfData;
+        CK_ULONG                                   ulPrfDataLen;
+        CK_UTF8CHAR_PTR                            pPassword;
+        CK_ULONG_PTR                               ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+#endif
diff -urNp openssh-4.4p1/pkcs11-helper.c openssh-4.4p1+pkcs11-0.17/pkcs11-helper.c
--- openssh-4.4p1/pkcs11-helper.c       1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11-helper.c   2006-10-22 17:11:50.000000000 +0200
@@ -0,0 +1,11337 @@
+/*
+ * Copyright (c) 2005-2006 Alon Bar-Lev <alon.barlev@gmail.com>
+ * All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, or the OpenIB.org BSD license.
+ *
+ * GNU General Public License (GPL) Version 2
+ * ===========================================
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING[.GPL2] included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * OpenIB.org BSD license
+ * =======================
+ * Redistribution and use in source and binary forms, with or without modifi-
+ * cation, are permitted provided that the following conditions are met:
+ *
+ *   o  Redistributions of source code must retain the above copyright notice,
+ *      this list of conditions and the following disclaimer.
+ *
+ *   o  Redistributions in binary form must reproduce the above copyright no-
+ *      tice, this list of conditions and the following disclaimer in the do-
+ *      cumentation and/or other materials provided with the distribution.
+ *
+ *   o  The names of the contributors may not be used to endorse or promote
+ *      products derived from this software without specific prior written
+ *      permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LI-
+ * ABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN-
+ * TIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV-
+ * ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI-
+ * LITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * The routines in this file deal with providing private key cryptography
+ * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
+ *
+ */
+
+/*
+ * Changelog
+ *
+ * 2006.09.24
+ *     - (alonbl) Fix invalid certificate max size handling (Zeljko Vrba).
+ *     - (alonbl) Added object serialization.
+ *     - (alonbl) Added user data to hooks.
+ *     - (alonbl) Added a force login method.
+ *     - (alonbl) Added support for gnutls in addition to openssl.
+ *     - (alonbl) Fixup threading lock issues.
+ *     - (alonbl) Added support for duplicate serial tokens, based on label.
+ *     - (alonbl) Added workaround for OpenSC cards, OpenSC bug#108, thanks to Kaupo Arulo.
+ *     - (alonbl) Added a methods to lock session between two sign/decrypt operations.
+ *     - (alonbl) Modified openssl interface.
+ *     - (alonbl) Release 01.02.
+ *
+ * 2006.06.26
+ *     - (alonbl) Fix handling mutiple providers.
+ *     - (alonbl) Release 01.01.
+ *
+ * 2006.05.14
+ *     - (alonbl) First stable release.
+ *     - (alonbl) Release 01.00.
+ *
+ */
+
+#include "pkcs11-helper-config.h"
+
+#if defined(ENABLE_PKCS11H_HELPER)
+
+#include "pkcs11-helper.h"
+
+/*===========================================
+ * Constants
+ */
+
+#if defined(USE_PKCS11H_OPENSSL)
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
+# define RSA_get_default_method RSA_get_default_openssl_method
+#else
+# ifdef HAVE_ENGINE_GET_DEFAULT_RSA
+#  include <openssl/engine.h>
+#  if OPENSSL_VERSION_NUMBER < 0x0090704fL
+#   define BROKEN_OPENSSL_ENGINE
+#  endif
+# endif
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#if !defined(RSA_PKCS1_PADDING_SIZE)
+#define RSA_PKCS1_PADDING_SIZE 11
+#endif
+#endif
+
+#endif
+
+#define PKCS11H_INVALID_SLOT_ID                ((CK_SLOT_ID)-1)
+#define PKCS11H_INVALID_SESSION_HANDLE ((CK_SESSION_HANDLE)-1)
+#define PKCS11H_INVALID_OBJECT_HANDLE  ((CK_OBJECT_HANDLE)-1)
+
+#define PKCS11H_DEFAULT_SLOTEVENT_POLL         5000
+#define PKCS11H_DEFAULT_MAX_LOGIN_RETRY                3
+#define PKCS11H_DEFAULT_PIN_CACHE_PERIOD       PKCS11H_PIN_CACHE_INFINITE
+
+#define PKCS11H_SERIALIZE_INVALID_CHARS        "\\/\"'%&#@!?$* <>{}[]()`|"
+
+enum _pkcs11h_private_op_e {
+       _pkcs11h_private_op_sign=0,
+       _pkcs11h_private_op_sign_recover,
+       _pkcs11h_private_op_decrypt
+};
+
+/*===========================================
+ * Macros
+ */
+
+#define PKCS11H_MSG_LEVEL_TEST(flags) (((unsigned int)flags) <= s_pkcs11h_loglevel)
+
+#if defined(HAVE_CPP_VARARG_MACRO_ISO) && !defined(__LCLINT__)
+# define PKCS11H_LOG(flags, ...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), __VA_ARGS__); } while (FALSE)
+# ifdef ENABLE_PKCS11H_DEBUG
+#  define PKCS11H_DEBUG(flags, ...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), __VA_ARGS__); } while (FALSE)
+# else
+#  define PKCS11H_DEBUG(flags, ...)
+# endif
+#elif defined(HAVE_CPP_VARARG_MACRO_GCC) && !defined(__LCLINT__)
+# define PKCS11H_LOG(flags, args...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), args); } while (FALSE)
+# ifdef ENABLE_PKCS11H_DEBUG
+#  define PKCS11H_DEBUG(flags, args...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), args); } while (FALSE)
+# else
+#  define PKCS11H_DEBUG(flags, args...)
+# endif
+#else
+# define PKCS11H_LOG _pkcs11h_log
+# define PKCS11H_DEBUG _pkcs11h_log
+#endif
+
+/*===========================================
+ * Types
+ */
+
+struct pkcs11h_provider_s;
+struct pkcs11h_session_s;
+struct pkcs11h_data_s;
+typedef struct pkcs11h_provider_s *pkcs11h_provider_t;
+typedef struct pkcs11h_session_s *pkcs11h_session_t;
+typedef struct pkcs11h_data_s *pkcs11h_data_t;
+
+#if defined(USE_PKCS11H_OPENSSL)
+
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+typedef unsigned char *pkcs11_openssl_d2i_t;
+#else
+typedef const unsigned char *pkcs11_openssl_d2i_t;
+#endif
+
+#endif
+
+#if defined(ENABLE_PKCS11H_THREADING)
+
+#define PKCS11H_COND_INFINITE  0xffffffff
+
+#if defined(WIN32)
+#define PKCS11H_THREAD_NULL    NULL
+typedef HANDLE pkcs11h_cond_t;
+typedef HANDLE pkcs11h_mutex_t;
+typedef HANDLE pkcs11h_thread_t;
+#else
+#define PKCS11H_THREAD_NULL    0l
+typedef pthread_mutex_t pkcs11h_mutex_t;
+typedef pthread_t pkcs11h_thread_t;
+
+typedef struct {
+       pthread_cond_t cond;
+       pthread_mutex_t mut;
+} pkcs11h_cond_t;
+
+typedef struct __pkcs11h_threading_mutex_entry_s {
+       struct __pkcs11h_threading_mutex_entry_s *next;
+       pkcs11h_mutex_t *p_mutex;
+       PKCS11H_BOOL locked;
+} *__pkcs11h_threading_mutex_entry_t;
+#endif
+
+typedef void * (*pkcs11h_thread_start_t)(void *);
+
+typedef struct {
+       pkcs11h_thread_start_t start;
+       void *data;
+} __pkcs11h_thread_data_t;
+
+#endif                         /* ENABLE_PKCS11H_THREADING */
+
+struct pkcs11h_provider_s {
+       pkcs11h_provider_t next;
+
+       PKCS11H_BOOL enabled;
+       char reference[1024];
+       char manufacturerID[sizeof (((CK_TOKEN_INFO *)NULL)->manufacturerID)+1];
+       
+#if defined(WIN32)
+       HANDLE handle;
+#else
+       void *handle;
+#endif
+
+       CK_FUNCTION_LIST_PTR f;
+       PKCS11H_BOOL should_finalize;
+       PKCS11H_BOOL allow_protected_auth;
+       PKCS11H_BOOL cert_is_private;
+       unsigned mask_sign_mode;
+       int slot_event_method;
+       int slot_poll_interval;
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+       pkcs11h_thread_t slotevent_thread;
+#endif
+};
+
+struct pkcs11h_session_s {
+       pkcs11h_session_t next;
+
+       int reference_count;
+       PKCS11H_BOOL valid;
+
+       pkcs11h_provider_t provider;
+
+       pkcs11h_token_id_t token_id;
+
+       CK_SESSION_HANDLE session_handle;
+
+       PKCS11H_BOOL allow_protected_auth_supported;
+       int pin_cache_period;
+       time_t pin_expire_time;
+
+#if defined(ENABLE_PKCS11H_ENUM)
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+       pkcs11h_certificate_id_list_t cached_certs;
+       PKCS11H_BOOL touch;
+#endif
+#endif
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       pkcs11h_mutex_t mutex;
+#endif
+};
+
+#if defined (ENABLE_PKCS11H_CERTIFICATE)
+
+struct pkcs11h_certificate_s {
+
+       pkcs11h_certificate_id_t id;
+       int pin_cache_period;
+       PKCS11H_BOOL pin_cache_populated_to_session;
+
+       unsigned mask_sign_mode;
+
+       pkcs11h_session_t session;
+       CK_OBJECT_HANDLE key_handle;
+
+       PKCS11H_BOOL operation_active;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       pkcs11h_mutex_t mutex;
+#endif
+
+       unsigned mask_prompt;
+       void * user_data;
+};
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+struct pkcs11h_data_s {
+       PKCS11H_BOOL initialized;
+       int pin_cache_period;
+
+       pkcs11h_provider_t providers;
+       pkcs11h_session_t sessions;
+
+       struct {
+               void * log_data;
+               void * slotevent_data;
+               void * token_prompt_data;
+               void * pin_prompt_data;
+               pkcs11h_hook_log_t log;
+               pkcs11h_hook_slotevent_t slotevent;
+               pkcs11h_hook_token_prompt_t token_prompt;
+               pkcs11h_hook_pin_prompt_t pin_prompt;
+       } hooks;
+
+       PKCS11H_BOOL allow_protected_auth;
+       unsigned max_retries;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       struct {
+               pkcs11h_mutex_t global;
+               pkcs11h_mutex_t session;
+               pkcs11h_mutex_t cache;
+       } mutexes;
+#endif
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+       struct {
+               PKCS11H_BOOL initialized;
+               PKCS11H_BOOL should_terminate;
+               PKCS11H_BOOL skip_event;
+               pkcs11h_cond_t cond_event;
+               pkcs11h_thread_t thread;
+       } slotevent;
+#endif
+};
+
+#if defined(ENABLE_PKCS11H_OPENSSL)
+struct pkcs11h_openssl_session_s {
+       int reference_count;
+       PKCS11H_BOOL initialized;
+       X509 *x509;
+       RSA_METHOD smart_rsa;
+       int (*orig_finish)(RSA *rsa);
+       pkcs11h_certificate_t certificate;
+       pkcs11h_hook_openssl_cleanup_t cleanup_hook;
+};
+#endif
+
+/*======================================================================*
+ * MEMORY INTERFACE
+ *======================================================================*/
+
+static
+CK_RV
+_pkcs11h_mem_malloc (
+       OUT const void * * const p,
+       IN const size_t s
+);
+static
+CK_RV
+_pkcs11h_mem_free (
+       IN const void * * const p
+);
+static
+CK_RV
+_pkcs11h_mem_strdup (
+       OUT const char * * const dest,
+       IN const char * const src
+);
+static
+CK_RV
+_pkcs11h_mem_duplicate (
+       OUT const void * * const dest,
+       OUT size_t * const dest_size,
+       IN const void * const src,
+       IN const size_t mem_size
+);
+
+#if defined(ENABLE_PKCS11H_THREADING)
+/*======================================================================*
+ * THREADING INTERFACE
+ *======================================================================*/
+
+static
+void
+_pkcs11h_threading_sleep (
+       IN const unsigned milli
+);
+static
+CK_RV
+_pkcs11h_threading_mutexInit (
+       OUT pkcs11h_mutex_t * const mutex
+);
+static
+CK_RV
+_pkcs11h_threading_mutexLock (
+       IN OUT pkcs11h_mutex_t *const mutex
+);
+static
+CK_RV
+_pkcs11h_threading_mutexRelease (
+       IN OUT pkcs11h_mutex_t *const mutex
+);
+static
+CK_RV
+_pkcs11h_threading_mutexFree (
+       IN OUT pkcs11h_mutex_t *const mutex
+);
+#if !defined(WIN32)
+static
+void
+__pkcs1h_threading_mutexLockAll ();
+static
+void
+__pkcs1h_threading_mutexReleaseAll ();
+#endif
+static
+CK_RV
+_pkcs11h_threading_condSignal (
+       IN OUT pkcs11h_cond_t *const cond
+);
+static
+CK_RV
+_pkcs11h_threading_condInit (
+       OUT pkcs11h_cond_t * const cond
+);
+static
+CK_RV
+_pkcs11h_threading_condWait (
+       IN OUT pkcs11h_cond_t *const cond,
+       IN const unsigned milli
+);
+static
+CK_RV
+_pkcs11h_threading_condFree (
+       IN OUT pkcs11h_cond_t *const cond
+);
+static
+CK_RV
+_pkcs11h_threading_threadStart (
+       OUT pkcs11h_thread_t * const thread,
+       IN pkcs11h_thread_start_t const start,
+       IN void * data
+);
+static
+CK_RV
+_pkcs11h_threading_threadJoin (
+       IN pkcs11h_thread_t * const thread
+);
+#endif                         /* ENABLE_PKCS11H_THREADING */
+
+/*======================================================================*
+ * COMMON INTERNAL INTERFACE
+ *======================================================================*/
+
+static
+void
+_pkcs11h_util_fixupFixedString (
+       OUT char * const target,                        /* MUST BE >= length+1 */
+       IN const char * const source,
+       IN const size_t length                          /* FIXED STRING LENGTH */
+);
+static
+CK_RV
+_pkcs11h_util_hexToBinary (
+       OUT unsigned char * const target,
+       IN const char * const source,
+       IN OUT size_t * const p_target_size
+);
+static
+CK_RV
+_pkcs11h_util_binaryToHex (
+       OUT char * const target,
+       IN const size_t target_size,
+       IN const unsigned char * const source,
+       IN const size_t source_size
+);
+CK_RV
+_pkcs11h_util_escapeString (
+       IN OUT char * const target,
+       IN const char * const source,
+       IN size_t * const max,
+       IN const char * const invalid_chars
+);
+static
+CK_RV
+_pkcs11h_util_unescapeString (
+       IN OUT char * const target,
+       IN const char * const source,
+       IN size_t * const max
+);
+static
+void
+_pkcs11h_log (
+       IN const unsigned flags,
+       IN const char * const format,
+       IN ...
+)
+#ifdef __GNUC__
+    __attribute__ ((format (printf, 2, 3)))
+#endif
+    ;
+
+static
+CK_RV
+_pkcs11h_session_getSlotList (
+       IN const pkcs11h_provider_t provider,
+       IN const CK_BBOOL token_present,
+       OUT CK_SLOT_ID_PTR * const pSlotList,
+       OUT CK_ULONG_PTR pulCount
+);
+static
+CK_RV
+_pkcs11h_session_getObjectAttributes (
+       IN const pkcs11h_session_t session,
+       IN const CK_OBJECT_HANDLE object,
+       IN OUT const CK_ATTRIBUTE_PTR attrs,
+       IN const unsigned count
+);
+static
+CK_RV
+_pkcs11h_session_freeObjectAttributes (
+       IN OUT const CK_ATTRIBUTE_PTR attrs,
+       IN const unsigned count
+);
+static
+CK_RV
+_pkcs11h_session_findObjects (
+       IN const pkcs11h_session_t session,
+       IN const CK_ATTRIBUTE * const filter,
+       IN const CK_ULONG filter_attrs,
+       OUT CK_OBJECT_HANDLE **const p_objects,
+       OUT CK_ULONG *p_objects_found
+);
+static
+CK_RV
+_pkcs11h_token_getTokenId (
+       IN const CK_TOKEN_INFO_PTR info,
+       OUT pkcs11h_token_id_t * const p_token_id
+);
+static
+CK_RV
+_pkcs11h_token_newTokenId (
+       OUT pkcs11h_token_id_t * const token_id
+);
+static
+CK_RV
+_pkcs11h_session_getSessionByTokenId (
+       IN const pkcs11h_token_id_t token_id,
+       OUT pkcs11h_session_t * const p_session
+);
+static
+CK_RV
+_pkcs11h_session_release (
+       IN const pkcs11h_session_t session
+);
+static
+CK_RV
+_pkcs11h_session_reset (
+       IN const pkcs11h_session_t session,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT CK_SLOT_ID * const p_slot
+);
+static
+CK_RV
+_pkcs11h_session_getObjectById (
+       IN const pkcs11h_session_t session,
+       IN const CK_OBJECT_CLASS class,
+       IN const CK_BYTE_PTR id,
+       IN const size_t id_size,
+       OUT CK_OBJECT_HANDLE * const p_handle
+);
+static
+CK_RV
+_pkcs11h_session_validate (
+       IN const pkcs11h_session_t session
+);
+static
+CK_RV
+_pkcs11h_session_touch (
+       IN const pkcs11h_session_t session
+);
+static
+CK_RV
+_pkcs11h_session_login (
+       IN const pkcs11h_session_t session,
+       IN const PKCS11H_BOOL public_only,
+       IN const PKCS11H_BOOL readonly,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+);
+static
+CK_RV
+_pkcs11h_session_logout (
+       IN const pkcs11h_session_t session
+);
+
+static
+void
+_pkcs11h_hooks_default_log (
+       IN void * const global_data,
+       IN const unsigned flags,
+       IN const char * const format,
+       IN va_list args
+);
+
+static
+PKCS11H_BOOL
+_pkcs11h_hooks_default_token_prompt (
+       IN void * const global_data,
+       IN void * const user_data,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry
+);
+
+static
+PKCS11H_BOOL
+_pkcs11h_hooks_default_pin_prompt (
+       IN void * const global_data,
+       IN void * const user_data,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry,
+       OUT char * const pin,
+       IN const size_t pin_max
+);
+
+#if !defined(WIN32)
+#if defined(ENABLE_PKCS11H_THREADING)
+static
+void
+__pkcs11h_threading_atfork_prepare  ();
+static
+void
+__pkcs11h_threading_atfork_parent ();
+static
+void
+__pkcs11h_threading_atfork_child ();
+#endif
+static
+CK_RV
+_pkcs11h_forkFixup ();
+#endif
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+/*======================================================================*
+ * CERTIFICATE INTERFACE
+ *======================================================================*/
+
+static
+time_t
+_pkcs11h_certificate_getExpiration (
+       IN const unsigned char * const certificate,
+       IN const size_t certificate_size
+);
+static
+PKCS11H_BOOL
+_pkcs11h_certificate_isBetterCertificate (
+       IN const unsigned char * const current,
+       IN const size_t current_size,
+       IN const unsigned char * const newone,
+       IN const size_t newone_size
+);
+static
+CK_RV
+_pkcs11h_certificate_newCertificateId (
+       OUT pkcs11h_certificate_id_t * const certificate_id
+);
+static
+CK_RV
+_pkcs11h_certificate_getDN (
+       IN const unsigned char * const blob,
+       IN const size_t blob_size,
+       OUT char * const dn,
+       IN const size_t dn_size
+);
+static
+CK_RV
+_pkcs11h_certificate_loadCertificate (
+       IN const pkcs11h_certificate_t certificate
+);
+static
+CK_RV
+_pkcs11h_certificate_updateCertificateIdDescription (
+       IN OUT pkcs11h_certificate_id_t certificate_id
+);
+static
+CK_RV
+_pkcs11h_certificate_getKeyAttributes (
+       IN const pkcs11h_certificate_t certificate
+);
+static
+CK_RV
+_pkcs11h_certificate_validateSession (
+       IN const pkcs11h_certificate_t certificate
+);
+static
+CK_RV
+_pkcs11h_certificate_resetSession (
+       IN const pkcs11h_certificate_t certificate,
+       IN const PKCS11H_BOOL public_only,
+       IN const PKCS11H_BOOL session_mutex_locked
+);
+static
+CK_RV
+_pkcs11h_certificate_doPrivateOperation (
+       IN const pkcs11h_certificate_t certificate,
+       IN const enum _pkcs11h_private_op_e op,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+);
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#if defined(ENABLE_PKCS11H_LOCATE)
+/*======================================================================*
+ * LOCATE INTERFACE
+ *======================================================================*/
+
+static
+CK_RV
+_pkcs11h_locate_getTokenIdBySlotId (
+       IN const char * const slot,
+       OUT pkcs11h_token_id_t * const p_token_id
+);
+static
+CK_RV
+_pkcs11h_locate_getTokenIdBySlotName (
+       IN const char * const name,
+       OUT pkcs11h_token_id_t * const p_token_id
+);
+static
+CK_RV
+_pkcs11h_locate_getTokenIdByLabel (
+       IN const char * const label,
+       OUT pkcs11h_token_id_t * const p_token_id
+);
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+static
+CK_RV
+_pkcs11h_locate_getCertificateIdByLabel (
+       IN const pkcs11h_session_t session,
+       IN OUT const pkcs11h_certificate_id_t certificate_id,
+       IN const char * const label
+);
+static
+CK_RV
+_pkcs11h_locate_getCertificateIdBySubject (
+       IN const pkcs11h_session_t session,
+       IN OUT const pkcs11h_certificate_id_t certificate_id,
+       IN const char * const subject
+);
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+#endif                         /* ENABLE_PKCS11H_LOCATE */
+
+#if defined(ENABLE_PKCS11H_ENUM)
+/*======================================================================*
+ * ENUM INTERFACE
+ *======================================================================*/
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+static
+CK_RV
+_pkcs11h_certificate_enumSessionCertificates (
+       IN const pkcs11h_session_t session,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+);
+static
+CK_RV
+_pkcs11h_certificate_splitCertificateIdList (
+       IN const pkcs11h_certificate_id_list_t cert_id_all,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
+);
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#endif                         /* ENABLE_PKCS11H_ENUM */
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+/*======================================================================*
+ * SLOTEVENT INTERFACE
+ *======================================================================*/
+
+static
+unsigned long
+_pkcs11h_slotevent_checksum (
+       IN const unsigned char * const p,
+       IN const size_t s
+);
+static
+void *
+_pkcs11h_slotevent_provider (
+       IN void *p
+);
+static
+void *
+_pkcs11h_slotevent_manager (
+       IN void *p
+);
+static
+CK_RV
+_pkcs11h_slotevent_init ();
+static
+CK_RV
+_pkcs11h_slotevent_notify ();
+static
+CK_RV
+_pkcs11h_slotevent_terminate ();
+
+#endif                         /* ENABLE_PKCS11H_SLOTEVENT */
+
+#if defined(ENABLE_PKCS11H_OPENSSL)
+/*======================================================================*
+ * OPENSSL INTERFACE
+ *======================================================================*/
+
+static
+int
+_pkcs11h_openssl_finish (
+       IN OUT RSA *rsa
+);
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+static
+int
+_pkcs11h_openssl_dec (
+       IN int flen,
+       IN unsigned char *from,
+       OUT unsigned char *to,
+       IN OUT RSA *rsa,
+       IN int padding
+);
+static
+int
+_pkcs11h_openssl_sign (
+       IN int type,
+       IN unsigned char *m,
+       IN unsigned int m_len,
+       OUT unsigned char *sigret,
+       OUT unsigned int *siglen,
+       IN OUT RSA *rsa
+);
+#else
+static
+int
+_pkcs11h_openssl_dec (
+       IN int flen,
+       IN const unsigned char *from,
+       OUT unsigned char *to,
+       IN OUT RSA *rsa,
+       IN int padding
+);
+static
+int
+_pkcs11h_openssl_sign (
+       IN int type,
+       IN const unsigned char *m,
+       IN unsigned int m_len,
+       OUT unsigned char *sigret,
+       OUT unsigned int *siglen,
+       IN OUT const RSA *rsa
+);
+#endif
+static
+pkcs11h_openssl_session_t
+_pkcs11h_openssl_get_openssl_session (
+       IN OUT const RSA *rsa
+);  
+static
+pkcs11h_certificate_t
+_pkcs11h_openssl_get_pkcs11h_certificate (
+       IN OUT const RSA *rsa
+);  
+#endif                         /* ENABLE_PKCS11H_OPENSSL */
+
+/*==========================================
+ * Static data
+ */
+
+#if defined(ENABLE_PKCS11H_THREADING)
+#if !defined(WIN32)
+static struct {
+       pkcs11h_mutex_t mutex;
+       __pkcs11h_threading_mutex_entry_t head;
+} __s_pkcs11h_threading_mutex_list = {
+       PTHREAD_MUTEX_INITIALIZER,
+       NULL
+};
+#endif
+#endif
+
+pkcs11h_data_t s_pkcs11h_data = NULL;
+unsigned int s_pkcs11h_loglevel = PKCS11H_LOG_INFO;
+
+/*======================================================================*
+ * PUBLIC INTERFACE
+ *======================================================================*/
+
+const char *
+pkcs11h_getMessage (
+       IN const CK_RV rv
+) {
+       switch (rv) {
+               case CKR_OK: return "CKR_OK";
+               case CKR_CANCEL: return "CKR_CANCEL";
+               case CKR_HOST_MEMORY: return "CKR_HOST_MEMORY";
+               case CKR_SLOT_ID_INVALID: return "CKR_SLOT_ID_INVALID";
+               case CKR_GENERAL_ERROR: return "CKR_GENERAL_ERROR";
+               case CKR_FUNCTION_FAILED: return "CKR_FUNCTION_FAILED";
+               case CKR_ARGUMENTS_BAD: return "CKR_ARGUMENTS_BAD";
+               case CKR_NO_EVENT: return "CKR_NO_EVENT";
+               case CKR_NEED_TO_CREATE_THREADS: return "CKR_NEED_TO_CREATE_THREADS";
+               case CKR_CANT_LOCK: return "CKR_CANT_LOCK";
+               case CKR_ATTRIBUTE_READ_ONLY: return "CKR_ATTRIBUTE_READ_ONLY";
+               case CKR_ATTRIBUTE_SENSITIVE: return "CKR_ATTRIBUTE_SENSITIVE";
+               case CKR_ATTRIBUTE_TYPE_INVALID: return "CKR_ATTRIBUTE_TYPE_INVALID";
+               case CKR_ATTRIBUTE_VALUE_INVALID: return "CKR_ATTRIBUTE_VALUE_INVALID";
+               case CKR_DATA_INVALID: return "CKR_DATA_INVALID";
+               case CKR_DATA_LEN_RANGE: return "CKR_DATA_LEN_RANGE";
+               case CKR_DEVICE_ERROR: return "CKR_DEVICE_ERROR";
+               case CKR_DEVICE_MEMORY: return "CKR_DEVICE_MEMORY";
+               case CKR_DEVICE_REMOVED: return "CKR_DEVICE_REMOVED";
+               case CKR_ENCRYPTED_DATA_INVALID: return "CKR_ENCRYPTED_DATA_INVALID";
+               case CKR_ENCRYPTED_DATA_LEN_RANGE: return "CKR_ENCRYPTED_DATA_LEN_RANGE";
+               case CKR_FUNCTION_CANCELED: return "CKR_FUNCTION_CANCELED";
+               case CKR_FUNCTION_NOT_PARALLEL: return "CKR_FUNCTION_NOT_PARALLEL";
+               case CKR_FUNCTION_NOT_SUPPORTED: return "CKR_FUNCTION_NOT_SUPPORTED";
+               case CKR_KEY_HANDLE_INVALID: return "CKR_KEY_HANDLE_INVALID";
+               case CKR_KEY_SIZE_RANGE: return "CKR_KEY_SIZE_RANGE";
+               case CKR_KEY_TYPE_INCONSISTENT: return "CKR_KEY_TYPE_INCONSISTENT";
+               case CKR_KEY_NOT_NEEDED: return "CKR_KEY_NOT_NEEDED";
+               case CKR_KEY_CHANGED: return "CKR_KEY_CHANGED";
+               case CKR_KEY_NEEDED: return "CKR_KEY_NEEDED";
+               case CKR_KEY_INDIGESTIBLE: return "CKR_KEY_INDIGESTIBLE";
+               case CKR_KEY_FUNCTION_NOT_PERMITTED: return "CKR_KEY_FUNCTION_NOT_PERMITTED";
+               case CKR_KEY_NOT_WRAPPABLE: return "CKR_KEY_NOT_WRAPPABLE";
+               case CKR_KEY_UNEXTRACTABLE: return "CKR_KEY_UNEXTRACTABLE";
+               case CKR_MECHANISM_INVALID: return "CKR_MECHANISM_INVALID";
+               case CKR_MECHANISM_PARAM_INVALID: return "CKR_MECHANISM_PARAM_INVALID";
+               case CKR_OBJECT_HANDLE_INVALID: return "CKR_OBJECT_HANDLE_INVALID";
+               case CKR_OPERATION_ACTIVE: return "CKR_OPERATION_ACTIVE";
+               case CKR_OPERATION_NOT_INITIALIZED: return "CKR_OPERATION_NOT_INITIALIZED";
+               case CKR_PIN_INCORRECT: return "CKR_PIN_INCORRECT";
+               case CKR_PIN_INVALID: return "CKR_PIN_INVALID";
+               case CKR_PIN_LEN_RANGE: return "CKR_PIN_LEN_RANGE";
+               case CKR_PIN_EXPIRED: return "CKR_PIN_EXPIRED";
+               case CKR_PIN_LOCKED: return "CKR_PIN_LOCKED";
+               case CKR_SESSION_CLOSED: return "CKR_SESSION_CLOSED";
+               case CKR_SESSION_COUNT: return "CKR_SESSION_COUNT";
+               case CKR_SESSION_HANDLE_INVALID: return "CKR_SESSION_HANDLE_INVALID";
+               case CKR_SESSION_PARALLEL_NOT_SUPPORTED: return "CKR_SESSION_PARALLEL_NOT_SUPPORTED";
+               case CKR_SESSION_READ_ONLY: return "CKR_SESSION_READ_ONLY";
+               case CKR_SESSION_EXISTS: return "CKR_SESSION_EXISTS";
+               case CKR_SESSION_READ_ONLY_EXISTS: return "CKR_SESSION_READ_ONLY_EXISTS";
+               case CKR_SESSION_READ_WRITE_SO_EXISTS: return "CKR_SESSION_READ_WRITE_SO_EXISTS";
+               case CKR_SIGNATURE_INVALID: return "CKR_SIGNATURE_INVALID";
+               case CKR_SIGNATURE_LEN_RANGE: return "CKR_SIGNATURE_LEN_RANGE";
+               case CKR_TEMPLATE_INCOMPLETE: return "CKR_TEMPLATE_INCOMPLETE";
+               case CKR_TEMPLATE_INCONSISTENT: return "CKR_TEMPLATE_INCONSISTENT";
+               case CKR_TOKEN_NOT_PRESENT: return "CKR_TOKEN_NOT_PRESENT";
+               case CKR_TOKEN_NOT_RECOGNIZED: return "CKR_TOKEN_NOT_RECOGNIZED";
+               case CKR_TOKEN_WRITE_PROTECTED: return "CKR_TOKEN_WRITE_PROTECTED";
+               case CKR_UNWRAPPING_KEY_HANDLE_INVALID: return "CKR_UNWRAPPING_KEY_HANDLE_INVALID";
+               case CKR_UNWRAPPING_KEY_SIZE_RANGE: return "CKR_UNWRAPPING_KEY_SIZE_RANGE";
+               case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT: return "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT";
+               case CKR_USER_ALREADY_LOGGED_IN: return "CKR_USER_ALREADY_LOGGED_IN";
+               case CKR_USER_NOT_LOGGED_IN: return "CKR_USER_NOT_LOGGED_IN";
+               case CKR_USER_PIN_NOT_INITIALIZED: return "CKR_USER_PIN_NOT_INITIALIZED";
+               case CKR_USER_TYPE_INVALID: return "CKR_USER_TYPE_INVALID";
+               case CKR_USER_ANOTHER_ALREADY_LOGGED_IN: return "CKR_USER_ANOTHER_ALREADY_LOGGED_IN";
+               case CKR_USER_TOO_MANY_TYPES: return "CKR_USER_TOO_MANY_TYPES";
+               case CKR_WRAPPED_KEY_INVALID: return "CKR_WRAPPED_KEY_INVALID";
+               case CKR_WRAPPED_KEY_LEN_RANGE: return "CKR_WRAPPED_KEY_LEN_RANGE";
+               case CKR_WRAPPING_KEY_HANDLE_INVALID: return "CKR_WRAPPING_KEY_HANDLE_INVALID";
+               case CKR_WRAPPING_KEY_SIZE_RANGE: return "CKR_WRAPPING_KEY_SIZE_RANGE";
+               case CKR_WRAPPING_KEY_TYPE_INCONSISTENT: return "CKR_WRAPPING_KEY_TYPE_INCONSISTENT";
+               case CKR_RANDOM_SEED_NOT_SUPPORTED: return "CKR_RANDOM_SEED_NOT_SUPPORTED";
+               case CKR_RANDOM_NO_RNG: return "CKR_RANDOM_NO_RNG";
+               case CKR_DOMAIN_PARAMS_INVALID: return "CKR_DOMAIN_PARAMS_INVALID";
+               case CKR_BUFFER_TOO_SMALL: return "CKR_BUFFER_TOO_SMALL";
+               case CKR_SAVED_STATE_INVALID: return "CKR_SAVED_STATE_INVALID";
+               case CKR_INFORMATION_SENSITIVE: return "CKR_INFORMATION_SENSITIVE";
+               case CKR_STATE_UNSAVEABLE: return "CKR_STATE_UNSAVEABLE";
+               case CKR_CRYPTOKI_NOT_INITIALIZED: return "CKR_CRYPTOKI_NOT_INITIALIZED";
+               case CKR_CRYPTOKI_ALREADY_INITIALIZED: return "CKR_CRYPTOKI_ALREADY_INITIALIZED";
+               case CKR_MUTEX_BAD: return "CKR_MUTEX_BAD";
+               case CKR_MUTEX_NOT_LOCKED: return "CKR_MUTEX_NOT_LOCKED";
+               case CKR_FUNCTION_REJECTED: return "CKR_FUNCTION_REJECTED";
+               case CKR_VENDOR_DEFINED: return "CKR_VENDOR_DEFINED";
+               default: return "Unknown PKCS#11 error";
+       }
+}
+
+CK_RV
+pkcs11h_initialize () {
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_initialize entry"
+       );
+
+       pkcs11h_terminate ();
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_malloc ((void*)&s_pkcs11h_data, sizeof (struct pkcs11h_data_s));
+       }
+
+#if defined(USE_PKCS11H_OPENSSL) || defined(ENABLE_PKCS11H_OPENSSL)
+       OpenSSL_add_all_digests ();
+#endif
+#if defined(USE_PKCS11H_GNUTLS)
+       if (
+               rv == CKR_OK &&
+               gnutls_global_init () != GNUTLS_E_SUCCESS
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#endif
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_threading_mutexInit (&s_pkcs11h_data->mutexes.global); 
+       }
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_threading_mutexInit (&s_pkcs11h_data->mutexes.session); 
+       }
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_threading_mutexInit (&s_pkcs11h_data->mutexes.cache); 
+       }
+#if !defined(WIN32)
+       if (
+               rv == CKR_OK &&
+               pthread_atfork (
+                       __pkcs11h_threading_atfork_prepare,
+                       __pkcs11h_threading_atfork_parent,
+                       __pkcs11h_threading_atfork_child
+               )
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#endif
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               s_pkcs11h_data->max_retries = PKCS11H_DEFAULT_MAX_LOGIN_RETRY;
+               s_pkcs11h_data->allow_protected_auth = TRUE;
+               s_pkcs11h_data->pin_cache_period = PKCS11H_DEFAULT_PIN_CACHE_PERIOD;
+               s_pkcs11h_data->initialized = TRUE;
+       }
+
+       if (rv == CKR_OK) {
+               pkcs11h_setLogHook (_pkcs11h_hooks_default_log, NULL);
+               pkcs11h_setTokenPromptHook (_pkcs11h_hooks_default_token_prompt, NULL);
+               pkcs11h_setPINPromptHook (_pkcs11h_hooks_default_pin_prompt, NULL);
+       }
+       
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_initialize return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_terminate () {
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_terminate entry"
+       );
+
+       if (s_pkcs11h_data != NULL) {
+               pkcs11h_provider_t current_provider = NULL;
+
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Removing providers"
+               );
+
+               for (
+                       current_provider = s_pkcs11h_data->providers;
+                       current_provider != NULL;
+                       current_provider = current_provider->next
+               ) {
+                       pkcs11h_removeProvider (current_provider->reference);
+               }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache);
+               _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.session);
+               _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global);
+#endif
+
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Releasing sessions"
+               );
+
+               while (s_pkcs11h_data->sessions != NULL) {
+                       pkcs11h_session_t current = s_pkcs11h_data->sessions;
+                       s_pkcs11h_data->sessions = s_pkcs11h_data->sessions->next;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+                       _pkcs11h_threading_mutexLock (&current->mutex);
+#endif
+
+                       current->valid = FALSE;
+
+                       if (current->reference_count != 0) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Warning: Found session with references"
+                               );
+                       }
+
+                       if (current->token_id != NULL) {
+                               pkcs11h_token_freeTokenId (current->token_id);
+                               current->token_id = NULL;
+                       }
+
+#if defined(ENABLE_PKCS11H_ENUM)
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+                       pkcs11h_certificate_freeCertificateIdList (current->cached_certs);
+#endif
+#endif
+
+                       current->provider = NULL;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+                       _pkcs11h_threading_mutexFree (&current->mutex);
+#endif
+
+                       _pkcs11h_mem_free ((void *)&current);
+               }
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Terminating slotevent"
+               );
+
+               _pkcs11h_slotevent_terminate ();
+#endif
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Marking as uninitialized"
+               );
+               
+               s_pkcs11h_data->initialized = FALSE;
+
+               while (s_pkcs11h_data->providers != NULL) {
+                       pkcs11h_provider_t current = s_pkcs11h_data->providers;
+                       s_pkcs11h_data->providers = s_pkcs11h_data->providers->next;
+
+                       _pkcs11h_mem_free ((void *)&current);
+               }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               _pkcs11h_threading_mutexFree (&s_pkcs11h_data->mutexes.cache);
+               _pkcs11h_threading_mutexFree (&s_pkcs11h_data->mutexes.global); 
+               _pkcs11h_threading_mutexFree (&s_pkcs11h_data->mutexes.session); 
+#endif
+
+#if defined(USE_PKCS11H_GNUTLS)
+               gnutls_global_deinit ();
+#endif
+
+               _pkcs11h_mem_free ((void *)&s_pkcs11h_data);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_terminate return"
+       );
+
+       return CKR_OK;
+}
+
+void
+pkcs11h_setLogLevel (
+       IN const unsigned flags
+) {
+       s_pkcs11h_loglevel = flags;
+}
+
+unsigned
+pkcs11h_getLogLevel () {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+
+       return s_pkcs11h_loglevel;
+}
+
+CK_RV
+pkcs11h_setLogHook (
+       IN const pkcs11h_hook_log_t hook,
+       IN void * const global_data
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (hook!=NULL);
+
+       s_pkcs11h_data->hooks.log = hook;
+       s_pkcs11h_data->hooks.log_data = global_data;
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_setSlotEventHook (
+       IN const pkcs11h_hook_slotevent_t hook,
+       IN void * const global_data
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (hook!=NULL);
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+       s_pkcs11h_data->hooks.slotevent = hook;
+       s_pkcs11h_data->hooks.slotevent_data = global_data;
+
+       return _pkcs11h_slotevent_init ();
+#else
+       (void)global_data;
+
+       return CKR_FUNCTION_NOT_SUPPORTED;
+#endif
+}
+
+CK_RV
+pkcs11h_setPINPromptHook (
+       IN const pkcs11h_hook_pin_prompt_t hook,
+       IN void * const global_data
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (hook!=NULL);
+
+       s_pkcs11h_data->hooks.pin_prompt = hook;
+       s_pkcs11h_data->hooks.pin_prompt_data = global_data;
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_setTokenPromptHook (
+       IN const pkcs11h_hook_token_prompt_t hook,
+       IN void * const global_data
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (hook!=NULL);
+
+       s_pkcs11h_data->hooks.token_prompt = hook;
+       s_pkcs11h_data->hooks.token_prompt_data = global_data;
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_setPINCachePeriod (
+       IN const int pin_cache_period
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+
+       s_pkcs11h_data->pin_cache_period = pin_cache_period;
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_setMaxLoginRetries (
+       IN const unsigned max_retries
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+
+       s_pkcs11h_data->max_retries = max_retries;
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_setProtectedAuthentication (
+       IN const PKCS11H_BOOL allow_protected_auth
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+
+       s_pkcs11h_data->allow_protected_auth = allow_protected_auth;
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_addProvider (
+       IN const char * const reference,
+       IN const char * const provider_location,
+       IN const PKCS11H_BOOL allow_protected_auth,
+       IN const unsigned mask_sign_mode,
+       IN const int slot_event_method,
+       IN const int slot_poll_interval,
+       IN const PKCS11H_BOOL cert_is_private
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+#if defined(WIN32)
+       int mypid = 0;
+#else
+       pid_t mypid = getpid ();
+#endif
+       pkcs11h_provider_t provider = NULL;
+       CK_C_GetFunctionList gfl = NULL;
+       CK_INFO info;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (provider_location!=NULL);
+       /*PKCS11H_ASSERT (szSignMode!=NULL); NOT NEEDED*/
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_addProvider entry pid=%d, reference='%s', provider_location='%s', allow_protected_auth=%d, mask_sign_mode=%08x, cert_is_private=%d",
+               mypid,
+               reference,
+               provider_location,
+               allow_protected_auth ? 1 : 0,
+               mask_sign_mode,
+               cert_is_private ? 1 : 0
+       );
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG1,
+               "PKCS#11: Adding provider '%s'-'%s'",
+               reference,
+               provider_location
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_mem_malloc ((void *)&provider, sizeof (struct pkcs11h_provider_s))) == CKR_OK
+       ) {
+               strncpy (
+                       provider->reference,
+                       reference,
+                       sizeof (provider->reference)-1
+               );
+               provider->reference[sizeof (provider->reference)-1] = '\x0';
+               strncpy (
+                       provider->manufacturerID,
+                       (
+                               strlen (provider_location) < sizeof (provider->manufacturerID) ?
