libp11 initial commit

38 files changed, 7489 insertions, 1 deletions

diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..b124cf5
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,510 @@
+
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations
+below.
+
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+  To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+  For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you.  You must make sure that they, too, receive or can get the source
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it.  And you must show them these terms so they know their rights.
+
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.
+
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it
+becomes a de-facto standard.  To achieve this, non-free programs must
+be allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.  Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library".  The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+                  GNU LESSER GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+  A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+  The "Library", below, refers to any such software library or work
+which has been distributed under these terms.  A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language.  (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+  "Source code" for a work means the preferred form of the work for
+making modifications to it.  For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control
+compilation and installation of the library.
+
+  Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it).  Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+  1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+  You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+  2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) The modified work must itself be a software library.
+
+    b) You must cause the files modified to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    c) You must cause the whole of the work to be licensed at no
+    charge to all third parties under the terms of this License.
+
+    d) If a facility in the modified Library refers to a function or a
+    table of data to be supplied by an application program that uses
+    the facility, other than as an argument passed when the facility
+    is invoked, then you must make a good faith effort to ensure that,
+    in the event an application does not supply such function or
+    table, the facility still operates, and performs whatever part of
+    its purpose remains meaningful.
+
+    (For example, a function in a library to compute square roots has
+    a purpose that is entirely well-defined independent of the
+    application.  Therefore, Subsection 2d requires that any
+    application-supplied function or table used by this function must
+    be optional: if the application does not supply it, the square
+    root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library.  To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License.  (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.)  Do not make any other change in
+these notices.
+
+  Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+  This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+  4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+  If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library".  Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+  However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library".  The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+  When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library.  The
+threshold for this to be true is not precisely defined by law.
+
+  If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work.  (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+  Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+  6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+  You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License.  You must supply a copy of this License.  If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License.  Also, you must do one
+of these things:
+
+    a) Accompany the work with the complete corresponding
+    machine-readable source code for the Library including whatever
+    changes were used in the work (which must be distributed under
+    Sections 1 and 2 above); and, if the work is an executable linked
+    with the Library, with the complete machine-readable "work that
+    uses the Library", as object code and/or source code, so that the
+    user can modify the Library and then relink to produce a modified
+    executable containing the modified Library.  (It is understood
+    that the user who changes the contents of definitions files in the
+    Library will not necessarily be able to recompile the application
+    to use the modified definitions.)
+
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at least
+    three years, to give the same user the materials specified in
+    Subsection 6a, above, for a charge no more than the cost of
+    performing this distribution.
+
+    d) If distribution of the work is made by offering access to copy
+    from a designated place, offer equivalent access to copy the above
+    specified materials from the same place.
+
+    e) Verify that the user has already received a copy of these
+    materials or that you have already sent this user a copy.
+
+  For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it.  However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+  It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system.  Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+  7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+    a) Accompany the combined library with a copy of the same work
+    based on the Library, uncombined with any other library
+    facilities.  This must be distributed under the terms of the
+    Sections above.
+
+    b) Give prominent notice with the combined library of the fact
+    that part of it is a work based on the Library, and explaining
+    where to find the accompanying uncombined form of the same work.
+
+  8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License.  Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License.  However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+  9. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Library or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+  10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+  11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply, and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License
+may add an explicit geographical distribution limitation excluding those
+countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation.  If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+  14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission.  For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this.  Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+                            NO WARRANTY
+
+  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+           How to Apply These Terms to Your New Libraries
+
+  If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change.  You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms
+of the ordinary General Public License).
+
+  To apply these terms, attach the following notices to the library.
+It is safest to attach them to the start of each source file to most
+effectively convey the exclusion of warranty; and each file should
+have at least the "copyright" line and a pointer to where the full
+notice is found.
+
+
+    <one line to give the library's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+    License as published by the Free Software Foundation; either
+    version 2.1 of the License, or (at your option) any later version.
+
+    This library is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+    Lesser General Public License for more details.
+
+    You should have received a copy of the GNU Lesser General Public
+    License along with this library; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or
+your school, if any, to sign a "copyright disclaimer" for the library,
+if necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the
+  library `Frob' (a library for tweaking knobs) written by James
+  Random Hacker.
+
+  <signature of Ty Coon>, 1 April 1990
+  Ty Coon, President of Vice
+
+That's all there is to it!