+                               provider_location :
+                               provider_location+strlen (provider_location)-sizeof (provider->manufacturerID)+1
+                       ),
+                       sizeof (provider->manufacturerID)-1
+               );
+               provider->manufacturerID[sizeof (provider->manufacturerID)-1] = '\x0';
+               provider->allow_protected_auth = allow_protected_auth;
+               provider->mask_sign_mode = mask_sign_mode;
+               provider->slot_event_method = slot_event_method;
+               provider->slot_poll_interval = slot_poll_interval;
+               provider->cert_is_private = cert_is_private;
+       }
+               
+       if (rv == CKR_OK) {
+#if defined(WIN32)
+               provider->handle = LoadLibraryA (provider_location);
+#else
+               provider->handle = dlopen (provider_location, RTLD_NOW);
+#endif
+               if (provider->handle == NULL) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+       }
+
+       if (rv == CKR_OK) {
+#if defined(WIN32)
+               gfl = (CK_C_GetFunctionList)GetProcAddress (
+                       provider->handle,
+                       "C_GetFunctionList"
+               );
+#else
+               /*
+                * Make compiler happy!
+                */
+               void *p = dlsym (
+                       provider->handle,
+                       "C_GetFunctionList"
+               );
+               memmove (
+                       &gfl, 
+                       &p,
+                       sizeof (void *)
+               );
+#endif
+               if (gfl == NULL) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+       }
+
+       if (rv == CKR_OK) {
+               rv = gfl (&provider->f);
+       }
+
+       if (rv == CKR_OK) {
+               if ((rv = provider->f->C_Initialize (NULL)) != CKR_OK) {
+                       if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) {
+                               rv = CKR_OK;
+                       }
+               }
+               else {
+                       provider->should_finalize = TRUE;
+               }
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = provider->f->C_GetInfo (&info)) == CKR_OK
+       ) {
+               _pkcs11h_util_fixupFixedString (
+                       provider->manufacturerID,
+                       (char *)info.manufacturerID,
+                       sizeof (info.manufacturerID)
+               );
+       }
+
+       if (rv == CKR_OK) {
+               provider->enabled = TRUE;
+       }
+
+       if (provider != NULL) {
+               if (s_pkcs11h_data->providers == NULL) {
+                       s_pkcs11h_data->providers = provider;
+               }
+               else {
+                       pkcs11h_provider_t last = NULL;
+       
+                       for (
+                               last = s_pkcs11h_data->providers;
+                               last->next != NULL;
+                               last = last->next
+                       );
+                       last->next = provider;
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+               mutex_locked = FALSE;
+       }
+#endif
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+       _pkcs11h_slotevent_notify ();
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG1,
+               "PKCS#11: Provider '%s' added rv=%ld-'%s'",
+               reference,
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_addProvider return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_removeProvider (
+       IN const char * const reference
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       pkcs11h_session_t current_session = NULL;
+#endif
+       pkcs11h_provider_t provider = NULL;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (reference!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_removeProvider entry reference='%s'",
+               reference
+       );
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG1,
+               "PKCS#11: Removing provider '%s'",
+               reference
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache);
+       _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.session);
+       _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global);
+
+       for (
+               current_session = s_pkcs11h_data->sessions;
+               current_session != NULL;
+               current_session = current_session->next
+       ) {
+               _pkcs11h_threading_mutexLock (&current_session->mutex);
+       }
+#endif
+
+       provider = s_pkcs11h_data->providers;
+       while (
+               rv == CKR_OK &&
+               provider != NULL &&
+               strcmp (reference, provider->reference)
+       ) {
+               provider = provider->next;
+       }
+
+       if (rv == CKR_OK && provider == NULL) {
+               rv = CKR_OBJECT_HANDLE_INVALID;
+       }
+
+       if (rv == CKR_OK) {
+               provider->enabled = FALSE;
+               provider->reference[0] = '\0';
+
+               if (provider->should_finalize) {
+                       provider->f->C_Finalize (NULL);
+                       provider->should_finalize = FALSE;
+               }
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+               _pkcs11h_slotevent_notify ();
+               
+               /*
+                * Wait until manager join this thread
+                * this happens saldom so I can poll
+                */
+               while (provider->slotevent_thread != PKCS11H_THREAD_NULL) {
+                       _pkcs11h_threading_sleep (500);
+               }
+#endif
+
+               if (provider->f != NULL) {
+                       provider->f = NULL;
+               }
+
+               if (provider->handle != NULL) {
+#if defined(WIN32)
+                       FreeLibrary (provider->handle);
+#else
+                       dlclose (provider->handle);
+#endif
+                       provider->handle = NULL;
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       for (
+               current_session = s_pkcs11h_data->sessions;
+               current_session != NULL;
+               current_session = current_session->next
+       ) {
+               _pkcs11h_threading_mutexRelease (&current_session->mutex);
+       }
+
+       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.cache);
+       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.session);
+       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+#endif
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_removeProvider return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_forkFixup () {
+#if defined(WIN32)
+       return CKR_OK;
+#else
+#if defined(ENABLE_PKCS11H_THREADING)
+       return CKR_OK;
+#else
+       return _pkcs11h_forkFixup ();
+#endif
+#endif
+}
+
+CK_RV
+pkcs11h_plugAndPlay () {
+#if defined(WIN32)
+       int mypid = 0;
+#else
+       pid_t mypid = getpid ();
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_forkFixup entry pid=%d",
+               mypid
+       );
+
+       if (s_pkcs11h_data != NULL && s_pkcs11h_data->initialized) {
+               pkcs11h_provider_t current;
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+               PKCS11H_BOOL slot_event_active = FALSE;
+#endif
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global);
+#endif
+               for (
+                       current = s_pkcs11h_data->providers;
+                       current != NULL;
+                       current = current->next
+               ) {
+                       if (current->enabled) {
+                               current->f->C_Finalize (NULL);
+                       }
+               }
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+               if (s_pkcs11h_data->slotevent.initialized) {
+                       slot_event_active = TRUE;
+                       _pkcs11h_slotevent_terminate ();
+               }
+#endif
+
+               for (
+                       current = s_pkcs11h_data->providers;
+                       current != NULL;
+                       current = current->next
+               ) {
+                       if (current->enabled) {
+                               current->f->C_Initialize (NULL);
+                       }
+               }
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+               if (slot_event_active) {
+                       _pkcs11h_slotevent_init ();
+               }
+#endif
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+#endif
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_forkFixup return"
+       );
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_token_freeTokenId (
+       IN pkcs11h_token_id_t token_id
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (token_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=%p",
+               (void *)token_id
+       );
+
+       _pkcs11h_mem_free ((void *)&token_id);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_freeTokenId return"
+       );
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_token_duplicateTokenId (
+       OUT pkcs11h_token_id_t * const to,
+       IN const pkcs11h_token_id_t from
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (to!=NULL);
+       PKCS11H_ASSERT (from!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_duplicateTokenId entry to=%p form=%p",
+               (void *)to,
+               (void *)from
+       );
+
+       *to = NULL;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_duplicate (
+                       (void*)to,
+                       NULL,
+                       from,
+                       sizeof (struct pkcs11h_token_id_s)
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_duplicateTokenId return rv=%ld-'%s', *to=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*to
+       );
+       
+       return rv;
+}
+
+PKCS11H_BOOL
+pkcs11h_token_sameTokenId (
+       IN const pkcs11h_token_id_t a,
+       IN const pkcs11h_token_id_t b
+) {
+       PKCS11H_ASSERT (a!=NULL);
+       PKCS11H_ASSERT (b!=NULL);
+
+       return (
+               !strcmp (a->manufacturerID, b->manufacturerID) &&
+               !strcmp (a->model, b->model) &&
+               !strcmp (a->serialNumber, b->serialNumber) &&
+               !strcmp (a->label, b->label)
+       );
+}
+
+#if defined(ENABLE_PKCS11H_SERIALIZATION)
+
+CK_RV
+pkcs11h_token_serializeTokenId (
+       OUT char * const sz,
+       IN OUT size_t *max,
+       IN const pkcs11h_token_id_t token_id
+) {
+       const char *sources[5];
+       CK_RV rv = CKR_OK;
+       size_t n;
+       int e;
+
+       /*PKCS11H_ASSERT (sz!=NULL); Not required*/
+       PKCS11H_ASSERT (max!=NULL);
+       PKCS11H_ASSERT (token_id!=NULL);
+
+       { /* Must be after assert */
+               sources[0] = token_id->manufacturerID;
+               sources[1] = token_id->model;
+               sources[2] = token_id->serialNumber;
+               sources[3] = token_id->label;
+               sources[4] = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max=%u, token_id=%p",
+               sz,
+               sz != NULL ? *max : 0,
+               (void *)token_id
+       );
+
+       n = 0;
+       for (e=0;rv == CKR_OK && sources[e] != NULL;e++) {
+               size_t t;
+               rv = _pkcs11h_util_escapeString (NULL, sources[e], &t, PKCS11H_SERIALIZE_INVALID_CHARS);
+               n+=t;
+       }
+
+       if (sz != NULL) {
+               if (*max < n) {
+                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+               }
+               else {
+                       n = 0;
+                       for (e=0;sources[e] != NULL;e++) {
+                               size_t t = *max-n;
+                               _pkcs11h_util_escapeString (sz+n, sources[e], &t, PKCS11H_SERIALIZE_INVALID_CHARS);
+                               n+=t;
+                               sz[n-1] = '/';
+                       }
+                       sz[n-1] = '\x0';
+               }
+       }
+
+       *max = n;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_serializeTokenId return rv=%ld-'%s', *max=%u, sz='%s'",
+               rv,
+               pkcs11h_getMessage (rv),
+               *max,
+               sz
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_token_deserializeTokenId (
+       OUT pkcs11h_token_id_t *p_token_id,
+       IN const char * const sz
+) {
+#define __PKCS11H_TARGETS_NUMBER 4
+       struct {
+               char *p;
+               size_t s;
+       } targets[__PKCS11H_TARGETS_NUMBER];
+
+       pkcs11h_token_id_t token_id = NULL;
+       char *p1 = NULL;
+       char *_sz = NULL;
+       int e;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (p_token_id!=NULL);
+       PKCS11H_ASSERT (sz!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
+               (void *)p_token_id,
+               sz
+       );
+
+       *p_token_id = NULL;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_strdup (
+                       (void *)&_sz,
+                       sz
+               );
+       }
+
+       if (rv == CKR_OK) {
+               p1 = _sz;
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_token_newTokenId (&token_id)) == CKR_OK
+       ) {
+               targets[0].p = token_id->manufacturerID;
+               targets[0].s = sizeof (token_id->manufacturerID);
+               targets[1].p = token_id->model;
+               targets[1].s = sizeof (token_id->model);
+               targets[2].p = token_id->serialNumber;
+               targets[2].s = sizeof (token_id->serialNumber);
+               targets[3].p = token_id->label;
+               targets[3].s = sizeof (token_id->label);
+       }
+
+       for (e=0;rv == CKR_OK && e < __PKCS11H_TARGETS_NUMBER;e++) {
+               size_t l;
+               char *p2 = NULL;
+
+               /*
+                * Don't search for last
+                * separator
+                */
+               if (rv == CKR_OK) {
+                       if (e != __PKCS11H_TARGETS_NUMBER-1) {
+                               p2 = strchr (p1, '/');
+                               if (p2 == NULL) {
+                                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+                               }
+                               else {
+                                       *p2 = '\x0';
+                               }
+                       }
+               }
+
+               if (rv == CKR_OK) {
+                       _pkcs11h_util_unescapeString (
+                               NULL,
+                               p1,
+                               &l
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       if (l > targets[e].s) {
+                               rv = CKR_ATTRIBUTE_VALUE_INVALID;
+                       }
+               }
+
+               if (rv == CKR_OK) {
+                       l = targets[e].s;
+                       _pkcs11h_util_unescapeString (
+                               targets[e].p,
+                               p1,
+                               &l
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       p1 = p2+1;
+               }
+       }
+
+       if (rv == CKR_OK) {
+               strncpy (
+                       token_id->display,
+                       token_id->label,
+                       sizeof (token_id->display)
+               );
+       }
+
+       if (rv == CKR_OK) {
+               *p_token_id = token_id;
+               token_id = NULL;
+       }
+
+       if (_sz != NULL) {
+               _pkcs11h_mem_free ((void *)&_sz);
+       }
+
+       if (token_id != NULL) {
+               pkcs11h_token_freeTokenId (token_id);
+       }
+
+       return rv;
+#undef __PKCS11H_TARGETS_NUMBER
+}
+
+#endif                         /* ENABLE_PKCS11H_SERIALIZATION */
+
+/*======================================================================*
+ * MEMORY INTERFACE
+ *======================================================================*/
+
+static
+CK_RV
+_pkcs11h_mem_malloc (
+       OUT const void * * const p,
+       IN const size_t s
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (p!=NULL);
+       PKCS11H_ASSERT (s!=0);
+
+       *p = NULL;
+
+       if (s > 0) {
+               if (
+                       (*p = (void *)PKCS11H_MALLOC (s)) == NULL
+               ) {
+                       rv = CKR_HOST_MEMORY;
+               }
+               else {
+                       memset ((void *)*p, 0, s);
+               }
+       }
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_mem_free (
+       IN const void * * const  p
+) {
+       PKCS11H_ASSERT (p!=NULL);
+
+       PKCS11H_FREE ((void *)*p);
+       *p = NULL;
+
+       return CKR_OK;
+}
+
+static
+CK_RV
+_pkcs11h_mem_strdup (
+       OUT const char * * const dest,
+       IN const char * const src
+) {
+       return _pkcs11h_mem_duplicate (
+               (void *)dest,
+               NULL,
+               src,
+               strlen (src)+1
+       );
+}
+
+static
+CK_RV
+_pkcs11h_mem_duplicate (
+       OUT const void * * const dest,
+       OUT size_t * const p_dest_size,
+       IN const void * const src,
+       IN const size_t mem_size
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (dest!=NULL);
+       /*PKCS11H_ASSERT (dest_size!=NULL); NOT NEEDED*/
+       PKCS11H_ASSERT (!(mem_size!=0&&src==NULL));
+
+       *dest = NULL;
+       if (p_dest_size != NULL) {
+               *p_dest_size = 0;
+       }
+
+       if (src != NULL) {
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_mem_malloc (dest, mem_size)) == CKR_OK
+               ) {
+                       if (p_dest_size != NULL) {
+                               *p_dest_size = mem_size;
+                       }
+                       memmove ((void*)*dest, src, mem_size);
+               }
+       }
+
+       return rv;
+}
+
+#if defined(ENABLE_PKCS11H_THREADING)
+/*======================================================================*
+ * THREADING INTERFACE
+ *======================================================================*/
+
+static
+void
+_pkcs11h_threading_sleep (
+       IN const unsigned milli
+) {
+#if defined(WIN32)
+       Sleep (milli);
+#else
+       usleep (milli*1000);
+#endif
+}
+
+static
+CK_RV
+_pkcs11h_threading_mutexInit (
+       OUT pkcs11h_mutex_t * const mutex
+) {
+       CK_RV rv = CKR_OK;
+#if defined(WIN32)
+       if (
+               rv == CKR_OK &&
+               (*mutex = CreateMutex (NULL, FALSE, NULL)) == NULL
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#else
+       {
+               __pkcs11h_threading_mutex_entry_t entry = NULL;
+               PKCS11H_BOOL mutex_locked = FALSE;
+
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex)) == CKR_OK
+               ) {
+                       mutex_locked = TRUE;
+               }
+               
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_mem_malloc (
+                               (void *)&entry,
+                               sizeof (struct __pkcs11h_threading_mutex_entry_s)
+                       );
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       pthread_mutex_init (mutex, NULL)
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+
+               if (rv == CKR_OK) {
+                       entry->p_mutex = mutex;
+                       entry->next = __s_pkcs11h_threading_mutex_list.head;
+                       __s_pkcs11h_threading_mutex_list.head = entry;
+                       entry = NULL;
+               }
+
+               if (entry != NULL) {
+                       _pkcs11h_mem_free ((void *)&entry);
+               }
+
+               if (mutex_locked) {
+                       _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
+                       mutex_locked = FALSE;
+               }
+       }
+#endif
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_threading_mutexLock (
+       IN OUT pkcs11h_mutex_t *const mutex
+) {
+       CK_RV rv = CKR_OK;
+#if defined(WIN32)
+       if (
+               rv == CKR_OK &&
+               WaitForSingleObject (*mutex, INFINITE) == WAIT_FAILED
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#else
+       if (
+               rv == CKR_OK &&
+               pthread_mutex_lock (mutex)
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#endif
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_threading_mutexRelease (
+       IN OUT pkcs11h_mutex_t *const mutex
+) {
+       CK_RV rv = CKR_OK;
+#if defined(WIN32)
+       if (
+               rv == CKR_OK &&
+               !ReleaseMutex (*mutex)
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#else
+       if (
+               rv == CKR_OK &&
+               pthread_mutex_unlock (mutex)
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#endif
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_threading_mutexFree (
+       IN OUT pkcs11h_mutex_t *const mutex
+) {
+#if defined(WIN32)
+       if (*mutex != NULL) {
+               CloseHandle (*mutex);
+               *mutex = NULL;
+       }
+#else
+       {
+               __pkcs11h_threading_mutex_entry_t last = NULL;
+               __pkcs11h_threading_mutex_entry_t entry = NULL;
+               PKCS11H_BOOL mutex_locked = FALSE;
+
+               if (_pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex) == CKR_OK) {
+                       mutex_locked = TRUE;
+               }
+
+               entry =  __s_pkcs11h_threading_mutex_list.head;
+               while (
+                       entry != NULL &&
+                       entry->p_mutex != mutex
+               ) {
+                       last = entry;
+                       entry = entry->next;
+               }
+
+               if (entry != NULL) {
+                       if (last == NULL) {
+                               __s_pkcs11h_threading_mutex_list.head = entry->next;
+                       }
+                       else {
+                               last->next = entry->next;
+                       }
+                       _pkcs11h_mem_free ((void *)&entry);
+               }
+
+               pthread_mutex_destroy (mutex);
+
+               if (mutex_locked) {
+                       _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
+                       mutex_locked = FALSE;
+               }
+       }
+#endif
+       return CKR_OK;
+}
+
+#if !defined(WIN32)
+/*
+ * This function is required in order
+ * to lock all mutexes before fork is called,
+ * and to avoid dedlocks.
+ * The loop is required because there is no
+ * way to lock all mutex in one system call...
+ */
+static
+void
+__pkcs1h_threading_mutexLockAll () {
+       __pkcs11h_threading_mutex_entry_t entry = NULL;
+       PKCS11H_BOOL mutex_locked = FALSE;
+       PKCS11H_BOOL all_mutexes_locked = FALSE;
+
+       if (_pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex) == CKR_OK) {
+               mutex_locked = TRUE;
+       }
+
+       for (
+               entry = __s_pkcs11h_threading_mutex_list.head;
+               entry != NULL;
+               entry = entry->next
+       ) {
+               entry->locked = FALSE;
+       }
+
+       while (!all_mutexes_locked) {
+               PKCS11H_BOOL ok = TRUE;
+               
+               for (
+                       entry = __s_pkcs11h_threading_mutex_list.head;
+                       entry != NULL && ok;
+                       entry = entry->next
+               ) {
+                       if (!pthread_mutex_trylock (entry->p_mutex)) {
+                               entry->locked = TRUE;
+                       }
+                       else {
+                               ok = FALSE;
+                       }
+               }
+
+               if (!ok) {
+                       for (
+                               entry = __s_pkcs11h_threading_mutex_list.head;
+                               entry != NULL;
+                               entry = entry->next
+                       ) {
+                               if (entry->locked == TRUE) {
+                                       pthread_mutex_unlock (entry->p_mutex);
+                                       entry->locked = FALSE;
+                               }
+                       }
+
+                       _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
+                       _pkcs11h_threading_sleep (1000);
+                       _pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex);
+               }
+               else {
+                       all_mutexes_locked  = TRUE;
+               }
+       }
+
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
+               mutex_locked = FALSE;
+       }
+}
+
+static
+void
+__pkcs1h_threading_mutexReleaseAll () {
+       __pkcs11h_threading_mutex_entry_t entry = NULL;
+       PKCS11H_BOOL mutex_locked = FALSE;
+
+       if (_pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex) == CKR_OK) {
+               mutex_locked = TRUE;
+       }
+
+       for (
+               entry = __s_pkcs11h_threading_mutex_list.head;
+               entry != NULL;
+               entry = entry->next
+       ) {
+               pthread_mutex_unlock (entry->p_mutex);
+               entry->locked = FALSE;
+       }
+
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
+               mutex_locked = FALSE;
+       }
+}
+#endif
+
+CK_RV
+_pkcs11h_threading_condSignal (
+       IN OUT pkcs11h_cond_t *const cond
+) {
+       CK_RV rv = CKR_OK;
+#if defined(WIN32)
+       if (
+               rv == CKR_OK &&
+               !SetEvent (*cond)
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#else
+       if (
+               rv == CKR_OK &&
+               (
+                       pthread_mutex_lock (&cond->mut) ||
+                       pthread_cond_signal (&cond->cond) ||
+                       pthread_mutex_unlock (&cond->mut)
+               )
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#endif
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_threading_condInit (
+       OUT pkcs11h_cond_t * const cond
+) {
+       CK_RV rv = CKR_OK;
+#if defined(WIN32)
+       if (
+               rv == CKR_OK &&
+               (*cond = CreateEvent (NULL, FALSE, FALSE, NULL)) == NULL
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#else
+       if (
+               rv == CKR_OK &&
+               (
+                       pthread_mutex_init (&cond->mut, NULL) ||
+                       pthread_cond_init (&cond->cond, NULL) ||
+                       pthread_mutex_lock (&cond->mut)
+               )
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#endif
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_threading_condWait (
+       IN OUT pkcs11h_cond_t *const cond,
+       IN const unsigned milli
+) {
+       CK_RV rv = CKR_OK;
+
+#if defined(WIN32)
+       DWORD dwMilli;
+
+       if (milli == PKCS11H_COND_INFINITE) {
+               dwMilli = INFINITE;
+       }
+       else {
+               dwMilli = milli;
+       }
+
+       if (
+               rv == CKR_OK &&
+               WaitForSingleObject (*cond, dwMilli) == WAIT_FAILED
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#else
+       if (milli == PKCS11H_COND_INFINITE) {
+               if (
+                       rv == CKR_OK &&
+                       pthread_cond_wait (&cond->cond, &cond->mut)
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+       }
+       else {
+               struct timeval now;
+               struct timespec timeout;
+
+               if (
+                       rv == CKR_OK &&
+                       gettimeofday (&now, NULL)
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+               
+               if (rv == CKR_OK) {
+                       timeout.tv_sec = now.tv_sec + milli/1000;
+                       timeout.tv_nsec = now.tv_usec*1000 + milli%1000;
+               }
+               
+               if (
+                       rv == CKR_OK &&
+                       pthread_cond_timedwait (&cond->cond, &cond->mut, &timeout)
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+       }
+#endif
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_threading_condFree (
+       IN OUT pkcs11h_cond_t *const cond
+) {
+#if defined(WIN32)
+       CloseHandle (*cond);
+       *cond = NULL;
+#else
+       pthread_mutex_unlock (&cond->mut);
+#endif
+       return CKR_OK;
+}
+
+#if defined(WIN32)
+static
+unsigned
+__stdcall
+__pkcs11h_thread_start (void *p) {
+       __pkcs11h_thread_data_t *_data = (__pkcs11h_thread_data_t *)p;
+       unsigned ret;
+
+       ret = (unsigned)_data->start (_data->data);
+
+       _pkcs11h_mem_free ((void *)&_data);
+
+       return ret;
+}
+#else
+static
+void *
+__pkcs11h_thread_start (void *p) {
+       __pkcs11h_thread_data_t *_data = (__pkcs11h_thread_data_t *)p;
+       void *ret;
+       int i;
+
+       /*
+        * Ignore any signal in
+        * this thread
+        */
+       for (i=1;i<16;i++) {
+               signal (i, SIG_IGN);
+       }
+
+       ret = _data->start (_data->data);
+
+       _pkcs11h_mem_free ((void *)&_data);
+
+       return ret;
+}
+#endif
+
+static
+CK_RV
+_pkcs11h_threading_threadStart (
+       OUT pkcs11h_thread_t * const thread,
+       IN pkcs11h_thread_start_t const start,
+       IN void * data
+) {
+       __pkcs11h_thread_data_t *_data = NULL;
+       CK_RV rv = CKR_OK;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_malloc (
+                       (void *)&_data,
+                       sizeof (__pkcs11h_thread_data_t)
+               );
+       }
+
+       if (rv == CKR_OK) {
+               _data->start = start;
+               _data->data = data;
+       }
+
+#if defined(WIN32)
+       {
+               unsigned tmp;
+
+               if (
+                       rv == CKR_OK &&
+                       (*thread = (HANDLE)_beginthreadex (
+                               NULL,
+                               0,
+                               __pkcs11h_thread_start,
+                               _data,
+                               0,
+                               &tmp
+                       )) == NULL
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+       }
+#else
+       if (
+               rv == CKR_OK &&
+               pthread_create (thread, NULL, __pkcs11h_thread_start, _data)
+       ) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+#endif
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_threading_threadJoin (
+       IN pkcs11h_thread_t * const thread
+) {
+#if defined(WIN32)
+       WaitForSingleObject (*thread, INFINITE);
+       CloseHandle (*thread);
+       *thread = NULL;
+#else
+       pthread_join (*thread, NULL);
+       *thread = 0l;
+#endif
+       return CKR_OK;
+}
+
+#endif         /* ENABLE_PKCS11H_THREADING */
+
+/*======================================================================*
+ * COMMON INTERNAL INTERFACE
+ *======================================================================*/
+
+static
+void
+_pkcs11h_util_fixupFixedString (
+       OUT char * const target,                        /* MUST BE >= length+1 */
+       IN const char * const source,
+       IN const size_t length                          /* FIXED STRING LENGTH */
+) {
+       char *p;
+
+       PKCS11H_ASSERT (source!=NULL);
+       PKCS11H_ASSERT (target!=NULL);
+       
+       p = target+length;
+       memmove (target, source, length);
+       *p = '\0';
+       p--;
+       while (p >= target && *p == ' ') {
+               *p = '\0';
+               p--;
+       }
+}
+
+static
+CK_RV
+_pkcs11h_util_hexToBinary (
+       OUT unsigned char * const target,
+       IN const char * const source,
+       IN OUT size_t * const p_target_size
+) {
+       size_t target_max_size;
+       const char *p;
+       char buf[3] = {'\0', '\0', '\0'};
+       int i = 0;
+
+       PKCS11H_ASSERT (source!=NULL);
+       PKCS11H_ASSERT (target!=NULL);
+       PKCS11H_ASSERT (p_target_size!=NULL);
+
+       target_max_size = *p_target_size;
+       p = source;
+       *p_target_size = 0;
+
+       while (*p != '\x0' && *p_target_size < target_max_size) {
+               if (isxdigit ((unsigned char)*p)) {
+                       buf[i%2] = *p;
+
+                       if ((i%2) == 1) {
+                               unsigned v;
+                               if (sscanf (buf, "%x", &v) != 1) {
+                                       v = 0;
+                               }
+                               target[*p_target_size] = v & 0xff;
+                               (*p_target_size)++;
+                       }
+
+                       i++;
+               }
+               p++;
+       }
+
+       if (*p != '\x0') {
+               return CKR_ATTRIBUTE_VALUE_INVALID;
+       }
+       else {
+               return CKR_OK;
+       }
+}
+
+static
+CK_RV
+_pkcs11h_util_binaryToHex (
+       OUT char * const target,
+       IN const size_t target_size,
+       IN const unsigned char * const source,
+       IN const size_t source_size
+) {
+       static const char *x = "0123456789ABCDEF";
+       size_t i;
+
+       PKCS11H_ASSERT (target!=NULL);
+       PKCS11H_ASSERT (source!=NULL);
+
+       if (target_size < source_size * 2 + 1) {
+               return CKR_ATTRIBUTE_VALUE_INVALID;
+       }
+
+       for (i=0;i<source_size;i++) {
+               target[i*2] =   x[(source[i]&0xf0)>>4];
+               target[i*2+1] = x[(source[i]&0x0f)>>0];
+       }
+       target[source_size*2] = '\x0';
+
+       return CKR_OK;
+}
+
+CK_RV
+_pkcs11h_util_escapeString (
+       IN OUT char * const target,
+       IN const char * const source,
+       IN size_t * const max,
+       IN const char * const invalid_chars
+) {
+       static const char *x = "0123456789ABCDEF";
+       CK_RV rv = CKR_OK;
+       const char *s = source;
+       char *t = target;
+       size_t n = 0;
+
+       /*PKCS11H_ASSERT (target!=NULL); Not required*/
+       PKCS11H_ASSERT (source!=NULL);
+       PKCS11H_ASSERT (max!=NULL);
+
+       while (rv == CKR_OK && *s != '\x0') {
+
+               if (*s == '\\' || strchr (invalid_chars, *s) || !isgraph (*s)) {
+                       if (t != NULL) {
+                               if (n+4 > *max) {
+                                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+                               }
+                               else {
+                                       t[0] = '\\';
+                                       t[1] = 'x';
+                                       t[2] = x[(*s&0xf0)>>4];
+                                       t[3] = x[(*s&0x0f)>>0];
+                                       t+=4;
+                               }
+                       }
+                       n+=4;
+               }
+               else {
+                       if (t != NULL) {
+                               if (n+1 > *max) {
+                                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+                               }
+                               else {
+                                       *t = *s;
+                                       t++;
+                               }
+                       }
+                       n+=1;
+               }
+
+               s++;
+       }
+
+       if (t != NULL) {
+               if (n+1 > *max) {
+                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+               }
+               else {
+                       *t = '\x0';
+                       t++;
+               }
+       }
+       n++;
+
+       *max = n;
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_util_unescapeString (
+       IN OUT char * const target,
+       IN const char * const source,
+       IN size_t * const max
+) {
+       CK_RV rv = CKR_OK;
+       const char *s = source;
+       char *t = target;
+       size_t n = 0;
+
+       /*PKCS11H_ASSERT (target!=NULL); Not required*/
+       PKCS11H_ASSERT (source!=NULL);
+       PKCS11H_ASSERT (max!=NULL);
+
+       while (rv == CKR_OK && *s != '\x0') {
+               if (*s == '\\') {
+                       if (t != NULL) {
+                               if (n+1 > *max) {
+                                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+                               }
+                               else {
+                                       char b[3];
+                                       unsigned u;
+                                       b[0] = s[2];
+                                       b[1] = s[3];
+                                       b[2] = '\x0';
+                                       sscanf (b, "%08x", &u);
+                                       *t = u&0xff;
+                                       t++;
+                               }
+                       }
+                       s+=4;
+               }
+               else {
+                       if (t != NULL) {
+                               if (n+1 > *max) {
+                                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+                               }
+                               else {
+                                       *t = *s;
+                                       t++;
+                               }
+                       }
+                       s++;
+               }
+
+               n+=1;
+       }
+
+       if (t != NULL) {
+               if (n+1 > *max) {
+                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+               }
+               else {
+                       *t = '\x0';
+                       t++;
+               }
+       }
+       n++;
+
+       *max = n;
+
+       return rv;
+}
+
+static
+void
+_pkcs11h_log (
+       IN const unsigned flags,
+       IN const char * const format,
+       IN ...