+
+
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..2287cf7
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,26 @@
+AUTOMAKE_OPTIONS = foreign 1.10
+ACLOCAL_AMFLAGS = -I m4
+
+MAINTAINERCLEANFILES = \
+        config.log config.status \
+        $(srcdir)/Makefile.in \
+        $(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \
+        $(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
+        $(srcdir)/depcomp $(srcdir)/aclocal.m4 \
+        $(srcdir)/config.guess $(srcdir)/config.sub \
+        $(srcdir)/m4/ltsugar.m4 $(srcdir)/m4/libtool.m4 \
+        $(srcdir)/m4/ltversion.m4 $(srcdir)/m4/lt~obsolete.m4 \
+        $(srcdir)/m4/ltoptions.m4 \
+        $(srcdir)/packaged
+EXTRA_DIST = svnignore Makefile.mak winconfig.h
+
+dist_noinst_DATA = COPYING bootstrap \
+        $(srcdir)/examples/Makefile $(srcdir)/examples/*.c $(srcdir)/examples/README
+dist_doc_DATA = NEWS
+
+SUBDIRS = src doc
+
+# Allow detection of packaged tarball
+dist-hook:
+        $(MKDIR_P) "$(distdir)/m4"
+        echo > "$(distdir)/packaged"
diff --git a/Makefile.mak b/Makefile.mak
new file mode 100644
index 0000000..bfb1a31
--- /dev/null
+++ b/Makefile.mak
@@ -0,0 +1,13 @@
+
+SUBDIRS = src
+
+all::
+
+all:: config.h
+
+config.h: winconfig.h
+        @copy /y winconfig.h config.h
+        
+all depend install clean::
+         @for %i in ( $(SUBDIRS) ) do \
+                @cmd /c "cd %i && $(MAKE) /nologo /f Makefile.mak $@"
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..801871d
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,39 @@
+NEWS for Libp11 -- History of user visible changes
+
+New in 0.2.8; 2011-04-15; Martin Paljak
+* Bumped soname for PKCS11_token struct size changes (Martin Paljak).
+* Display the number of available slots (Ludovic Rousseau).
+* Add openssl libcrypto to pkg-config private libs list (Kalev Lember).
+* Fix building examples with --no-add-needed which is the default in Fedora
+  (Kalev Lember).
+* Expose more token flags in PKCS11_token structure (Kalev Lember).
+* Check that private data is not NULL in pkcs11_release_slot (Robin Bryce,
+  ticket #137).
+
+New in 0.2.7; 2009-10-20; Andreas Jellinghaus
+* If CKR_CRYPTOKI_ALREADY_INITIALIZED is returned from C_Initialize(): ignore. 
+  (Needed for unloaded/reloaded engines e.g. in wpa_supplicant.) By David Smith.
+
+New in 0.2.6; 2009-07-22; Andreas Jellinghaus
+* Fix new version: add new symbol to export file
+* fix building on MSVC plattform
+
+New in 0.2.5; 2009-06-15; Andreas Jellinghaus
+* Add function to export the slot id (Douglas E. Engert).
+* Increase library version because of the new function.
+
+New in 0.2.4; 2008-07-31; Andreas Jellinghaus
+* Build system rewritten (NOTICE: configure options was modified). 
+  The build system can produce outputs for *NIX, cygwin and native
+  windows (using mingw).
+* added PKCS11_CTX_init_args (David Smith).
+* fix segfault in init_args code.
+* implemented PKCS11_private_encrypt (with PKCS11_sign now based on it)
+  (Arnaud Ebalard)
+
+New in 0.2.3; 2007-07-11; Andreas Jellinghaus
+* update wiki export script (add images, fix links).
+* replaced rsa header files from rsalabs (official) with scute (open source).
+* allow CKR_USER_ALREADY_LOGGED_IN on C_Login.
+* mark internal functions as static.
+* add code to store public keys and generate keys.
diff --git a/README.txt b/README.txt
deleted file mode 100644
index b35787d..0000000
--- a/README.txt
+++ /dev/null
@@ -1 +0,0 @@
-Initial temporary file
diff --git a/bootstrap b/bootstrap
new file mode 100755
index 0000000..1ed89d2
--- /dev/null
+++ b/bootstrap
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+set -x
+if test -f Makefile; then
+  make distclean
+fi
+rm -rf *~ *.cache *.m4 config.guess config.log \
+        config.status config.sub depcomp ltmain.sh
+autoreconf --verbose --install --force
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..336542a
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,281 @@
+dnl -*- mode: m4; -*-
+
+AC_PREREQ(2.60)
+
+define([PACKAGE_VERSION_MAJOR], [0])
+define([PACKAGE_VERSION_MINOR], [2])
+define([PACKAGE_VERSION_FIX], [9])
+define([PACKAGE_SUFFIX], [-svn-r201])
+
+AC_INIT([libp11],[PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX])
+AC_CONFIG_AUX_DIR([.])