+) {
+       va_list args;
+
+       PKCS11H_ASSERT (format!=NULL);
+
+       va_start (args, format);
+
+       if (
+               s_pkcs11h_data != NULL &&
+               s_pkcs11h_data->initialized
+       ) { 
+               if (PKCS11H_MSG_LEVEL_TEST (flags)) {
+                       if (s_pkcs11h_data->hooks.log == NULL) {
+                               _pkcs11h_hooks_default_log (
+                                       NULL,
+                                       flags,
+                                       format,
+                                       args
+                               );
+                       }
+                       else {
+                               s_pkcs11h_data->hooks.log (
+                                       s_pkcs11h_data->hooks.log_data,
+                                       flags,
+                                       format,
+                                       args
+                               );
+                       }
+               }
+       }
+
+       va_end (args);
+}
+
+static
+CK_RV
+_pkcs11h_session_getSlotList (
+       IN const pkcs11h_provider_t provider,
+       IN const CK_BBOOL token_present,
+       OUT CK_SLOT_ID_PTR * const pSlotList,
+       OUT CK_ULONG_PTR pulCount
+) {
+       CK_SLOT_ID_PTR _slots = NULL;
+       CK_ULONG _slotnum = 0;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (provider!=NULL);
+       PKCS11H_ASSERT (pSlotList!=NULL);
+       PKCS11H_ASSERT (pulCount!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getSlotList entry provider=%p, token_present=%d, pSlotList=%p, pulCount=%p",
+               (void *)provider,
+               token_present,
+               (void *)pSlotList,
+               (void *)pulCount
+       );
+
+       *pSlotList = NULL;
+       *pulCount = 0;
+
+       if (
+               rv == CKR_OK &&
+               !provider->enabled
+       ) {
+               rv = CKR_CRYPTOKI_NOT_INITIALIZED;
+       }
+
+       if (rv == CKR_OK) {
+               rv = provider->f->C_GetSlotList (
+                       token_present,
+                       NULL_PTR,
+                       &_slotnum
+               );
+       }
+
+       if (rv == CKR_OK && _slotnum > 0) {
+               rv = _pkcs11h_mem_malloc ((void *)&_slots, _slotnum * sizeof (CK_SLOT_ID));
+       }
+
+       if (rv == CKR_OK && _slotnum > 0) {
+               rv = provider->f->C_GetSlotList (
+                       token_present,
+                       _slots,
+                       &_slotnum
+               );
+       }
+
+       if (rv == CKR_OK) {
+               *pSlotList = _slots;
+               _slots = NULL;
+               *pulCount = _slotnum;
+       }
+
+       if (_slots != NULL) {
+               _pkcs11h_mem_free ((void *)&_slots);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getSlotList return rv=%ld-'%s' *pulCount=%ld",
+               rv,
+               pkcs11h_getMessage (rv),
+               *pulCount
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_getObjectAttributes (
+       IN const pkcs11h_session_t session,
+       IN const CK_OBJECT_HANDLE object,
+       IN OUT const CK_ATTRIBUTE_PTR attrs,
+       IN const unsigned count
+) {
+       /*
+        * THREADING:
+        * session->mutex must be locked
+        */
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (session!=NULL);
+       PKCS11H_ASSERT (attrs!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getObjectAttributes entry session=%p, object=%ld, attrs=%p, count=%u",
+               (void *)session,
+               object,
+               (void *)attrs,
+               count
+       );
+
+       if (
+               rv == CKR_OK &&
+               (rv = session->provider->f->C_GetAttributeValue (
+                       session->session_handle,
+                       object,
+                       attrs,
+                       count
+               )) == CKR_OK
+       ) {
+               unsigned i;
+               for (i=0;rv == CKR_OK && i<count;i++) {
+                       if (attrs[i].ulValueLen == (CK_ULONG)-1) {
+                               rv = CKR_ATTRIBUTE_VALUE_INVALID;
+                       }
+                       else if (attrs[i].ulValueLen == 0) {
+                               attrs[i].pValue = NULL;
+                       }
+                       else {
+                               rv = _pkcs11h_mem_malloc (
+                                       (void *)&attrs[i].pValue,
+                                       attrs[i].ulValueLen
+                               );
+                       }
+               }
+       }
+
+       if (rv == CKR_OK) {
+               rv = session->provider->f->C_GetAttributeValue (
+                       session->session_handle,
+                       object,
+                       attrs,
+                       count
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getObjectAttributes return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_freeObjectAttributes (
+       IN OUT const CK_ATTRIBUTE_PTR attrs,
+       IN const unsigned count
+) {
+       unsigned i;
+
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (attrs!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=%p, count=%u",
+               (void *)attrs,
+               count
+       );
+
+       for (i=0;i<count;i++) {
+               if (attrs[i].pValue != NULL) {
+                       _pkcs11h_mem_free ((void *)&attrs[i].pValue);
+                       attrs[i].pValue = NULL;
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_freeObjectAttributes return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_findObjects (
+       IN const pkcs11h_session_t session,
+       IN const CK_ATTRIBUTE * const filter,
+       IN const CK_ULONG filter_attrs,
+       OUT CK_OBJECT_HANDLE **const p_objects,
+       OUT CK_ULONG *p_objects_found
+) {
+       /*
+        * THREADING:
+        * session->mutex must be locked
+        */
+       PKCS11H_BOOL should_FindObjectsFinal = FALSE;
+
+       CK_OBJECT_HANDLE *objects = NULL;
+       CK_ULONG objects_size = 0;
+       CK_OBJECT_HANDLE objects_buffer[100];
+       CK_ULONG objects_found;
+       CK_OBJECT_HANDLE oLast = PKCS11H_INVALID_OBJECT_HANDLE;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (session!=NULL);
+       PKCS11H_ASSERT (!(filter==NULL && filter_attrs!=0) || filter!=NULL);
+       PKCS11H_ASSERT (p_objects!=NULL);
+       PKCS11H_ASSERT (p_objects_found!=NULL);
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_findObjects entry session=%p, filter=%p, filter_attrs=%ld, p_objects=%p, p_objects_found=%p",
+               (void *)session,
+               (void *)filter,
+               filter_attrs,
+               (void *)p_objects,
+               (void *)p_objects_found
+       );
+
+       *p_objects = NULL;
+       *p_objects_found = 0;
+
+       if (
+               rv == CKR_OK &&
+               (rv = session->provider->f->C_FindObjectsInit (
+                       session->session_handle,
+                       (CK_ATTRIBUTE *)filter,
+                       filter_attrs
+               )) == CKR_OK
+       ) {
+               should_FindObjectsFinal = TRUE;
+       }
+
+       while (
+               rv == CKR_OK &&
+               (rv = session->provider->f->C_FindObjects (
+                       session->session_handle,
+                       objects_buffer,
+                       sizeof (objects_buffer) / sizeof (CK_OBJECT_HANDLE),
+                       &objects_found
+               )) == CKR_OK &&
+               objects_found > 0
+       ) { 
+               CK_OBJECT_HANDLE *temp = NULL;
+               
+               /*
+                * Begin workaround
+                *
+                * Workaround iKey bug
+                * It returns the same objects over and over
+                */
+               if (oLast == objects_buffer[0]) {
+                       PKCS11H_LOG (
+                               PKCS11H_LOG_WARN,
+                               "PKCS#11: Bad PKCS#11 C_FindObjects implementation detected, workaround applied"
+                       );
+                       break;
+               }
+               oLast = objects_buffer[0];
+               /* End workaround */
+               
+               if (
+                       (rv = _pkcs11h_mem_malloc (
+                               (void *)&temp,
+                               (objects_size+objects_found) * sizeof (CK_OBJECT_HANDLE)
+                       )) == CKR_OK
+               ) {
+                       if (objects != NULL) {
+                               memmove (
+                                       temp,
+                                       objects,
+                                       objects_size * sizeof (CK_OBJECT_HANDLE)
+                               );
+                       }
+                       memmove (
+                               temp + objects_size,
+                               objects_buffer,
+                               objects_found * sizeof (CK_OBJECT_HANDLE)
+                       );
+               }
+
+               if (objects != NULL) {
+                       _pkcs11h_mem_free ((void *)&objects);
+                       objects = NULL;
+               }
+
+               if (rv == CKR_OK) {
+                       objects = temp;
+                       objects_size += objects_found;
+                       temp = NULL;
+               }
+
+               if (temp != NULL) {
+                       _pkcs11h_mem_free ((void *)&temp);
+                       temp = NULL;
+               }
+       }
+
+       if (should_FindObjectsFinal) {
+               session->provider->f->C_FindObjectsFinal (
+                       session->session_handle
+               );
+               should_FindObjectsFinal = FALSE;
+       }
+       
+       if (rv == CKR_OK) {
+               *p_objects = objects;
+               *p_objects_found = objects_size;
+               objects = NULL;
+               objects_size = 0;
+       }
+
+       if (objects != NULL) {
+               _pkcs11h_mem_free ((void *)&objects);
+               objects = NULL;
+               objects_size = 0;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_findObjects return rv=%ld-'%s', *p_objects_found=%ld",
+               rv,
+               pkcs11h_getMessage (rv),
+               *p_objects_found
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_token_getTokenId (
+       IN const CK_TOKEN_INFO_PTR info,
+       OUT pkcs11h_token_id_t * const p_token_id
+) {
+       pkcs11h_token_id_t token_id;
+       CK_RV rv = CKR_OK;
+       
+       PKCS11H_ASSERT (info!=NULL);
+       PKCS11H_ASSERT (p_token_id!=NULL);
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=%p",
+               (void *)p_token_id
+       );
+
+       *p_token_id = NULL;
+
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_token_newTokenId (&token_id)) == CKR_OK
+       ) {
+               _pkcs11h_util_fixupFixedString (
+                       token_id->label,
+                       (char *)info->label,
+                       sizeof (info->label)
+               );
+               _pkcs11h_util_fixupFixedString (
+                       token_id->manufacturerID,
+                       (char *)info->manufacturerID,
+                       sizeof (info->manufacturerID)
+               );
+               _pkcs11h_util_fixupFixedString (
+                       token_id->model,
+                       (char *)info->model,
+                       sizeof (info->model)
+               );
+               _pkcs11h_util_fixupFixedString (
+                       token_id->serialNumber,
+                       (char *)info->serialNumber,
+                       sizeof (info->serialNumber)
+               );
+               strncpy (
+                       token_id->display,
+                       token_id->label,
+                       sizeof (token_id->display)
+               );
+       }
+
+       if (rv == CKR_OK) {
+               *p_token_id = token_id;
+               token_id = NULL;
+       }
+
+       if (token_id != NULL) {
+               _pkcs11h_mem_free ((void *)&token_id);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_token_getTokenId return rv=%ld-'%s', *p_token_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_token_id
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_token_newTokenId (
+       OUT pkcs11h_token_id_t * const p_token_id
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (p_token_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=%p",
+               (void *)p_token_id
+       );
+
+       *p_token_id = NULL;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_malloc ((void *)p_token_id, sizeof (struct pkcs11h_token_id_s));
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_token_newTokenId return rv=%ld-'%s', *p_token_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_token_id
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_getSessionByTokenId (
+       IN const pkcs11h_token_id_t token_id,
+       OUT pkcs11h_session_t * const p_session
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_session_t session = NULL;
+       PKCS11H_BOOL is_new_session = FALSE;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (token_id!=NULL);
+       PKCS11H_ASSERT (p_session!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=%p, p_session=%p",
+               (void *)token_id,
+               (void *)p_session
+       );
+
+       *p_session = NULL;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.session)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               pkcs11h_session_t current_session;
+
+               for (
+                       current_session = s_pkcs11h_data->sessions;
+                       current_session != NULL && session == NULL;
+                       current_session = current_session->next
+               ) {
+                       if (
+                               pkcs11h_token_sameTokenId (
+                                       current_session->token_id,
+                                       token_id
+                               )
+                       ) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Using cached session"
+                               );
+                               session = current_session;
+                               session->reference_count++;
+                       }
+               }
+       }
+
+       if (
+               rv == CKR_OK &&
+               session == NULL
+       ) {
+               is_new_session = TRUE;
+       }
+
+       if (is_new_session) {
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Creating a new session"
+               );
+
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_mem_malloc ((void *)&session, sizeof (struct pkcs11h_session_s))) == CKR_OK
+               ) {
+                       session->reference_count = 1;
+                       session->session_handle = PKCS11H_INVALID_SESSION_HANDLE;
+                       
+                       session->pin_cache_period = s_pkcs11h_data->pin_cache_period;
+
+               }
+
+               if (rv == CKR_OK) {
+                       rv = pkcs11h_token_duplicateTokenId (
+                               &session->token_id,
+                               token_id
+                       );
+               }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_threading_mutexInit (&session->mutex);
+               }
+#endif
+
+               if (rv == CKR_OK) {
+                       session->valid = TRUE;
+                       session->next = s_pkcs11h_data->sessions;
+                       s_pkcs11h_data->sessions = session;
+               }
+               else {
+#if defined(ENABLE_PKCS11H_THREADING)
+                       _pkcs11h_threading_mutexFree (&session->mutex);
+#endif
+                       _pkcs11h_mem_free ((void *)&session);
+               }
+       }
+
+       if (rv == CKR_OK) {
+               *p_session = session;
+               session = NULL;
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.session);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=%ld-'%s', *p_session=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_session
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_release (
+       IN const pkcs11h_session_t session
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (session!=NULL);
+       PKCS11H_ASSERT (session->reference_count>=0);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_release entry session=%p",
+               (void *)session
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       /*
+        * Never logout for now
+        */
+       if (rv == CKR_OK) {
+               if (session->reference_count > 0) {
+                       session->reference_count--;
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_release return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_reset (
+       IN const pkcs11h_session_t session,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT CK_SLOT_ID * const p_slot
+) {
+       PKCS11H_BOOL found = FALSE;
+
+       CK_RV rv = CKR_OK;
+
+       unsigned nRetry = 0;
+
+       PKCS11H_ASSERT (session!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       PKCS11H_ASSERT (p_slot!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_reset entry session=%p, user_data=%p, mask_prompt=%08x, p_slot=%p",
+               (void *)session,
+               user_data,
+               mask_prompt,
+               (void *)p_slot
+       );
+
+       *p_slot = PKCS11H_INVALID_SLOT_ID;
+
+       while (
+               rv == CKR_OK &&
+               !found
+       ) {
+               pkcs11h_provider_t current_provider = NULL;
+
+               for (
+                       current_provider = s_pkcs11h_data->providers;
+                       (
+                               rv == CKR_OK &&
+                               current_provider != NULL &&
+                               !found
+                       );
+                       current_provider = current_provider->next
+               ) {
+                       CK_SLOT_ID_PTR slots = NULL;
+                       CK_ULONG slotnum;
+                       CK_SLOT_ID slot_index;
+
+                       /*
+                        * Skip all other providers,
+                        * if one was set in the past
+                        */
+                       if (
+                               session->provider != NULL &&
+                               session->provider != current_provider
+                       ) {
+                               rv = CKR_CANCEL;
+                       }
+               
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_session_getSlotList (
+                                       current_provider,
+                                       CK_TRUE,
+                                       &slots,
+                                       &slotnum
+                               );
+                       }
+
+                       for (
+                               slot_index=0;
+                               (
+                                       slot_index < slotnum &&
+                                       rv == CKR_OK && 
+                                       !found
+                               );
+                               slot_index++
+                       ) {
+                               pkcs11h_token_id_t token_id = NULL;
+                               CK_TOKEN_INFO info;
+
+                               if (rv == CKR_OK) {
+                                       rv = current_provider->f->C_GetTokenInfo (
+                                               slots[slot_index],
+                                               &info
+                                       );
+                               }
+
+                               if (
+                                       rv == CKR_OK &&
+                                       (rv = _pkcs11h_token_getTokenId (
+                                               &info,
+                                               &token_id
+                                       )) == CKR_OK &&
+                                       pkcs11h_token_sameTokenId (
+                                               session->token_id,
+                                               token_id
+                                       )
+                               ) {
+                                       found = TRUE;
+                                       *p_slot = slots[slot_index];
+                                       if (session->provider == NULL) {
+                                               session->provider = current_provider;
+                                               session->allow_protected_auth_supported = (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
+                                       }
+                               }
+
+                               if (rv != CKR_OK) {
+                                       PKCS11H_DEBUG (
+                                               PKCS11H_LOG_DEBUG1,
+                                               "PKCS#11: Cannot get token information for provider '%s' slot %ld rv=%ld-'%s'",
+                                               current_provider->manufacturerID,
+                                               slots[slot_index],
+                                               rv,
+                                               pkcs11h_getMessage (rv)
+                                       );
+
+                                       /*
+                                        * Ignore error
+                                        */
+                                       rv = CKR_OK;
+                               }
+
+                               if (token_id != NULL) {
+                                       pkcs11h_token_freeTokenId (token_id);
+                               }
+                       }
+
+                       if (rv != CKR_OK) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
+                                       current_provider->manufacturerID,
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               /*
+                                * Ignore error
+                                */
+                               rv = CKR_OK;
+                       }
+
+                       if (slots != NULL) {
+                               _pkcs11h_mem_free ((void *)&slots);
+                               slots = NULL;
+                       }
+               }
+
+               if (rv == CKR_OK && !found && (mask_prompt & PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT) == 0) {
+                       rv = CKR_TOKEN_NOT_PRESENT;
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       !found
+               ) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Calling token_prompt hook for '%s'",
+                               session->token_id->display
+                       );
+       
+                       if (
+                               !s_pkcs11h_data->hooks.token_prompt (
+                                       s_pkcs11h_data->hooks.token_prompt_data,
+                                       user_data,
+                                       session->token_id,
+                                       nRetry++
+                               )
+                       ) {
+                               rv = CKR_CANCEL;
+                       }
+
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: token_prompt returned %ld",
+                               rv
+                       );
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_reset return rv=%ld-'%s', *p_slot=%ld",
+               rv,
+               pkcs11h_getMessage (rv),
+               *p_slot
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_getObjectById (
+       IN const pkcs11h_session_t session,
+       IN const CK_OBJECT_CLASS class,
+       IN const CK_BYTE_PTR id,
+       IN const size_t id_size,
+       OUT CK_OBJECT_HANDLE * const p_handle
+) {
+       /*
+        * THREADING:
+        * session->mutex must be locked
+        */
+       CK_ATTRIBUTE filter[] = {
+               {CKA_CLASS, (void *)&class, sizeof (class)},
+               {CKA_ID, (void *)id, id_size}
+       };
+       CK_OBJECT_HANDLE *objects = NULL;
+       CK_ULONG objects_found = 0;
+       CK_RV rv = CKR_OK;
+       
+       /*PKCS11H_ASSERT (session!=NULL); NOT NEEDED*/
+       PKCS11H_ASSERT (id!=NULL);
+       PKCS11H_ASSERT (p_handle!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getObjectById entry session=%p, class=%ld, id=%p, id_size=%u, p_handle=%p",
+               (void *)session,
+               class,
+               id,
+               id_size,
+               (void *)p_handle
+       );
+
+       *p_handle = PKCS11H_INVALID_OBJECT_HANDLE;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_validate (session);
+       }
+
+       if (rv == CKR_OK) { 
+               rv = _pkcs11h_session_findObjects (
+                       session,
+                       filter,
+                       sizeof (filter) / sizeof (CK_ATTRIBUTE),
+                       &objects,
+                       &objects_found
+               );
+       }
+
+       if (
+               rv == CKR_OK &&
+               objects_found == 0
+       ) {
+               rv = CKR_FUNCTION_REJECTED;
+       }
+
+       if (rv == CKR_OK) {
+               *p_handle = objects[0];
+       }
+
+       if (objects != NULL) {
+               _pkcs11h_mem_free ((void *)&objects);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_getObjectById return rv=%ld-'%s', *p_handle=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_handle
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_validate (
+       IN const pkcs11h_session_t session
+) {
+       CK_RV rv = CKR_OK;
+
+       /*PKCS11H_ASSERT (session!=NULL); NOT NEEDED*/
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_validate entry session=%p",
+               (void *)session
+       );
+
+       if (
+               rv == CKR_OK &&
+               session == NULL
+       ) {
+               rv = CKR_SESSION_HANDLE_INVALID;
+       }
+
+       if (
+               rv == CKR_OK &&
+               (
+                       session->provider == NULL ||
+                       !session->provider->enabled ||
+                       session->session_handle == PKCS11H_INVALID_SESSION_HANDLE
+               )
+       ) {
+               rv = CKR_SESSION_HANDLE_INVALID;
+       }
+
+       if (
+               rv == CKR_OK &&
+               session->pin_expire_time != (time_t)0 &&
+               session->pin_expire_time < PKCS11H_TIME (NULL)
+       ) {
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Forcing logout due to pin timeout"
+               );
+               _pkcs11h_session_logout (session);
+               rv = CKR_SESSION_HANDLE_INVALID;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_validate return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_touch (
+       IN const pkcs11h_session_t session
+) {
+       /*
+        * THREADING:
+        * session->mutex must be locked
+        */
+       PKCS11H_ASSERT (session!=NULL);
+
+       if (session->pin_cache_period == PKCS11H_PIN_CACHE_INFINITE) {
+               session->pin_expire_time = 0;
+       }
+       else {
+               session->pin_expire_time = (
+                       PKCS11H_TIME (NULL) +
+                       (time_t)session->pin_cache_period
+               );
+       }
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_token_login (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL readonly,
+       IN const char * const pin
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_SLOT_ID slot = PKCS11H_INVALID_SLOT_ID;
+       CK_ULONG pin_size = 0;
+       CK_RV rv = CKR_OK;
+
+       pkcs11h_session_t session = NULL;
+
+       PKCS11H_ASSERT (token_id!=NULL);
+       /*PKCS11H_ASSERT (pin!=NULL); NOT NEEDED*/
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_login entry token_id=%p, readonly=%d\n", 
+               (void *)token_id,
+               readonly ? 1 : 0
+       );
+
+       if (pin != NULL) {
+               pin_size = strlen (pin);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_getSessionByTokenId (
+                       token_id,
+                       &session
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_logout (session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_reset (session, NULL, 0, &slot);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_touch (session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = session->provider->f->C_OpenSession (
+                       slot,
+                       (
+                               CKF_SERIAL_SESSION |
+                               (readonly ? 0 : CKF_RW_SESSION)
+                       ),
+                       NULL_PTR,
+                       NULL_PTR,
+                       &session->session_handle
+               );
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = session->provider->f->C_Login (
+                       session->session_handle,
+                       CKU_USER,
+                       (CK_UTF8CHAR_PTR)pin,
+                       pin_size
+               )) != CKR_OK
+       ) {
+               if (rv == CKR_USER_ALREADY_LOGGED_IN) {
+                       rv = CKR_OK;
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_login return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_login (
+       IN const pkcs11h_session_t session,
+       IN const PKCS11H_BOOL is_publicOnly,
+       IN const PKCS11H_BOOL readonly,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+) {
+       /*
+        * THREADING:
+        * session->mutex must be locked
+        */
+       CK_SLOT_ID slot = PKCS11H_INVALID_SLOT_ID;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (session!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_login entry session=%p, is_publicOnly=%d, readonly=%d, user_data=%p, mask_prompt=%08x",
+               (void *)session,
+               is_publicOnly ? 1 : 0,
+               readonly ? 1 : 0,
+               user_data,
+               mask_prompt
+       );
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_logout (session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_reset (session, user_data, mask_prompt, &slot);
+       }
+
+       if (rv == CKR_OK) {
+               rv = session->provider->f->C_OpenSession (
+                       slot,
+                       (
+                               CKF_SERIAL_SESSION |
+                               (readonly ? 0 : CKF_RW_SESSION)
+                       ),
+                       NULL_PTR,
+                       NULL_PTR,
+                       &session->session_handle
+               );
+       }
+
+       if (
+               rv == CKR_OK &&
+               (
+                       !is_publicOnly ||
+                       session->provider->cert_is_private
+               )
+       ) {
+               PKCS11H_BOOL login_succeeded = FALSE;
+               unsigned nRetryCount = 0;
+
+               if ((mask_prompt & PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT) == 0) {
+                       rv = CKR_USER_NOT_LOGGED_IN;
+
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Calling pin_prompt hook denied because of prompt mask"
+                       );
+               }
+
+               while (
+                       rv == CKR_OK &&
+                       !login_succeeded &&
+                       nRetryCount < s_pkcs11h_data->max_retries 
+               ) {
+                       CK_UTF8CHAR_PTR utfPIN = NULL;
+                       CK_ULONG lPINLength = 0;
+                       char pin[1024];
+
+                       if (
+                               rv == CKR_OK &&
+                               !(
+                                       s_pkcs11h_data->allow_protected_auth  &&
+                                       session->provider->allow_protected_auth &&
+                                       session->allow_protected_auth_supported
+                               )
+                       ) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Calling pin_prompt hook for '%s'",
+                                       session->token_id->display
+                               );
+
+                               if (
+                                       !s_pkcs11h_data->hooks.pin_prompt (
+                                               s_pkcs11h_data->hooks.pin_prompt_data,
+                                               user_data,
+                                               session->token_id,
+                                               nRetryCount,
+                                               pin,
+                                               sizeof (pin)
+                                       )
+                               ) {
+                                       rv = CKR_CANCEL;
+                               }
+                               else {
+                                       utfPIN = (CK_UTF8CHAR_PTR)pin;
+                                       lPINLength = strlen (pin);
+                               }
+
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: pin_prompt hook return rv=%ld",
+                                       rv
+                               );
+                       }
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_session_touch (session);
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = session->provider->f->C_Login (
+                                       session->session_handle,
+                                       CKU_USER,
+                                       utfPIN,
+                                       lPINLength
+                               )) != CKR_OK
+                       ) {
+                               if (rv == CKR_USER_ALREADY_LOGGED_IN) {
+                                       rv = CKR_OK;
+                               }
+                       }
+
+                       /*
+                        * Clean PIN buffer
+                        */
+                       memset (pin, 0, sizeof (pin));
+
+                       if (rv == CKR_OK) {
+                               login_succeeded = TRUE;
+                       }
+                       else if (
+                               rv == CKR_PIN_INCORRECT ||
+                               rv == CKR_PIN_INVALID
+                       ) {
+                               /*
+                                * Ignore these errors
+                                * so retry can be performed
+                                */
+                               rv = CKR_OK;
+                       }
+
+                       nRetryCount++;
+               }
+
+               /*
+                * Retry limit
+                */
+               if (!login_succeeded && rv == CKR_OK) {
+                       rv = CKR_PIN_INCORRECT;
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_login return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_session_logout (
+       IN const pkcs11h_session_t session
+) {
+       /*
+        * THREADING:
+        * session->mutex must be locked
+        */
+       /*PKCS11H_ASSERT (session!=NULL); NOT NEEDED*/
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_logout entry session=%p",
+               (void *)session
+       );
+
+       if (
+               session != NULL &&
+               session->session_handle != PKCS11H_INVALID_SESSION_HANDLE
+       ) {
+               CK_RV rv = CKR_OK;
+
+               if (rv == CKR_OK) {
+                       if (session->provider != NULL) {
+                               session->provider->f->C_Logout (session->session_handle);
+                               session->provider->f->C_CloseSession (session->session_handle);
+                       }
+                       session->session_handle = PKCS11H_INVALID_SESSION_HANDLE;
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_session_logout return"
+       );
+
+       return CKR_OK;
+}
+
+static
+void
+_pkcs11h_hooks_default_log (
+       IN void * const global_data,
+       IN const unsigned flags,
+       IN const char * const format,
+       IN va_list args
+) {
+       (void)global_data;
+       (void)flags;
+       (void)format;
+       (void)args;
+}
+
+static
+PKCS11H_BOOL
+_pkcs11h_hooks_default_token_prompt (
+       IN void * const global_data,
+       IN void * const user_data,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry
+) {
+       /*PKCS11H_ASSERT (global_data) NOT NEEDED */
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       PKCS11H_ASSERT (token!=NULL);
+
+       (void)global_data;
+       (void)user_data;
+       (void)retry;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_hooks_default_token_prompt global_data=%p, user_data=%p, display='%s'",
+               global_data,
+               user_data,
+               token->display
+       );
+
+       return FALSE;
+}
+
+static
+PKCS11H_BOOL
+_pkcs11h_hooks_default_pin_prompt (
+       IN void * const global_data,
+       IN void * const user_data,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry,
+       OUT char * const pin,
+       IN const size_t pin_max
+) {
+       /*PKCS11H_ASSERT (global_data) NOT NEEDED */
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       PKCS11H_ASSERT (token!=NULL);
+
+       (void)global_data;
+       (void)user_data;
+       (void)retry;
+       (void)pin;
+       (void)pin_max;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_hooks_default_pin_prompt global_data=%p, user_data=%p, display='%s'",
+               global_data,
+               user_data,
+               token->display
+       );
+       
+       return FALSE;
+}
+
+#if !defined(WIN32)
+#if defined(ENABLE_PKCS11H_THREADING)
+
+static
+void
+__pkcs11h_threading_atfork_prepare  () {
+       __pkcs1h_threading_mutexLockAll ();
+}
+static
+void
+__pkcs11h_threading_atfork_parent () {
+       __pkcs1h_threading_mutexReleaseAll ();
+}
+static
+void
+__pkcs11h_threading_atfork_child () {
+       __pkcs1h_threading_mutexReleaseAll ();
+       _pkcs11h_forkFixup ();
+}
+
+#endif                         /* ENABLE_PKCS11H_THREADING */
+
+static
+CK_RV
+_pkcs11h_forkFixup () {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pid_t mypid = getpid ();
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_forkFixup entry pid=%d",
+               mypid
+       );
+
+       if (s_pkcs11h_data != NULL && s_pkcs11h_data->initialized) {
+               pkcs11h_provider_t current;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               if (_pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global) == CKR_OK) {
+                       mutex_locked = TRUE;
+               }
+#endif
+
+               for (
+                       current = s_pkcs11h_data->providers;
+                       current != NULL;
+                       current = current->next
+               ) {
+                       if (current->enabled) {
+                               current->f->C_Initialize (NULL);
+                       }
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+                       /*
+                        * After fork we have no threads...
+                        * So just initialized.
+                        */
+                       if (s_pkcs11h_data->slotevent.initialized) {
+                               s_pkcs11h_data->slotevent.initialized = FALSE;
+                               _pkcs11h_slotevent_init ();
+                       }
+#endif
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_forkFixup return"
+       );
+
+       return CKR_OK;
+}
+
+#endif                         /* !WIN32 */
+
+#if defined(ENABLE_PKCS11H_TOKEN)
+/*======================================================================*
+ * TOKEN INTERFACE
+ *======================================================================*/
+
+CK_RV
+pkcs11h_token_ensureAccess (
+       IN const pkcs11h_token_id_t token_id,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_session_t session = NULL;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (token_id!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_ensureAccess entry token_id=%p, user_data=%p, mask_prompt=%08x",
+               (void *)token_id,
+               user_data,
+               mask_prompt
+       );
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_getSessionByTokenId (
+                       token_id,
+                       &session
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               CK_SLOT_ID slot;
+
+               rv = _pkcs11h_session_reset (
+                       session,
+                       user_data,
+                       mask_prompt,
+                       &slot
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_ensureAccess return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+#endif                         /* ENABLE_PKCS11H_TOKEN */
+
+#if defined(ENABLE_PKCS11H_DATA)
+/*======================================================================*
+ * DATA INTERFACE
+ *======================================================================*/
+
+static
+CK_RV
+_pkcs11h_data_getObject (
+       IN const pkcs11h_session_t session,
+       IN const char * const application,
+       IN const char * const label,
+       OUT CK_OBJECT_HANDLE * const p_handle
+) {
+       CK_OBJECT_CLASS class = CKO_DATA;
+       CK_ATTRIBUTE filter[] = {
+               {CKA_CLASS, (void *)&class, sizeof (class)},
+               {CKA_APPLICATION, (void *)application, application == NULL ? 0 : strlen (application)},
+               {CKA_LABEL, (void *)label, label == NULL ? 0 : strlen (label)}
+       };
+       CK_OBJECT_HANDLE *objects = NULL;
+       CK_ULONG objects_found = 0;
+       CK_RV rv = CKR_OK;
+       
+       PKCS11H_ASSERT (session!=NULL);
+       PKCS11H_ASSERT (application!=NULL);
+       PKCS11H_ASSERT (label!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_data_getObject entry session=%p, application='%s', label='%s', p_handle=%p",
+               (void *)session,
+               application,
+               label,
+               (void *)p_handle
+       );
+
+       *p_handle = PKCS11H_INVALID_OBJECT_HANDLE;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_validate (session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_findObjects (
+                       session,
+                       filter,
+                       sizeof (filter) / sizeof (CK_ATTRIBUTE),
+                       &objects,
+                       &objects_found
+               );
+       }
+
+       if (
+               rv == CKR_OK &&
+               objects_found == 0
+       ) {
+               rv = CKR_FUNCTION_REJECTED;
+       }
+
+       if (rv == CKR_OK) {
+               *p_handle = objects[0];
+       }
+
+       if (objects != NULL) {
+               _pkcs11h_mem_free ((void *)&objects);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_data_getObject return rv=%ld-'%s', *p_handle=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_handle
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_data_get (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN const char * const application,
+       IN const char * const label,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT unsigned char * const blob,
+       IN OUT size_t * const p_blob_size
+) {
+       CK_ATTRIBUTE attrs[] = {
+               {CKA_VALUE, NULL, 0}
+       };
+       CK_OBJECT_HANDLE handle = PKCS11H_INVALID_OBJECT_HANDLE;
+       CK_RV rv = CKR_OK;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_session_t session = NULL;
+       PKCS11H_BOOL op_succeed = FALSE;
+       PKCS11H_BOOL login_retry = FALSE;
+       size_t blob_size_max = 0;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (token_id!=NULL);
+       PKCS11H_ASSERT (application!=NULL);
+       PKCS11H_ASSERT (label!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       /*PKCS11H_ASSERT (blob!=NULL); NOT NEEDED*/
+       PKCS11H_ASSERT (p_blob_size!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_get entry token_id=%p, application='%s', label='%s', user_data=%p, mask_prompt=%08x, blob=%p, *p_blob_size=%u",
+               (void *)token_id,
+               application,
+               label,
+               user_data,
+               mask_prompt,
+               blob,
+               blob != NULL ? *p_blob_size : 0
+       );
+
+       if (blob != NULL) {
+               blob_size_max = *p_blob_size;
+       }
+       *p_blob_size = 0;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_getSessionByTokenId (
+                       token_id,
+                       &session
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       while (rv == CKR_OK && !op_succeed) {
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_validate (session);
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_data_getObject (
+                               session,
+                               application,
+                               label,
+                               &handle
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_getObjectAttributes (
+                               session,
+                               handle,
+                               attrs,
+                               sizeof (attrs)/sizeof (CK_ATTRIBUTE)
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Read data object failed rv=%ld-'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+                               login_retry = TRUE;
+                               rv = _pkcs11h_session_login (
+                                       session,
+                                       is_public,
+                                       TRUE,
+                                       user_data,
+                                       mask_prompt
+                               );
+                       }
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               *p_blob_size = attrs[0].ulValueLen;
+       }
+
+       if (rv == CKR_OK) {
+               if (blob != NULL) {
+                       if (*p_blob_size > blob_size_max) {
+                               rv = CKR_BUFFER_TOO_SMALL;
+                       }
+                       else {
+                               memmove (blob, attrs[0].pValue, *p_blob_size);
+                       }
+               }
+       }
+
+       _pkcs11h_session_freeObjectAttributes (
+               attrs,
+               sizeof (attrs)/sizeof (CK_ATTRIBUTE)
+       );
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_get return rv=%ld-'%s', *p_blob_size=%u",
+               rv,
+               pkcs11h_getMessage (rv),
+               *p_blob_size
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_data_put (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN const char * const application,
+       IN const char * const label,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT unsigned char * const blob,
+       IN const size_t blob_size
+) {
+       CK_OBJECT_CLASS class = CKO_DATA;
+       CK_BBOOL ck_true = CK_TRUE;
+       CK_BBOOL ck_false = CK_FALSE;
+
+       CK_ATTRIBUTE attrs[] = {
+               {CKA_CLASS, &class, sizeof (class)},
+               {CKA_TOKEN, &ck_true, sizeof (ck_true)},
+               {CKA_PRIVATE, is_public ? &ck_false : &ck_true, sizeof (CK_BBOOL)},
+               {CKA_APPLICATION, (void *)application, strlen (application)},
+               {CKA_LABEL, (void *)label, strlen (label)},
+               {CKA_VALUE, blob, blob_size}
+       };
+
+       CK_OBJECT_HANDLE handle = PKCS11H_INVALID_OBJECT_HANDLE;
+       CK_RV rv = CKR_OK;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_session_t session = NULL;
+       PKCS11H_BOOL op_succeed = FALSE;
+       PKCS11H_BOOL login_retry = FALSE;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (token_id!=NULL);
+       PKCS11H_ASSERT (application!=NULL);
+       PKCS11H_ASSERT (label!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       PKCS11H_ASSERT (blob!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_put entry token_id=%p, application='%s', label='%s', user_data=%p, mask_prompt=%08x, blob=%p, blob_size=%u",
+               (void *)token_id,
+               application,
+               label,
+               user_data,
+               mask_prompt,
+               blob,
+               blob != NULL ? blob_size : 0
+       );
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_getSessionByTokenId (
+                       token_id,
+                       &session
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       while (rv == CKR_OK && !op_succeed) {
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_validate (session);
+               }
+
+               if (rv == CKR_OK) {
+                       rv = session->provider->f->C_CreateObject (
+                               session->session_handle,
+                               attrs,
+                               sizeof (attrs)/sizeof (CK_ATTRIBUTE),
+                               &handle
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Write data object failed rv=%ld-'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+                               login_retry = TRUE;
+                               rv = _pkcs11h_session_login (
+                                       session,
+                                       is_public,
+                                       FALSE,
+                                       user_data,
+                                       mask_prompt
+                               );
+                       }
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_put return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_data_del (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN const char * const application,
+       IN const char * const label,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_session_t session = NULL;
+       PKCS11H_BOOL op_succeed = FALSE;
+       PKCS11H_BOOL login_retry = FALSE;
+       CK_OBJECT_HANDLE handle = PKCS11H_INVALID_OBJECT_HANDLE;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (token_id!=NULL);
+       PKCS11H_ASSERT (application!=NULL);
+       PKCS11H_ASSERT (label!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_del entry token_id=%p, application='%s', label='%s', user_data=%p, mask_prompt=%08x",
+               (void *)token_id,
+               application,
+               label,
+               user_data,
+               mask_prompt
+       );
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_getSessionByTokenId (
+                       token_id,
+                       &session
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       while (rv == CKR_OK && !op_succeed) {
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_validate (session);
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_data_getObject (
+                               session,
+                               application,
+                               label,
+                               &handle
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       rv = session->provider->f->C_DestroyObject (
+                               session->session_handle,
+                               handle
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Remove data object failed rv=%ld-'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+                               login_retry = TRUE;
+                               rv = _pkcs11h_session_login (
+                                       session,
+                                       is_public,
+                                       FALSE,
+                                       user_data,
+                                       mask_prompt
+                               );
+                       }
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               if (mutex_locked) {
+                       _pkcs11h_threading_mutexRelease (&session->mutex);
+                       mutex_locked = FALSE;
+               }
+#endif
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_del return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+#endif                         /* ENABLE_PKCS11H_DATA */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+/*======================================================================*
+ * CERTIFICATE INTERFACE
+ *======================================================================*/
+
+static
+time_t
+_pkcs11h_certificate_getExpiration (
+       IN const unsigned char * const certificate,
+       IN const size_t certificate_size
+) {
+       /*
+        * This function compare the notAfter
+        * and select the most recent certificate
+        */
+
+#if defined(USE_PKCS11H_OPENSSL)
+       X509 *x509 = NULL;
+#elif defined(USE_PKCS11H_GNUTLS)
+       gnutls_x509_crt_t cert = NULL;
+#endif
+       time_t expire = (time_t)0;
+
+       PKCS11H_ASSERT (certificate!=NULL);
+
+#if defined(USE_PKCS11H_OPENSSL)
+       x509 = X509_new ();
+
+       if (x509 != NULL) {
+               pkcs11_openssl_d2i_t d2i = (pkcs11_openssl_d2i_t)certificate;
+
+               if (
+                       d2i_X509 (&x509, &d2i, certificate_size)
+               ) {
+                       ASN1_TIME *notBefore = X509_get_notBefore (x509);
+                       ASN1_TIME *notAfter = X509_get_notAfter (x509);
+
+                       if (
+                               notBefore != NULL &&
+                               notAfter != NULL &&
+                               X509_cmp_current_time (notBefore) <= 0 &&
+                               X509_cmp_current_time (notAfter) >= 0 &&
+                               notAfter->length >= 12
+                       ) {
+                               struct tm tm1;
+                               time_t now = time (NULL);
+
+                               memset (&tm1, 0, sizeof (tm1));
+                               tm1.tm_year = (notAfter->data[ 0] - '0') * 10 + (notAfter->data[ 1] - '0') + 100;
+                               tm1.tm_mon  = (notAfter->data[ 2] - '0') * 10 + (notAfter->data[ 3] - '0') - 1;
+                               tm1.tm_mday = (notAfter->data[ 4] - '0') * 10 + (notAfter->data[ 5] - '0');
+                               tm1.tm_hour = (notAfter->data[ 6] - '0') * 10 + (notAfter->data[ 7] - '0');
+                               tm1.tm_min  = (notAfter->data[ 8] - '0') * 10 + (notAfter->data[ 9] - '0');
+                               tm1.tm_sec  = (notAfter->data[10] - '0') * 10 + (notAfter->data[11] - '0');
+
+                               tm1.tm_sec += (int)(mktime (localtime (&now)) - mktime (gmtime (&now)));
+
+                               expire = mktime (&tm1);
+                       }
+               }
+       }
+
+       if (x509 != NULL) {
+               X509_free (x509);
+               x509 = NULL;
+       }
+#elif defined(USE_PKCS11H_GNUTLS)
+       if (gnutls_x509_crt_init (&cert) == GNUTLS_E_SUCCESS) {
+               gnutls_datum_t datum = {(unsigned char *)certificate, certificate_size};
+
+               if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
+
+                       time_t activation_time = gnutls_x509_crt_get_activation_time (cert);
+                       time_t expiration_time = gnutls_x509_crt_get_expiration_time (cert);
+                       time_t now = time (NULL);
+
+                       if (
+                               now >= activation_time &&
+                               now <= expiration_time
+                       ) {
+                               expire = expiration_time;
+                       }
+               }
+               gnutls_x509_crt_deinit (cert);
+       }
+#else
+#error Invalid configuration
+#endif
+
+       return expire;
+}
+
+static
+PKCS11H_BOOL
+_pkcs11h_certificate_isBetterCertificate (
+       IN const unsigned char * const current,
+       IN const size_t current_size,
+       IN const unsigned char * const newone,
+       IN const size_t newone_size
+) {
+       PKCS11H_BOOL is_better = FALSE;
+
+       /*PKCS11H_ASSERT (current!=NULL); NOT NEEDED */
+       PKCS11H_ASSERT (newone!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_isBetterCertificate entry current=%p, current_size=%u, newone=%p, newone_size=%u",
+               current,
+               current_size,
+               newone,
+               newone_size
+       );
+
+       /*
+        * First certificae
+        * always select
+        */
+       if (current_size == 0 || current == NULL) {
+               is_better = TRUE;
+       }
+       else {
+               time_t notAfterCurrent, notAfterNew;
+
+               notAfterCurrent = _pkcs11h_certificate_getExpiration (
+                       current,
+                       current_size
+               );
+               notAfterNew = _pkcs11h_certificate_getExpiration (
+                       newone,
+                       newone_size
+               );
+
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG2,
+                       "PKCS#11: _pkcs11h_certificate_isBetterCertificate notAfterCurrent='%s', notAfterNew='%s'",
+                       asctime (localtime (&notAfterCurrent)),
+                       asctime (localtime (&notAfterNew))
+               );
+
+               is_better = notAfterNew > notAfterCurrent;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_isBetterCertificate return is_better=%d",
+               is_better ? 1 : 0
+       );
+       
+       return is_better;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_newCertificateId (
+       OUT pkcs11h_certificate_id_t * const p_certificate_id
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (p_certificate_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=%p",
+               (void *)p_certificate_id
+       );
+
+       *p_certificate_id = NULL;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_malloc ((void *)p_certificate_id, sizeof (struct pkcs11h_certificate_id_s));
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_newCertificateId return rv=%ld-'%s', *p_certificate_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_certificate_id
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_getDN (
+       IN const unsigned char * const blob,
+       IN const size_t blob_size,
+       OUT char * const dn,
+       IN const size_t dn_size
+) {
+#if defined(USE_PKCS11H_OPENSSL)
+       X509 *x509 = NULL;
+       pkcs11_openssl_d2i_t d2i1;
+#elif defined(USE_PKCS11H_GNUTLS)
+       gnutls_x509_crt_t cert = NULL;
+#endif
+
+       PKCS11H_ASSERT (blob_size==0||blob!=NULL);
+       PKCS11H_ASSERT (dn!=NULL);
+
+       dn[0] = '\x0';
+
+#if defined(USE_PKCS11H_OPENSSL)
+
+       if (blob_size > 0) {
+               x509 = X509_new ();
+
+               d2i1 = (pkcs11_openssl_d2i_t)blob;
+               if (d2i_X509 (&x509, &d2i1, blob_size)) {
+                       X509_NAME_oneline (
+                               X509_get_subject_name (x509),
+                               dn,
+                               dn_size
+                       );
+               }
+
+               if (x509 != NULL) {
+                       X509_free (x509);
+                       x509 = NULL;
+               }
+       }
+
+#elif defined(USE_PKCS11H_GNUTLS)
+
+       if (blob_size > 0) {
+               if (gnutls_x509_crt_init (&cert) == GNUTLS_E_SUCCESS) {
+                       gnutls_datum_t datum = {(unsigned char *)blob, blob_size};
+
+                       if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
+                               size_t s = dn_size;
+                               if (
+                                       gnutls_x509_crt_get_dn (
+                                               cert,
+                                               dn,
+                                               &s
+                                       ) != GNUTLS_E_SUCCESS
+                               ) {
+                                       /* gnutls sets output parameters */
+                                       dn[0] = '\x0';
+                               }
+                       }
+                       gnutls_x509_crt_deinit (cert);
+               }
+       }
+
+#else
+#error Invalid configuration
+#endif
+
+       return CKR_OK;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_loadCertificate (
+       IN const pkcs11h_certificate_t certificate
+) {
+       /*
+        * THREADING:
+        * certificate->mutex must be locked
+        */
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
+       CK_ATTRIBUTE cert_filter[] = {
+               {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)},
+               {CKA_ID, NULL, 0}
+       };
+
+       CK_OBJECT_HANDLE *objects = NULL;
+       CK_ULONG objects_found = 0;
+       CK_RV rv = CKR_OK;
+
+       CK_ULONG i;
+
+       PKCS11H_ASSERT (certificate!=NULL);
+       PKCS11H_ASSERT (certificate->id!=NULL);
+       
+       /* Must be after assert */
+       cert_filter[1].pValue = certificate->id->attrCKA_ID;
+       cert_filter[1].ulValueLen = certificate->id->attrCKA_ID_size;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_loadCertificate entry certificate=%p",
+               (void *)certificate
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_validate (certificate->session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_findObjects (
+                       certificate->session,
+                       cert_filter,
+                       sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
+                       &objects,
+                       &objects_found
+               );
+       }
+
+       for (i=0;rv == CKR_OK && i < objects_found;i++) {
+               CK_ATTRIBUTE attrs[] = {
+                       {CKA_VALUE, NULL, 0}
+               };
+
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_session_getObjectAttributes (
+                               certificate->session,
+                               objects[i],
+                               attrs,
+                               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                       )) == CKR_OK
+               ) {
+                       if (
+                               _pkcs11h_certificate_isBetterCertificate (
+                                       certificate->id->certificate_blob,
+                                       certificate->id->certificate_blob_size,
+                                       attrs[0].pValue,
+                                       attrs[0].ulValueLen
+                               )
+                       ) {
+                               if (certificate->id->certificate_blob != NULL) {
+                                       _pkcs11h_mem_free ((void *)&certificate->id->certificate_blob);
+                               }
+
+                               rv = _pkcs11h_mem_duplicate (
+                                       (void*)&certificate->id->certificate_blob,
+                                       &certificate->id->certificate_blob_size,
+                                       attrs[0].pValue,
+                                       attrs[0].ulValueLen
+                               );
+                       }
+               }
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
+                               certificate->session->provider->manufacturerID,
+                               objects[i],
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+
+               _pkcs11h_session_freeObjectAttributes (
+                       attrs,
+                       sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+               );
+       }
+       
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       if (
+               rv == CKR_OK &&
+               certificate->id->certificate_blob == NULL
+       ) {
+               rv = CKR_ATTRIBUTE_VALUE_INVALID;
+       }
+
+       if (objects != NULL) {
+               _pkcs11h_mem_free ((void *)&objects);
+       }
+
+       /*
+        * No need to free allocated objects
+        * on error, since the certificate_id
+        * should be free by caller.