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_MACRO_DIR([m4])
+AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}])
+
+LIBP11_VERSION_MAJOR="PACKAGE_VERSION_MAJOR"
+LIBP11_VERSION_MINOR="PACKAGE_VERSION_MINOR"
+LIBP11_VERSION_FIX="PACKAGE_VERSION_FIX"
+
+# LT Version numbers, remember to change them just *before* a release.
+#   (Code changed:                      REVISION++)
+#   (Oldest interface removed:          OLDEST++)
+#   (Interfaces added:                  CURRENT++, REVISION=0)
+LIBP11_LT_CURRENT="4"
+LIBP11_LT_OLDEST="2"
+LIBP11_LT_REVISION="0"
+LIBP11_LT_AGE="$((${LIBP11_LT_CURRENT}-${LIBP11_LT_OLDEST}))"
+
+AC_CONFIG_SRCDIR([src/libp11.h])
+
+AC_CANONICAL_HOST
+AC_PROG_CC
+PKG_PROG_PKG_CONFIG
+AC_C_BIGENDIAN
+
+AC_MSG_CHECKING([svn checkout])
+if test -e "${srcdir}/packaged"; then
+        svn_checkout="no"
+else
+        svn_checkout="yes"
+fi
+AC_MSG_RESULT([${svn_checkout}])
+
+AC_ARG_WITH(
+        [cygwin-native],
+        [AS_HELP_STRING([--with-cygwin-native],[compile native win32])],
+        ,
+        [with_cygwin_native="no"]
+)
+
+dnl Check for some target-specific stuff
+test -z "${WIN32}" && WIN32="no"
+test -z "${CYGWIN}" && CYGWIN="no"
+case "${host}" in
+        *-mingw*|*-winnt*)
+                WIN32="yes"
+                CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN"
+                WIN_LIBPREFIX="lib"
+        ;;
+        *-cygwin*)
+                AC_MSG_CHECKING([cygwin mode to use])
+                CYGWIN="yes"
+                if test "${with_cygwin_native}" = "yes"; then
+                        AC_MSG_RESULT([Using native win32])
+                        CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN"
+                        CFLAGS="${CFLAGS} -mno-cygwin"
+                        WIN32="yes"
+                else
+                        AC_MSG_RESULT([Using cygwin])
+                        CPPFLAGS="${CPPFLAGS} -DCRYPTOKI_FORCE_WIN32"
+                        WIN_LIBPREFIX="cyg"
+                        AC_DEFINE([USE_CYGWIN], [1], [Define if you are on Cygwin])
+                fi
+        ;;
+esac
+
+AC_ARG_ENABLE(
+        [strict],
+        [AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])],
+        ,
+        [enable_strict="no"]
+)
+
+AC_ARG_ENABLE(
+        [pedantic],
+        [AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])],
+        ,
+        [enable_pedantic="no"]
+)
+
+AC_ARG_ENABLE(
+        [doc],
+        [AS_HELP_STRING([--enable-doc],[enable installation of documents @<:@disabled@:>@])],
+        ,
+        [enable_doc="no"]
+)
+
+AC_ARG_ENABLE(
+        [api-doc],
+        [AS_HELP_STRING([--enable-api-doc],[enable generation and installation of api documents @<:@disabled@:>@])],
+        ,
+        [enable_api_doc="no"]
+)
+
+AC_ARG_WITH(
+        [apidocdir],
+        [AS_HELP_STRING([--with-apidocdir],[put API documents at this directory @<:@HTMLDIR/api@:>@])],
+        [apidocdir="${with_apidocdir}"],
+        [apidocdir="\$(htmldir)/api"]
+)
+
+dnl Checks for programs.
+AC_PROG_CPP
+AC_PROG_INSTALL
+AC_PROG_LN_S
+AC_PROG_MKDIR_P
+AC_PROG_SED
+AC_PROG_MAKE_SET
+
+dnl Add libtool support.
+ifdef(
+        [LT_INIT],
+        [
+                LT_INIT([win32-dll])
+                LT_LANG([Windows Resource])
+        ],
+        [
+                AC_LIBTOOL_WIN32_DLL
+                AC_LIBTOOL_RC
+                AC_PROG_LIBTOOL
+        ]
+)
+
+dnl Checks for header files.
+AC_HEADER_STDC
+AC_HEADER_SYS_WAIT
+AC_CHECK_HEADERS([ \
+        errno.h fcntl.h malloc.h stdlib.h \
+        inttypes.h string.h strings.h sys/time.h \
+        unistd.h locale.h getopt.h dlfcn.h utmp.h \
+])
+
+AC_CHECK_PROGS([DOXYGEN],[doxygen])
+test "${enable_api_doc}" = "yes" -a -z "${DOXYGEN}" && AC_MSG_ERROR([doxygen is required for api doc])
+
+dnl These required for svn checkout
+AC_ARG_VAR([XSLTPROC], [xsltproc utility])
+AC_ARG_VAR([SVN], [subversion utility])
+AC_ARG_VAR([WGET], [wget utility])
+AC_ARG_VAR([WGET_OPTS], [wget options])
+AC_ARG_VAR([TR], [tr utility])
+AC_CHECK_PROGS([XSLTPROC],[xsltproc])
+AC_CHECK_PROGS([SVN],[svn])
+AC_CHECK_PROGS([WGET],[wget])
+AC_CHECK_PROGS([TR],[tr])
+test -z "${WGET_OPTS}" && WGET_OPTS="-nv"
+
+dnl svn checkout dependencies
+if test "${svn_checkout}" = "yes"; then
+        AC_MSG_CHECKING([XSLTPROC requirement])
+        if test -n "${XSLTPROC}"; then
+                AC_MSG_RESULT([ok])
+        else
+                if test "${enable_doc}" = "yes"; then
+                        AC_MSG_ERROR([Missing XSLTPROC svn build with doc])
+                else
+                        AC_MSG_WARN(["make dist" will not work])
+                fi
+        fi
+
+        AC_MSG_CHECKING([svn doc build dependencies])
+        if test -n "${SVN}" -a -n "${TR}" -a -n "${WGET}"; then
+                AC_MSG_RESULT([ok])
+        else
+                if test "${enable_doc}" = "yes"; then
+                        AC_MSG_ERROR([Missing SVN, TR or WGET for svn doc build])
+                else
+                        AC_MSG_WARN(["make dist" will not work])
+                fi
+        fi
+fi
+
+AC_ARG_VAR([LTLIB_CFLAGS], [C compiler flags for libltdl])
+AC_ARG_VAR([LTLIB_LIBS], [linker flags for libltdl])
+if test -z "${LTLIB_LIBS}"; then
+        AC_CHECK_LIB(
+                [ltdl],
+                [lt_dlopen],
+                [LTLIB_LIBS="-lltdl"],
+                [AC_MSG_ERROR([ltdl not found, please install libltdl and/or libtool])]
+        )
+
+fi
+saved_CFLAGS="${CFLAGS}"
+CFLAGS="${CFLAGS} ${LTLIB_CFLAGS}"
+AC_CHECK_HEADER(
+        [ltdl.h],
+        ,
+        [AC_MSG_ERROR([ltdl.h not found, please install libltdl and/or libtool])]
+)
+CFLAGS="${saved_CFLAGS}"
+
+PKG_CHECK_MODULES(
+        [OPENSSL],
+        [libcrypto >= 0.9.7],
+        ,
+        [PKG_CHECK_MODULES(
+                [OPENSSL],
+                [openssl >= 0.9.7],
+                ,
+                [AC_CHECK_LIB(
+                        [crypto],
+                        [RSA_version],
+                        [OPENSSL_LIBS="-lcrypto"],
+                        [AC_MSG_ERROR([Cannot find OpenSSL])]
+                )]
+        )]
+)
+
+pkgconfigdir="\$(libdir)/pkgconfig"
+
+AC_SUBST([pkgconfigdir])
+AC_SUBST([apidocdir])
+AC_SUBST([LIBP11_VERSION_MAJOR])
+AC_SUBST([LIBP11_VERSION_MINOR])
+AC_SUBST([LIBP11_VERSION_FIX])
+AC_SUBST([LIBP11_LT_CURRENT])
+AC_SUBST([LIBP11_LT_REVISION])
+AC_SUBST([LIBP11_LT_AGE])
+AC_SUBST([LIBP11_LT_OLDEST])
+AC_SUBST([WIN_LIBPREFIX])
+
+AM_CONDITIONAL([SVN_CHECKOUT], [test "${svn_checkout}" = "yes"])
+AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
+AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