+        */
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_loadCertificate return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_updateCertificateIdDescription (
+       IN OUT pkcs11h_certificate_id_t certificate_id
+) {
+       static const char * separator = " on ";
+       static const char * unknown = "UNKNOWN";
+
+       PKCS11H_ASSERT (certificate_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=%p",
+               (void *)certificate_id
+       );
+
+       certificate_id->displayName[0] = '\x0';
+
+       _pkcs11h_certificate_getDN (
+               certificate_id->certificate_blob,
+               certificate_id->certificate_blob_size,
+               certificate_id->displayName,
+               sizeof (certificate_id->displayName)
+       );
+
+       if (strlen (certificate_id->displayName) == 0) {
+               strncpy (
+                       certificate_id->displayName,
+                       unknown,
+                       sizeof (certificate_id->displayName)-1
+               );
+       }
+
+       /*
+        * Try to avoid using snprintf,
+        * may be unavailable
+        */
+       strncat (
+               certificate_id->displayName,
+               separator,
+               sizeof (certificate_id->displayName)-1-strlen (certificate_id->displayName)
+       );
+       strncat (
+               certificate_id->displayName,
+               certificate_id->token_id->display,
+               sizeof (certificate_id->displayName)-1-strlen (certificate_id->displayName)
+       );
+       certificate_id->displayName[sizeof (certificate_id->displayName) - 1] = '\0';
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_updateCertificateIdDescription return displayName='%s'",
+               certificate_id->displayName
+       );
+
+       return CKR_OK;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_getKeyAttributes (
+       IN const pkcs11h_certificate_t certificate
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_BOOL op_succeed = FALSE;
+       PKCS11H_BOOL login_retry = FALSE;
+
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_getKeyAttributes entry certificate=%p",
+               (void *)certificate
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       certificate->mask_sign_mode = 0;
+
+       while (rv == CKR_OK && !op_succeed) {
+               CK_ATTRIBUTE key_attrs[] = {
+                       {CKA_SIGN, NULL, 0},
+                       {CKA_SIGN_RECOVER, NULL, 0}
+               };
+
+               /*
+                * Don't try invalid object
+                */
+               if (
+                       rv == CKR_OK &&
+                       certificate->key_handle == PKCS11H_INVALID_OBJECT_HANDLE
+               ) {
+                       rv = CKR_OBJECT_HANDLE_INVALID;
+               }
+
+               if (rv == CKR_OK) {
+                       if (certificate->session->provider->mask_sign_mode != 0) {
+                               certificate->mask_sign_mode = certificate->session->provider->mask_sign_mode;
+                               op_succeed = TRUE;
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Key attributes enforced by provider (%08x)",
+                                       certificate->mask_sign_mode
+                               );
+                       }
+               }
+
+               if (rv == CKR_OK && !op_succeed) {
+                       rv = _pkcs11h_session_getObjectAttributes (
+                               certificate->session,
+                               certificate->key_handle,
+                               key_attrs,
+                               sizeof (key_attrs) / sizeof (CK_ATTRIBUTE)
+                       );
+               }
+
+               if (rv == CKR_OK && !op_succeed) {
+                       CK_BBOOL *key_attrs_sign = (CK_BBOOL *)key_attrs[0].pValue;
+                       CK_BBOOL *key_attrs_sign_recover = (CK_BBOOL *)key_attrs[1].pValue;
+
+                       if (key_attrs_sign != NULL && *key_attrs_sign != CK_FALSE) {
+                               certificate->mask_sign_mode |= PKCS11H_SIGNMODE_MASK_SIGN;
+                       }
+                       if (key_attrs_sign_recover != NULL && *key_attrs_sign_recover != CK_FALSE) {
+                               certificate->mask_sign_mode |= PKCS11H_SIGNMODE_MASK_RECOVER;
+                       }
+                       if (certificate->mask_sign_mode == 0) {
+                               rv = CKR_KEY_TYPE_INCONSISTENT;
+                       }
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Key attributes loaded (%08x)",
+                               certificate->mask_sign_mode
+                       );
+               }
+
+               _pkcs11h_session_freeObjectAttributes (
+                       key_attrs,
+                       sizeof (key_attrs) / sizeof (CK_ATTRIBUTE)
+               );
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Get private key attributes failed: %ld:'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               rv = _pkcs11h_certificate_resetSession (
+                                       certificate,
+                                       FALSE,
+                                       TRUE
+                               );
+
+                               login_retry = TRUE;
+                       }
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&certificate->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_getKeyAttributes return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_validateSession (
+       IN const pkcs11h_certificate_t certificate
+) {
+       /*
+        * THREADING:
+        * certificate->mutex must be locked
+        * certificate->session->mutex must be locked
+        */
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_validateSession entry certificate=%p",
+               (void *)certificate
+       );
+
+       if (certificate->session == NULL) {
+               rv = CKR_SESSION_HANDLE_INVALID;
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_validate (certificate->session);
+       }
+
+       if (rv == CKR_OK) {
+               if (certificate->key_handle == PKCS11H_INVALID_OBJECT_HANDLE) {
+                       rv = CKR_OBJECT_HANDLE_INVALID;
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_validateSession return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+_pkcs11h_certificate_resetSession (
+       IN const pkcs11h_certificate_t certificate,
+       IN const PKCS11H_BOOL public_only,
+       IN const PKCS11H_BOOL session_mutex_locked
+) {
+       /*
+        * THREADING:
+        * certificate->mutex must be locked
+        */
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       PKCS11H_BOOL is_key_valid = FALSE;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (certificate!=NULL);
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_resetSession entry certificate=%p, public_only=%d, session_mutex_locked=%d",
+               (void *)certificate,
+               public_only ? 1 : 0,
+               session_mutex_locked ? 1 : 0
+       );
+
+       if (rv == CKR_OK && certificate->session == NULL) {
+               rv = _pkcs11h_session_getSessionByTokenId (certificate->id->token_id, &certificate->session);
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               !session_mutex_locked &&
+               (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (
+               rv == CKR_OK &&
+               !certificate->pin_cache_populated_to_session
+       ) {
+               certificate->pin_cache_populated_to_session = TRUE;
+
+               if (certificate->pin_cache_period != PKCS11H_PIN_CACHE_INFINITE) {
+                       if (certificate->session->pin_cache_period != PKCS11H_PIN_CACHE_INFINITE) {
+                               if (certificate->session->pin_cache_period > certificate->pin_cache_period) {
+                                       certificate->session->pin_expire_time = (
+                                               certificate->session->pin_expire_time -
+                                               (time_t)certificate->session->pin_cache_period +
+                                               (time_t)certificate->pin_cache_period
+                                       );
+                                       certificate->session->pin_cache_period = certificate->pin_cache_period;
+                               }
+                       }
+                       else {
+                               certificate->session->pin_expire_time = (
+                                       PKCS11H_TIME (NULL) +
+                                       (time_t)certificate->pin_cache_period
+                               );
+                               certificate->session->pin_cache_period = certificate->pin_cache_period;
+                       }
+               }       
+       }
+
+       /*
+        * First, if session seems to be valid
+        * and key handle is invalid (hard-set),
+        * try to fetch key handle,
+        * maybe the token is already logged in
+        */
+       if (rv == CKR_OK) {
+               if (
+                       certificate->session->session_handle != PKCS11H_INVALID_SESSION_HANDLE &&
+                       certificate->key_handle == PKCS11H_INVALID_OBJECT_HANDLE
+               ) {
+                       if (!public_only || certificate->session->provider->cert_is_private) {
+                               if (
+                                       (rv = _pkcs11h_session_getObjectById (
+                                               certificate->session,
+                                               CKO_PRIVATE_KEY,
+                                               certificate->id->attrCKA_ID,
+                                               certificate->id->attrCKA_ID_size,
+                                               &certificate->key_handle
+                                       )) == CKR_OK
+                               ) {
+                                       is_key_valid = TRUE;
+                               }
+                               else {
+                                       /*
+                                        * Ignore error
+                                        */
+                                       rv = CKR_OK;
+                                       certificate->key_handle = PKCS11H_INVALID_OBJECT_HANDLE;
+                               }
+                       }
+               }
+       }
+
+       if (
+               !is_key_valid &&
+               rv == CKR_OK &&
+               (rv = _pkcs11h_session_login (
+                       certificate->session,
+                       public_only,
+                       TRUE,
+                       certificate->user_data,
+                       certificate->mask_prompt
+               )) == CKR_OK
+       ) {
+               rv = _pkcs11h_certificate_updateCertificateIdDescription (certificate->id);
+       }
+
+       if (
+               !is_key_valid &&
+               rv == CKR_OK &&
+               !public_only &&
+               (rv = _pkcs11h_session_getObjectById (
+                       certificate->session,
+                       CKO_PRIVATE_KEY,
+                       certificate->id->attrCKA_ID,
+                       certificate->id->attrCKA_ID_size,
+                       &certificate->key_handle
+               )) == CKR_OK
+       ) {
+               is_key_valid = TRUE;
+       }
+
+       if (
+               rv == CKR_OK &&
+               !public_only &&
+               !is_key_valid
+       ) {
+               rv = CKR_FUNCTION_REJECTED;
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_resetSession return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_doPrivateOperation (
+       IN const pkcs11h_certificate_t certificate,
+       IN const enum _pkcs11h_private_op_e op,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_MECHANISM mech = {
+               mech_type, NULL, 0
+       };
+       
+       CK_RV rv = CKR_OK;
+       PKCS11H_BOOL login_retry = FALSE;
+       PKCS11H_BOOL op_succeed = FALSE;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+       PKCS11H_ASSERT (source!=NULL);
+       /*PKCS11H_ASSERT (target); NOT NEEDED*/
+       PKCS11H_ASSERT (p_target_size!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_doPrivateOperation entry certificate=%p, op=%d, mech_type=%ld, source=%p, source_size=%u, target=%p, *p_target_size=%u",
+               (void *)certificate,
+               op,
+               mech_type,
+               source,
+               source_size,
+               target,
+               target != NULL ? *p_target_size : 0
+       );
+
+       if (target == NULL) {
+               *p_target_size = 0;
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       while (rv == CKR_OK && !op_succeed) {
+               if (rv == CKR_OK && !certificate->operation_active) {
+                       rv = _pkcs11h_certificate_validateSession (certificate);
+               }
+
+               if (rv == CKR_OK && !certificate->operation_active) {
+                       switch (op) {
+                               case _pkcs11h_private_op_sign:
+                                       rv = certificate->session->provider->f->C_SignInit (
+                                               certificate->session->session_handle,
+                                               &mech,
+                                               certificate->key_handle
+                                       );
+                               break;
+                               case _pkcs11h_private_op_sign_recover:
+                                       rv = certificate->session->provider->f->C_SignRecoverInit (
+                                               certificate->session->session_handle,
+                                               &mech,
+                                               certificate->key_handle
+                                       );
+                               break;
+                               case _pkcs11h_private_op_decrypt:
+                                       rv = certificate->session->provider->f->C_DecryptInit (
+                                               certificate->session->session_handle,
+                                               &mech,
+                                               certificate->key_handle
+                                       );
+                               break;
+                               default:
+                                       rv = CKR_ARGUMENTS_BAD;
+                               break;
+                       }
+
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG2,
+                               "PKCS#11: _pkcs11h_certificate_doPrivateOperation init rv=%ld",
+                               rv
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       CK_ULONG size = *p_target_size;
+
+                       switch (op) {
+                               case _pkcs11h_private_op_sign:
+                                       rv = certificate->session->provider->f->C_Sign (
+                                               certificate->session->session_handle,
+                                               (CK_BYTE_PTR)source,
+                                               source_size,
+                                               (CK_BYTE_PTR)target,
+                                               &size
+                                       );
+                               break;
+                               case _pkcs11h_private_op_sign_recover:
+                                       rv = certificate->session->provider->f->C_SignRecover (
+                                               certificate->session->session_handle,
+                                               (CK_BYTE_PTR)source,
+                                               source_size,
+                                               (CK_BYTE_PTR)target,
+                                               &size
+                                       );
+                               break;
+                               case _pkcs11h_private_op_decrypt:
+                                       rv = certificate->session->provider->f->C_Decrypt (
+                                               certificate->session->session_handle,
+                                               (CK_BYTE_PTR)source,
+                                               source_size,
+                                               (CK_BYTE_PTR)target,
+                                               &size
+                                       );
+                               break;
+                               default:
+                                       rv = CKR_ARGUMENTS_BAD;
+                               break;
+                       }
+
+                       *p_target_size = size;
+
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG2,
+                               "PKCS#11: _pkcs11h_certificate_doPrivateOperation op rv=%ld",
+                               rv
+                       );
+               }
+               
+               if (
+                       target == NULL &&
+                       (
+                               rv == CKR_BUFFER_TOO_SMALL ||
+                               rv == CKR_OK
+                       )
+               ) {
+                       certificate->operation_active = TRUE;
+                       rv = CKR_OK;
+               }
+               else {
+                       certificate->operation_active = FALSE;
+               }
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       /*
+                        * OpenSC workaround
+                        * It still allows C_FindObjectsInit when
+                        * token is removed/inserted but fails
+                        * private key operation.
+                        * So we force logout.
+                        * bug#108 at OpenSC trac
+                        */
+                       if (login_retry && rv == CKR_DEVICE_REMOVED) {
+                               login_retry = FALSE;
+                               _pkcs11h_session_logout (certificate->session);
+                       }
+
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Private key operation failed rv=%ld-'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+                               login_retry = TRUE;
+                               rv = _pkcs11h_certificate_resetSession (
+                                       certificate,
+                                       FALSE,
+                                       TRUE
+                               );
+                       }
+               }
+
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&certificate->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_doPrivateOperation return rv=%ld-'%s', *p_target_size=%u",
+               rv,
+               pkcs11h_getMessage (rv),
+               *p_target_size
+       );
+       
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_freeCertificateId (
+       IN pkcs11h_certificate_id_t certificate_id
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=%p",
+               (void *)certificate_id
+       );
+
+       if (certificate_id->attrCKA_ID != NULL) {
+               _pkcs11h_mem_free ((void *)&certificate_id->attrCKA_ID);
+       }
+       if (certificate_id->certificate_blob != NULL) {
+               _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
+       }
+       if (certificate_id->token_id != NULL) {
+               pkcs11h_token_freeTokenId (certificate_id->token_id);
+               certificate_id->token_id = NULL;
+       }
+       _pkcs11h_mem_free ((void *)&certificate_id);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_freeCertificateId return"
+       );
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_certificate_duplicateCertificateId (
+       OUT pkcs11h_certificate_id_t * const to,
+       IN const pkcs11h_certificate_id_t from
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (to!=NULL);
+       PKCS11H_ASSERT (from!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=%p form=%p",
+               (void *)to,
+               (void *)from
+       );
+
+       *to = NULL;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_duplicate (
+                       (void*)to,
+                       NULL,
+                       from,
+                       sizeof (struct pkcs11h_certificate_id_s)
+               );
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_duplicate (
+                       (void*)&(*to)->token_id,
+                       NULL,
+                       from->token_id,
+                       sizeof (struct pkcs11h_token_id_s)
+               );
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_duplicate (
+                       (void*)&(*to)->attrCKA_ID,
+                       &(*to)->attrCKA_ID_size,
+                       from->attrCKA_ID,
+                       from->attrCKA_ID_size
+               );
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_duplicate (
+                       (void*)&(*to)->certificate_blob,
+                       &(*to)->certificate_blob_size,
+                       from->certificate_blob,
+                       from->certificate_blob_size
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=%ld-'%s', *to=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*to
+       );
+       
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_setCertificateIdCertificateBlob (
+       IN const pkcs11h_certificate_id_t certificate_id,
+       IN const unsigned char * const blob,
+       IN const size_t blob_size
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate_id!=NULL);
+       PKCS11H_ASSERT (blob!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_setCertificateIdCertificateBlob entry certificate_id=%p",
+               (void *)certificate_id
+       );
+
+       if (rv == CKR_OK && certificate_id->certificate_blob != NULL) {
+               rv = _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_duplicate (
+                       (void *)&certificate_id->certificate_blob,
+                       &certificate_id->certificate_blob_size,
+                       blob,
+                       blob_size
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_setCertificateIdCertificateBlob return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+       
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_freeCertificate (
+       IN pkcs11h_certificate_t certificate
+) {
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=%p",
+               (void *)certificate
+       );
+
+       if (certificate != NULL) {
+               if (certificate->session != NULL) {
+                       _pkcs11h_session_release (certificate->session);
+               }
+               pkcs11h_certificate_freeCertificateId (certificate->id);
+               certificate->id = NULL;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               _pkcs11h_threading_mutexFree (&certificate->mutex);
+#endif
+
+               _pkcs11h_mem_free ((void *)&certificate);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_freeCertificate return"
+       );
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_certificate_lockSession (
+       IN const pkcs11h_certificate_t certificate
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       if (rv == CKR_OK && certificate->session == NULL) {
+               rv = _pkcs11h_session_getSessionByTokenId (certificate->id->token_id, &certificate->session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex);
+       }
+
+       return rv;
+#else
+       return CKR_OK;
+#endif
+}
+
+CK_RV
+pkcs11h_certificate_releaseSession (
+       IN const pkcs11h_certificate_t certificate
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       if (certificate->session != NULL) {
+               rv = _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
+       }
+
+       return rv;
+#else
+       return CKR_OK;
+#endif
+}
+
+CK_RV
+pkcs11h_certificate_sign (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+       PKCS11H_ASSERT (source!=NULL);
+       /*PKCS11H_ASSERT (target); NOT NEEDED*/
+       PKCS11H_ASSERT (p_target_size!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_sign entry certificate=%p, mech_type=%ld, source=%p, source_size=%u, target=%p, *p_target_size=%u",
+               (void *)certificate,
+               mech_type,
+               source,
+               source_size,
+               target,
+               target != NULL ? *p_target_size : 0
+       );
+
+       if (target == NULL) {
+               *p_target_size = 0;
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_certificate_doPrivateOperation (
+                       certificate,
+                       _pkcs11h_private_op_sign,
+                       mech_type,
+                       source,
+                       source_size,
+                       target,
+                       p_target_size
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_sign return rv=%ld-'%s', *p_target_size=%u",
+               rv,
+               pkcs11h_getMessage (rv),
+               *p_target_size
+       );
+       
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_signRecover (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+       PKCS11H_ASSERT (source!=NULL);
+       /*PKCS11H_ASSERT (target); NOT NEEDED*/
+       PKCS11H_ASSERT (p_target_size!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_signRecover entry certificate=%p, mech_type=%ld, source=%p, source_size=%u, target=%p, *p_target_size=%u",
+               (void *)certificate,
+               mech_type,
+               source,
+               source_size,
+               target,
+               target != NULL ? *p_target_size : 0
+       );
+
+       if (target == NULL) {
+               *p_target_size = 0;
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_certificate_doPrivateOperation (
+                       certificate,
+                       _pkcs11h_private_op_sign_recover,
+                       mech_type,
+                       source,
+                       source_size,
+                       target,
+                       p_target_size
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_signRecover return rv=%ld-'%s', *p_target_size=%u",
+               rv,
+               pkcs11h_getMessage (rv),
+               *p_target_size
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_signAny (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+) {
+       CK_RV rv = CKR_OK;
+       PKCS11H_BOOL fSigned = FALSE;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+       PKCS11H_ASSERT (source!=NULL);
+       /*PKCS11H_ASSERT (target); NOT NEEDED*/
+       PKCS11H_ASSERT (p_target_size!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_signAny entry certificate=%p, mech_type=%ld, source=%p, source_size=%u, target=%p, *p_target_size=%u",
+               (void *)certificate,
+               mech_type,
+               source,
+               source_size,
+               target,
+               target != NULL ? *p_target_size : 0
+       );
+
+       if (
+               rv == CKR_OK &&
+               certificate->mask_sign_mode == 0
+       ) {
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Getting key attributes"
+               );
+               rv = _pkcs11h_certificate_getKeyAttributes (certificate);
+       }
+
+       if (
+               rv == CKR_OK &&
+               !fSigned &&
+               (certificate->mask_sign_mode & PKCS11H_SIGNMODE_MASK_SIGN) != 0
+       ) {
+               rv = pkcs11h_certificate_sign (
+                       certificate,
+                       mech_type,
+                       source,
+                       source_size,
+                       target,
+                       p_target_size
+               );
+
+               if (rv == CKR_OK) {
+                       fSigned = TRUE;
+               }
+               else if (
+                       rv == CKR_FUNCTION_NOT_SUPPORTED ||
+                       rv == CKR_KEY_FUNCTION_NOT_PERMITTED
+               ) {
+                       certificate->mask_sign_mode &= ~PKCS11H_SIGNMODE_MASK_SIGN;
+                       rv = CKR_OK;
+               }
+       }
+       
+       if (
+               rv == CKR_OK &&
+               !fSigned &&
+               (certificate->mask_sign_mode & PKCS11H_SIGNMODE_MASK_RECOVER) != 0
+       ) {
+               rv = pkcs11h_certificate_signRecover (
+                       certificate,
+                       mech_type,
+                       source,
+                       source_size,
+                       target,
+                       p_target_size
+               );
+
+               if (rv == CKR_OK) {
+                       fSigned = TRUE;
+               }
+               else if (
+                       rv == CKR_FUNCTION_NOT_SUPPORTED ||
+                       rv == CKR_KEY_FUNCTION_NOT_PERMITTED
+               ) {
+                       certificate->mask_sign_mode &= ~PKCS11H_SIGNMODE_MASK_RECOVER;
+                       rv = CKR_OK;
+               }
+       }
+
+       if (rv == CKR_OK && !fSigned) {
+               rv = CKR_FUNCTION_FAILED;
+       }
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_signAny return rv=%ld-'%s', *p_target_size=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_target_size
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_decrypt (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+       PKCS11H_ASSERT (source!=NULL);
+       /*PKCS11H_ASSERT (target); NOT NEEDED*/
+       PKCS11H_ASSERT (p_target_size!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_decrypt entry certificate=%p, mech_type=%ld, source=%p, source_size=%u, target=%p, *p_target_size=%u",
+               (void *)certificate,
+               mech_type,
+               source,
+               source_size,
+               target,
+               target != NULL ? *p_target_size : 0
+       );
+
+       if (target == NULL) {
+               *p_target_size = 0;
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_certificate_doPrivateOperation (
+                       certificate,
+                       _pkcs11h_private_op_decrypt,
+                       mech_type,
+                       source,
+                       source_size,
+                       target,
+                       p_target_size
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_decrypt return rv=%ld-'%s', *p_target_size=%u",
+               rv,
+               pkcs11h_getMessage (rv),
+               *p_target_size
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_create (
+       IN const pkcs11h_certificate_id_t certificate_id,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       IN const int pin_cache_period,
+       OUT pkcs11h_certificate_t * const p_certificate
+) {
+       pkcs11h_certificate_t certificate = NULL;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       /*PKCS11H_ASSERT (user_data!=NULL); NOT NEEDED */
+       PKCS11H_ASSERT (p_certificate!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_create entry certificate_id=%p, user_data=%p, mask_prompt=%08x, pin_cache_period=%d, p_certificate=%p",
+               (void *)certificate_id,
+               user_data,
+               mask_prompt,
+               pin_cache_period,
+               (void *)p_certificate
+       );
+
+       *p_certificate = NULL;
+
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_mem_malloc ((void*)&certificate, sizeof (struct pkcs11h_certificate_s))) == CKR_OK
+       ) {
+               certificate->user_data = user_data;
+               certificate->mask_prompt = mask_prompt;
+               certificate->key_handle = PKCS11H_INVALID_OBJECT_HANDLE;
+               certificate->pin_cache_period = pin_cache_period;
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_threading_mutexInit (&certificate->mutex);
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_certificate_duplicateCertificateId (&certificate->id, certificate_id);
+       }
+
+       if (rv == CKR_OK) {
+               *p_certificate = certificate;
+               certificate = NULL;
+       }
+
+       if (certificate != NULL) {
+#if defined(ENABLE_PKCS11H_THREADING)
+               _pkcs11h_threading_mutexFree (&certificate->mutex);
+#endif
+               _pkcs11h_mem_free ((void *)&certificate);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_create return rv=%ld-'%s' *p_certificate=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_certificate
+       );
+       
+       return rv;
+}
+
+unsigned
+pkcs11h_certificate_getPromptMask (
+       IN const pkcs11h_certificate_t certificate
+) {
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       return certificate->mask_prompt;
+}
+
+void
+pkcs11h_certificate_setPromptMask (
+       IN const pkcs11h_certificate_t certificate,
+       IN const unsigned mask_prompt
+) {
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       certificate->mask_prompt = mask_prompt;
+}
+
+void *
+pkcs11h_certificate_getUserData (
+       IN const pkcs11h_certificate_t certificate
+) {
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       return certificate->user_data;
+}
+
+void
+pkcs11h_certificate_setUserData (
+       IN const pkcs11h_certificate_t certificate,
+       IN void * const user_data
+) {
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       certificate->user_data = user_data;
+}
+
+CK_RV
+pkcs11h_certificate_getCertificateId (
+       IN const pkcs11h_certificate_t certificate,
+       OUT pkcs11h_certificate_id_t * const p_certificate_id
+) {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+       PKCS11H_ASSERT (p_certificate_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_getCertificateId entry certificate=%p, certificate_id=%p",
+               (void *)certificate,
+               (void *)p_certificate_id
+       );
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_certificate_duplicateCertificateId (
+                       p_certificate_id,
+                       certificate->id
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_getCertificateId return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_getCertificateBlob (
+       IN const pkcs11h_certificate_t certificate,
+       OUT unsigned char * const certificate_blob,
+       IN OUT size_t * const p_certificate_blob_size
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_RV rv = CKR_OK;
+       size_t certifiate_blob_size_max = 0;
+       
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+       /*PKCS11H_ASSERT (certificate_blob!=NULL); NOT NEEDED */
+       PKCS11H_ASSERT (p_certificate_blob_size!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=%p, certificate_blob=%p, *p_certificate_blob_size=%u",
+               (void *)certificate,
+               certificate_blob,
+               certificate_blob != NULL ? *p_certificate_blob_size : 0
+       );
+
+       if (certificate_blob != NULL) {
+               certifiate_blob_size_max = *p_certificate_blob_size;
+       }
+       *p_certificate_blob_size = 0;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK && certificate->id->certificate_blob == NULL) {
+               PKCS11H_BOOL op_succeed = FALSE;
+               PKCS11H_BOOL login_retry = FALSE;
+               while (rv == CKR_OK && !op_succeed) {
+                       if (certificate->session == NULL) {
+                               rv = CKR_SESSION_HANDLE_INVALID;
+                       }
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_certificate_loadCertificate (certificate);
+                       }
+
+                       if (rv == CKR_OK) {
+                               op_succeed = TRUE;
+                       }
+                       else {
+                               if (!login_retry) {
+                                       login_retry = TRUE;
+                                       rv = _pkcs11h_certificate_resetSession (
+                                               certificate,
+                                               TRUE,
+                                               FALSE
+                                       );
+                               }
+                       }
+               }
+       }
+       
+       if (
+               rv == CKR_OK &&
+               certificate->id->certificate_blob == NULL
+       ) {
+               rv = CKR_FUNCTION_REJECTED;
+       }
+
+       if (rv == CKR_OK) {
+               _pkcs11h_certificate_updateCertificateIdDescription (certificate->id);
+       }
+
+       if (rv == CKR_OK) {
+               *p_certificate_blob_size = certificate->id->certificate_blob_size;
+       }
+
+       if (certificate_blob != NULL) {
+               if (
+                       rv == CKR_OK &&
+                       certificate->id->certificate_blob_size > certifiate_blob_size_max
+               ) {
+                       rv = CKR_BUFFER_TOO_SMALL;
+               }
+       
+               if (rv == CKR_OK) {
+                       memmove (
+                               certificate_blob,
+                               certificate->id->certificate_blob,
+                               *p_certificate_blob_size
+                       );
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&certificate->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+#if defined(ENABLE_PKCS11H_SERIALIZATION)
+
+CK_RV
+pkcs11h_certificate_serializeCertificateId (
+       OUT char * const sz,
+       IN OUT size_t *max,
+       IN const pkcs11h_certificate_id_t certificate_id
+) {
+       CK_RV rv = CKR_OK;
+       size_t saved_max = 0;
+       size_t n = 0;
+       size_t _max = 0;
+
+       /*PKCS11H_ASSERT (sz!=NULL); Not required */
+       PKCS11H_ASSERT (max!=NULL);
+       PKCS11H_ASSERT (certificate_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=%p, *max=%u, certificate_id=%p",
+               sz,
+               sz != NULL ? *max : 0,
+               (void *)certificate_id
+       );
+
+       if (sz != NULL) {
+               saved_max = n = *max;
+       }
+       *max = 0;
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_token_serializeTokenId (
+                       sz,
+                       &n,
+                       certificate_id->token_id
+               );
+       }
+
+       if (rv == CKR_OK) {
+               _max = n + certificate_id->attrCKA_ID_size*2 + 1;
+       }
+
+       if (sz != NULL) {
+               if (saved_max < _max) {
+                       rv = CKR_ATTRIBUTE_VALUE_INVALID;
+               }
+
+               if (rv == CKR_OK) {
+                       sz[n-1] = '/';
+                       rv = _pkcs11h_util_binaryToHex (
+                               sz+n,
+                               saved_max-n,
+                               certificate_id->attrCKA_ID,
+                               certificate_id->attrCKA_ID_size
+                       );
+
+               }
+       }
+
+       *max = _max;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=%ld-'%s', *max=%u, sz='%s'",
+               rv,
+               pkcs11h_getMessage (rv),
+               *max,
+               sz
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_deserializeCertificateId (
+       OUT pkcs11h_certificate_id_t * const p_certificate_id,
+       IN const char * const sz
+) {
+       pkcs11h_certificate_id_t certificate_id = NULL;
+       CK_RV rv = CKR_OK;
+       char *p = NULL;
+       char *_sz = NULL;
+
+       PKCS11H_ASSERT (p_certificate_id!=NULL);
+       PKCS11H_ASSERT (sz!=NULL);
+
+       *p_certificate_id = NULL;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
+               (void *)p_certificate_id,
+               sz
+       );
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_mem_strdup (
+                       (void *)&_sz,
+                       sz
+               );
+       }
+
+       if (rv == CKR_OK) {
+               p = _sz;
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_certificate_newCertificateId (&certificate_id);
+       }
+
+       if (
+               rv == CKR_OK &&
+               (p = strrchr (_sz, '/')) == NULL
+       ) {
+               rv = CKR_ATTRIBUTE_VALUE_INVALID;
+       }
+
+       if (rv == CKR_OK) {
+               *p = '\x0';
+               p++;
+       }
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_token_deserializeTokenId (
+                       &certificate_id->token_id,
+                       _sz
+               );
+       }
+
+       if (rv == CKR_OK) {
+               certificate_id->attrCKA_ID_size = strlen (p)/2;
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_mem_malloc (
+                       (void *)&certificate_id->attrCKA_ID,
+                       certificate_id->attrCKA_ID_size)
+               ) == CKR_OK
+       ) {
+               rv = _pkcs11h_util_hexToBinary (
+                       certificate_id->attrCKA_ID,
+                       p,
+                       &certificate_id->attrCKA_ID_size
+               );
+       }
+
+       if (rv == CKR_OK) {
+               *p_certificate_id = certificate_id;
+               certificate_id = NULL;
+       }
+
+       if (certificate_id != NULL) {
+               pkcs11h_certificate_freeCertificateId (certificate_id);
+               certificate_id = NULL;
+       }
+
+       if (_sz != NULL) {
+               _pkcs11h_mem_free ((void *)&_sz);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+
+}
+
+#endif                         /* ENABLE_PKCS11H_SERIALIZATION */
+
+CK_RV
+pkcs11h_certificate_ensureCertificateAccess (
+       IN const pkcs11h_certificate_t certificate
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked_cert = FALSE;
+       PKCS11H_BOOL mutex_locked_sess = FALSE;
+#endif
+       PKCS11H_BOOL validCert = FALSE;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_ensureCertificateAccess entry certificate=%p",
+               (void *)certificate
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
+       ) {
+               mutex_locked_cert = TRUE;
+       }
+#endif
+
+       if (!validCert && rv == CKR_OK) {
+               CK_OBJECT_HANDLE h = PKCS11H_INVALID_OBJECT_HANDLE;
+
+               if (certificate->session == NULL) {
+                       rv = CKR_SESSION_HANDLE_INVALID;
+               }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
+               ) {
+                       mutex_locked_sess = TRUE;
+               }
+#endif
+
+               if (
+                       (rv = _pkcs11h_session_getObjectById (
+                               certificate->session,
+                               CKO_CERTIFICATE,
+                               certificate->id->attrCKA_ID,
+                               certificate->id->attrCKA_ID_size,
+                               &h
+                       )) == CKR_OK
+               ) {
+                       validCert = TRUE;
+               }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               if (mutex_locked_sess) {
+                       _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
+                       mutex_locked_sess = FALSE;
+               }
+#endif
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot access existing object rv=%ld-'%s'",
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+       }
+
+       if (!validCert && rv == CKR_OK) {
+               if (
+                       (rv = _pkcs11h_certificate_resetSession (
+                               certificate,
+                               TRUE,
+                               FALSE
+                       )) == CKR_OK
+               ) {
+                       validCert = TRUE;
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked_cert) {
+               _pkcs11h_threading_mutexRelease (&certificate->mutex);
+               mutex_locked_cert = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_ensureCertificateAccess return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+       
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_ensureKeyAccess (
+       IN const pkcs11h_certificate_t certificate
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked_cert = FALSE;
+       PKCS11H_BOOL mutex_locked_sess = FALSE;
+#endif
+       CK_RV rv = CKR_OK;
+       PKCS11H_BOOL valid_key = FALSE;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_ensureKeyAccess entry certificate=%p",
+               (void *)certificate
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
+       ) {
+               mutex_locked_cert = TRUE;
+       }
+#endif
+
+       if (!valid_key && rv == CKR_OK) {
+
+               if (certificate->session == NULL) {
+                       rv = CKR_SESSION_HANDLE_INVALID;
+               }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
+               ) {
+                       mutex_locked_sess = TRUE;
+               }
+#endif
+
+               if (
+                       (rv = _pkcs11h_session_getObjectById (
+                               certificate->session,
+                               CKO_PRIVATE_KEY,
+                               certificate->id->attrCKA_ID,
+                               certificate->id->attrCKA_ID_size,
+                               &certificate->key_handle
+                       )) == CKR_OK
+               ) {
+                       valid_key = TRUE;
+               }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+               if (mutex_locked_sess) {
+                       _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
+                       mutex_locked_sess = FALSE;
+               }
+#endif
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot access existing object rv=%ld-'%s'",
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+                       certificate->key_handle = PKCS11H_INVALID_OBJECT_HANDLE;
+               }
+       }
+
+       if (!valid_key && rv == CKR_OK) {
+               if (
+                       (rv = _pkcs11h_certificate_resetSession (
+                               certificate,
+                               FALSE,
+                               FALSE
+                       )) == CKR_OK
+               ) {
+                       valid_key = TRUE;
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked_sess) {
+               _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
+               mutex_locked_sess = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_ensureKeyAccess return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+       
+       return rv;
+}
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#if defined(ENABLE_PKCS11H_LOCATE)
+/*======================================================================*
+ * LOCATE INTERFACE
+ *======================================================================*/
+
+#if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
+
+static
+CK_RV
+_pkcs11h_locate_getTokenIdBySlotId (
+       IN const char * const slot,
+       OUT pkcs11h_token_id_t * const p_token_id
+) {
+       pkcs11h_provider_t current_provider = NULL;
+       char reference[sizeof (((pkcs11h_provider_t)NULL)->reference)];
+
+       CK_SLOT_ID selected_slot = PKCS11H_INVALID_SLOT_ID;
+       CK_TOKEN_INFO info;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (slot!=NULL);
+       PKCS11H_ASSERT (p_token_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getTokenIdBySlotId entry slot='%s', p_token_id=%p",
+               slot,
+               (void *)p_token_id
+       );
+
+       *p_token_id = NULL;
+
+       if (rv == CKR_OK) {
+               if (strchr (slot, ':') == NULL) {
+                       reference[0] = '\0';
+                       selected_slot = atol (slot);
+               }
+               else {
+                       char *p;
+
+                       strncpy (reference, slot, sizeof (reference));
+                       reference[sizeof (reference)-1] = '\0';
+
+                       p = strchr (reference, ':');
+
+                       *p = '\0';
+                       p++;
+                       selected_slot = atol (p);
+               }
+       }
+       
+       if (rv == CKR_OK) {
+               current_provider=s_pkcs11h_data->providers;
+               while (
+                       current_provider != NULL &&
+                       reference[0] != '\0' &&         /* So first provider will be selected */
+                       strcmp (current_provider->reference, reference)
+               ) {
+                       current_provider = current_provider->next;
+               }
+       
+               if (
+                       current_provider == NULL ||
+                       (
+                               current_provider != NULL &&
+                               !current_provider->enabled
+                       )
+               ) {
+                       rv = CKR_SLOT_ID_INVALID;
+               }
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = current_provider->f->C_GetTokenInfo (selected_slot, &info)) == CKR_OK
+       ) {
+               rv = _pkcs11h_token_getTokenId (
+                       &info,
+                       p_token_id
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getTokenIdBySlotId return rv=%ld-'%s', *p_token_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_token_id
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_locate_getTokenIdBySlotName (
+       IN const char * const name,
+       OUT pkcs11h_token_id_t * const p_token_id
+) {
+       pkcs11h_provider_t current_provider = NULL;
+
+       CK_SLOT_ID selected_slot = PKCS11H_INVALID_SLOT_ID;
+       CK_TOKEN_INFO info;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_BOOL found = FALSE;
+
+       PKCS11H_ASSERT (name!=NULL);
+       PKCS11H_ASSERT (p_token_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getTokenIdBySlotName entry name='%s', p_token_id=%p",
+               name,
+               (void *)p_token_id
+       );
+
+       *p_token_id = NULL;
+
+       current_provider = s_pkcs11h_data->providers;
+       while (
+               current_provider != NULL &&
+               rv == CKR_OK &&
+               !found
+       ) {
+               CK_SLOT_ID_PTR slots = NULL;
+               CK_ULONG slotnum;
+               CK_SLOT_ID slot_index;
+
+               if (!current_provider->enabled) {
+                       rv = CKR_CRYPTOKI_NOT_INITIALIZED;
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_getSlotList (
+                               current_provider,
+                               CK_TRUE,
+                               &slots,
+                               &slotnum
+                       );
+               }
+
+               for (
+                       slot_index=0;
+                       (
+                               slot_index < slotnum &&
+                               rv == CKR_OK &&
+                               !found
+                       );
+                       slot_index++
+               ) {
+                       CK_SLOT_INFO info;
+
+                       if (
+                               (rv = current_provider->f->C_GetSlotInfo (
+                                       slots[slot_index],
+                                       &info
+                               )) == CKR_OK
+                       ) {
+                               char current_name[sizeof (info.slotDescription)+1];
+
+                               _pkcs11h_util_fixupFixedString (
+                                       current_name,
+                                       (char *)info.slotDescription,
+                                       sizeof (info.slotDescription)
+                               );
+
+                               if (!strcmp (current_name, name)) {
+                                       found = TRUE;
+                                       selected_slot = slots[slot_index];
+                               }
+                       }
+
+                       if (rv != CKR_OK) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Cannot get slot information for provider '%s' slot %ld rv=%ld-'%s'",
+                                       current_provider->manufacturerID,
+                                       slots[slot_index],
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               /*
+                                * Ignore error
+                                */
+                               rv = CKR_OK;
+                       }
+               }
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
+                               current_provider->manufacturerID,
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+
+               if (slots != NULL) {
+                       _pkcs11h_mem_free ((void *)&slots);
+                       slots = NULL;
+               }
+
+               if (!found) {
+                       current_provider = current_provider->next;
+               }
+       }
+
+       if (rv == CKR_OK && !found) {
+               rv = CKR_SLOT_ID_INVALID;
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = current_provider->f->C_GetTokenInfo (selected_slot, &info)) == CKR_OK
+       ) {
+               rv = _pkcs11h_token_getTokenId (
+                       &info,
+                       p_token_id
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getTokenIdBySlotName return rv=%ld-'%s' *p_token_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_token_id
+       );
+
+       return rv; 
+}
+
+static
+CK_RV
+_pkcs11h_locate_getTokenIdByLabel (
+       IN const char * const label,
+       OUT pkcs11h_token_id_t * const p_token_id
+) {
+       pkcs11h_provider_t current_provider = NULL;
+
+       CK_SLOT_ID selected_slot = PKCS11H_INVALID_SLOT_ID;
+       CK_TOKEN_INFO info;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_BOOL found = FALSE;
+
+       PKCS11H_ASSERT (label!=NULL);
+       PKCS11H_ASSERT (p_token_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getTokenIdByLabel entry label='%s', p_token_id=%p",
+               label,
+               (void *)p_token_id
+       );
+
+       *p_token_id = NULL;
+
+       current_provider = s_pkcs11h_data->providers;
+       while (
+               current_provider != NULL &&
+               rv == CKR_OK &&
+               !found
+       ) {
+               CK_SLOT_ID_PTR slots = NULL;
+               CK_ULONG slotnum;
+               CK_SLOT_ID slot_index;
+
+               if (!current_provider->enabled) {
+                       rv = CKR_CRYPTOKI_NOT_INITIALIZED;
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_getSlotList (
+                               current_provider,
+                               CK_TRUE,
+                               &slots,
+                               &slotnum
+                       );
+               }
+
+               for (
+                       slot_index=0;
+                       (
+                               slot_index < slotnum &&
+                               rv == CKR_OK &&
+                               !found
+                       );
+                       slot_index++
+               ) {
+                       CK_TOKEN_INFO info;
+
+                       if (rv == CKR_OK) {
+                               rv = current_provider->f->C_GetTokenInfo (
+                                       slots[slot_index],
+                                       &info
+                               );
+                       }
+
+                       if (rv == CKR_OK) {
+                               char current_label[sizeof (info.label)+1];
+               
+                               _pkcs11h_util_fixupFixedString (
+                                       current_label,
+                                       (char *)info.label,
+                                       sizeof (info.label)
+                               );
+
+                               if (!strcmp (current_label, label)) {
+                                       found = TRUE;
+                                       selected_slot = slots[slot_index];
+                               }
+                       }
+
+                       if (rv != CKR_OK) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Cannot get token information for provider '%s' slot %ld rv=%ld-'%s'",
+                                       current_provider->manufacturerID,
+                                       slots[slot_index],
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               /*
+                                * Ignore error
+                                */
+                               rv = CKR_OK;
+                       }
+               }
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
+                               current_provider->manufacturerID,
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+
+               if (slots != NULL) {
+                       _pkcs11h_mem_free ((void *)&slots);
+                       slots = NULL;
+               }
+
+               if (!found) {
+                       current_provider = current_provider->next;
+               }
+       }
+
+       if (rv == CKR_OK && !found) {
+               rv = CKR_SLOT_ID_INVALID;
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = current_provider->f->C_GetTokenInfo (selected_slot, &info)) == CKR_OK
+       ) {
+               rv = _pkcs11h_token_getTokenId (
+                       &info,
+                       p_token_id
+               );
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getTokenIdByLabel return rv=%ld-'%s', *p_token_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_token_id
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_locate_token (
+       IN const char * const slot_type,
+       IN const char * const slot,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_token_id_t * const p_token_id
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+
+       pkcs11h_token_id_t dummy_token_id = NULL;
+       pkcs11h_token_id_t token_id = NULL;
+       PKCS11H_BOOL found = FALSE;
+       
+       CK_RV rv = CKR_OK;
+
+       unsigned nRetry = 0;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (slot_type!=NULL);
+       PKCS11H_ASSERT (slot!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       PKCS11H_ASSERT (p_token_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_locate_token entry slot_type='%s', slot='%s', user_data=%p, p_token_id=%p",
+               slot_type,
+               slot,
+               user_data,
+               (void *)p_token_id
+       );
+
+       *p_token_id = NULL;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_token_newTokenId (&dummy_token_id)) == CKR_OK
+       ) {
+               /*
+                * Temperary slot id
+                */
+               strcpy (dummy_token_id->display, "SLOT(");
+               strncat (dummy_token_id->display, slot_type, sizeof (dummy_token_id->display)-1-strlen (dummy_token_id->display));
+               strncat (dummy_token_id->display, "=", sizeof (dummy_token_id->display)-1-strlen (dummy_token_id->display));
+               strncat (dummy_token_id->display, slot, sizeof (dummy_token_id->display)-1-strlen (dummy_token_id->display));
+               strncat (dummy_token_id->display, ")", sizeof (dummy_token_id->display)-1-strlen (dummy_token_id->display));
+               dummy_token_id->display[sizeof (dummy_token_id->display)-1] = 0;
+       }
+
+       while (rv == CKR_OK && !found) {
+               if (!strcmp (slot_type, "id")) {
+                       rv = _pkcs11h_locate_getTokenIdBySlotId (
+                               slot,
+                               &token_id
+                       );
+               }
+               else if (!strcmp (slot_type, "name")) {
+                       rv = _pkcs11h_locate_getTokenIdBySlotName (
+                               slot,
+                               &token_id
+                       );
+               }
+               else if (!strcmp (slot_type, "label")) {
+                       rv = _pkcs11h_locate_getTokenIdByLabel (
+                               slot,
+                               &token_id
+                       );
+               }
+               else {
+                       rv = CKR_ARGUMENTS_BAD;
+               }
+
+               if (rv == CKR_OK) {
+                       found = TRUE;
+               }
+
+               /*
+                * Ignore error, since we have what we
+                * want in found.