+AM_CONDITIONAL([ENABLE_DOC], [test "${enable_doc}" = "yes"])
+AM_CONDITIONAL([ENABLE_API_DOC], [test "${enable_api_doc}" = "yes"])
+
+if test "${enable_pedantic}" = "yes"; then
+        enable_strict="yes";
+        CFLAGS="${CFLAGS} -pedantic"
+fi
+if test "${enable_strict}" = "yes"; then
+        CFLAGS="${CFLAGS} -Wall -Wextra"
+fi
+
+AC_CONFIG_FILES([
+        Makefile
+        src/Makefile
+        src/libp11.pc
+        src/versioninfo.rc
+        doc/Makefile
+        doc/doxygen.conf
+        doc/nonpersistent/Makefile
+])
+AC_OUTPUT
+
+cat <<EOF
+
+libp11 has been configured with the following options:
+
+
+Version:                 ${PACKAGE_VERSION}
+Libraries:               $(eval eval eval echo "${libdir}")
+
+doc support:             ${enable_doc}
+api doc support:         ${enable_api_doc}
+
+Host:                    ${host}
+Compiler:                ${CC}
+Preprocessor flags:      ${CPPFLAGS}
+Compiler flags:          ${CFLAGS}
+Linker flags:            ${LDFLAGS}
+Libraries:               ${LIBS}
+
+LTLIB_CFLAGS:            ${LTLIB_CFLAGS}
+LTLIB_LIBS:              ${LTLIB_LIBS}
+OPENSSL_CFLAGS:          ${OPENSSL_CFLAGS}
+OPENSSL_LIBS:            ${OPENSSL_LIBS}
+
+EOF
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000..397b302
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,26 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+if ENABLE_DOC
+SUBDIRS = nonpersistent
+endif
+DIST_SUBDIRS = nonpersistent
+
+dist_doc_DATA = README
+dist_noinst_DATA = $(srcdir)/doxygen-footer.html $(srcdir)/*.gif
+
+if ENABLE_API_DOC
+
+apidoc_DATA=api.out/html/*
+
+api.out/html/*: api.out
+api.out:        $(top_srcdir)/src/*.h \
+                $(srcdir)/*.gif \
+                doxygen.conf
+        -rm -fr api.out
+        $(DOXYGEN) doxygen.conf
+        cp "$(srcdir)"/*.gif api.out/html
+
+endif
+
+clean-local:
+        -rm -fr api.out
diff --git a/doc/README b/doc/README
new file mode 100644
index 0000000..9019ef0
--- /dev/null
+++ b/doc/README
@@ -0,0 +1,10 @@
+This directory contains a snapshot of the LibP11 Wiki
+=====================================================
+
+The original wiki page is at http://www.opensc-project.org/libp11/
+and includes a bug tracker and source browser.
+
+The wiki was transformed to html using the export-wiki shell
+script and xsl style sheet. The original version is at 
+        http://www.twdata.org/trac-howto/
+
diff --git a/doc/doxygen.conf.in b/doc/doxygen.conf.in
new file mode 100644
index 0000000..f2876fb
--- /dev/null
+++ b/doc/doxygen.conf.in
@@ -0,0 +1,1310 @@
+# Doxyfile 1.5.4
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+#       TAG = value [value, ...]
+# For lists items can also be appended using:
+#       TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file that 
+# follow. The default is UTF-8 which is also the encoding used for all text before 
+# the first occurrence of this tag. Doxygen uses libiconv (or the iconv built into 
+# libc) for the transcoding. See http://www.gnu.org/software/libiconv for the list of 
+# possible encodings.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# by quotes) that should identify the project.
+
+PROJECT_NAME           = libp11
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
+# This could be handy for archiving the generated documentation or 
+# if some version control system is used.
+
+PROJECT_NUMBER         = @VERSION@
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
+# base path where the generated documentation will be put. 