+                */
+               if (rv != CKR_OK && rv != CKR_ARGUMENTS_BAD) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: pkcs11h_locate_token failed rv=%ld-'%s'",
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       rv = CKR_OK;
+               }
+
+               if (rv == CKR_OK && !found && (mask_prompt & PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT) == 0) {
+                       rv = CKR_TOKEN_NOT_PRESENT;
+               }
+
+               if (rv == CKR_OK && !found) {
+
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Calling token_prompt hook for '%s'",
+                               dummy_token_id->display
+                       );
+       
+                       if (
+                               !s_pkcs11h_data->hooks.token_prompt (
+                                       s_pkcs11h_data->hooks.token_prompt_data,
+                                       user_data,
+                                       dummy_token_id,
+                                       nRetry++
+                               )
+                       ) {
+                               rv = CKR_CANCEL;
+                       }
+
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: token_prompt returned %ld",
+                               rv
+                       );
+               }
+       }
+
+       if (rv == CKR_OK && !found) {
+               rv = CKR_SLOT_ID_INVALID;
+       }
+
+       if (rv == CKR_OK) {
+               *p_token_id = token_id;
+               token_id = NULL;
+       }
+
+       if (dummy_token_id != NULL) {
+               pkcs11h_token_freeTokenId (dummy_token_id);
+               dummy_token_id = NULL;
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_locate_token return rv=%ld-'%s', *p_token_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_token_id
+       );
+
+       return rv;
+}
+
+#endif                         /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+static
+CK_RV
+_pkcs11h_locate_getCertificateIdByLabel (
+       IN const pkcs11h_session_t session,
+       IN OUT const pkcs11h_certificate_id_t certificate_id,
+       IN const char * const label
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
+       CK_ATTRIBUTE cert_filter[] = {
+               {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)},
+               {CKA_LABEL, (CK_BYTE_PTR)label, strlen (label)}
+       };
+
+       CK_OBJECT_HANDLE *objects = NULL;
+       CK_ULONG objects_found = 0;
+       CK_RV rv = CKR_OK;
+
+       CK_ULONG i;
+
+       PKCS11H_ASSERT (session!=NULL);
+       PKCS11H_ASSERT (certificate_id!=NULL);
+       PKCS11H_ASSERT (label!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getCertificateIdByLabel entry session=%p, certificate_id=%p, label='%s'",
+               (void *)session,
+               (void *)certificate_id,
+               label
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_validate (session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_findObjects (
+                       session,
+                       cert_filter,
+                       sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
+                       &objects,
+                       &objects_found
+               );
+       }
+
+       for (i=0;rv == CKR_OK && i < objects_found;i++) {
+               CK_ATTRIBUTE attrs[] = {
+                       {CKA_ID, NULL, 0},
+                       {CKA_VALUE, NULL, 0}
+               };
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_getObjectAttributes (
+                               session,
+                               objects[i],
+                               attrs,
+                               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                       );
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       _pkcs11h_certificate_isBetterCertificate (
+                               certificate_id->certificate_blob,
+                               certificate_id->certificate_blob_size,
+                               attrs[1].pValue,
+                               attrs[1].ulValueLen
+                       )
+               ) {
+                       if (certificate_id->attrCKA_ID != NULL) {
+                               _pkcs11h_mem_free ((void *)&certificate_id->attrCKA_ID);
+                       }
+                       if (certificate_id->certificate_blob != NULL) {
+                               _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
+                       }
+                       rv = _pkcs11h_mem_duplicate (
+                               (void *)&certificate_id->attrCKA_ID,
+                               &certificate_id->attrCKA_ID_size,
+                               attrs[0].pValue,
+                               attrs[0].ulValueLen
+                       );
+                       rv = _pkcs11h_mem_duplicate (
+                               (void *)&certificate_id->certificate_blob,
+                               &certificate_id->certificate_blob_size,
+                               attrs[1].pValue,
+                               attrs[1].ulValueLen
+                       );
+               }
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
+                               session->provider->manufacturerID,
+                               objects[i],
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+
+               _pkcs11h_session_freeObjectAttributes (
+                       attrs,
+                       sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+               );
+       }
+       
+       if (
+               rv == CKR_OK &&
+               certificate_id->certificate_blob == NULL
+       ) {
+               rv = CKR_ATTRIBUTE_VALUE_INVALID;
+       }
+
+       if (objects != NULL) {
+               _pkcs11h_mem_free ((void *)&objects);
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       /*
+        * No need to free allocated objects
+        * on error, since the certificate_id
+        * should be free by caller.
+        */
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getCertificateIdByLabel return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_locate_getCertificateIdBySubject (
+       IN const pkcs11h_session_t session,
+       IN OUT const pkcs11h_certificate_id_t certificate_id,
+       IN const char * const subject
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
+       CK_ATTRIBUTE cert_filter[] = {
+               {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)}
+       };
+
+       CK_OBJECT_HANDLE *objects = NULL;
+       CK_ULONG objects_found = 0;
+       CK_RV rv = CKR_OK;
+
+       CK_ULONG i;
+
+       PKCS11H_ASSERT (session!=NULL);
+       PKCS11H_ASSERT (certificate_id!=NULL);
+       PKCS11H_ASSERT (subject!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getCertificateIdBySubject entry session=%p, certificate_id=%p, subject='%s'",
+               (void *)session,
+               (void *)certificate_id,
+               subject
+       );
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_validate (session);
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_findObjects (
+                       session,
+                       cert_filter,
+                       sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
+                       &objects,
+                       &objects_found
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       for (i=0;rv == CKR_OK && i < objects_found;i++) {
+               CK_ATTRIBUTE attrs[] = {
+                       {CKA_ID, NULL, 0},
+                       {CKA_VALUE, NULL, 0}
+               };
+               char current_subject[1024];
+               current_subject[0] = '\0';
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_getObjectAttributes (
+                               session,
+                               objects[i],
+                               attrs,
+                               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                       );
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_certificate_getDN (
+                               attrs[1].pValue,
+                               attrs[1].ulValueLen,
+                               current_subject,
+                               sizeof (current_subject)
+                       );
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       !strcmp (subject, current_subject) &&
+                       _pkcs11h_certificate_isBetterCertificate (
+                               certificate_id->certificate_blob,
+                               certificate_id->certificate_blob_size,
+                               attrs[1].pValue,
+                               attrs[1].ulValueLen
+                       )
+               ) {
+                       if (certificate_id->attrCKA_ID != NULL) {
+                               _pkcs11h_mem_free ((void *)&certificate_id->attrCKA_ID);
+                       }
+                       if (certificate_id->certificate_blob != NULL) {
+                               _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
+                       }
+                       rv = _pkcs11h_mem_duplicate (
+                               (void *)&certificate_id->attrCKA_ID,
+                               &certificate_id->attrCKA_ID_size,
+                               attrs[0].pValue,
+                               attrs[0].ulValueLen
+                       );
+                       rv = _pkcs11h_mem_duplicate (
+                               (void *)&certificate_id->certificate_blob,
+                               &certificate_id->certificate_blob_size,
+                               attrs[1].pValue,
+                               attrs[1].ulValueLen
+                       );
+               }
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
+                               session->provider->manufacturerID,
+                               objects[i],
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+
+               _pkcs11h_session_freeObjectAttributes (
+                       attrs,
+                       sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+               );
+       }
+       
+       if (
+               rv == CKR_OK &&
+               certificate_id->certificate_blob == NULL
+       ) {
+               rv = CKR_ATTRIBUTE_VALUE_INVALID;
+       }
+
+       if (objects != NULL) {
+               _pkcs11h_mem_free ((void *)&objects);
+       }
+
+       /*
+        * No need to free allocated objects
+        * on error, since the certificate_id
+        * should be free by caller.
+        */
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_locate_getCertificateIdBySubject return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_locate_certificate (
+       IN const char * const slot_type,
+       IN const char * const slot,
+       IN const char * const id_type,
+       IN const char * const id,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_certificate_id_t * const p_certificate_id
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_certificate_id_t certificate_id = NULL;
+       pkcs11h_session_t session = NULL;
+       PKCS11H_BOOL op_succeed = FALSE;
+       PKCS11H_BOOL login_retry = FALSE;
+       
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (slot_type!=NULL);
+       PKCS11H_ASSERT (slot!=NULL);
+       PKCS11H_ASSERT (id_type!=NULL);
+       PKCS11H_ASSERT (id!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       PKCS11H_ASSERT (p_certificate_id!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_locateCertificate entry slot_type='%s', slot='%s', id_type='%s', id='%s', user_data=%p, mask_prompt=%08x, p_certificate_id=%p",
+               slot_type,
+               slot,
+               id_type,
+               id,
+               user_data,
+               mask_prompt,
+               (void *)p_certificate_id
+       );
+
+       *p_certificate_id = NULL;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_certificate_newCertificateId (&certificate_id);
+       }
+
+       if (rv == CKR_OK) {
+               rv = pkcs11h_locate_token (
+                       slot_type,
+                       slot,
+                       user_data,
+                       mask_prompt,
+                       &certificate_id->token_id
+               );
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_getSessionByTokenId (
+                       certificate_id->token_id,
+                       &session
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       while (rv == CKR_OK && !op_succeed) {
+               if (!strcmp (id_type, "id")) {
+                       certificate_id->attrCKA_ID_size = strlen (id)/2;
+
+                       if (certificate_id->attrCKA_ID_size == 0) {
+                               rv = CKR_FUNCTION_FAILED;
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_mem_malloc (
+                                       (void*)&certificate_id->attrCKA_ID,
+                                       certificate_id->attrCKA_ID_size
+                               )) == CKR_OK
+                       ) {
+                               _pkcs11h_util_hexToBinary (
+                                       certificate_id->attrCKA_ID,
+                                       id,
+                                       &certificate_id->attrCKA_ID_size
+                               );
+                       }
+               }
+               else if (!strcmp (id_type, "label")) {
+                       rv = _pkcs11h_locate_getCertificateIdByLabel (
+                               session,
+                               certificate_id,
+                               id
+                       );
+               }
+               else if (!strcmp (id_type, "subject")) {
+                       rv = _pkcs11h_locate_getCertificateIdBySubject (
+                               session,
+                               certificate_id,
+                               id
+                       );
+               }
+               else {
+                       rv = CKR_ARGUMENTS_BAD;
+               }
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Get certificate failed: %ld:'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               rv = _pkcs11h_session_login (
+                                       session,
+                                       TRUE,
+                                       TRUE,
+                                       user_data,
+                                       mask_prompt
+                               );
+
+                               login_retry = TRUE;
+                       }
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               *p_certificate_id = certificate_id;
+               certificate_id = NULL;
+       }
+
+       if (certificate_id != NULL) {
+               pkcs11h_certificate_freeCertificateId (certificate_id);
+               certificate_id = NULL;
+       }
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_locateCertificate return rv=%ld-'%s' *p_certificate_id=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_certificate_id
+       );
+       
+       return rv;
+}
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#endif                         /* ENABLE_PKCS11H_LOCATE */
+
+#if defined(ENABLE_PKCS11H_ENUM)
+/*======================================================================*
+ * ENUM INTERFACE
+ *======================================================================*/
+
+#if defined(ENABLE_PKCS11H_TOKEN)
+
+CK_RV
+pkcs11h_token_freeTokenIdList (
+       IN const pkcs11h_token_id_list_t token_id_list
+) {
+       pkcs11h_token_id_list_t _id = token_id_list;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       /*PKCS11H_ASSERT (token_id_list!=NULL); NOT NEEDED*/
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=%p",
+               (void *)token_id_list
+       );
+
+       while (_id != NULL) {
+               pkcs11h_token_id_list_t x = _id;
+               _id = _id->next;
+               if (x->token_id != NULL) {
+                       pkcs11h_token_freeTokenId (x->token_id);
+               }
+               x->next = NULL;
+               _pkcs11h_mem_free ((void *)&x);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_freeTokenIdList return"
+       );
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_token_enumTokenIds (
+       IN const int method,
+       OUT pkcs11h_token_id_list_t * const p_token_id_list
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+
+       pkcs11h_token_id_list_t token_id_list = NULL;
+       pkcs11h_provider_t current_provider;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (p_token_id_list!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_enumTokenIds entry p_token_id_list=%p",
+               (void *)p_token_id_list
+       );
+
+       *p_token_id_list = NULL;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       for (
+               current_provider = s_pkcs11h_data->providers;
+               (
+                       current_provider != NULL &&
+                       rv == CKR_OK
+               );
+               current_provider = current_provider->next
+       ) {
+               CK_SLOT_ID_PTR slots = NULL;
+               CK_ULONG slotnum;
+               CK_SLOT_ID slot_index;
+
+               if (!current_provider->enabled) {
+                       rv = CKR_CRYPTOKI_NOT_INITIALIZED;
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_getSlotList (
+                               current_provider,
+                               CK_TRUE,
+                               &slots,
+                               &slotnum
+                       );
+               }
+
+               for (
+                       slot_index=0;
+                       (
+                               slot_index < slotnum &&
+                               rv == CKR_OK
+                       );
+                       slot_index++
+               ) {
+                       pkcs11h_token_id_list_t entry = NULL;
+                       CK_TOKEN_INFO info;
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_mem_malloc ((void *)&entry, sizeof (struct pkcs11h_token_id_list_s));
+                       }
+
+                       if (rv == CKR_OK) {
+                               rv = current_provider->f->C_GetTokenInfo (
+                                       slots[slot_index],
+                                       &info
+                               );
+                       }
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_token_getTokenId (
+                                       &info,
+                                       &entry->token_id
+                               );
+                       }
+
+                       if (rv == CKR_OK) {
+                               entry->next = token_id_list;
+                               token_id_list = entry;
+                               entry = NULL;
+                       }
+
+                       if (entry != NULL) {
+                               pkcs11h_token_freeTokenIdList (entry);
+                               entry = NULL;
+                       }
+               }
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
+                               current_provider->manufacturerID,
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+
+               if (slots != NULL) {
+                       _pkcs11h_mem_free ((void *)&slots);
+                       slots = NULL;
+               }
+       }
+
+       if (rv == CKR_OK && method == PKCS11H_ENUM_METHOD_CACHE) {
+               pkcs11h_session_t session = NULL;
+
+               for (
+                       session = s_pkcs11h_data->sessions;
+                       session != NULL && rv == CKR_OK;
+                       session = session->next
+               ) {
+                       pkcs11h_token_id_list_t entry = NULL;
+                       PKCS11H_BOOL found = FALSE;
+
+                       for (
+                               entry = token_id_list;
+                               entry != NULL && !found;
+                               entry = entry->next
+                       ) {
+                               if (
+                                       pkcs11h_token_sameTokenId (
+                                               session->token_id,
+                                               entry->token_id
+                                       )
+                               ) {
+                                       found = TRUE;
+                               }
+                       }
+
+                       if (!found) {
+                               entry = NULL;
+
+                               if (rv == CKR_OK) {
+                                       rv = _pkcs11h_mem_malloc (
+                                               (void *)&entry,
+                                               sizeof (struct pkcs11h_token_id_list_s)
+                                       );
+                               }
+
+                               if (rv == CKR_OK) {
+                                       rv = pkcs11h_token_duplicateTokenId (
+                                               &entry->token_id,
+                                               session->token_id
+                                       );
+                               }
+
+                               if (rv == CKR_OK) {
+                                       entry->next = token_id_list;
+                                       token_id_list = entry;
+                                       entry = NULL;
+                               }
+
+                               if (entry != NULL) {
+                                       if (entry->token_id != NULL) {
+                                               pkcs11h_token_freeTokenId (entry->token_id);
+                                       }
+                                       _pkcs11h_mem_free ((void *)&entry);
+                               }
+                       }
+               }
+       }
+
+       if (rv == CKR_OK) {
+               *p_token_id_list = token_id_list;
+               token_id_list = NULL;
+       }
+
+       if (token_id_list != NULL) {
+               pkcs11h_token_freeTokenIdList (token_id_list);
+               token_id_list = NULL;
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               rv = _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_enumTokenIds return rv=%ld-'%s', *p_token_id_list=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)p_token_id_list
+       );
+       
+       return rv;
+}
+
+#endif
+
+#if defined(ENABLE_PKCS11H_DATA)
+
+CK_RV
+pkcs11h_data_freeDataIdList (
+       IN const pkcs11h_data_id_list_t data_id_list
+) {
+       pkcs11h_data_id_list_t _id = data_id_list;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       /*PKCS11H_ASSERT (data_id_list!=NULL); NOT NEEDED*/
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_freeDataIdList entry token_id_list=%p",
+               (void *)data_id_list
+       );
+
+       while (_id != NULL) {
+               pkcs11h_data_id_list_t x = _id;
+               _id = _id->next;
+
+               if (x->application != NULL) {
+                       _pkcs11h_mem_free ((void *)&x->application);
+               }
+               if (x->label != NULL) {
+                       _pkcs11h_mem_free ((void *)&x->label);
+               }
+               _pkcs11h_mem_free ((void *)&x);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_token_freeDataIdList return"
+       );
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_data_enumDataObjects (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_data_id_list_t * const p_data_id_list
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_session_t session = NULL;
+       pkcs11h_data_id_list_t data_id_list = NULL;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_BOOL op_succeed = FALSE;
+       PKCS11H_BOOL login_retry = FALSE;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (p_data_id_list!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_enumDataObjects entry token_id=%p, is_public=%d, user_data=%p, mask_prompt=%08x, p_data_id_list=%p",
+               (void *)token_id,
+               is_public ? 1 : 0,
+               user_data,
+               mask_prompt,
+               (void *)p_data_id_list
+       );
+
+       *p_data_id_list = NULL;
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_session_getSessionByTokenId (
+                       token_id,
+                       &session
+               );
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       while (rv == CKR_OK && !op_succeed) {
+
+               CK_OBJECT_CLASS class = CKO_DATA;
+               CK_ATTRIBUTE filter[] = {
+                       {CKA_CLASS, (void *)&class, sizeof (class)}
+               };
+               CK_OBJECT_HANDLE *objects = NULL;
+               CK_ULONG objects_found = 0;
+
+               CK_ULONG i;
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_validate (session);
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_findObjects (
+                               session,
+                               filter,
+                               sizeof (filter) / sizeof (CK_ATTRIBUTE),
+                               &objects,
+                               &objects_found
+                       );
+               }
+
+               for (i = 0;rv == CKR_OK && i < objects_found;i++) {
+                       pkcs11h_data_id_list_t entry = NULL;
+
+                       CK_ATTRIBUTE attrs[] = {
+                               {CKA_APPLICATION, NULL, 0},
+                               {CKA_LABEL, NULL, 0}
+                       };
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_session_getObjectAttributes (
+                                       session,
+                                       objects[i],
+                                       attrs,
+                                       sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                               );
+                       }
+                       
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_mem_malloc (
+                                       (void *)&entry,
+                                       sizeof (struct pkcs11h_data_id_list_s)
+                               );
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_mem_malloc (
+                                       (void *)&entry->application,
+                                       attrs[0].ulValueLen+1
+                               )) == CKR_OK
+                       ) {
+                               memmove (entry->application, attrs[0].pValue, attrs[0].ulValueLen);
+                               entry->application[attrs[0].ulValueLen] = '\0';
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_mem_malloc (
+                                       (void *)&entry->label,
+                                       attrs[1].ulValueLen+1
+                               )) == CKR_OK
+                       ) {
+                               memmove (entry->label, attrs[1].pValue, attrs[1].ulValueLen);
+                               entry->label[attrs[1].ulValueLen] = '\0';
+                       }
+
+                       if (rv == CKR_OK) {
+                               entry->next = data_id_list;
+                               data_id_list = entry;
+                               entry = NULL;
+                       }
+
+                       _pkcs11h_session_freeObjectAttributes (
+                               attrs,
+                               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                       );
+
+                       if (entry != NULL) {
+                               if (entry->application != NULL) {
+                                       _pkcs11h_mem_free ((void *)&entry->application);
+                               }
+                               if (entry->label != NULL) {
+                                       _pkcs11h_mem_free ((void *)&entry->label);
+                               }
+                               _pkcs11h_mem_free ((void *)&entry);
+                       }
+               }
+
+               if (objects != NULL) {
+                       _pkcs11h_mem_free ((void *)&objects);
+               }
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Enumerate data objects failed rv=%ld-'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+                               login_retry = TRUE;
+                               rv = _pkcs11h_session_login (
+                                       session,
+                                       is_public,
+                                       TRUE,
+                                       user_data,
+                                       mask_prompt
+                               );
+                       }
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       if (rv == CKR_OK) {
+               *p_data_id_list = data_id_list;
+               data_id_list = NULL;
+       }
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       if (data_id_list != NULL) {
+               pkcs11h_data_freeDataIdList (data_id_list);
+               data_id_list = NULL;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_data_enumDataObjects return rv=%ld-'%s', *p_data_id_list=%p",
+               rv,
+               pkcs11h_getMessage (rv),
+               (void *)*p_data_id_list
+       );
+       
+       return rv;
+}
+
+#endif                         /* ENABLE_PKCS11H_DATA */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+static
+CK_RV
+_pkcs11h_certificate_enumSessionCertificates (
+       IN const pkcs11h_session_t session,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       PKCS11H_BOOL op_succeed = FALSE;
+       PKCS11H_BOOL login_retry = FALSE;
+
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (session!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=%p, user_data=%p, mask_prompt=%08x",
+               (void *)session,
+               user_data,
+               mask_prompt
+       );
+       
+       /* THREADS: NO NEED TO LOCK, GLOBAL CACHE IS LOCKED */
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       while (rv == CKR_OK && !op_succeed) {
+               CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
+               CK_ATTRIBUTE cert_filter[] = {
+                       {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)}
+               };
+
+               CK_OBJECT_HANDLE *objects = NULL;
+               CK_ULONG objects_found = 0;
+
+               CK_ULONG i;
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_validate (session);
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_findObjects (
+                               session,
+                               cert_filter,
+                               sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
+                               &objects,
+                               &objects_found
+                       );
+               }
+                       
+               for (i=0;rv == CKR_OK && i < objects_found;i++) {
+                       pkcs11h_certificate_id_t certificate_id = NULL;
+                       pkcs11h_certificate_id_list_t new_element = NULL;
+                       
+                       CK_ATTRIBUTE attrs[] = {
+                               {CKA_ID, NULL, 0},
+                               {CKA_VALUE, NULL, 0}
+                       };
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_session_getObjectAttributes (
+                                       session,
+                                       objects[i],
+                                       attrs,
+                                       sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                               );
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) == CKR_OK
+                       ) {
+                               rv = pkcs11h_token_duplicateTokenId (
+                                       &certificate_id->token_id,
+                                       session->token_id
+                               );
+                       }
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_mem_duplicate (
+                                       (void*)&certificate_id->attrCKA_ID,
+                                       &certificate_id->attrCKA_ID_size,
+                                       attrs[0].pValue,
+                                       attrs[0].ulValueLen
+                               );
+                       }
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_mem_duplicate (
+                                       (void*)&certificate_id->certificate_blob,
+                                       &certificate_id->certificate_blob_size,
+                                       attrs[1].pValue,
+                                       attrs[1].ulValueLen
+                               );
+                       }
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_certificate_updateCertificateIdDescription (certificate_id);
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_mem_malloc (
+                                       (void *)&new_element,
+                                       sizeof (struct pkcs11h_certificate_id_list_s)
+                               )) == CKR_OK
+                       ) {
+                               new_element->next = session->cached_certs;
+                               new_element->certificate_id = certificate_id;
+                               certificate_id = NULL;
+
+                               session->cached_certs = new_element;
+                               new_element = NULL;
+                       }
+
+                       if (certificate_id != NULL) {
+                               pkcs11h_certificate_freeCertificateId (certificate_id);
+                               certificate_id = NULL;
+                       }
+
+                       if (new_element != NULL) {
+                               _pkcs11h_mem_free ((void *)&new_element);
+                               new_element = NULL;
+                       }
+
+                       _pkcs11h_session_freeObjectAttributes (
+                               attrs,
+                               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                       );
+
+                       if (rv != CKR_OK) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
+                                       session->provider->manufacturerID,
+                                       objects[i],
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               /*
+                                * Ignore error
+                                */
+                               rv = CKR_OK;
+                       }
+               }
+
+               if (objects != NULL) {
+                       _pkcs11h_mem_free ((void *)&objects);
+               }
+
+               if (rv == CKR_OK) {
+                       op_succeed = TRUE;
+               }
+               else {
+                       if (!login_retry) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Get certificate attributes failed: %ld:'%s'",
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               rv = _pkcs11h_session_login (
+                                       session,
+                                       TRUE,
+                                       TRUE,
+                                       user_data,
+                                       (mask_prompt & PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT)
+                               );
+
+                               login_retry = TRUE;
+                       }
+               }
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&session->mutex);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_certificate_splitCertificateIdList (
+       IN const pkcs11h_certificate_id_list_t cert_id_all,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
+) {
+       typedef struct info_s {
+               struct info_s *next;
+               pkcs11h_certificate_id_t e;
+#if defined(USE_PKCS11H_OPENSSL)
+               X509 *x509;
+#elif defined(USE_PKCS11H_GNUTLS)
+               gnutls_x509_crt_t cert;
+#endif
+               PKCS11H_BOOL is_issuer;
+       } *info_t;
+
+       pkcs11h_certificate_id_list_t cert_id_issuers_list = NULL;
+       pkcs11h_certificate_id_list_t cert_id_end_list = NULL;
+
+       info_t head = NULL;
+       info_t info = NULL;
+
+       CK_RV rv = CKR_OK;
+
+       /*PKCS11H_ASSERT (cert_id_all!=NULL); NOT NEEDED */
+       /*PKCS11H_ASSERT (p_cert_id_issuers_list!=NULL); NOT NEEDED*/
+       PKCS11H_ASSERT (p_cert_id_end_list!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_splitCertificateIdList entry cert_id_all=%p, p_cert_id_issuers_list=%p, p_cert_id_end_list=%p",
+               (void *)cert_id_all,
+               (void *)p_cert_id_issuers_list,
+               (void *)p_cert_id_end_list
+       );
+
+       if (p_cert_id_issuers_list != NULL) {
+               *p_cert_id_issuers_list = NULL;
+       }
+       *p_cert_id_end_list = NULL;
+
+       if (rv == CKR_OK) {
+               pkcs11h_certificate_id_list_t entry = NULL;
+
+               for (
+                       entry = cert_id_all;
+                       entry != NULL && rv == CKR_OK;
+                       entry = entry->next
+               ) {
+                       info_t new_info = NULL;
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_mem_malloc ((void *)&new_info, sizeof (struct info_s))) == CKR_OK &&
+                               entry->certificate_id->certificate_blob != NULL
+                       ) {
+#if defined(USE_PKCS11H_OPENSSL)
+                               pkcs11_openssl_d2i_t d2i = (pkcs11_openssl_d2i_t)entry->certificate_id->certificate_blob;
+#endif
+
+                               new_info->next = head;
+                               new_info->e = entry->certificate_id;
+#if defined(USE_PKCS11H_OPENSSL)
+                               new_info->x509 = X509_new ();
+                               if (
+                                       new_info->x509 != NULL &&
+                                       !d2i_X509 (
+                                               &new_info->x509,
+                                               &d2i,
+                                               entry->certificate_id->certificate_blob_size
+                                       )
+                               ) {
+                                       X509_free (new_info->x509);
+                                       new_info->x509 = NULL;
+                               }
+#elif defined(USE_PKCS11H_GNUTLS)
+                               if (gnutls_x509_crt_init (&new_info->cert) != GNUTLS_E_SUCCESS) {
+                                       /* gnutls sets output */
+                                       new_info->cert = NULL;
+                               }
+                               else {
+                                       gnutls_datum_t datum = {
+                                               entry->certificate_id->certificate_blob,
+                                               entry->certificate_id->certificate_blob_size
+                                       };
+
+                                       if (
+                                               gnutls_x509_crt_import (
+                                                       new_info->cert,
+                                                       &datum,
+                                                       GNUTLS_X509_FMT_DER
+                                               ) != GNUTLS_E_SUCCESS
+                                       ) {
+                                               gnutls_x509_crt_deinit (new_info->cert);
+                                               new_info->cert = NULL;
+                                       }
+                               }
+#else
+#error Invalid configuration.
+#endif
+                               head = new_info;
+                               new_info = NULL;
+                       }
+               }
+
+       }
+
+       if (rv == CKR_OK) {
+               for (
+                       info = head;
+                       info != NULL;
+                       info = info->next
+               ) {
+                       info_t info2 = NULL;
+#if defined(USE_PKCS11H_OPENSSL)
+                       EVP_PKEY *pub = X509_get_pubkey (info->x509);
+#endif
+
+                       for (
+                               info2 = head;
+                               info2 != NULL && !info->is_issuer;
+                               info2 = info2->next
+                       ) {
+                               if (info != info2) {
+#if defined(USE_PKCS11H_OPENSSL)
+                                       if (
+                                               info->x509 != NULL &&
+                                               info2->x509 != NULL &&
+                                               !X509_NAME_cmp (
+                                                       X509_get_subject_name (info->x509),
+                                                       X509_get_issuer_name (info2->x509)
+                                               ) &&
+                                               X509_verify (info2->x509, pub) == 1
+                                       ) {
+                                               info->is_issuer = TRUE;
+                                       }
+#elif defined(USE_PKCS11H_GNUTLS)
+                                       unsigned result;
+
+                                       if (
+                                               info->cert != NULL &&
+                                               info2->cert != NULL &&
+                                               gnutls_x509_crt_verify (
+                                                       info2->cert,
+                                                       &info->cert,
+                                                       1,
+                                                       0,
+                                                       &result
+                                               ) &&
+                                               (result & GNUTLS_CERT_INVALID) == 0
+                                       ) {
+                                               info->is_issuer = TRUE;
+                                       }
+#else
+#error Invalid configuration.
+#endif
+                               }
+
+                       }
+
+#if defined(USE_PKCS11H_OPENSSL)
+                       if (pub != NULL) {
+                               EVP_PKEY_free (pub);
+                               pub = NULL;
+                       }
+#endif
+               }
+       }
+
+       if (rv == CKR_OK) {
+               for (
+                       info = head;
+                       info != NULL && rv == CKR_OK;
+                       info = info->next
+               ) {
+                       pkcs11h_certificate_id_list_t new_entry = NULL;
+
+                       if (rv == CKR_OK) {
+                               rv = _pkcs11h_mem_malloc (
+                                       (void *)&new_entry,
+                                       sizeof (struct pkcs11h_certificate_id_list_s)
+                               );
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = pkcs11h_certificate_duplicateCertificateId (
+                                       &new_entry->certificate_id,
+                                       info->e
+                               )) == CKR_OK
+                       ) {
+                               /*
+                                * Should not free base list
+                                */
+                               info->e = NULL;
+                       }
+
+                       if (rv == CKR_OK) {
+                               if (info->is_issuer) {
+                                       new_entry->next = cert_id_issuers_list;
+                                       cert_id_issuers_list = new_entry;
+                                       new_entry = NULL;
+                               }
+                               else {
+                                       new_entry->next = cert_id_end_list;
+                                       cert_id_end_list = new_entry;
+                                       new_entry = NULL;
+                               }
+                       }
+
+                       if (new_entry != NULL) {
+                               if (new_entry->certificate_id != NULL) {
+                                       pkcs11h_certificate_freeCertificateId (new_entry->certificate_id);
+                               }
+                               _pkcs11h_mem_free ((void *)&new_entry);
+                       }
+               }
+       }
+
+       if (rv == CKR_OK) {
+               while (head != NULL) {
+                       info_t entry = head;
+                       head = head->next;
+
+#if defined(USE_PKCS11H_OPENSSL)
+                       if (entry->x509 != NULL) {
+                               X509_free (entry->x509);
+                               entry->x509 = NULL;
+                       }
+#elif defined(USE_PKCS11H_GNUTLS)
+                       if (entry->cert != NULL) {
+                               gnutls_x509_crt_deinit (entry->cert);
+                               entry->cert = NULL;
+                       }
+#else
+#error Invalid configuration.
+#endif
+
+                       _pkcs11h_mem_free ((void *)&entry);
+               }
+       }
+
+       if (rv == CKR_OK && p_cert_id_issuers_list != NULL ) {
+               *p_cert_id_issuers_list = cert_id_issuers_list;
+               cert_id_issuers_list = NULL;
+       }
+
+       if (rv == CKR_OK) {
+               *p_cert_id_end_list = cert_id_end_list;
+               cert_id_end_list = NULL;
+       }
+
+       if (cert_id_issuers_list != NULL) {
+               pkcs11h_certificate_freeCertificateIdList (cert_id_issuers_list);
+       }
+
+       if (cert_id_end_list != NULL) {
+               pkcs11h_certificate_freeCertificateIdList (cert_id_end_list);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_certificate_splitCertificateIdList return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_freeCertificateIdList (
+       IN const pkcs11h_certificate_id_list_t cert_id_list
+) {
+       pkcs11h_certificate_id_list_t _id = cert_id_list;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       /*PKCS11H_ASSERT (cert_id_list!=NULL); NOT NEEDED*/
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=%p",
+               (void *)cert_id_list
+       );
+
+       while (_id != NULL) {
+               pkcs11h_certificate_id_list_t x = _id;
+               _id = _id->next;
+               if (x->certificate_id != NULL) {
+                       pkcs11h_certificate_freeCertificateId (x->certificate_id);
+               }
+               x->next = NULL;
+               _pkcs11h_mem_free ((void *)&x);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_freeCertificateIdList return"
+       );
+
+       return CKR_OK;
+}
+
+CK_RV
+pkcs11h_certificate_enumTokenCertificateIds (
+       IN const pkcs11h_token_id_t token_id,
+       IN const int method,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_session_t session = NULL;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       PKCS11H_ASSERT (token_id!=NULL);
+       /*PKCS11H_ASSERT (user_data) NOT NEEDED */
+       /*PKCS11H_ASSERT (p_cert_id_issuers_list!=NULL); NOT NEEDED*/
+       PKCS11H_ASSERT (p_cert_id_end_list!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_enumTokenCertificateIds entry token_id=%p, method=%d, user_data=%p, mask_prompt=%08x, p_cert_id_issuers_list=%p, p_cert_id_end_list=%p",
+               (void *)token_id,
+               method,
+               user_data,
+               mask_prompt,
+               (void *)p_cert_id_issuers_list,
+               (void *)p_cert_id_end_list
+       );
+
+       if (p_cert_id_issuers_list != NULL) {
+               *p_cert_id_issuers_list = NULL;
+       }
+       *p_cert_id_end_list = NULL;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_session_getSessionByTokenId (
+                       token_id,
+                       &session
+               )) == CKR_OK
+       ) {
+               if (method == PKCS11H_ENUM_METHOD_RELOAD) {
+                       pkcs11h_certificate_freeCertificateIdList (session->cached_certs);
+                       session->cached_certs = NULL;
+               }
+
+               if (session->cached_certs == NULL) {
+                       rv = _pkcs11h_certificate_enumSessionCertificates (session, user_data, mask_prompt);
+               }
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_certificate_splitCertificateIdList (
+                       session->cached_certs,
+                       p_cert_id_issuers_list,
+                       p_cert_id_end_list
+               );
+       }
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+       }
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.cache);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_enumTokenCertificateIds return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+       
+       return rv;
+}
+
+CK_RV
+pkcs11h_certificate_enumCertificateIds (
+       IN const int method,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
+) {
+#if defined(ENABLE_PKCS11H_THREADING)
+       PKCS11H_BOOL mutex_locked = FALSE;
+#endif
+       pkcs11h_certificate_id_list_t cert_id_list = NULL;
+       pkcs11h_provider_t current_provider;
+       pkcs11h_session_t current_session;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
+       PKCS11H_ASSERT (s_pkcs11h_data->initialized);
+       /*PKCS11H_ASSERT (user_data!=NULL); NOT NEEDED*/
+       /*PKCS11H_ASSERT (p_cert_id_issuers_list!=NULL); NOT NEEDED*/
+       PKCS11H_ASSERT (p_cert_id_end_list!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=%d, mask_prompt=%08x, p_cert_id_issuers_list=%p, p_cert_id_end_list=%p",
+               method,
+               mask_prompt,
+               (void *)p_cert_id_issuers_list,
+               (void *)p_cert_id_end_list
+       );
+
+       if (p_cert_id_issuers_list != NULL) {
+               *p_cert_id_issuers_list = NULL;
+       }
+       *p_cert_id_end_list = NULL;
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (
+               rv == CKR_OK &&
+               (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache)) == CKR_OK
+       ) {
+               mutex_locked = TRUE;
+       }
+#endif
+
+       for (
+               current_session = s_pkcs11h_data->sessions;
+               current_session != NULL;
+               current_session = current_session->next
+       ) {
+               current_session->touch = FALSE;
+               if (method == PKCS11H_ENUM_METHOD_RELOAD) {
+                       pkcs11h_certificate_freeCertificateIdList (current_session->cached_certs);
+                       current_session->cached_certs = NULL;
+               }
+       }
+
+       for (
+               current_provider = s_pkcs11h_data->providers;
+               (
+                       current_provider != NULL &&
+                       rv == CKR_OK
+               );
+               current_provider = current_provider->next
+       ) {
+               CK_SLOT_ID_PTR slots = NULL;
+               CK_ULONG slotnum;
+               CK_SLOT_ID slot_index;
+
+               if (!current_provider->enabled) {
+                       rv = CKR_CRYPTOKI_NOT_INITIALIZED;
+               }
+
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_session_getSlotList (
+                               current_provider,
+                               CK_TRUE,
+                               &slots,
+                               &slotnum
+                       );
+               }
+
+               for (
+                       slot_index=0;
+                       (
+                               slot_index < slotnum &&
+                               rv == CKR_OK
+                       );
+                       slot_index++
+               ) {
+                       pkcs11h_session_t session = NULL;
+                       pkcs11h_token_id_t token_id = NULL;
+                       CK_TOKEN_INFO info;
+
+                       if (rv == CKR_OK) {
+                               rv = current_provider->f->C_GetTokenInfo (
+                                       slots[slot_index],
+                                       &info
+                               );
+                       }
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_token_getTokenId (
+                                       &info,
+                                       &token_id
+                               )) == CKR_OK &&
+                               (rv = _pkcs11h_session_getSessionByTokenId (
+                                       token_id,
+                                       &session
+                               )) == CKR_OK
+                       ) {
+                               session->touch = TRUE;
+
+                               if (session->cached_certs == NULL) {
+                                       rv = _pkcs11h_certificate_enumSessionCertificates (session, user_data, mask_prompt);
+                               }
+                       }
+
+                       if (rv != CKR_OK) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Cannot get token information for provider '%s' slot %ld rv=%ld-'%s'",
+                                       current_provider->manufacturerID,
+                                       slots[slot_index],
+                                       rv,
+                                       pkcs11h_getMessage (rv)
+                               );
+
+                               /*
+                                * Ignore error
+                                */
+                               rv = CKR_OK;
+                       }
+
+                       if (session != NULL) {
+                               _pkcs11h_session_release (session);
+                               session = NULL;
+                       }
+
+                       if (token_id != NULL) {
+                               pkcs11h_token_freeTokenId (token_id);
+                               token_id = NULL;
+                       }
+               }
+
+               if (rv != CKR_OK) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
+                               current_provider->manufacturerID,
+                               rv,
+                               pkcs11h_getMessage (rv)
+                       );
+
+                       /*
+                        * Ignore error
+                        */
+                       rv = CKR_OK;
+               }
+
+               if (slots != NULL) {
+                       _pkcs11h_mem_free ((void *)&slots);
+                       slots = NULL;
+               }
+       }
+
+       for (
+               current_session = s_pkcs11h_data->sessions;
+               (
+                       current_session != NULL &&
+                       rv == CKR_OK
+               );
+               current_session = current_session->next
+       ) {
+               if (
+                       method == PKCS11H_ENUM_METHOD_CACHE ||
+                       (
+                               (
+                                       method == PKCS11H_ENUM_METHOD_RELOAD ||
+                                       method == PKCS11H_ENUM_METHOD_CACHE_EXIST
+                               ) &&
+                               current_session->touch
+                       )
+               ) {
+                       pkcs11h_certificate_id_list_t entry = NULL;
+
+                       for (
+                               entry = current_session->cached_certs;
+                               (
+                                       entry != NULL &&
+                                       rv == CKR_OK
+                               );
+                               entry = entry->next
+                       ) {
+                               pkcs11h_certificate_id_list_t new_entry = NULL;
+
+                               if (
+                                       rv == CKR_OK &&
+                                       (rv = _pkcs11h_mem_malloc (
+                                               (void *)&new_entry,
+                                               sizeof (struct pkcs11h_certificate_id_list_s)
+                                       )) == CKR_OK &&
+                                       (rv = pkcs11h_certificate_duplicateCertificateId (
+                                               &new_entry->certificate_id,
+                                               entry->certificate_id
+                                       )) == CKR_OK
+                               ) {
+                                       new_entry->next = cert_id_list;
+                                       cert_id_list = new_entry;
+                                       new_entry = NULL;
+                               }
+
+                               if (new_entry != NULL) {
+                                       new_entry->next = NULL;
+                                       pkcs11h_certificate_freeCertificateIdList (new_entry);
+                                       new_entry = NULL;
+                               }
+                       }
+               }
+       }
+
+       if (rv == CKR_OK) {
+               rv = _pkcs11h_certificate_splitCertificateIdList (
+                       cert_id_list,
+                       p_cert_id_issuers_list,
+                       p_cert_id_end_list
+               );
+       }
+
+       if (cert_id_list != NULL) {
+               pkcs11h_certificate_freeCertificateIdList (cert_id_list);
+               cert_id_list = NULL;
+       }
+
+
+#if defined(ENABLE_PKCS11H_THREADING)
+       if (mutex_locked) {
+               _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.cache);
+               mutex_locked = FALSE;
+       }
+#endif
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+       
+       return rv;
+}
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#endif                         /* ENABLE_PKCS11H_ENUM */
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT)
+/*======================================================================*
+ * SLOTEVENT INTERFACE
+ *======================================================================*/
+
+static
+unsigned long
+_pkcs11h_slotevent_checksum (
+       IN const unsigned char * const p,
+       IN const size_t s
+) {
+       unsigned long r = 0;
+       size_t i;
+       for (i=0;i<s;i++) {
+               r += p[i];
+       }
+       return r;
+}
+
+static
+void *
+_pkcs11h_slotevent_provider (
+       IN void *p
+) {
+       pkcs11h_provider_t provider = (pkcs11h_provider_t)p;
+       CK_SLOT_ID slot;
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_provider provider='%s' entry",
+               provider->manufacturerID
+       );
+
+       if (rv == CKR_OK && !provider->enabled) {
+               rv = CKR_OPERATION_NOT_INITIALIZED;
+       }
+
+       if (rv == CKR_OK) {
+
+               if (provider->slot_poll_interval == 0) {
+                       provider->slot_poll_interval = PKCS11H_DEFAULT_SLOTEVENT_POLL;
+               }
+
+               /*
+                * If we cannot finalize, we cannot cause
+                * WaitForSlotEvent to terminate
+                */
+               if (!provider->should_finalize) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Setup slotevent provider='%s' mode hardset to poll",
+                               provider->manufacturerID
+                       );
+                       provider->slot_event_method = PKCS11H_SLOTEVENT_METHOD_POLL;
+               }
+
+               if (
+                       provider->slot_event_method == PKCS11H_SLOTEVENT_METHOD_AUTO ||
+                       provider->slot_event_method == PKCS11H_SLOTEVENT_METHOD_TRIGGER
+               ) { 
+                       if (
+                               provider->f->C_WaitForSlotEvent (
+                                       CKF_DONT_BLOCK,
+                                       &slot,
+                                       NULL_PTR
+                               ) == CKR_FUNCTION_NOT_SUPPORTED
+                       ) {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Setup slotevent provider='%s' mode is poll",
+                                       provider->manufacturerID
+                               );
+
+                               provider->slot_event_method = PKCS11H_SLOTEVENT_METHOD_POLL;
+                       }
+                       else {
+                               PKCS11H_DEBUG (
+                                       PKCS11H_LOG_DEBUG1,
+                                       "PKCS#11: Setup slotevent provider='%s' mode is trigger",
+                                       provider->manufacturerID
+                               );
+
+                               provider->slot_event_method = PKCS11H_SLOTEVENT_METHOD_TRIGGER;
+                       }
+               }
+       }
+
+       if (provider->slot_event_method == PKCS11H_SLOTEVENT_METHOD_TRIGGER) {
+               while (
+                       !s_pkcs11h_data->slotevent.should_terminate &&
+                       provider->enabled &&
+                       rv == CKR_OK &&
+                       (rv = provider->f->C_WaitForSlotEvent (
+                               0,
+                               &slot,
+                               NULL_PTR
+                       )) == CKR_OK
+               ) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Slotevent provider='%s' event",
+                               provider->manufacturerID
+                       );
+
+                       _pkcs11h_threading_condSignal (&s_pkcs11h_data->slotevent.cond_event);
+               }
+       }
+       else {
+               unsigned long ulLastChecksum = 0;
+               PKCS11H_BOOL is_first_time = TRUE;
+
+               while (
+                       !s_pkcs11h_data->slotevent.should_terminate &&
+                       provider->enabled &&
+                       rv == CKR_OK
+               ) {
+                       unsigned long ulCurrentChecksum = 0;
+
+                       CK_SLOT_ID_PTR slots = NULL;
+                       CK_ULONG slotnum;
+
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Slotevent provider='%s' poll",
+                               provider->manufacturerID
+                       );
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_session_getSlotList (
+                                       provider,
+                                       TRUE,
+                                       &slots,
+                                       &slotnum
+                               )) == CKR_OK
+                       ) {
+                               CK_ULONG i;
+                               
+                               for (i=0;i<slotnum;i++) {
+                                       CK_TOKEN_INFO info;
+
+                                       if (provider->f->C_GetTokenInfo (slots[i], &info) == CKR_OK) {
+                                               ulCurrentChecksum += (
+                                                       _pkcs11h_slotevent_checksum (
+                                                               info.label,
+                                                               sizeof (info.label)
+                                                       ) +
+                                                       _pkcs11h_slotevent_checksum (
+                                                               info.manufacturerID,
+                                                               sizeof (info.manufacturerID)
+                                                       ) +
+                                                       _pkcs11h_slotevent_checksum (
+                                                               info.model,
+                                                               sizeof (info.model)
+                                                       ) +
+                                                       _pkcs11h_slotevent_checksum (
+                                                               info.serialNumber,
+                                                               sizeof (info.serialNumber)
+                                                       )
+                                               );
+                                       }
+                               }
+                       }
+                       
+                       if (rv == CKR_OK) {
+                               if (is_first_time) {
+                                       is_first_time = FALSE;
+                               }
+                               else {
+                                       if (ulLastChecksum != ulCurrentChecksum) {
+                                               PKCS11H_DEBUG (
+                                                       PKCS11H_LOG_DEBUG1,
+                                                       "PKCS#11: Slotevent provider='%s' event",
+                                                       provider->manufacturerID
+                                               );
+
+                                               _pkcs11h_threading_condSignal (&s_pkcs11h_data->slotevent.cond_event);
+                                       }
+                               }
+                               ulLastChecksum = ulCurrentChecksum;
+                       }
+
+                       if (slots != NULL) {
+                               _pkcs11h_mem_free ((void *)&slots);
+                       }
+                       
+                       if (!s_pkcs11h_data->slotevent.should_terminate) {
+                               _pkcs11h_threading_sleep (provider->slot_poll_interval);
+                       }
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_provider provider='%s' return",
+               provider->manufacturerID
+       );
+
+       return NULL;
+}
+
+static
+void *
+_pkcs11h_slotevent_manager (
+       IN void *p
+) {
+       PKCS11H_BOOL first_time = TRUE;
+
+       (void)p;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_manager entry"
+       );
+
+       /*
+        * Trigger hook, so application may
+        * depend on initial slot change
+        */
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG1,
+               "PKCS#11: Calling slotevent hook"
+       );
+       s_pkcs11h_data->hooks.slotevent (s_pkcs11h_data->hooks.slotevent_data);
+
+       while (
+               first_time ||   /* Must enter wait or mutex will never be free */
+               !s_pkcs11h_data->slotevent.should_terminate
+       ) {
+               pkcs11h_provider_t current_provider;
+
+               first_time = FALSE;
+
+               /*
+                * Start each provider thread
+                * if not already started.
+                * This is required in order to allow
+                * adding new providers.
+                */
+               for (
+                       current_provider = s_pkcs11h_data->providers;
+                       current_provider != NULL;
+                       current_provider = current_provider->next
+               ) {
+                       if (!current_provider->enabled) {
+                               if (current_provider->slotevent_thread == PKCS11H_THREAD_NULL) {
+                                       _pkcs11h_threading_threadStart (
+                                               &current_provider->slotevent_thread,
+                                               _pkcs11h_slotevent_provider,
+                                               current_provider
+                                       );
+                               }
+                       }
+                       else {
+                               if (current_provider->slotevent_thread != PKCS11H_THREAD_NULL) {
+                                       _pkcs11h_threading_threadJoin (&current_provider->slotevent_thread);
+                               }
+                       }
+               }
+
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG2,
+                       "PKCS#11: _pkcs11h_slotevent_manager waiting for slotevent"
+               );
+               _pkcs11h_threading_condWait (&s_pkcs11h_data->slotevent.cond_event, PKCS11H_COND_INFINITE);
+
+               if (s_pkcs11h_data->slotevent.skip_event) {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Slotevent skipping event"
+                       );
+                       s_pkcs11h_data->slotevent.skip_event = FALSE;
+               }
+               else {
+                       PKCS11H_DEBUG (
+                               PKCS11H_LOG_DEBUG1,
+                               "PKCS#11: Calling slotevent hook"
+                       );
+                       s_pkcs11h_data->hooks.slotevent (s_pkcs11h_data->hooks.slotevent_data);
+               }
+       }
+
+       {
+               pkcs11h_provider_t current_provider;
+
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG2,
+                       "PKCS#11: _pkcs11h_slotevent_manager joining threads"
+               );
+
+
+               for (
+                       current_provider = s_pkcs11h_data->providers;
+                       current_provider != NULL;
+                       current_provider = current_provider->next
+               ) {
+                       if (current_provider->slotevent_thread != PKCS11H_THREAD_NULL) {
+                               _pkcs11h_threading_threadJoin (&current_provider->slotevent_thread);
+                       }
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_manager return"
+       );
+
+       return NULL;
+}
+
+static
+CK_RV
+_pkcs11h_slotevent_init () {
+       CK_RV rv = CKR_OK;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_init entry"
+       );
+
+       if (!s_pkcs11h_data->slotevent.initialized) {
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_threading_condInit (&s_pkcs11h_data->slotevent.cond_event);
+               }
+               
+               if (rv == CKR_OK) {
+                       rv = _pkcs11h_threading_threadStart (
+                               &s_pkcs11h_data->slotevent.thread,
+                               _pkcs11h_slotevent_manager,
+                               NULL
+                       );
+               }
+               
+               if (rv == CKR_OK) {
+                       s_pkcs11h_data->slotevent.initialized = TRUE;
+               }
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_init return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv;
+}
+
+static
+CK_RV
+_pkcs11h_slotevent_notify () {
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_notify entry"
+       );
+
+       if (s_pkcs11h_data->slotevent.initialized) {
+               s_pkcs11h_data->slotevent.skip_event = TRUE;
+               _pkcs11h_threading_condSignal (&s_pkcs11h_data->slotevent.cond_event);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_notify return"
+       );
+
+       return CKR_OK;
+}
+
+static
+CK_RV
+_pkcs11h_slotevent_terminate () {
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_terminate entry"
+       );
+
+       if (s_pkcs11h_data->slotevent.initialized) {
+               s_pkcs11h_data->slotevent.should_terminate = TRUE;
+
+               _pkcs11h_slotevent_notify ();
+
+               if (s_pkcs11h_data->slotevent.thread != PKCS11H_THREAD_NULL) {
+                       _pkcs11h_threading_threadJoin (&s_pkcs11h_data->slotevent.thread);
+               }
+
+               _pkcs11h_threading_condFree (&s_pkcs11h_data->slotevent.cond_event);
+               s_pkcs11h_data->slotevent.initialized = FALSE;
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_slotevent_terminate return"
+       );
+
+       return CKR_OK;
+}
+
+#endif
+
+#if defined(ENABLE_PKCS11H_OPENSSL)
+/*======================================================================*
+ * OPENSSL INTERFACE
+ *======================================================================*/
+
+static
+pkcs11h_openssl_session_t
+_pkcs11h_openssl_get_openssl_session (
+       IN OUT const RSA *rsa
+) {
+       pkcs11h_openssl_session_t session;
+               
+       PKCS11H_ASSERT (rsa!=NULL);
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+       session = (pkcs11h_openssl_session_t)RSA_get_app_data ((RSA *)rsa);
+#else
+       session = (pkcs11h_openssl_session_t)RSA_get_app_data (rsa);
+#endif
+       PKCS11H_ASSERT (session!=NULL);
+
+       return session;
+}
+
+static
+pkcs11h_certificate_t
+_pkcs11h_openssl_get_pkcs11h_certificate (
+       IN OUT const RSA *rsa
+) {
+       pkcs11h_openssl_session_t session = _pkcs11h_openssl_get_openssl_session (rsa);
+       
+       PKCS11H_ASSERT (session!=NULL);
+       PKCS11H_ASSERT (session->certificate!=NULL);
+
+       return session->certificate;
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+static
+int
+_pkcs11h_openssl_dec (
+       IN int flen,
+       IN unsigned char *from,
+       OUT unsigned char *to,
+       IN OUT RSA *rsa,
+       IN int padding
+) {
+#else
+static
+int
+_pkcs11h_openssl_dec (
+       IN int flen,
+       IN const unsigned char *from,
+       OUT unsigned char *to,
+       IN OUT RSA *rsa,
+       IN int padding
+) {
+#endif
+       PKCS11H_ASSERT (from!=NULL);
+       PKCS11H_ASSERT (to!=NULL);
+       PKCS11H_ASSERT (rsa!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_openssl_dec entered - flen=%d, from=%p, to=%p, rsa=%p, padding=%d",
+               flen,
+               from,
+               to,
+               (void *)rsa,
+               padding
+       );
+
+       PKCS11H_LOG (
+               PKCS11H_LOG_ERROR,
+               "PKCS#11: Private key decryption is not supported"
+       );
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_openssl_dec return"
+       );
+
+       return -1;
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+static
+int
+_pkcs11h_openssl_sign (
+       IN int type,
+       IN unsigned char *m,
+       IN unsigned int m_len,
+       OUT unsigned char *sigret,
+       OUT unsigned int *siglen,
+       IN OUT RSA *rsa
+) {
+#else
+static
+int
+_pkcs11h_openssl_sign (
+       IN int type,
+       IN const unsigned char *m,
+       IN unsigned int m_len,
+       OUT unsigned char *sigret,
+       OUT unsigned int *siglen,
+       IN OUT const RSA *rsa
+) {
+#endif
+       pkcs11h_certificate_t certificate = _pkcs11h_openssl_get_pkcs11h_certificate (rsa);
+       PKCS11H_BOOL session_locked = FALSE;
+       CK_RV rv = CKR_OK;
+
+       int myrsa_size = 0;
+       
+       unsigned char *enc_alloc = NULL;
+       unsigned char *enc = NULL;
+       int enc_len = 0;
+
+       PKCS11H_ASSERT (m!=NULL);
+       PKCS11H_ASSERT (sigret!=NULL);
+       PKCS11H_ASSERT (siglen!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_openssl_sign entered - type=%d, m=%p, m_len=%u, signret=%p, *signlen=%u, rsa=%p",
+               type,
+               m,
+               m_len,
+               sigret,
+               sigret != NULL ? *siglen : 0,
+               (void *)rsa
+       );
+
+       if (rv == CKR_OK) {
+               myrsa_size=RSA_size(rsa);
+       }
+
+       if (type == NID_md5_sha1) {
+               if (rv == CKR_OK) {
+                       enc = (unsigned char *)m;
+                       enc_len = m_len;
+               }
+       }
+       else {
+               X509_SIG sig;
+               ASN1_TYPE parameter;
+               X509_ALGOR algor;
+               ASN1_OCTET_STRING digest;
+               unsigned char *p = NULL;
+
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_mem_malloc ((void*)&enc, myrsa_size+1)) == CKR_OK
+               ) {
+                       enc_alloc = enc;
+               }
+               
+               if (rv == CKR_OK) {
+                       sig.algor = &algor;
+               }
+
+               if (
+                       rv == CKR_OK &&
+                       (sig.algor->algorithm = OBJ_nid2obj (type)) == NULL
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+       
+               if (
+                       rv == CKR_OK &&
+                       sig.algor->algorithm->length == 0
+               ) {
+                       rv = CKR_KEY_SIZE_RANGE;
+               }
+       
+               if (rv == CKR_OK) {
+                       parameter.type = V_ASN1_NULL;
+                       parameter.value.ptr = NULL;
+       
+                       sig.algor->parameter = &parameter;
+
+                       sig.digest = &digest;
+                       sig.digest->data = (unsigned char *)m;
+                       sig.digest->length = m_len;
+               }
+       
+               if (
+                       rv == CKR_OK &&
+                       (enc_len=i2d_X509_SIG (&sig, NULL)) < 0
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+
+               /*
+                * d_X509_SIG increments pointer!
+                */
+               p = enc;
+       
+               if (
+                       rv == CKR_OK &&
+                       (enc_len=i2d_X509_SIG (&sig, &p)) < 0
+               ) {
+                       rv = CKR_FUNCTION_FAILED;
+               }
+       }
+
+       if (
+               rv == CKR_OK &&
+               enc_len > (myrsa_size-RSA_PKCS1_PADDING_SIZE)
+       ) {
+               rv = CKR_KEY_SIZE_RANGE;
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_certificate_lockSession (certificate)) == CKR_OK
+       ) {
+               session_locked = TRUE;
+       }
+
+       if (rv == CKR_OK) {
+               PKCS11H_DEBUG (
+                       PKCS11H_LOG_DEBUG1,
+                       "PKCS#11: Performing signature"
+               );
+
+               *siglen = myrsa_size;
+
+               if (
+                       (rv = pkcs11h_certificate_signAny (
+                               certificate,
+                               CKM_RSA_PKCS,
+                               enc,
+                               enc_len,
+                               sigret,
+                               siglen
+                       )) != CKR_OK
+               ) {
+                       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot perform signature %ld:'%s'", rv, pkcs11h_getMessage (rv));
+               }
+       }
+
+       if (session_locked) {
+               pkcs11h_certificate_releaseSession (certificate);
+               session_locked = FALSE;
+       }
+
+       if (enc_alloc != NULL) {
+               _pkcs11h_mem_free ((void *)&enc_alloc);
+       }
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_openssl_sign - return rv=%ld-'%s'",
+               rv,
+               pkcs11h_getMessage (rv)
+       );
+
+       return rv == CKR_OK ? 1 : -1; 
+}
+
+static
+int
+_pkcs11h_openssl_finish (
+       IN OUT RSA *rsa
+) {
+       pkcs11h_openssl_session_t openssl_session = _pkcs11h_openssl_get_openssl_session (rsa);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_openssl_finish - entered rsa=%p",
+               (void *)rsa
+       );
+
+       RSA_set_app_data (rsa, NULL);
+       
+       if (openssl_session->orig_finish != NULL) {
+               openssl_session->orig_finish (rsa);
+
+#ifdef BROKEN_OPENSSL_ENGINE
+               {
+                       /* We get called TWICE here, once for
+                        * releasing the key and also for
+                        * releasing the engine.
+                        * To prevent endless recursion, FIRST
+                        * clear rsa->engine, THEN call engine->finish
+                        */
+                       ENGINE *e = rsa->engine;
+                       rsa->engine = NULL;
+                       if (e) {
+                               ENGINE_finish(e);
+                       }
+               }
+#endif
+       }
+
+       pkcs11h_openssl_freeSession (openssl_session);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: _pkcs11h_openssl_finish - return"
+       );
+       
+       return 1;
+}
+
+X509 *
+pkcs11h_openssl_getX509 (
+       IN const pkcs11h_certificate_t certificate
+) {
+       unsigned char *certificate_blob = NULL;
+       size_t certificate_blob_size = 0;
+       X509 *x509 = NULL;
+       CK_RV rv = CKR_OK;
+
+       pkcs11_openssl_d2i_t d2i1 = NULL;
+       PKCS11H_BOOL ok = TRUE;
+
+       PKCS11H_ASSERT (certificate!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_getX509 - entry certificate=%p",
+               (void *)certificate
+       );
+
+       if (
+               ok &&
+               (x509 = X509_new ()) == NULL
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Unable to allocate certificate object");
+       }
+
+       if (
+               ok &&
+               pkcs11h_certificate_getCertificateBlob (
+                       certificate,
+                       NULL,
+                       &certificate_blob_size
+               ) != CKR_OK
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot read X.509 certificate from token %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               ok &&
+               (rv = _pkcs11h_mem_malloc ((void *)&certificate_blob, certificate_blob_size)) != CKR_OK
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot allocate X.509 memory %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               ok &&
+               pkcs11h_certificate_getCertificateBlob (
+                       certificate,
+                       certificate_blob,
+                       &certificate_blob_size
+               ) != CKR_OK
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot read X.509 certificate from token %ld-'%s'", rv, pkcs11h_getMessage (rv));
+       }
+
+       d2i1 = (pkcs11_openssl_d2i_t)certificate_blob;
+       if (
+               ok &&
+               !d2i_X509 (&x509, &d2i1, certificate_blob_size)
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Unable to parse X.509 certificate");
+       }
+
+       if (!ok) {
+               X509_free (x509);
+               x509 = NULL;
+       }
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_getX509 - return x509=%p",
+               (void *)x509
+       );
+
+       return x509;
+}
+
+pkcs11h_openssl_session_t
+pkcs11h_openssl_createSession (
+       IN const pkcs11h_certificate_t certificate
+) {
+       pkcs11h_openssl_session_t openssl_session = NULL;
+       PKCS11H_BOOL ok = TRUE;
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_createSession - entry"
+       );
+
+       if (
+               ok &&
+               _pkcs11h_mem_malloc (
+                       (void*)&openssl_session,
+                       sizeof (struct pkcs11h_openssl_session_s)) != CKR_OK
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot allocate memory");
+       }
+
+       if (ok) {
+               const RSA_METHOD *def = RSA_get_default_method();
+
+               memmove (&openssl_session->smart_rsa, def, sizeof(RSA_METHOD));
+
+               openssl_session->orig_finish = def->finish;
+
+               openssl_session->smart_rsa.name = "pkcs11";
+               openssl_session->smart_rsa.rsa_priv_dec = _pkcs11h_openssl_dec;
+               openssl_session->smart_rsa.rsa_sign = _pkcs11h_openssl_sign;
+               openssl_session->smart_rsa.finish = _pkcs11h_openssl_finish;
+               openssl_session->smart_rsa.flags  = RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY;
+               openssl_session->certificate = certificate;
+               openssl_session->reference_count = 1;
+       }
+
+       if (!ok) {
+               _pkcs11h_mem_free ((void *)&openssl_session);
+       }
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_createSession - return openssl_session=%p",
+               (void *)openssl_session
+       );
+
+       return openssl_session;
+}
+
+pkcs11h_hook_openssl_cleanup_t
+pkcs11h_openssl_getCleanupHook (
+       IN const pkcs11h_openssl_session_t openssl_session
+) {
+       PKCS11H_ASSERT (openssl_session!=NULL);
+
+       return openssl_session->cleanup_hook;
+}
+
+void
+pkcs11h_openssl_setCleanupHook (
+       IN const pkcs11h_openssl_session_t openssl_session,
+       IN const pkcs11h_hook_openssl_cleanup_t cleanup
+) {
+       PKCS11H_ASSERT (openssl_session!=NULL);
+
+       openssl_session->cleanup_hook = cleanup;
+}
+
+void
+pkcs11h_openssl_freeSession (
+       IN const pkcs11h_openssl_session_t openssl_session
+) {
+       PKCS11H_ASSERT (openssl_session!=NULL);
+       PKCS11H_ASSERT (openssl_session->reference_count>0);
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_freeSession - entry openssl_session=%p, count=%d",
+               (void *)openssl_session,
+               openssl_session->reference_count
+       );
+
+       openssl_session->reference_count--;
+       
+       if (openssl_session->reference_count == 0) {
+               if (openssl_session->cleanup_hook != NULL) {
+                       openssl_session->cleanup_hook (openssl_session->certificate);
+               }
+
+               if (openssl_session->x509 != NULL) {
+                       X509_free (openssl_session->x509);
+                       openssl_session->x509 = NULL;
+               }
+               if (openssl_session->certificate != NULL) {
+                       pkcs11h_certificate_freeCertificate (openssl_session->certificate);
+                       openssl_session->certificate = NULL;
+               }
+               
+               _pkcs11h_mem_free ((void *)&openssl_session);
+       }
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_freeSession - return"
+       );
+}
+
+RSA *
+pkcs11h_openssl_session_getRSA (
+       IN const pkcs11h_openssl_session_t openssl_session
+) {
+       X509 *x509 = NULL;
+       RSA *rsa = NULL;
+       EVP_PKEY *pubkey = NULL;
+       PKCS11H_BOOL ok = TRUE;
+
+       PKCS11H_ASSERT (openssl_session!=NULL);
+       PKCS11H_ASSERT (!openssl_session->initialized);
+       PKCS11H_ASSERT (openssl_session!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_session_getRSA - entry openssl_session=%p",
+               (void *)openssl_session
+       );
+       
+       /*
+        * Dup x509 so RSA will not hold session x509
+        */
+       if (
+               ok &&
+               (x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get certificate object");
+       }
+
+       if (
+               ok &&
+               (pubkey = X509_get_pubkey (x509)) == NULL
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get public key");
+       }
+       
+       if (
+               ok &&
+               pubkey->type != EVP_PKEY_RSA
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key algorithm");
+       }
+
+       if (
+               ok &&
+               (rsa = EVP_PKEY_get1_RSA (pubkey)) == NULL
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get RSA key");
+       }
+
+       if (ok) {
+               RSA_set_method (rsa, &openssl_session->smart_rsa);
+               RSA_set_app_data (rsa, openssl_session);
+               openssl_session->reference_count++;
+       }
+       
+#ifdef BROKEN_OPENSSL_ENGINE
+       if (ok) {
+               if (!rsa->engine) {
+                       rsa->engine = ENGINE_get_default_RSA();
+               }
+
+               ENGINE_set_RSA(ENGINE_get_default_RSA(), &openssl_session->smart_rsa);
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled");
+       }
+#endif
+               
+       if (ok) {
+               rsa->flags |= RSA_FLAG_SIGN_VER;
+               openssl_session->initialized = TRUE;
+       }
+       else {
+               if (rsa != NULL) {
+                       RSA_free (rsa);
+                       rsa = NULL;
+               }
+       }
+
+       /*
+        * openssl objects have reference
+        * count, so release them
+        */
+       if (pubkey != NULL) {
+               EVP_PKEY_free (pubkey);
+               pubkey = NULL;
+       }
+
+       if (x509 != NULL) {
+               X509_free (x509);
+               x509 = NULL;
+       }
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_session_getRSA - return rsa=%p",
+               (void *)rsa
+       );
+
+       return rsa;
+}
+
+X509 *
+pkcs11h_openssl_session_getX509 (
+       IN const pkcs11h_openssl_session_t openssl_session
+) {
+       X509 *x509 = NULL;
+       PKCS11H_BOOL ok = TRUE;
+       
+       PKCS11H_ASSERT (openssl_session!=NULL);
+
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_session_getX509 - entry openssl_session=%p",
+               (void *)openssl_session
+       );
+
+       if (
+               ok &&
+               openssl_session->x509 == NULL &&
+               (openssl_session->x509 = pkcs11h_openssl_getX509 (openssl_session->certificate)) == NULL
+       ) {     
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get certificate object");
+       }
+
+       if (
+               ok &&
+               (x509 = X509_dup (openssl_session->x509)) == NULL
+       ) {
+               ok = FALSE;
+               PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot duplicate certificate object");
+       }
+       
+       PKCS11H_DEBUG (
+               PKCS11H_LOG_DEBUG2,
+               "PKCS#11: pkcs11h_openssl_session_getX509 - return x509=%p",
+               (void *)x509
+       );
+
+       return x509;
+}
+
+#endif                         /* ENABLE_PKCS11H_OPENSSL */
+
+#if defined(ENABLE_PKCS11H_STANDALONE)
+/*======================================================================*
+ * STANDALONE INTERFACE
+ *======================================================================*/
+
+void
+pkcs11h_standalone_dump_slots (
+       IN const pkcs11h_output_print_t my_output,
+       IN void * const global_data,
+       IN const char * const provider
+) {
+       CK_RV rv = CKR_OK;
+
+       pkcs11h_provider_t pkcs11h_provider;
+
+       PKCS11H_ASSERT (my_output!=NULL);
+       /*PKCS11H_ASSERT (global_data) NOT NEEDED */
+       PKCS11H_ASSERT (provider!=NULL);
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_initialize ()) != CKR_OK
+       ) {
+               my_output (global_data, "PKCS#11: Cannot initialize interface %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_addProvider (
+                       provider,
+                       provider,
+                       FALSE,
+                       (
+                               PKCS11H_SIGNMODE_MASK_SIGN |
+                               PKCS11H_SIGNMODE_MASK_RECOVER
+                       ),
+                       PKCS11H_SLOTEVENT_METHOD_AUTO,
+                       0,
+                       FALSE
+               )) != CKR_OK
+       ) {
+               my_output (global_data, "PKCS#11: Cannot initialize provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+       }
+
+       /*
+        * our provider is head
+        */
+       if (rv == CKR_OK) {
+               pkcs11h_provider = s_pkcs11h_data->providers;
+               if (pkcs11h_provider == NULL || !pkcs11h_provider->enabled) {
+                       my_output (global_data, "PKCS#11: Cannot get provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+                       rv = CKR_GENERAL_ERROR;
+               }
+       }
+
+       if (rv == CKR_OK) {
+               CK_INFO info;
+               
+               if ((rv = pkcs11h_provider->f->C_GetInfo (&info)) != CKR_OK) {
+                       my_output (global_data, "PKCS#11: Cannot get PKCS#11 provider information %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+                       rv = CKR_OK;
+               }
+               else {
+                       char manufacturerID[sizeof (info.manufacturerID)+1];
+       
+                       _pkcs11h_util_fixupFixedString (
+                               manufacturerID,
+                               (char *)info.manufacturerID,
+                               sizeof (info.manufacturerID)
+                       );
+       
+                       my_output (
+                               global_data,
+                               (
+                                       "Provider Information:\n"
+                                       "\tcryptokiVersion:\t%u.%u\n"
+                                       "\tmanufacturerID:\t\t%s\n"
+                                       "\tflags:\t\t\t%08x\n"
+                                       "\n"
+                               ),
+                               info.cryptokiVersion.major,
+                               info.cryptokiVersion.minor,
+                               manufacturerID,
+                               (unsigned)info.flags
+                       );
+               }
+       }
+       
+       if (rv == CKR_OK) {
+               CK_SLOT_ID_PTR slots = NULL;
+               CK_ULONG slotnum;
+               CK_SLOT_ID slot_index;
+               
+               if (
+                        _pkcs11h_session_getSlotList (
+                               pkcs11h_provider,
+                               CK_FALSE,
+                               &slots,
+                               &slotnum
+                       ) != CKR_OK
+               ) {
+                       my_output (global_data, "PKCS#11: Cannot get slot list %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+               }
+               else {
+                       my_output (
+                               global_data,
+                               "The following slots are available for use with this provider.\n"
+                       );
+
+#if defined(PKCS11H_PRM_SLOT_TYPE)
+                       my_output (
+                               global_data,
+                               (
+                                       "Each slot shown below may be used as a parameter to a\n"
+                                       "%s and %s options.\n"
+                               ),
+                               PKCS11H_PRM_SLOT_TYPE,
+                               PKCS11H_PRM_SLOT_ID
+                       );
+#endif
+
+                       my_output (
+                               global_data,
+                               (
+                                       "\n"
+                                       "Slots: (id - name)\n"
+                               )
+                       );
+
+                       for (slot_index=0;slot_index < slotnum;slot_index++) {
+                               CK_SLOT_INFO info;
+       
+                               if (
+                                       (rv = pkcs11h_provider->f->C_GetSlotInfo (
+                                               slots[slot_index],
+                                               &info
+                                       )) == CKR_OK
+                               ) {
+                                       char current_name[sizeof (info.slotDescription)+1];
+                               
+                                       _pkcs11h_util_fixupFixedString (
+                                               current_name,
+                                               (char *)info.slotDescription,
+                                               sizeof (info.slotDescription)
+                                       );
+       
+                                       my_output (global_data, "\t%lu - %s\n", slots[slot_index], current_name);
+                               }
+                       }
+               }
+
+               if (slots != NULL) {
+                       _pkcs11h_mem_free ((void *)&slots);