+# If a relative path is entered, it will be relative to the location 
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = api.out
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
+# 4096 sub-directories (in 2 levels) under the output directory of each output 
+# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of 
+# source files, where putting all generated files in the same directory would 
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS         = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
+# documentation generated by doxygen is written. Doxygen will use this 
+# information to generate all constant output in the proper language. 
+# The default language is English, other supported languages are: 
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
+# Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, 
+# Italian, Japanese, Japanese-en (Japanese with English messages), Korean, 
+# Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, 
+# Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian.
+
+OUTPUT_LANGUAGE        = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
+# include brief member descriptions after the members that are listed in 
+# the file and class documentation (similar to JavaDoc). 
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
+# the brief description of a member or function before the detailed description. 
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator 
+# that is used to form the text in various listings. Each string 
+# in this list, if found as the leading text of the brief description, will be 
+# stripped from the text and the result after processing the whole list, is 
+# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically 
+# replaced with the name of the entity): "The $name class" "The $name widget" 
+# "The $name file" "is" "provides" "specifies" "contains" 
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF       = 
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
+# Doxygen will generate a detailed section even if there is only a brief 
+# description.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
+# inherited members of a class in the documentation of that class as if those 
+# members were ordinary class members. Constructors, destructors and assignment 
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
+# path before files name in the file list and in the header files. If set 
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES        = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
+# can be used to strip a user-defined part of the path. Stripping is 
+# only done if one of the specified strings matches the left-hand part of 
+# the path. The tag can be used to show relative paths in the file list. 
+# If left blank the directory from which doxygen is run is used as the 
+# path to strip.
+
+STRIP_FROM_PATH        = @top_srcdir@/src
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
+# the path mentioned in the documentation of a class, which tells 
+# the reader which header file to include in order to use a class. 
+# If left blank only the name of the header file containing the class 
+# definition is used. Otherwise one should specify the include paths that 
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH    = 
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
+# (but less readable) file names. This can be useful is your file systems 
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
+# will interpret the first line (until the first dot) of a JavaDoc-style 
+# comment as the brief description. If set to NO, the JavaDoc 
+# comments will behave just like regular Qt-style comments 
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF      = YES
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will 
+# interpret the first line (until the first dot) of a Qt-style 
+# comment as the brief description. If set to NO, the comments 
+# will behave just like regular Qt-style comments (thus requiring 
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
+# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
+# comments) as a brief description. This used to be the default behaviour. 
+# The new default is to treat a multi-line C++ comment block as a detailed 
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member 
+# documentation.
+
+DETAILS_AT_TOP         = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
+# member inherits the documentation from any documented member that it 
+# re-implements.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
+# a new page for each member. If set to NO, the documentation of a member will 
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE               = 8
+
+# This tag can be used to specify a number of aliases that acts 
+# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
+# put the command \sideeffect (or @sideeffect) in the documentation, which 
+# will result in a user-defined paragraph with heading "Side Effects:". 
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES                = 
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
+# sources only. Doxygen will then generate output that is more tailored for C. 
+# For instance, some of the names that are used will be different. The list 
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C  = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
+# sources only. Doxygen will then generate output that is more tailored for Java. 
+# For instance, namespaces will be presented as packages, qualified scopes 
+# will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to 
+# include (a tag file for) the STL sources as input, then you should 
+# set this tag to YES in order to let doxygen match functions declarations and 
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
+# func(std::string) {}). This also make the inheritance and collaboration 
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. 
+# Doxygen will parse them like normal C++ but will assume all classes use public 
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT            = NO
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
+# tag is set to YES, then doxygen will reuse the documentation of the first 
+# member in the group (if any) for the other members of the group. By default 
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
+# the same type (for instance a group of public functions) to be put as a 
+# subgroup of that type (e.g. under the Public Functions section). Set it to 
+# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# the \nosubgrouping command.
+
+SUBGROUPING            = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct (or union) is 
+# documented as struct with the name of the typedef. So 
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
+# with name TypeT. When disabled the typedef will appear as a member of a file, 
+# namespace, or class. And the struct will be named TypeS. This can typically 
+# be useful for C code where the coding convention is that all structs are 
+# typedef'ed and only the typedef is referenced never the struct's name.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
+# documentation are documented, even if no documentation was available. 
+# Private class members and static file members will be hidden unless 
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL            = NO
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
+# will be included in the documentation.
+
+EXTRACT_PRIVATE        = NO
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# will be included in the documentation.