+               }
+       }
+       
+       pkcs11h_terminate ();
+}
+
+static
+PKCS11H_BOOL
+_pkcs11h_standalone_dump_objects_pin_prompt (
+       IN void * const global_data,
+       IN void * const user_data,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry,
+       OUT char * const pin,
+       IN const size_t pin_max
+) {
+       (void)user_data;
+       (void)token;
+
+       /*
+        * Don't lock card
+        */
+       if (retry == 0) {
+               strncpy (pin, (char *)global_data, pin_max);
+               return TRUE;
+       }
+       else {
+               return FALSE;
+       }
+}
+
+void
+_pkcs11h_standalone_dump_objects_hex (
+       IN const unsigned char * const p,
+       IN const size_t p_size,
+       OUT char * const sz,
+       IN const size_t max,
+       IN const char * const prefix
+) {
+       size_t j;
+
+       sz[0] = '\0';
+
+       for (j=0;j<p_size;j+=16) {
+               char line[3*16+1];
+               size_t k;
+
+               line[0] = '\0';
+               for (k=0;k<16 && j+k<p_size;k++) {
+                       sprintf (line+strlen (line), "%02x ", p[j+k]);
+               }
+
+               strncat (
+                       sz,
+                       prefix,
+                       max-1-strlen (sz)
+               );
+               strncat (
+                       sz,
+                       line,
+                       max-1-strlen (sz)
+               );
+               strncat (
+                       sz,
+                       "\n",
+                       max-1-strlen (sz)
+               );
+       }
+
+       sz[max-1] = '\0';
+}
+       
+void
+pkcs11h_standalone_dump_objects (
+       IN const pkcs11h_output_print_t my_output,
+       IN void * const global_data,
+       IN const char * const provider,
+       IN const char * const slot,
+       IN const char * const pin
+) {
+       CK_SLOT_ID s;
+       CK_RV rv = CKR_OK;
+
+       pkcs11h_provider_t pkcs11h_provider = NULL;
+       pkcs11h_token_id_t token_id = NULL;
+       pkcs11h_session_t session = NULL;
+
+       PKCS11H_ASSERT (my_output!=NULL);
+       /*PKCS11H_ASSERT (global_data) NOT NEEDED */
+       PKCS11H_ASSERT (provider!=NULL);
+       PKCS11H_ASSERT (slot!=NULL);
+       PKCS11H_ASSERT (pin!=NULL);
+
+       s = atoi (slot);
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_initialize ()) != CKR_OK
+       ) {
+               my_output (global_data, "PKCS#11: Cannot initialize interface %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_setPINPromptHook (_pkcs11h_standalone_dump_objects_pin_prompt, (void *)pin)) != CKR_OK
+       ) {
+               my_output (global_data, "PKCS#11: Cannot set hooks %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+       }
+
+       if (
+               rv == CKR_OK &&
+               (rv = pkcs11h_addProvider (
+                       provider,
+                       provider,
+                       FALSE,
+                       (
+                               PKCS11H_SIGNMODE_MASK_SIGN |
+                               PKCS11H_SIGNMODE_MASK_RECOVER
+                       ),
+                       PKCS11H_SLOTEVENT_METHOD_AUTO,
+                       0,
+                       FALSE
+               )) != CKR_OK
+       ) {
+               my_output (global_data, "PKCS#11: Cannot initialize provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+       }
+
+       /*
+        * our provider is head
+        */
+       if (rv == CKR_OK) {
+               pkcs11h_provider = s_pkcs11h_data->providers;
+               if (pkcs11h_provider == NULL || !pkcs11h_provider->enabled) {
+                       my_output (global_data, "PKCS#11: Cannot get provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
+                       rv = CKR_GENERAL_ERROR;
+               }
+       }
+
+       if (rv == CKR_OK) {
+               CK_TOKEN_INFO info;
+               
+               if (
+                       (rv = pkcs11h_provider->f->C_GetTokenInfo (
+                               s,
+                               &info
+                       )) != CKR_OK
+               ) {
+                       my_output (global_data, "PKCS#11: Cannot get token information for slot %ld %ld-'%s'\n", s, rv, pkcs11h_getMessage (rv));
+                       /* Ignore this error */
+                       rv = CKR_OK;
+               }
+               else {
+                       char label[sizeof (info.label)+1];
+                       char manufacturerID[sizeof (info.manufacturerID)+1];
+                       char model[sizeof (info.model)+1];
+                       char serialNumberNumber[sizeof (info.serialNumber)+1];
+                       
+                       _pkcs11h_util_fixupFixedString (
+                               label,
+                               (char *)info.label,
+                               sizeof (info.label)
+                       );
+                       _pkcs11h_util_fixupFixedString (
+                               manufacturerID,
+                               (char *)info.manufacturerID,
+                               sizeof (info.manufacturerID)
+                       );
+                       _pkcs11h_util_fixupFixedString (
+                               model,
+                               (char *)info.model,
+                               sizeof (info.model)
+                       );
+                       _pkcs11h_util_fixupFixedString (
+                               serialNumberNumber,
+                               (char *)info.serialNumber,
+                               sizeof (info.serialNumber)
+                       );
+       
+                       my_output (
+                               global_data,
+                               (
+                                       "Token Information:\n"
+                                       "\tlabel:\t\t%s\n"
+                                       "\tmanufacturerID:\t%s\n"
+                                       "\tmodel:\t\t%s\n"
+                                       "\tserialNumber:\t%s\n"
+                                       "\tflags:\t\t%08x\n"
+                                       "\n"
+                               ),
+                               label,
+                               manufacturerID,
+                               model,
+                               serialNumberNumber,
+                               (unsigned)info.flags
+                       );
+
+#if defined(PKCS11H_PRM_SLOT_TYPE)
+                       my_output (
+                               global_data,
+                               (
+                                       "You can access this token using\n"
+                                       "%s \"label\" %s \"%s\" options.\n"
+                                       "\n"
+                               ),
+                               PKCS11H_PRM_SLOT_TYPE,
+                               PKCS11H_PRM_SLOT_ID,
+                               label
+                       );
+#endif
+
+                       if (
+                               rv == CKR_OK &&
+                               (rv = _pkcs11h_token_getTokenId (
+                                       &info,
+                                       &token_id
+                               )) != CKR_OK
+                       ) {
+                               my_output (global_data, "PKCS#11: Cannot get token id for slot %ld %ld-'%s'\n", s, rv, pkcs11h_getMessage (rv));                
+                               rv = CKR_OK;
+                       }
+               }
+       }
+
+       if (token_id != NULL) {
+               if (
+                       (rv = _pkcs11h_session_getSessionByTokenId (
+                               token_id,
+                               &session
+                       )) != CKR_OK
+               ) {
+                       my_output (global_data, "PKCS#11: Cannot session for token '%s' %ld-'%s'\n", token_id->display, rv, pkcs11h_getMessage (rv));           
+                       rv = CKR_OK;
+               }
+       }
+
+       if (session != NULL) {
+               CK_OBJECT_HANDLE *objects = NULL;
+               CK_ULONG objects_found = 0;
+               CK_ULONG i;
+
+               if (
+                       (rv = _pkcs11h_session_login (
+                               session,
+                               FALSE,
+                               TRUE,
+                               NULL,
+                               PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT
+                       )) != CKR_OK
+               ) {
+                       my_output (global_data, "PKCS#11: Cannot open session to token '%s' %ld-'%s'\n", session->token_id->display, rv, pkcs11h_getMessage (rv));
+               }
+       
+               my_output (
+                       global_data,
+                       "The following objects are available for use with this token.\n"
+               );
+
+#if defined(PKCS11H_PRM_OBJ_TYPE)
+               my_output (
+                       global_data,
+                       (
+                               "Each object shown below may be used as a parameter to\n"
+                               "%s and %s options.\n"
+                       ),
+                       PKCS11H_PRM_OBJ_TYPE,
+                       PKCS11H_PRM_OBJ_ID
+               );
+#endif
+
+               my_output (
+                       global_data,
+                       "\n"
+               );
+
+               if (
+                       rv == CKR_OK &&
+                       (rv = _pkcs11h_session_findObjects (
+                               session,
+                               NULL,
+                               0,
+                               &objects,
+                               &objects_found
+                       )) != CKR_OK
+               ) {
+                       my_output (global_data, "PKCS#11: Cannot query objects for token '%s' %ld-'%s'\n", session->token_id->display, rv, pkcs11h_getMessage (rv));
+               }
+       
+               for (i=0;rv == CKR_OK && i < objects_found;i++) {
+                       CK_OBJECT_CLASS attrs_class = 0;
+                       CK_ATTRIBUTE attrs[] = {
+                               {CKA_CLASS, &attrs_class, sizeof (attrs_class)}
+                       };
+
+                       if (
+                               _pkcs11h_session_getObjectAttributes (
+                                       session,
+                                       objects[i],
+                                       attrs,
+                                       sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                               ) == CKR_OK
+                       ) {
+                               if (attrs_class == CKO_CERTIFICATE) {
+                                       CK_ATTRIBUTE attrs_cert[] = {
+                                               {CKA_ID, NULL, 0},
+                                               {CKA_LABEL, NULL, 0},
+                                               {CKA_VALUE, NULL, 0}
+                                       };
+                                       unsigned char *attrs_id = NULL;
+                                       int attrs_id_size = 0;
+                                       unsigned char *attrs_value = NULL;
+                                       int attrs_value_size = 0;
+                                       char *attrs_label = NULL;
+                                       char hex_id[1024];
+                                       char subject[1024];
+                                       char serialNumber[1024];
+                                       time_t notAfter = 0;
+
+                                       subject[0] = '\0';
+                                       serialNumber[0] = '\0';
+
+
+                                       if (
+                                               _pkcs11h_session_getObjectAttributes (
+                                                       session,
+                                                       objects[i],
+                                                       attrs_cert,
+                                                       sizeof (attrs_cert) / sizeof (CK_ATTRIBUTE)
+                                               ) == CKR_OK &&
+                                               _pkcs11h_mem_malloc (
+                                                       (void *)&attrs_label,
+                                                       attrs_cert[1].ulValueLen+1
+                                               ) == CKR_OK
+                                       ) {
+                                               attrs_id = (unsigned char *)attrs_cert[0].pValue;
+                                               attrs_id_size = attrs_cert[0].ulValueLen;
+                                               attrs_value = (unsigned char *)attrs_cert[2].pValue;
+                                               attrs_value_size = attrs_cert[2].ulValueLen;
+
+                                               memset (attrs_label, 0, attrs_cert[1].ulValueLen+1);
+                                               memmove (attrs_label, attrs_cert[1].pValue, attrs_cert[1].ulValueLen);
+                                               _pkcs11h_standalone_dump_objects_hex (
+                                                       attrs_id,
+                                                       attrs_id_size,
+                                                       hex_id,
+                                                       sizeof (hex_id),
+                                                       "\t\t"
+                                               );
+                                       }
+
+                                       if (attrs_value != NULL) {
+#if defined(USE_PKCS11H_OPENSSL)
+                                               X509 *x509 = NULL;
+                                               BIO *bioSerial = NULL;
+#elif defined(USE_PKCS11H_GNUTLS)
+                                               gnutls_x509_crt_t cert = NULL;
+#endif
+
+                                               _pkcs11h_certificate_getDN (
+                                                       attrs_value,
+                                                       attrs_value_size,
+                                                       subject,
+                                                       sizeof (subject)
+                                               );
+                                               notAfter = _pkcs11h_certificate_getExpiration (
+                                                       attrs_value,
+                                                       attrs_value_size
+                                               );
+#if defined(USE_PKCS11H_OPENSSL)
+                                               if ((x509 = X509_new ()) == NULL) {
+                                                       my_output (global_data, "Cannot create x509 context\n");
+                                               }
+                                               else {
+                                                       pkcs11_openssl_d2i_t d2i1 = (pkcs11_openssl_d2i_t)attrs_value;
+                                                       if (d2i_X509 (&x509, &d2i1, attrs_value_size)) {
+                                                               if ((bioSerial = BIO_new (BIO_s_mem ())) == NULL) {
+                                                                       my_output (global_data, "Cannot create BIO context\n");
+                                                               }
+                                                               else {
+                                                                       int n;
+
+                                                                       i2a_ASN1_INTEGER(bioSerial, X509_get_serialNumber (x509));
+                                                                       n = BIO_read (bioSerial, serialNumber, sizeof (serialNumber)-1);
+                                                                       if (n<0) {
+                                                                               serialNumber[0] = '\0';
+                                                                       }
+                                                                       else {
+                                                                               serialNumber[n] = '\0';
+                                                                       }
+                                                               }
+                                                       }
+                                               }
+
+
+                                               if (bioSerial != NULL) {
+                                                       BIO_free_all (bioSerial);
+                                                       bioSerial = NULL;
+                                               }
+                                               if (x509 != NULL) {
+                                                       X509_free (x509);
+                                                       x509 = NULL;
+                                               }
+#elif defined(USE_PKCS11H_GNUTLS)
+                                               if (gnutls_x509_crt_init (&cert) == GNUTLS_E_SUCCESS) {
+                                                       gnutls_datum_t datum = {attrs_value, attrs_value_size};
+
+                                                       if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
+                                                               unsigned char ser[1024];
+                                                               size_t ser_size = sizeof (ser);
+                                                               if (gnutls_x509_crt_get_serial (cert, ser, &ser_size) == GNUTLS_E_SUCCESS) {
+                                                                       _pkcs11h_util_binaryToHex (
+                                                                               serialNumber,
+                                                                               sizeof (serialNumber),
+                                                                               ser,
+                                                                               ser_size
+                                                                       );
+                                                               }
+                                                       }
+                                                       gnutls_x509_crt_deinit (cert);
+                                               }
+#else
+#error Invalid configuration.
+#endif
+                                       }
+
+                                       my_output (
+                                               global_data,
+                                               (
+                                                       "Object\n"
+                                                       "\tType:\t\t\tCertificate\n"
+                                                       "\tCKA_ID:\n"
+                                                       "%s"
+                                                       "\tCKA_LABEL:\t\t%s\n"
+                                                       "\tsubject:\t\t%s\n"
+                                                       "\tserialNumber:\t\t%s\n"
+                                                       "\tnotAfter:\t\t%s\n"
+                                               ),
+                                               hex_id,
+                                               attrs_label,
+                                               subject,
+                                               serialNumber,
+                                               asctime (localtime (&notAfter))
+                                       );
+
+                                       _pkcs11h_mem_free ((void *)&attrs_label);
+
+                                       _pkcs11h_session_freeObjectAttributes (
+                                               attrs_cert,
+                                               sizeof (attrs_cert) / sizeof (CK_ATTRIBUTE)
+                                       );
+                               }
+                               else if (attrs_class == CKO_PRIVATE_KEY) {
+                                       CK_BBOOL sign_recover = CK_FALSE;
+                                       CK_BBOOL sign = CK_FALSE;
+                                       CK_ATTRIBUTE attrs_key[] = {
+                                               {CKA_SIGN, &sign, sizeof (sign)},
+                                               {CKA_SIGN_RECOVER, &sign_recover, sizeof (sign_recover)}
+                                       };
+                                       CK_ATTRIBUTE attrs_key_common[] = {
+                                               {CKA_ID, NULL, 0},
+                                               {CKA_LABEL, NULL, 0}
+                                       };
+                                       unsigned char *attrs_id = NULL;
+                                       int attrs_id_size = 0;
+                                       char *attrs_label = NULL;
+                                       char hex_id[1024];
+
+                                       pkcs11h_provider->f->C_GetAttributeValue (
+                                               session->session_handle,
+                                               objects[i],
+                                               attrs_key,
+                                               sizeof (attrs_key) / sizeof (CK_ATTRIBUTE)
+                                       );
+
+                                       if (
+                                               _pkcs11h_session_getObjectAttributes (
+                                                       session,
+                                                       objects[i],
+                                                       attrs_key_common,
+                                                       sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
+                                               ) == CKR_OK &&
+                                               _pkcs11h_mem_malloc (
+                                                       (void *)&attrs_label,
+                                                       attrs_key_common[1].ulValueLen+1
+                                               ) == CKR_OK
+                                       ) {
+                                               attrs_id = (unsigned char *)attrs_key_common[0].pValue;
+                                               attrs_id_size = attrs_key_common[0].ulValueLen;
+
+                                               memset (attrs_label, 0, attrs_key_common[1].ulValueLen+1);
+                                               memmove (attrs_label, attrs_key_common[1].pValue, attrs_key_common[1].ulValueLen);
+
+                                               _pkcs11h_standalone_dump_objects_hex (
+                                                       attrs_id,
+                                                       attrs_id_size,
+                                                       hex_id,
+                                                       sizeof (hex_id),
+                                                       "\t\t"
+                                               );
+                                                       
+                                       }
+
+                                       my_output (
+                                               global_data,
+                                               (
+                                                       "Object\n"
+                                                       "\tType:\t\t\tPrivate Key\n"
+                                                       "\tCKA_ID:\n"
+                                                       "%s"
+                                                       "\tCKA_LABEL:\t\t%s\n"
+                                                       "\tCKA_SIGN:\t\t%s\n"
+                                                       "\tCKA_SIGN_RECOVER:\t%s\n"
+                                               ),
+                                               hex_id,
+                                               attrs_label,
+                                               sign ? "TRUE" : "FALSE",
+                                               sign_recover ? "TRUE" : "FALSE"
+                                       );
+
+                                       _pkcs11h_mem_free ((void *)&attrs_label);
+
+                                       _pkcs11h_session_freeObjectAttributes (
+                                               attrs_key_common,
+                                               sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
+                                       );
+                               }
+                               else if (attrs_class == CKO_PUBLIC_KEY) {
+                                       CK_ATTRIBUTE attrs_key_common[] = {
+                                               {CKA_ID, NULL, 0},
+                                               {CKA_LABEL, NULL, 0}
+                                       };
+                                       unsigned char *attrs_id = NULL;
+                                       int attrs_id_size = 0;
+                                       char *attrs_label = NULL;
+                                       char hex_id[1024];
+
+                                       if (
+                                               _pkcs11h_session_getObjectAttributes (
+                                                       session,
+                                                       objects[i],
+                                                       attrs_key_common,
+                                                       sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
+                                               ) == CKR_OK &&
+                                               _pkcs11h_mem_malloc (
+                                                       (void *)&attrs_label,
+                                                       attrs_key_common[1].ulValueLen+1
+                                               ) == CKR_OK
+                                       ) {
+                                               attrs_id = (unsigned char *)attrs_key_common[0].pValue;
+                                               attrs_id_size = attrs_key_common[0].ulValueLen;
+
+                                               memset (attrs_label, 0, attrs_key_common[1].ulValueLen+1);
+                                               memmove (attrs_label, attrs_key_common[1].pValue, attrs_key_common[1].ulValueLen);
+
+                                               _pkcs11h_standalone_dump_objects_hex (
+                                                       attrs_id,
+                                                       attrs_id_size,
+                                                       hex_id,
+                                                       sizeof (hex_id),
+                                                       "\t\t"
+                                               );
+                                                       
+                                       }
+
+                                       my_output (
+                                               global_data,
+                                               (
+                                                       "Object\n"
+                                                       "\tType:\t\t\tPublic Key\n"
+                                                       "\tCKA_ID:\n"
+                                                       "%s"
+                                                       "\tCKA_LABEL:\t\t%s\n"
+                                               ),
+                                               hex_id,
+                                               attrs_label
+                                       );
+
+                                       _pkcs11h_mem_free ((void *)&attrs_label);
+
+                                       _pkcs11h_session_freeObjectAttributes (
+                                               attrs_key_common,
+                                               sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
+                                       );
+                               }
+                               else if (attrs_class == CKO_DATA) {
+                                       CK_ATTRIBUTE attrs_key_common[] = {
+                                               {CKA_APPLICATION, NULL, 0},
+                                               {CKA_LABEL, NULL, 0}
+                                       };
+                                       char *attrs_application = NULL;
+                                       char *attrs_label = NULL;
+
+                                       if (
+                                               _pkcs11h_session_getObjectAttributes (
+                                                       session,
+                                                       objects[i],
+                                                       attrs_key_common,
+                                                       sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
+                                               ) == CKR_OK &&
+                                               _pkcs11h_mem_malloc (
+                                                       (void *)&attrs_application,
+                                                       attrs_key_common[0].ulValueLen+1
+                                               ) == CKR_OK &&
+                                               _pkcs11h_mem_malloc (
+                                                       (void *)&attrs_label,
+                                                       attrs_key_common[1].ulValueLen+1
+                                               ) == CKR_OK
+                                       ) {
+                                               memset (attrs_application, 0, attrs_key_common[0].ulValueLen+1);
+                                               memmove (attrs_application, attrs_key_common[0].pValue, attrs_key_common[0].ulValueLen);
+                                               memset (attrs_label, 0, attrs_key_common[1].ulValueLen+1);
+                                               memmove (attrs_label, attrs_key_common[1].pValue, attrs_key_common[1].ulValueLen);
+                                       }
+
+                                       my_output (
+                                               global_data,
+                                               (
+                                                       "Object\n"
+                                                       "\tType:\t\t\tData\n"
+                                                       "\tCKA_APPLICATION\t\t%s\n"
+                                                       "\tCKA_LABEL:\t\t%s\n"
+                                               ),
+                                               attrs_application,
+                                               attrs_label
+                                       );
+
+                                       _pkcs11h_mem_free ((void *)&attrs_application);
+                                       _pkcs11h_mem_free ((void *)&attrs_label);
+
+                                       _pkcs11h_session_freeObjectAttributes (
+                                               attrs_key_common,
+                                               sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
+                                       );
+                               }
+                               else {
+                                       my_output (
+                                               global_data,
+                                               (
+                                                       "Object\n"
+                                                       "\tType:\t\t\tUnsupported\n"
+                                               )
+                                       );
+                               }
+                       }
+
+                       _pkcs11h_session_freeObjectAttributes (
+                               attrs,
+                               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
+                       );
+
+                       /*
+                        * Ignore any error and
+                        * perform next iteration
+                        */
+                       rv = CKR_OK;
+               }
+       
+               if (objects != NULL) {
+                       _pkcs11h_mem_free ((void *)&objects);
+               }
+
+               /*
+                * Ignore this error
+                */
+               rv = CKR_OK;
+       }
+
+       if (session != NULL) {
+               _pkcs11h_session_release (session);
+               session = NULL;
+       }
+
+       if (token_id != NULL) {
+               pkcs11h_token_freeTokenId (token_id);
+               token_id = NULL;
+       }
+       
+       pkcs11h_terminate ();
+}
+
+#endif                         /* ENABLE_PKCS11H_STANDALONE */
+
+#ifdef BROKEN_OPENSSL_ENGINE
+static void broken_openssl_init() __attribute__ ((constructor));
+static void  broken_openssl_init()
+{
+       SSL_library_init();
+       ENGINE_load_openssl();
+       ENGINE_register_all_RSA();
+}
+#endif
+
+#else
+static void dummy (void) {}
+#endif                         /* PKCS11H_HELPER_ENABLE */
+
diff -urNp openssh-4.4p1/pkcs11-helper-config.h openssh-4.4p1+pkcs11-0.17/pkcs11-helper-config.h
--- openssh-4.4p1/pkcs11-helper-config.h        1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11-helper-config.h    2006-10-12 16:43:38.000000000 +0200
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __PKCS11H_HELPER_CONFIG_H
+#define __PKCS11H_HELPER_CONFIG_H
+
+#if !defined(PKCS11H_NO_NEED_INCLUDE_CONFIG)
+
+#include "includes.h"
+
+#endif /* PKCS11H_NO_NEED_INCLUDE_CONFIG */
+
+#ifndef SSH_PKCS11H_DISABLED
+#define ENABLE_PKCS11H_HELPER
+#endif
+
+#include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#if !defined(WIN32)
+#include <unistd.h>
+#include <dlfcn.h>
+#endif
+
+#include "log.h"
+#include "xmalloc.h"
+#include "openssl/x509.h"
+
+#if defined(HAVE_CYGWIN)
+#define PKCS11H_USE_CYGWIN
+#endif
+
+#if !defined(FALSE)
+#define FALSE 0
+#endif
+#if !defined(TRUE)
+#define TRUE (!FALSE)
+#endif
+
+typedef int PKCS11H_BOOL;
+
+#if !defined(IN)
+#define IN
+#endif
+#if !defined(OUT)
+#define OUT
+#endif
+
+#define USE_PKCS11H_OPENSSL
+#define ENABLE_PKCS11H_DEBUG
+#undef  ENABLE_PKCS11H_THREADING
+#undef  ENABLE_PKCS11H_TOKEN
+#undef  ENABLE_PKCS11H_DATA
+#define ENABLE_PKCS11H_CERTIFICATE
+#undef  ENABLE_PKCS11H_LOCATE
+#define ENABLE_PKCS11H_ENUM
+#define ENABLE_PKCS11H_SERIALIZATION
+#undef  ENABLE_PKCS11H_SLOTEVENT
+#define ENABLE_PKCS11H_OPENSSL
+#define ENABLE_PKCS11H_STANDALONE
+
+/*
+#define PKCS11H_PRM_SLOT_TYPE  "--pkcs11-slot-type"
+#define PKCS11H_PRM_SLOT_ID    "--pkcs11-slot"
+#define PKCS11H_PRM_OBJ_TYPE   "--pkcs11-id-type"
+#define PKCS11H_PRM_OBJ_ID     "--pkcs11-id"
+*/
+
+#define PKCS11H_ASSERT         assert
+#define PKCS11H_TIME           time
+#define PKCS11H_MALLOC         xmalloc
+#define PKCS11H_FREE           xfree
+
+#ifdef ENABLE_PKCS11H_HELPER
+#if defined(WIN32) || defined(PKCS11H_USE_CYGWIN)
+#include "cryptoki-win32.h"
+#else
+#include "cryptoki.h"
+#endif
+
+#endif         /* ENABLE_PKCS11H_HELPER */
+#endif         /* __PKCS11H_HELPER_CONFIG_H */
diff -urNp openssh-4.4p1/pkcs11-helper.h openssh-4.4p1+pkcs11-0.17/pkcs11-helper.h
--- openssh-4.4p1/pkcs11-helper.h       1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/pkcs11-helper.h   2006-10-22 17:11:14.000000000 +0200
@@ -0,0 +1,1303 @@
+/*
+ * Copyright (c) 2005-2006 Alon Bar-Lev <alon.barlev@gmail.com>
+ * All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, or the OpenIB.org BSD license.
+ *
+ * GNU General Public License (GPL) Version 2
+ * ===========================================
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING[.GPL2] included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * OpenIB.org BSD license
+ * =======================
+ * Redistribution and use in source and binary forms, with or without modifi-
+ * cation, are permitted provided that the following conditions are met:
+ *
+ *   o  Redistributions of source code must retain the above copyright notice,
+ *      this list of conditions and the following disclaimer.
+ *
+ *   o  Redistributions in binary form must reproduce the above copyright no-
+ *      tice, this list of conditions and the following disclaimer in the do-
+ *      cumentation and/or other materials provided with the distribution.
+ *
+ *   o  The names of the contributors may not be used to endorse or promote
+ *      products derived from this software without specific prior written
+ *      permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LI-
+ * ABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN-
+ * TIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV-
+ * ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI-
+ * LITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * The routines in this file deal with providing private key cryptography
+ * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
+ *
+ */
+
+#ifndef __PKCS11H_HELPER_H
+#define __PKCS11H_HELPER_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "pkcs11-helper-config.h"
+
+#if !defined(USE_PKCS11H_OPENSSL) && !defined(USE_PKCS11H_GNUTLS)
+#error PKCS#11: USE_PKCS11H_OPENSSL or USE_PKCS11H_GNUTLS must be defined
+#endif
+
+#if defined(ENABLE_PKCS11H_SLOTEVENT) && !defined(ENABLE_PKCS11H_THREADING)
+#error PKCS#11: ENABLE_PKCS11H_SLOTEVENT requires ENABLE_PKCS11H_THREADING
+#endif
+#if defined(ENABLE_PKCS11H_OPENSSL) && !defined(ENABLE_PKCS11H_CERTIFICATE)
+#error PKCS#11: ENABLE_PKCS11H_OPENSSL requires ENABLE_PKCS11H_CERTIFICATE
+#endif
+
+#define PKCS11H_LOG_DEBUG2     5
+#define PKCS11H_LOG_DEBUG1     4
+#define PKCS11H_LOG_INFO       3
+#define PKCS11H_LOG_WARN       2
+#define PKCS11H_LOG_ERROR      1
+#define PKCS11H_LOG_QUITE      0
+
+#define PKCS11H_PIN_CACHE_INFINITE     -1
+
+#define PKCS11H_SIGNMODE_MASK_SIGN     (1<<0)
+#define PKCS11H_SIGNMODE_MASK_RECOVER  (1<<1)
+
+#define PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT   (1<<0)
+#define PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT  (1<<1)
+#define PKCS11H_PROMPT_MASK_ALLOW_ALL ( \
+               PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT | \
+               PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT \
+       )
+
+#define PKCS11H_SLOTEVENT_METHOD_AUTO          0
+#define PKCS11H_SLOTEVENT_METHOD_TRIGGER       1
+#define PKCS11H_SLOTEVENT_METHOD_POLL          2
+
+#define PKCS11H_ENUM_METHOD_CACHE              0
+#define PKCS11H_ENUM_METHOD_CACHE_EXIST                1
+#define PKCS11H_ENUM_METHOD_RELOAD             2
+
+typedef void (*pkcs11h_output_print_t)(
+       IN void * const global_data,
+       IN const char * const format,
+       IN ...
+)
+#if __GNUC__ > 2
+    __attribute__ ((format (printf, 2, 3)))
+#endif
+ ;
+
+struct pkcs11h_token_id_s;
+typedef struct pkcs11h_token_id_s *pkcs11h_token_id_t;
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+struct pkcs11h_certificate_id_s;
+struct pkcs11h_certificate_s;
+typedef struct pkcs11h_certificate_id_s *pkcs11h_certificate_id_t;
+typedef struct pkcs11h_certificate_s *pkcs11h_certificate_t;
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#if defined(ENABLE_PKCS11H_ENUM)
+
+struct pkcs11h_token_id_list_s;
+typedef struct pkcs11h_token_id_list_s *pkcs11h_token_id_list_t;
+
+#if defined(ENABLE_PKCS11H_DATA)
+
+struct pkcs11h_data_id_list_s;
+typedef struct pkcs11h_data_id_list_s *pkcs11h_data_id_list_t;
+
+#endif                         /* ENABLE_PKCS11H_DATA */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+struct pkcs11h_certificate_id_list_s;
+typedef struct pkcs11h_certificate_id_list_s *pkcs11h_certificate_id_list_t;
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#endif                         /* ENABLE_PKCS11H_ENUM */
+
+typedef void (*pkcs11h_hook_log_t)(
+       IN void * const global_data,
+       IN const unsigned flags,
+       IN const char * const format,
+       IN va_list args
+);
+
+typedef void (*pkcs11h_hook_slotevent_t)(
+       IN void * const global_data
+);
+
+typedef PKCS11H_BOOL (*pkcs11h_hook_token_prompt_t)(
+       IN void * const global_data,
+       IN void * const user_data,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry
+);
+
+typedef PKCS11H_BOOL (*pkcs11h_hook_pin_prompt_t)(
+       IN void * const global_data,
+       IN void * const user_data,
+       IN const pkcs11h_token_id_t token,
+       IN const unsigned retry,
+       OUT char * const pin,
+       IN const size_t pin_max
+);
+
+struct pkcs11h_token_id_s {
+       char display[1024];
+       char manufacturerID[sizeof (((CK_TOKEN_INFO *)NULL)->manufacturerID)+1];
+       char model[sizeof (((CK_TOKEN_INFO *)NULL)->model)+1];
+       char serialNumber[sizeof (((CK_TOKEN_INFO *)NULL)->serialNumber)+1];
+       char label[sizeof (((CK_TOKEN_INFO *)NULL)->label)+1];
+};
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+struct pkcs11h_certificate_id_s {
+       pkcs11h_token_id_t token_id;
+
+       char displayName[1024];
+       CK_BYTE_PTR attrCKA_ID;
+       size_t attrCKA_ID_size;
+
+       unsigned char *certificate_blob;
+       size_t certificate_blob_size;
+};
+
+#endif
+
+#if defined(ENABLE_PKCS11H_ENUM)
+
+struct pkcs11h_token_id_list_s {
+       pkcs11h_token_id_list_t next;
+       pkcs11h_token_id_t token_id;
+};
+
+#if defined(ENABLE_PKCS11H_DATA)
+
+struct pkcs11h_data_id_list_s {
+       pkcs11h_data_id_list_t next;
+
+       char *application;
+       char *label;
+};
+
+#endif                         /* ENABLE_PKCS11H_DATA */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+struct pkcs11h_certificate_id_list_s {
+       pkcs11h_certificate_id_list_t next;
+       pkcs11h_certificate_id_t certificate_id;
+};
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#if defined(ENABLE_PKCS11H_OPENSSL)
+
+typedef void (*pkcs11h_hook_openssl_cleanup_t) (
+       IN const pkcs11h_certificate_t certificate
+);
+
+struct pkcs11h_openssl_session_s;
+typedef struct pkcs11h_openssl_session_s *pkcs11h_openssl_session_t;
+
+#endif                         /* ENABLE_PKCS11H_OPENSSL */
+
+/*
+ * pkcs11h_getMessage - Get message by return value.
+ *
+ * Parameters:
+ *     rv              - Return value.
+ */
+const char *
+pkcs11h_getMessage (
+       IN const CK_RV rv
+);
+
+/*
+ * pkcs11h_initialize - Inititalize helper interface.
+ *
+ * Must be called once, from main thread.
+ * Defaults:
+ *     Protected authentication enabled.
+ *     PIN cached is infinite.
+ */
+CK_RV
+pkcs11h_initialize ();
+
+/*
+ * pkcs11h_terminate - Terminate helper interface.
+ *
+ * Must be called once, from main thread, after all
+ * related resources freed.
+ */
+CK_RV
+pkcs11h_terminate ();
+
+/*
+ * pkcs11h_setLogLevel - Set current log level of the helper.
+ *
+ * Parameters:
+ *     flags           - current log level.
+ *
+ * The log level can be set to maximum, but setting it to lower
+ * level will improve performance.
+ */
+void
+pkcs11h_setLogLevel (
+       IN const unsigned flags
+);
+
+/*
+ * pkcs11h_getLogLevel - Get current log level.
+ */
+unsigned
+pkcs11h_getLogLevel ();
+
+/*
+ * pkcs11h_setLogHook - Set a log callback.
+ *
+ * Parameters:
+ *     hook            - Callback.
+ *     pData           - Data to send to callback.
+ */
+CK_RV
+pkcs11h_setLogHook (
+       IN const pkcs11h_hook_log_t hook,
+       IN void * const global_data
+);
+
+/*
+ * pkcs11h_setSlotEventHook - Set a slot event callback.
+ *
+ * Parameters:
+ *     hook            - Callback.
+ *     pData           - Data to send to callback.
+ *
+ * Calling this function initialize slot event notifications, these
+ * notifications can be started, but never terminate due to PKCS#11 limitation.
+ *
+ * In order to use slot events you must have threading enabled.
+ */
+CK_RV
+pkcs11h_setSlotEventHook (
+       IN const pkcs11h_hook_slotevent_t hook,
+       IN void * const global_data
+);
+
+/*
+ * pkcs11h_setTokenPromptHook - Set a token prompt callback.
+ *
+ * Parameters:
+ *     hook            - Callback.
+ *     pData           - Data to send to callback.
+ */
+CK_RV
+pkcs11h_setTokenPromptHook (
+       IN const pkcs11h_hook_token_prompt_t hook,
+       IN void * const global_data
+);
+
+/*
+ * pkcs11h_setPINPromptHook - Set a pin prompt callback.
+ *
+ * Parameters:
+ *     hook            - Callback.
+ *     pData           - Data to send to callback.
+ */
+CK_RV
+pkcs11h_setPINPromptHook (
+       IN const pkcs11h_hook_pin_prompt_t hook,
+       IN void * const global_data
+);
+
+/*
+ * pkcs11h_setProtectedAuthentication - Set global protected authentication mode.
+ *
+ * Parameters:
+ *     allow_protected_auth    - Allow protected authentication if enabled by token.
+ */
+CK_RV
+pkcs11h_setProtectedAuthentication (
+       IN const PKCS11H_BOOL allow_protected_auth
+);
+
+/*
+ * pkcs11h_setPINCachePeriod - Set global PIN cache timeout.
+ *
+ * Parameters:
+ *     pin_cache_period        - Cache period in seconds, or PKCS11H_PIN_CACHE_INFINITE.
+ */
+CK_RV
+pkcs11h_setPINCachePeriod (
+       IN const int pin_cache_period
+);
+
+/*
+ * pkcs11h_setMaxLoginRetries - Set global login retries attempts.
+ *
+ * Parameters:
+ *     max_retries             - Login retries handled by the helper.
+ */
+CK_RV
+pkcs11h_setMaxLoginRetries (
+       IN const unsigned max_retries
+);
+
+/*
+ * pkcs11h_addProvider - Add a PKCS#11 provider.
+ *
+ * Parameters:
+ *     reference               - Reference name for this provider.
+ *     provider                - Provider library location.
+ *     allow_protected_auth    - Allow this provider to use protected authentication.
+ *     mask_sign_mode          - Provider signmode override.
+ *     slot_event_method       - Provider slot event method.
+ *     slot_poll_interval      - Slot event poll interval (If in polling mode).
+ *     cert_is_private         - Provider's certificate access should be done after login.
+ *
+ * This function must be called from the main thread.
+ *
+ * The global allow_protected_auth must be enabled in order to allow provider specific.
+ * The mask_sign_mode can be 0 in order to automatically detect key sign mode.
+ */
+CK_RV
+pkcs11h_addProvider (
+       IN const char * const reference,
+       IN const char * const provider_location,
+       IN const PKCS11H_BOOL allow_protected_auth,
+       IN const unsigned mask_sign_mode,
+       IN const int slot_event_method,
+       IN const int slot_poll_interval,
+       IN const PKCS11H_BOOL cert_is_private
+);
+
+/*
+ * pkcs11h_delProvider - Delete a PKCS#11 provider.
+ *
+ * Parameters:
+ *     reference               - Reference name for this provider.
+ *
+ * This function must be called from the main thread.
+ */
+CK_RV
+pkcs11h_removeProvider (
+       IN const char * const reference
+);
+
+/*
+ * pkcs11h_forkFixup - Handle special case of Unix fork()
+ *
+ * This function should be called after fork is called. This is required
+ * due to a limitation of the PKCS#11 standard.
+ *
+ * This function must be called from the main thread.
+ *
+ * The helper library handles fork automatically if ENABLE_PKCS11H_THREADING
+ * is set on configuration file, by use of pthread_atfork.
+ */
+CK_RV
+pkcs11h_forkFixup ();
+
+/*
+ * pkcs11h_plugAndPlay - Handle slot rescan.
+ *
+ * This function must be called from the main thread.
+ *
+ * PKCS#11 providers do not allow plug&play, plug&play can be established by
+ * finalizing all providers and initializing them again.
+ *
+ * The cost of this process is invalidating all sessions, and require user
+ * login at the next access.
+ */
+CK_RV
+pkcs11h_plugAndPlay ();
+
+/*
+ * pkcs11h_token_freeTokenId - Free token_id object.
+ *
+ * Parameters:
+ *     token_id                - token_id.
+ */
+CK_RV
+pkcs11h_token_freeTokenId (
+       IN pkcs11h_token_id_t token_id
+);
+
+/*
+ * pkcs11h_duplicateTokenId - Duplicate token_id object.
+ *
+ * Parameters:
+ *     to                      - target.
+ *     from                    - source.
+ */
+CK_RV
+pkcs11h_token_duplicateTokenId (
+       OUT pkcs11h_token_id_t * const to,
+       IN const pkcs11h_token_id_t from
+);
+
+/*
+ * pkcs11h_sameTokenId - Returns TRUE if same token id
+ *
+ * Parameters:
+ *     a                       - a.
+ *     b                       - b.
+ */
+PKCS11H_BOOL
+pkcs11h_token_sameTokenId (
+       IN const pkcs11h_token_id_t a,
+       IN const pkcs11h_token_id_t b
+);
+
+/*
+ * pkcs11h_token_login - Force login, avoid hooks.
+ *
+ * Parameters:
+ *     token_id                - Token to login into.
+ *     readonly                - Should session be readonly.
+ *     pin                     - PIN to login, NULL for protected authentication
+ */
+CK_RV
+pkcs11h_token_login (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL readonly,
+       IN const char * const pin
+);
+
+#if defined(ENABLE_PKCS11H_SERIALIZATION)
+
+/*
+ * pkcs11h_serializeTokenId - Serialize token_id into string.
+ *
+ * Parameters:
+ *     sz                      - Output string.
+ *     max                     - Maximum string size.
+ *     token_id                - id to serialize
+ *
+ * sz may be NULL to get size
+ */
+CK_RV
+pkcs11h_token_serializeTokenId (
+       OUT char * const sz,
+       IN OUT size_t *max,
+       IN const pkcs11h_token_id_t token_id
+);
+
+/*
+ * pkcs11h_deserializeTokenId - Deserialize token_id from string.