+
+EXTRACT_STATIC         = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
+# defined locally in source files will be included in the documentation. 
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. When set to YES local 
+# methods, which are defined in the implementation section but not in 
+# the interface are included in the documentation. 
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be extracted 
+# and appear in the documentation as a namespace called 'anonymous_namespace{file}', 
+# where file will be replaced with the base name of the file that contains the anonymous 
+# namespace. By default anonymous namespace are hidden.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
+# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the 
+# various overviews, but no documentation section is generated. 
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
+# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various 
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
+# friend (class|struct|union) declarations. 
+# If set to NO (the default) these declarations will be included in the 
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
+# documentation blocks found inside the body of a function. 
+# If set to NO (the default) these blocks will be appended to the 
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation 
+# that is typed after a \internal command is included. If the tag is set 
+# to NO (the default) then the documentation will be excluded. 
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
+# file names in lower-case letters. If set to YES upper-case letters are also 
+# allowed. This is useful if you have classes or files whose names only differ 
+# in case and if your file system supports case sensitive file names. Windows 
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES       = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
+# will show members with their full class and namespace scopes in the 
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES       = YES
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
+# will put a list of the files that are included by a file in the documentation 
+# of that file.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# is inserted in the documentation for inline members.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
+# will sort the (detailed) documentation of file and class members 
+# alphabetically by member name. If set to NO the members will appear in 
+# declaration order.
+
+SORT_MEMBER_DOCS       = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
+# brief documentation of file, namespace and class members alphabetically 
+# by member name. If set to NO (the default) the members will appear in 
+# declaration order.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
+# sorted by fully-qualified names, including namespaces. If set to 
+# NO (the default), the class list will be sorted only by class name, 
+# not including the namespace part. 
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the 
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or 
+# disable (NO) the todo list. This list is created by putting \todo 
+# commands in the documentation.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or 
+# disable (NO) the test list. This list is created by putting \test 
+# commands in the documentation.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or 
+# disable (NO) the bug list. This list is created by putting \bug 
+# commands in the documentation.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
+# disable (NO) the deprecated list. This list is created by putting 
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional 
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS       = 
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
+# the initial value of a variable or define consists of for it to appear in 
+# the documentation. If the initializer consists of more lines than specified 
+# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and defines in the 
+# documentation can be controlled using \showinitializer or \hideinitializer 
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
+# at the bottom of the documentation of classes and structs. If set to YES the 
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES        = YES
+
+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
+# doxygen should invoke to get the current version for each file (typically from the 
+# version control system). Doxygen will invoke the program by executing (via 
+# popen()) the command <command> <input-file>, where <command> is the value of 
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
+# provided by doxygen. Whatever the program writes to standard output 
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated 
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are 
+# generated by doxygen. Possible values are YES and NO. If left blank 
+# NO is used.
+
+WARNINGS               = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED   = NO
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
+# potential errors in the documentation, such as not documenting some 
+# parameters in a documented function, or documenting parameters that 
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for 
+# functions that are documented, but have no documentation for their parameters 
+# or return value. If set to NO (the default) doxygen will only warn about 
+# wrong or incomplete parameter documentation, but not about the absence of 
+# documentation.
+
+WARN_NO_PARAMDOC       = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that 
+# doxygen can produce. The string should contain the $file, $line, and $text 
+# tags, which will be replaced by the file and line number from which the 
+# warning originated and the warning text. Optionally the format may contain 
+# $version, which will be replaced by the version of the file (if it could 
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT            = "$file:$line: $text  "
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning 
+# and error messages should be written. If left blank the output is written 
+# to stderr.
+
+WARN_LOGFILE           = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain 
+# documented source files. You may enter file names like "myfile.cpp" or 
+# directories like "/usr/src/myproject". Separate the files or directories 
+# with spaces.
+
+INPUT                  = @top_srcdir@/src
+
+# This tag can be used to specify the character encoding of the source files that 
+# doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default 
+# input encoding. Doxygen uses libiconv (or the iconv built into libc) for the transcoding. 
+# See http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the 
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank the following patterns are tested: 
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+
+FILE_PATTERNS          = libp11.h
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
+# should be searched for input files as well. Possible values are YES and NO. 
+# If left blank NO is used.