+ *
+ * Parameters:
+ *     p_token_id              - id.
+ *     sz                      - Input string
+ */
+CK_RV
+pkcs11h_token_deserializeTokenId (
+       OUT pkcs11h_token_id_t *p_token_id,
+       IN const char * const sz
+);
+
+#endif                         /* ENABLE_PKCS11H_SERIALIZATION */
+
+#if defined(ENABLE_PKCS11H_TOKEN)
+
+/*
+ * pkcs11h_token_ensureAccess - Ensure token is accessible.
+ *
+ * Parameters:
+ *     token_id                - Token id object.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ */
+CK_RV
+pkcs11h_token_ensureAccess (
+       IN const pkcs11h_token_id_t token_id,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+);
+
+#endif                         /* ENABLE_PKCS11H_TOKEN */
+
+#if defined(ENABLE_PKCS11H_DATA)
+
+/*
+ * pkcs11h_data_get - get data object.
+ *
+ * Parameters:
+ *     token_id                - Token id object.
+ *     is_public               - Object is public.
+ *     application             - Object application attribute.
+ *     label                   - Object label attribute.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ *     blob                    - blob, set to NULL to get size.
+ *     p_blob_size             - blob size.
+ */
+CK_RV
+pkcs11h_data_get (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN const char * const application,
+       IN const char * const label,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT unsigned char * const blob,
+       IN OUT size_t * const p_blob_size
+);
+
+/*
+ * pkcs11h_data_put - put data object.
+ *
+ * Parameters:
+ *     token_id                - Token id object.
+ *     is_public               - Object is public.
+ *     application             - Object application attribute.
+ *     label                   - Object label attribute.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ *     blob                    - blob.
+ *     blob_size               - blob size.
+ */
+CK_RV
+pkcs11h_data_put (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN const char * const application,
+       IN const char * const label,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT unsigned char * const blob,
+       IN const size_t blob_size
+);
+
+/*
+ * pkcs11h_data_del - delete data object.
+ *
+ * Parameters:
+ *     token_id                - Token id object.
+ *     is_public               - Object is public.
+ *     application             - Object application attribute.
+ *     label                   - Object label attribute.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ */
+CK_RV
+pkcs11h_data_del (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN const char * const application,
+       IN const char * const label,
+       IN void * const user_data,
+       IN const unsigned mask_prompt
+);
+
+#endif                         /* ENABLE_PKCS11H_DATA */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+/*======================================================================*
+ * CERTIFICATE INTERFACE
+ *======================================================================*/
+
+/*
+ * pkcs11h_certificate_freeCertificateId - Free certificate_id object.
+ */
+CK_RV
+pkcs11h_certificate_freeCertificateId (
+       IN pkcs11h_certificate_id_t certificate_id
+);
+
+/*
+ * pkcs11h_duplicateCertificateId - Duplicate certificate_id object.
+ */
+CK_RV
+pkcs11h_certificate_duplicateCertificateId (
+       OUT pkcs11h_certificate_id_t * const to,
+       IN const pkcs11h_certificate_id_t from
+);
+
+/*
+ * pkcs11h_certificate_setCertificateIdCertificateBlob - Sets internal certificate_id blob.
+ *
+ * Parameters:
+ *     certificate_id          - Certificate id ojbect.
+ *     blob                    - blob.
+ *     blob_size               - blob size.
+ *
+ * Useful to set after deserialization so certificate is available and not read from token.
+ */
+CK_RV
+pkcs11h_certificate_setCertificateIdCertificateBlob (
+       IN const pkcs11h_certificate_id_t certificate_id,
+       IN const unsigned char * const blob,
+       IN const size_t blob_size
+);
+
+/*
+ * pkcs11h_certificate_freeCertificate - Free certificate object.
+ *
+ * Parameters:
+ *     certificate             - Certificate ojbect.
+ */
+CK_RV
+pkcs11h_certificate_freeCertificate (
+       IN pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_certificate_create - Create a certificate object out of certificate_id.
+ *
+ * Parameters:
+ *     certificate_id          - Certificate id object to be based on.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ *     pin_cache_period        - Session specific cache period.
+ *     p_certificate           - Receives certificate object.
+ *
+ * The certificate id object may not specify the full certificate.
+ * The certificate object must be freed by caller.
+ */    
+CK_RV
+pkcs11h_certificate_create (
+       IN const pkcs11h_certificate_id_t certificate_id,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       IN const int pin_cache_period,
+       OUT pkcs11h_certificate_t * const p_certificate
+);
+
+/*
+ * pkcs11h_certificate_getPromptMask - Extract user data out of certificate.
+ *
+ * Parameters:
+ *     certificate             - Certificate ojbect.
+ *
+ * Returns:
+ *     mask_prompt             - Allow prompt.
+ *
+ */
+unsigned
+pkcs11h_certificate_getPromptMask (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_certificate_setPromptMask - Extract user data out of certificate.
+ *
+ * Parameters:
+ *     certificate             - Certificate ojbect.
+ *     mask_prompt             - Allow prompt.
+ */
+void
+pkcs11h_certificate_setPromptMask (
+       IN const pkcs11h_certificate_t certificate,
+       IN const unsigned ask_prompt
+);
+
+/*
+ * pkcs11h_certificate_getUserData - Extract user data out of certificate.
+ *
+ * Parameters:
+ *     certificate             - Certificate ojbect.
+ *
+ * Returns:
+ *     user_data               - Optional user data, to be passed to hooks.
+ */
+void *
+pkcs11h_certificate_getUserData (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_certificate_setUserData - Extract user data out of certificate.
+ *
+ * Parameters:
+ *     certificate             - Certificate ojbect.
+ *     user_data               - Optional user data, to be passed to hooks.
+ */
+void
+pkcs11h_certificate_setUserData (
+       IN const pkcs11h_certificate_t certificate,
+       IN void * const user_data
+);
+
+/*
+ * pkcs11h_certificate_getCertificateId - Get certifiate id object out of a certifiate
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *     p_certificate_id        - Certificate id object pointer.
+ *
+ * The certificate id must be freed by caller.
+ */
+CK_RV
+pkcs11h_certificate_getCertificateId (
+       IN const pkcs11h_certificate_t certificate,
+       OUT pkcs11h_certificate_id_t * const p_certificate_id
+);
+
+/*
+ * pkcs11h_certificate_getCertificateBlob - Get the certificate blob out of the certificate object.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *     certificate_blob        - Buffer.
+ *     certificate_blob_size   - Buffer size.
+ *
+ * Buffer may be NULL in order to get size.
+ */
+CK_RV
+pkcs11h_certificate_getCertificateBlob (
+       IN const pkcs11h_certificate_t certificate,
+       OUT unsigned char * const certificate_blob,
+       IN OUT size_t * const p_certificate_blob_size
+);
+
+#if defined(ENABLE_PKCS11H_SERIALIZATION)
+
+/*
+ * pkcs11h_certificate_serializeCertificateId - Serialize certificate_id into a string
+ *
+ * Parametrs:
+ *     sz                      - Output string.
+ *     max                     - Max buffer size.
+ *     certificate_id          - id to serialize
+ *
+ * sz may be NULL in order to get size.
+ */
+CK_RV
+pkcs11h_certificate_serializeCertificateId (
+       OUT char * const sz,
+       IN OUT size_t *max,
+       IN const pkcs11h_certificate_id_t certificate_id
+);
+
+/*
+ * pkcs11h_certificate_deserializeCertificateId - Deserialize certificate_id out of string.
+ *
+ * Parameters:
+ *     p_certificate_id        - id.
+ *     sz                      - Inut string
+ */
+CK_RV
+pkcs11h_certificate_deserializeCertificateId (
+       OUT pkcs11h_certificate_id_t * const p_certificate_id,
+       IN const char * const sz
+);
+
+#endif                         /* ENABLE_PKCS11H_SERIALIZATION */
+
+/*
+ * pkcs11h_certificate_ensureCertificateAccess - Ensure certificate is accessible.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ */
+CK_RV
+pkcs11h_certificate_ensureCertificateAccess (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_certificate_ensureKeyAccess - Ensure key is accessible.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ */
+CK_RV
+pkcs11h_certificate_ensureKeyAccess (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_certificate_lockSession - Lock session for threded environment
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *
+ * This must be called on threaded environment, so both calls to _sign and
+ * _signRecover and _decrypt will be from the same source.
+ * Failing to lock session, will result with CKR_OPERATION_ACTIVE if
+ * provider is good, or unexpected behaviour for others.
+ *
+ * It is save to call this also in none threaded environment, it will do nothing.
+ * Call this also if you are doing one stage operation, since locking is not
+ * done by method.
+ */
+CK_RV
+pkcs11h_certificate_lockSession (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_certificate_releaseSession - Releases session lock.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *
+ * See pkcs11h_certificate_lockSession.
+ */
+CK_RV
+pkcs11h_certificate_releaseSession (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_certificate_sign - Sign data.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *     mech_type               - PKCS#11 mechanism.
+ *     source                  - Buffer to sign.
+ *     source_size             - Buffer size.
+ *     target                  - Target buffer, can be NULL to get size.
+ *     target_size             - Target buffer size.
+ */
+CK_RV
+pkcs11h_certificate_sign (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+);
+
+/*
+ * pkcs11h_certificate_signRecover - Sign data.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *     mech_type               - PKCS#11 mechanism.
+ *     source                  - Buffer to sign.
+ *     source_size             - Buffer size.
+ *     target                  - Target buffer, can be NULL to get size.
+ *     target_size             - Target buffer size.
+ */
+CK_RV
+pkcs11h_certificate_signRecover (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+);
+
+/*
+ * pkcs11h_certificate_signAny - Sign data mechanism determined by key attributes.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *     mech_type               - PKCS#11 mechanism.
+ *     source                  - Buffer to sign.
+ *     source_size             - Buffer size.
+ *     target                  - Target buffer, can be NULL to get size.
+ *     target_size             - Target buffer size.
+ */
+CK_RV
+pkcs11h_certificate_signAny (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+);
+
+/*
+ * pkcs11h_certificate_decrypt - Decrypt data.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *     mech_type               - PKCS#11 mechanism.
+ *     source                  - Buffer to sign.
+ *     source_size             - Buffer size.
+ *     target                  - Target buffer, can be NULL to get size.
+ *     target_size             - Target buffer size.
+ */
+CK_RV
+pkcs11h_certificate_decrypt (
+       IN const pkcs11h_certificate_t certificate,
+       IN const CK_MECHANISM_TYPE mech_type,
+       IN const unsigned char * const source,
+       IN const size_t source_size,
+       OUT unsigned char * const target,
+       IN OUT size_t * const p_target_size
+);
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#if defined(ENABLE_PKCS11H_LOCATE)
+/*======================================================================*
+ * LOCATE INTERFACE
+ *======================================================================*/
+
+#if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
+
+/*
+ * pkcs11h_locate_token - Locate token based on atributes.
+ *
+ * Parameters:
+ *     slot_type               - How to locate slot.
+ *     slot                    - Slot name.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ *     p_token_id              - Token object.
+ *
+ * Slot:
+ *     id      - Slot number.
+ *     name    - Slot name.
+ *     label   - Available token label.
+ *
+ * Caller must free token id.
+ */
+CK_RV
+pkcs11h_locate_token (
+       IN const char * const slot_type,
+       IN const char * const slot,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_token_id_t * const p_token_id
+);
+
+#endif                         /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+/*
+ * pkcs11h_locate_certificate - Locate certificate based on atributes.
+ *
+ * Parameters:
+ *     slot_type               - How to locate slot.
+ *     slot                    - Slot name.
+ *     id_type                 - How to locate object.
+ *     id                      - Object name.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ *     p_certificate_id        - Certificate object.
+ *
+ * Slot:
+ *     Same as pkcs11h_locate_token.
+ *
+ * Object:
+ *     id      - Certificate CKA_ID (hex string) (Fastest).
+ *     label   - Certificate CKA_LABEL (string).
+ *     subject - Certificate subject (OpenSSL or gnutls DN).
+ *
+ * Caller must free certificate id.
+ */
+CK_RV
+pkcs11h_locate_certificate (
+       IN const char * const slot_type,
+       IN const char * const slot,
+       IN const char * const id_type,
+       IN const char * const id,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_certificate_id_t * const p_certificate_id
+);
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#endif                         /* ENABLE_PKCS11H_LOCATE */
+
+#if defined(ENABLE_PKCS11H_ENUM)
+/*======================================================================*
+ * ENUM INTERFACE
+ *======================================================================*/
+
+#if defined(ENABLE_PKCS11H_TOKEN)
+
+/*
+ * pkcs11h_freeTokenIdList - Free certificate_id list.
+ */
+CK_RV
+pkcs11h_token_freeTokenIdList (
+       IN const pkcs11h_token_id_list_t token_id_list
+);
+
+/*
+ * pkcs11h_token_enumTokenIds - Enumerate available tokens
+ *
+ * Parameters:
+ *     p_token_id_list         - A list of token ids.
+ *     
+ * Caller must free the list.
+ */
+CK_RV
+pkcs11h_token_enumTokenIds (
+       IN const int method,
+       OUT pkcs11h_token_id_list_t * const p_token_id_list
+);
+
+#endif                         /* ENABLE_PKCS11H_TOKEN */
+
+#if defined(ENABLE_PKCS11H_DATA)
+
+/*
+ * pkcs11h_data_freeDataIdList - free data object list..
+ *
+ * Parameters:
+ *     data_id_list            - list to free.
+ */
+CK_RV
+pkcs11h_data_freeDataIdList (
+       IN const pkcs11h_data_id_list_t data_id_list
+);
+
+/*
+ * pkcs11h_data_enumDataObjects - get list of data objects.
+ *
+ * Parameters:
+ *     token_id                - token id.
+ *     is_public               - Get a list of public objects.
+ *     user_data               - Optional user data, to be passed to hooks.
+ *     mask_prompt             - Allow prompt.
+ *     p_data_id_list          - List location.
+ */
+CK_RV
+pkcs11h_data_enumDataObjects (
+       IN const pkcs11h_token_id_t token_id,
+       IN const PKCS11H_BOOL is_public,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_data_id_list_t * const p_data_id_list
+);
+
+#endif                         /* ENABLE_PKCS11H_DATA */
+
+#if defined(ENABLE_PKCS11H_CERTIFICATE)
+
+/*
+ * pkcs11h_certificate_freeCertificateIdList - Free certificate_id list.
+ */
+CK_RV
+pkcs11h_certificate_freeCertificateIdList (
+       IN const pkcs11h_certificate_id_list_t cert_id_list
+);
+
+/*
+ * pkcs11h_certificate_enumTokenCertificateIds - Enumerate available certificates on specific token
+ *
+ * Parameters:
+ *     token_id                - Token id to enum.
+ *     method                  - How to fetch certificates.
+ *     user_data               - Some user specific data.
+ *     mask_prompt             - Allow prompt.
+ *     p_cert_id_issuers_list  - Receives issues list, can be NULL.
+ *     p_cert_id_end_list      - Receives end certificates list.
+ *
+ * This function will likely take long time.
+ *
+ * Method can be one of the following:
+ *     PKCS11H_ENUM_METHOD_CACHE
+ *             Return available certificates, even if token was once detected and
+ *             was removed.
+ *     PKCS11H_ENUM_METHOD_CACHE_EXIST
+ *             Return available certificates for available tokens only, don't
+ *             read the contents of the token if already read, even if this token
+ *             removed and inserted.
+ *     PKCS11H_ENUM_METHOD_RELOAD
+ *             Clear all caches and then enum.
+ *
+ * Caller must free the lists.
+ */
+CK_RV
+pkcs11h_certificate_enumTokenCertificateIds (
+       IN const pkcs11h_token_id_t token_id,
+       IN const int method,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
+);
+
+/*
+ * pkcs11h_enum_getCertificateIds - Enumerate available certificates.
+ *
+ * Parameters:
+ *     method                  - How to fetch certificates.
+ *     user_data               - Some user specific data.
+ *     mask_prompt             - Allow prompt.
+ *     p_cert_id_issuers_list  - Receives issues list, can be NULL.
+ *     p_cert_id_end_list      - Receives end certificates list.
+ *
+ * This function will likely take long time.
+ *
+ * Method can be one of the following:
+ *     PKCS11H_ENUM_METHOD_CACHE
+ *             Return available certificates, even if token was once detected and
+ *             was removed.
+ *     PKCS11H_ENUM_METHOD_CACHE_EXIST
+ *             Return available certificates for available tokens only, don't
+ *             read the contents of the token if already read, even if this token
+ *             removed and inserted.
+ *     PKCS11H_ENUM_METHOD_RELOAD
+ *             Clear all caches and then enum.
+ *
+ * Caller must free lists.
+ */
+CK_RV
+pkcs11h_certificate_enumCertificateIds (
+       IN const int method,
+       IN void * const user_data,
+       IN const unsigned mask_prompt,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
+       OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
+);
+
+#endif                         /* ENABLE_PKCS11H_CERTIFICATE */
+
+#endif                         /* ENABLE_PKCS11H_ENUM */
+
+#if defined(ENABLE_PKCS11H_OPENSSL)
+/*======================================================================*
+ * OPENSSL INTERFACE
+ *======================================================================*/
+
+/*
+ * pkcs11h_openssl_getX509 - Returns an X509 object out of the openssl_session object.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ */
+X509 *
+pkcs11h_openssl_getX509 (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_openssl_createSession - Create OpenSSL session based on a certificate object.
+ *
+ * Parameters:
+ *     certificate             - Certificate object.
+ *
+ * The certificate object will be freed by the OpenSSL interface on session end.
+ */
+pkcs11h_openssl_session_t
+pkcs11h_openssl_createSession (
+       IN const pkcs11h_certificate_t certificate
+);
+
+/*
+ * pkcs11h_openssl_getCleanupHook - Sets cleanup hook
+ *
+ * Parameters:
+ *     openssl_session         - session.
+ */
+pkcs11h_hook_openssl_cleanup_t
+pkcs11h_openssl_getCleanupHook (
+       IN const pkcs11h_openssl_session_t openssl_session
+);
+
+/*
+ * pkcs11h_openssl_setCleanupHook - Sets cleanup hook
+ *
+ * Parameters:
+ *     openssl_session         - session.
+ *     cleanup                 - hook.
+ */
+void
+pkcs11h_openssl_setCleanupHook (
+       IN const pkcs11h_openssl_session_t openssl_session,
+       IN const pkcs11h_hook_openssl_cleanup_t cleanup
+);
+
+/*
+ * pkcs11h_openssl_freeSession - Free OpenSSL session.
+ *
+ * Parameters:
+ *     openssl_session         - Session to free.
+ *
+ * The openssl_session object has a reference count just like other OpenSSL objects.
+ */
+void
+pkcs11h_openssl_freeSession (
+       IN const pkcs11h_openssl_session_t openssl_session
+);
+
+/*
+ * pkcs11h_openssl_session_getRSA - Returns an RSA object out of the openssl_session object.
+ *
+ * Parameters:
+ *     openssl_session         - Session.
+ */
+RSA *
+pkcs11h_openssl_session_getRSA (
+       IN const pkcs11h_openssl_session_t openssl_session
+);
+
+/*
+ * pkcs11h_openssl_session_getX509 - Returns an X509 object out of the openssl_session object.
+ *
+ * Parameters:
+ *     openssl_session         - Session.
+ */
+X509 *
+pkcs11h_openssl_session_getX509 (
+       IN const pkcs11h_openssl_session_t openssl_session
+);
+
+#endif                         /* ENABLE_PKCS11H_OPENSSL */
+
+#if defined(ENABLE_PKCS11H_STANDALONE)
+/*======================================================================*
+ * STANDALONE INTERFACE
+ *======================================================================*/
+
+void
+pkcs11h_standalone_dump_slots (
+       IN const pkcs11h_output_print_t my_output,
+       IN void * const global_data,
+       IN const char * const provider
+);
+
+void
+pkcs11h_standalone_dump_objects (
+       IN const pkcs11h_output_print_t my_output,
+       IN void * const global_data,
+       IN const char * const provider,
+       IN const char * const slot,
+       IN const char * const pin
+);
+
+#endif                         /* ENABLE_PKCS11H_STANDALONE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif                         /* __PKCS11H_HELPER_H */
diff -urNp openssh-4.4p1/README.pkcs11 openssh-4.4p1+pkcs11-0.17/README.pkcs11
--- openssh-4.4p1/README.pkcs11 1970-01-01 02:00:00.000000000 +0200
+++ openssh-4.4p1+pkcs11-0.17/README.pkcs11     2006-10-18 20:22:08.000000000 +0200
@@ -0,0 +1,49 @@
+The PKCS#11 patch modify ssh-add and ssh-agent to support PKCS#11 private keys
+and certificates (http://alon.barlev.googlepages.com/openssh-pkcs11).
+
+It allows using multiple PKCS#11 providers at the same time, selecting keys by
+id, label or certificate subject, handling card removal and card insert events,
+handling card re-insert to a different slot, supporting session expiration.
+
+A valid X.509 certificate should exist on the token, without X.509 support it is
+exported as regular RSA key. Self-signed certificates are treated as RSA key and
+not as X.509 RSA key.
+
+If you like X.509 (http://roumenpetrov.info/openssh) support apply the X.509
+patch AFTER the PKCS#11 patch. You can use -o PubkeyAlgorithms=ssh-rsa in order to
+authenticate to none X.509 servers.
+
+One significant change is that the ssh-agent prompts for passwords now... So you
+need to configure it with a program that asks for card insert or PIN, a program
+such as x11-ssh-askpass. Current implementation (ssh-add asks for passwords) is
+not valid for dynamic smartcard environment.
+
+Current implementation uses the askpin program also for prompting card insert...
+Don't be confused, it only expects ok or cancel, some simple scripts available
+at http://alon.barlev.googlepages.com/openssh-pkcs11 that uses KDE, Gnome and .NET
+in order to display these dialogs.
+
+You can view full usage by:
+$ ssh-agent /bin/sh
+$ ssh-add -h
+
+A common scenario is the following:
+$ ssh-agent /bin/sh
+$ ssh-add --pkcs11-ask-pin `which openssh-kde-dialogs.sh`
+$ ssh-add --pkcs11-add-provider --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
+$ ssh-add --pkcs11-add-id --pkcs11-id "serialized id"
+$ ssh myhost
+
+In order to see available objects, you can use:
+$ ssh-add --pkcs11-show-ids --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
+
+In order to add id without accessing the token, you must put the certificate in
+a PEM file and use:
+$ ssh-add --pkcs11-add-id --pkcs11-id "serialized id" --pkcs11-cert-file my.pem
+
+In order to debug open two shells:
+1$ rm -fr /tmp/s; ssh-agent -d -d -d -a /tmp/s
+
+2$ SSH_AUTH_SOCK=/tmp/s; export SSH_AUTH_SOCK;
+2$ [ssh-add]...
+
diff -urNp openssh-4.4p1/ssh-add.c openssh-4.4p1+pkcs11-0.17/ssh-add.c
--- openssh-4.4p1/ssh-add.c     2006-09-01 08:38:37.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/ssh-add.c 2006-10-12 15:10:42.000000000 +0200
@@ -56,12 +56,15 @@
 #include "rsa.h"
 #include "log.h"
 #include "key.h"
+#include "pkcs11.h"
 #include "buffer.h"
 #include "authfd.h"
 #include "authfile.h"
 #include "pathnames.h"
 #include "misc.h"
 
+static void usage (void);
+
 /* argv0 */
 extern char *__progname;
 
@@ -306,6 +309,261 @@ do_file(AuthenticationConnection *ac, in
        return 0;
 }
 
+#ifndef SSH_PKCS11_DISABLED
+
+static
+int
+do_pkcs11 (AuthenticationConnection *ac, int argc, char *argv[])
+{
+       /*
+        * TEMP TEMP TEMP TEMP
+        *
+        * This should be fixed if another mechanism
+        * will be propsed.
+        */
+       pkcs11_identity *id = NULL;
+       char *szPKCS11Provider = NULL;
+       char *szPKCS11Id = NULL;
+       char *szPKCS11SignMode = NULL;
+       char *szPKCS11AskPIN = NULL;
+       char *szPKCS11SlotId = NULL;
+       char *szPKCS11CertFile = NULL;
+       int fDebug = 0;
+       int fPKCS11AddProvider = 0;
+       int fPKCS11AddId = 0;
+       int fPKCS11RemoveId = 0;
+       int fPKCS11ShowIds = 0;
+       int fPKCS11DumpSlots = 0;
+       int fPKCS11DumpObjects = 0;
+       int fPKCS11ProtectedAuthentication = 0;
+       int fPKCS11CertPrivate = 0;
+       int nPKCS11PINCachePeriod = -1;
+       int fBadUsage = 0;
+       int ret = 0;
+       int nSkipPrmCount;
+       int i;
+
+       for (i=0,nSkipPrmCount=0;i<argc;i++) {
+               if (!strcmp (argv[i], "--pkcs11-provider")) {
+                       szPKCS11Provider = argv[i+1];
+                       i++;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-id")) {
+                       szPKCS11Id = argv[i+1];
+                       i++;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-pin-cache")) {
+                       nPKCS11PINCachePeriod = atoi (argv[i+1]);
+                       i++;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-sign-mode")) {
+                       szPKCS11SignMode = argv[i+1];
+                       i++;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-ask-pin")) {
+                       szPKCS11AskPIN = argv[i+1];
+                       i++;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-slot")) {
+                       szPKCS11SlotId = argv[i+1];
+                       i++;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-cert-file")) {
+                       szPKCS11CertFile = argv[i+1];
+                       i++;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-add-provider")) {
+                       fPKCS11AddProvider = 1;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-remove-id")) {
+                       fPKCS11RemoveId = 1;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-add-id")) {
+                       fPKCS11AddId = 1;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-show-ids")) {
+                       fPKCS11ShowIds = 1;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-dump-slots")) {
+                       fPKCS11DumpSlots = 1;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-dump-objects")) {
+                       fPKCS11DumpObjects = 1;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-protected-authentication")) {
+                       fPKCS11ProtectedAuthentication = 1;
+               }
+               else if (!strcmp (argv[i], "--pkcs11-cert-private")) {
+                       fPKCS11CertPrivate = 1;
+               }
+               else if (!strcmp (argv[i], "-d")) {
+                       fDebug = 1;
+               }
+               else {
+                       nSkipPrmCount++;
+               }
+       }
+
+       if (nSkipPrmCount == argc) {
+               /* no pkcs#11 arguments */
+               ret = -2;
+       }
+
+       if (ret == 0) {
+               if (
+                       !fBadUsage &&
+                       fPKCS11AddProvider &&
+                       szPKCS11Provider == NULL
+               ) {
+                       fBadUsage = 1;
+               }
+
+               if (
+                       !fBadUsage &&
+                       fPKCS11AddId &&
+                       (
+                               szPKCS11Id == NULL
+                       )
+               ) {
+                       fBadUsage = 1;
+               }
+
+               if (
+                       !fBadUsage &&
+                       fPKCS11RemoveId &&
+                       (
+                               szPKCS11Id == NULL
+                       )
+               ) {
+                       fBadUsage = 1;
+               }
+
+               if (
+                       !fBadUsage &&
+                       fPKCS11ShowIds &&
+                       szPKCS11Provider == NULL
+               ) {
+                       fBadUsage = 1;
+               }
+
+               if (
+                       !fBadUsage &&
+                       fPKCS11DumpSlots &&
+                       szPKCS11Provider == NULL
+               ) {
+                       fBadUsage = 1;
+               }
+
+               if (
+                       !fBadUsage &&
+                       fPKCS11DumpObjects &&
+                       (
+                               szPKCS11Provider == NULL ||
+                               szPKCS11SlotId == NULL
+                       )
+               ) {
+                       fBadUsage = 1;
+               }
+
+               if (fBadUsage) {
+                       usage ();
+                       ret = 1;
+               }
+       }
+       
+       if (ret == 0) {
+               if (fPKCS11AddId || fPKCS11RemoveId) {
+                       id = pkcs11_identity_new ();
+                       if (id == NULL) {
+                               ret = 1;
+                       }
+                       else {
+                               id->id = strdup (szPKCS11Id);
+                               id->pin_cache_period = nPKCS11PINCachePeriod;
+                               id->cert_file = szPKCS11CertFile;
+                       }
+               }
+       }
+
+       if (ret == 0) {
+               if (fDebug) {
+                       log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 1);
+               }
+
+               if (fPKCS11ShowIds) {
+                       pkcs11_show_ids (szPKCS11Provider, fPKCS11ProtectedAuthentication, fPKCS11CertPrivate);
+                       ret = 0;
+               }
+               else if (fPKCS11DumpSlots) {
+                       pkcs11_dump_slots (szPKCS11Provider);
+                       ret = 0;
+               }
+               else if (fPKCS11DumpObjects) {
+                       char *szPIN = read_passphrase("PIN: ", RP_ALLOW_STDIN);
+                       if (szPIN[0] != '\0') {
+                               pkcs11_dump_objects (szPKCS11Provider, szPKCS11SlotId, szPIN);
+                       }
+                       memset (szPIN, 0, strlen (szPIN));
+                       xfree (szPIN);
+                       ret = 0;
+               }
+               else if (szPKCS11AskPIN != NULL) {
+                       ret = !ssh_pkcs11_set_ask_pin (ac, szPKCS11AskPIN);
+
+                       if (ret) {
+                               fprintf (stderr, "Failed\n");
+                       }
+                       else {
+                               fprintf (stderr, "Success\n");
+                       }
+               }
+               else if (fPKCS11AddProvider) {
+                       ret = !ssh_pkcs11_add_provider (
+                               ac,
+                               szPKCS11Provider,
+                               fPKCS11ProtectedAuthentication,
+                               szPKCS11SignMode,
+                               fPKCS11CertPrivate
+                       );
+
+                       if (ret) {
+                               fprintf (stderr, "Cannot add provider %s\n", szPKCS11Provider);
+                       }
+                       else {
+                               fprintf (stderr, "Provider %s added successfully\n", szPKCS11Provider);
+                       }
+               }
+               else if (fPKCS11AddId) {
+                       ret = !ssh_pkcs11_id (ac, id, 0);
+
+                       if (ret) {
+                               fprintf (stderr, "Cannot add identity\n");
+                       }
+                       else {
+                               fprintf (stderr, "Identity added successfully\n");
+                       }
+               }
+               else if (fPKCS11RemoveId) {
+                       ret = !ssh_pkcs11_id (ac, id, 1);
+
+                       if (ret) {
+                               fprintf (stderr, "Cannot remove identity\n");
+                       }
+                       else {
+                               fprintf (stderr, "Identity removed successfully\n");
+                       }
+               }
+       }
+
+       if (id != NULL) {
+               pkcs11_identity_free (id);
+       }
+
+       return ret;
+}
+
+#endif /* SSH_PKCS11_DISABLED */
+
 static void
 usage(void)
 {
@@ -323,6 +581,50 @@ usage(void)
        fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
        fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
 #endif
+#ifndef SSH_PKCS11_DISABLED
+       fprintf(
+               stderr,
+               (
+                       "\n"
+                       "  PKCS#11 Options:\n"
+                       "  --pkcs11-ask-pin prog          Set ask-pin program\n"
+                       "\n"
+                       "  --pkcs11-add-provider          Add PKCS#11 provider\n"
+                       "    --pkcs11-provider provider   PKCS#11 provider library\n"
+                       "    [--pkcs11-protected-authentication] Use PKCS#11 protected authentication\n"
+                       "    [--pkcs11-sign-mode mode]    Provider signature mode\n"
+                       "                                  auto    - determine automatically\n"
+                       "                                  sign    - perform sign\n"
+                       "                                  recover - perform sign recover\n"
+                       "                                  any     - perform sign and then sign recover\n"
+                       "    [--pkcs11-cert-private]       Login required in order to access certificate\n"
+                       "\n"
+                       "  --pkcs11-show-ids              Show available identities\n"
+                       "    --pkcs11-provider provider   PKCS#11 provider library\n"
+                       "    [--pkcs11-protected-authentication] Use PKCS#11 protected authentication\n"
+                       "    [--pkcs11-cert-private]       Login required in order to access certificate\n"
+                       "    [-d]                         debug\n"  
+                       "\n"
+                       "  --pkcs11-add-id                Add PKCS#11 identity\n"
+                       "    --pkcs11-id id                Serialized string\n"
+                       "    [--pkcs11-cert-file file]     Use this PEM file, don't access token\n"
+                       "    [--pkcs11-pin-cache period]   PIN cache period (seconds)\n"
+                       "\n"
+                       "  --pkcs11-remove-id             Remove PKCS#11 identity\n"
+                       "    --pkcs11-id id                Serialized string\n"
+                       "    [--pkcs11-cert-file file]     Use this PEM file, don't access token\n"
+                       "\n"
+                       " PKCS#11 Debugging Options:\n"
+                       "  --pkcs11-dump-slots            Dump available PKCS#11 slots\n"
+                       "    --pkcs11-provider provider   PKCS#11 provider library\n"
+                       "\n"
+                       "  --pkcs11-dump-objects          Dump available PKCS#11 objects\n"
+                       "    --pkcs11-provider provider   PKCS#11 provider library\n"
+                       "    --pkcs11-slot slot           Slot numeric id\n"
+                       "\n"
+               )
+       );
+#endif  /* SSH_PKCS11_DISABLED */
 }
 
 int
@@ -350,6 +652,17 @@ main(int argc, char **argv)
                    "Could not open a connection to your authentication agent.\n");
                exit(2);
        }
+
+#ifndef SSH_PKCS11_DISABLED
+       {
+               int r = do_pkcs11 (ac, argc, argv);
+               if (r != -2) {
+                       ret = r;
+                       goto done;
+               }
+       }
+#endif /* SSH_PKCS11_DISABLED */
+
        while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
                switch (ch) {
                case 'l':
diff -urNp openssh-4.4p1/ssh-agent.c openssh-4.4p1+pkcs11-0.17/ssh-agent.c
--- openssh-4.4p1/ssh-agent.c   2006-09-01 08:38:37.000000000 +0300
+++ openssh-4.4p1+pkcs11-0.17/ssh-agent.c       2006-10-12 14:00:53.000000000 +0200
@@ -71,6 +71,7 @@
 #include "buffer.h"
 #include "key.h"
 #include "authfd.h"
+#include "pkcs11.h"
 #include "compat.h"
 #include "log.h"
 #include "misc.h"
@@ -690,6 +691,157 @@ send:
 }
 #endif /* SMARTCARD */
 
+#ifndef SSH_PKCS11_DISABLED
+
+static
+void
+process_pkcs11_set_ask_pin (SocketEntry *e)
+{
+       char *szAskPIN = NULL;
+       int success = 0;
+
+       szAskPIN = buffer_get_string(&e->request, NULL);
+
+       success = pkcs11_setAskPIN (szAskPIN);
+
+       buffer_put_int(&e->output, 1);
+       buffer_put_char(&e->output,
+           success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+static void
+process_pkcs11_add_provider (SocketEntry *e)
+{
+       char *szProvider = NULL;
+       int fProtectedAuthentication = 0;
+       char *szSignMode = NULL;
+       int fCertIsPrivate = 0;
+       int success = 0;
+
+       szProvider = buffer_get_string(&e->request, NULL);
+       fProtectedAuthentication = buffer_get_int (&e->request);
+       szSignMode = buffer_get_string(&e->request, NULL);
+       fCertIsPrivate = buffer_get_int (&e->request);
+
+       success = pkcs11_addProvider (szProvider, fProtectedAuthentication, szSignMode, fCertIsPrivate);
+
+       buffer_put_int(&e->output, 1);
+       buffer_put_char(&e->output,
+           success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+static
+void
+process_pkcs11_add_id (SocketEntry *e)
+{
+       int success = 0;
+       int version = 2;
+       char szComment[1024];
+       Key *k = NULL;
+       pkcs11_identity *pkcs11_id = NULL;
+
+       pkcs11_id = pkcs11_identity_new ();
+       if (pkcs11_id != NULL) {
+               pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
+               pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
+               pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
+
+               pkcs11_getKey (
+                       pkcs11_id,
+                       &k,
+                       szComment,
+                       sizeof (szComment)
+               );
+
+               if (k != NULL) {
+                       if (lookup_identity(k, version) == NULL) {
+                               Identity *id = xmalloc(sizeof(Identity));
+                               Idtab *tab = NULL;
+       
+                               id->key = k;
+                               k = NULL;
+                               id->comment = xstrdup (szComment);
+                               id->death = 0;          /* handled by pkcs#11 helper */
+                               id->confirm = 0;
+       
+                               tab = idtab_lookup(version);
+                               TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+                               /* Increment the number of identities. */
+                               tab->nentries++;
+                               success = 1;
+                       }
+               }
+       }
+
+       if (k != NULL) {
+               key_free (k);
+       }
+
+       if (pkcs11_id != NULL) {
+               pkcs11_identity_free (pkcs11_id);
+       }
+
+       buffer_put_int(&e->output, 1);
+       buffer_put_char(&e->output,
+           success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+static
+void
+process_pkcs11_remove_id (SocketEntry *e)
+{
+       int success = 0;
+       Identity *id = NULL;
+       int version = 2;
+       char szComment[1024];
+       Key *k = NULL;
+
+       pkcs11_identity *pkcs11_id = NULL;
+
+       pkcs11_id = pkcs11_identity_new ();
+       if (pkcs11_id != NULL) {
+               pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
+               pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
+               pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
+
+               pkcs11_getKey (
+                       pkcs11_id,
+                       &k,
+                       szComment,
+                       sizeof (szComment)
+               );
+
+               if (k != NULL) {
+                       id = lookup_identity (k, version);
+               }
+
+               if (id != NULL) {
+                       Idtab *tab = NULL;
+
+                       tab = idtab_lookup(version);
+                       TAILQ_REMOVE(&tab->idlist, id, next);
+                       tab->nentries--;
+                       free_identity(id);
+                       id = NULL;
+                       success = 1;
+               }
+       }
+
+       if (k != NULL) {
+               key_free (k);
+       }
+
+       if (pkcs11_id != NULL) {
+               pkcs11_identity_free (pkcs11_id);
+       }
+
+       buffer_put_int(&e->output, 1);
+       buffer_put_char(&e->output,
+           success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+#endif /* SSH_PKCS11_DISABLED */
+
 /* dispatch incoming messages */
 
 static void
@@ -785,6 +937,21 @@ process_message(SocketEntry *e)
                process_remove_smartcard_key(e);
                break;
 #endif /* SMARTCARD */
+
+#ifndef SSH_PKCS11_DISABLED
+       case SSH_AGENTC_PKCS11_SET_ASK_PIN:
+               process_pkcs11_set_ask_pin (e);
+               break;
+       case SSH_AGENTC_PKCS11_ADD_PROVIDER:
+               process_pkcs11_add_provider (e);
+               break;
+       case SSH_AGENTC_PKCS11_ADD_ID:
+               process_pkcs11_add_id (e);
+               break;
+       case SSH_AGENTC_PKCS11_REMOVE_ID:
+               process_pkcs11_remove_id (e);
+               break;
+#endif /* SSH_PKCS11_DISABLED */
        default:
                /* Unknown message.  Respond with failure. */
                error("Unknown message %d", type);
@@ -1064,7 +1231,7 @@ main(int ac, char **av)
                        s_flag++;
                        break;
                case 'd':
-                       if (d_flag)
+                       if (d_flag > 3)
                                usage();
                        d_flag++;
                        break;
@@ -1167,7 +1334,7 @@ main(int ac, char **av)
         * the socket data.  The child continues as the authentication agent.
         */
        if (d_flag) {
-               log_init(__progname, SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 1);
+               log_init(__progname, SYSLOG_LEVEL_DEBUG1+d_flag-1, SYSLOG_FACILITY_AUTH, 1);
                format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
                printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
                    SSH_AUTHSOCKET_ENV_NAME);
@@ -1228,6 +1395,11 @@ main(int ac, char **av)
 #endif
 
 skip:
+
+#ifndef SSH_PKCS11_DISABLED
+       pkcs11_initialize (1, -1);
+#endif /* SSH_PKCS11_DISABLED */
+
        new_socket(AUTH_SOCKET, sock);
        if (ac > 0) {
                mysignal(SIGALRM, check_parent_exists);
@@ -1251,4 +1423,8 @@ skip:
                after_select(readsetp, writesetp);
        }
        /* NOTREACHED */
+
+#ifndef SSH_PKCS11_DISABLED
+       pkcs11_terminate ();
+#endif /* SSH_PKCS11_DISABLED */
 }