+
+RECURSIVE              = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should 
+# excluded from the INPUT source files. This way you can easily exclude a 
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE                = 
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
+# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# from the input.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the 
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
+# certain files from those directories. Note that the wildcards are matched 
+# against the file with absolute path, so to exclude all test directories 
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       = */.svn/*
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names 
+# (namespaces, classes, functions, etc.) that should be excluded from the output. 
+# The symbol name can be a fully qualified name, a word, or if the wildcard * is used, 
+# a substring. Examples: ANamespace, AClass, AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS        = 
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or 
+# directories that contain example code fragments that are included (see 
+# the \include command).
+
+EXAMPLE_PATH           = 
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank all files are included.
+
+EXAMPLE_PATTERNS       = 
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
+# searched for input files to be used with the \include or \dontinclude 
+# commands irrespective of the value of the RECURSIVE tag. 
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or 
+# directories that contain image that are included in the documentation (see 
+# the \image command).
+
+IMAGE_PATH             = 
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should 
+# invoke to filter for each input file. Doxygen will invoke the filter program 
+# by executing (via popen()) the command <filter> <input-file>, where <filter> 
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
+# input file. Doxygen will then use the output that the filter program writes 
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# ignored.
+
+INPUT_FILTER           = 
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
+# basis.  Doxygen will compare the file name with each pattern and apply the 
+# filter if there is a match.  The filters are a list of the form: 
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# is applied to all files.
+
+FILTER_PATTERNS        = 
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
+# INPUT_FILTER) will be used to filter the input files when producing source 
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES    = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
+# be generated. Documented entities will be cross-referenced with these sources. 
+# Note: To get rid of all source code in the generated output, make sure also 
+# VERBATIM_HEADERS is set to NO. If you have enabled CALL_GRAPH or CALLER_GRAPH 
+# then you must also enable this option. If you don't then doxygen will produce 
+# a warning and turn it on anyway
+
+SOURCE_BROWSER         = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body 
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
+# doxygen to hide any special comment blocks from generated source code 
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES (the default) 
+# then for each documented function all documented 
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES (the default) 
+# then for each documented function all documented entities 
+# called/used by that function will be listed.
+
+REFERENCES_RELATION    = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.  Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code 
+# will point to the HTML generated by the htags(1) tool instead of doxygen 
+# built-in source browser. The htags tool is part of GNU's global source 
+# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# will need version 4.8.6 or higher.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
+# will generate a verbatim copy of the header file for each class for 
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS       = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
+# of all compounds will be generated. Enable this if the project 
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX     = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all 
+# classes will be put under the same header in the alphabetical index. 
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX          = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# generate HTML output.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT            = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard header.
+
+HTML_HEADER            = 
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard footer.
+
+HTML_FOOTER            = @srcdir@/doxygen-footer.html
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
+# style sheet that is used by each HTML page. It can be used to 
+# fine-tune the look of the HTML output. If the tag is left blank doxygen 
+# will generate a default style sheet. Note that doxygen will try to copy 
+# the style sheet file to the HTML output directory, so don't put your own 
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET        = 
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS     = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
+# will be generated that can be used as input for tools like the 
+# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) 
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML 
+# documentation will contain sections that can be hidden and shown after the 
+# page has loaded. For this to work a browser that supports 
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox 
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
+# be used to specify the file name of the resulting .chm file. You 
+# can add a path in front of the file if the result should not be 
+# written to the html output directory.
+
+CHM_FILE               = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
+# be used to specify the location (absolute path including file name) of 
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION           = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
+# controls if a separate .chi index file is generated (YES) or that 
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI           = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
+# controls whether a binary table of contents is generated (YES) or a 
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND             = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
+# top of each HTML page. The value NO (the default) enables the index and 
+# the value YES disables it.
+
+DISABLE_INDEX          = NO
+
+# This tag can be used to set the number of enum values (range [1..20]) 
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
+# generated containing a tree-like index structure (just like the one that 
+# is generated for HTML Help). For this to work a browser that supports 
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
+# probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW      = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
+# used to set the initial width (in pixels) of the frame in which the tree 
+# is shown.
+
+TREEVIEW_WIDTH         = 250
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
+# generate Latex output.
+
+GENERATE_LATEX         = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
+# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# default command name.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
+# LaTeX documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used 
+# by the printer. Possible values are: a4, a4wide, letter, legal and 
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE             = a4wide
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES         = 
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
+# the generated latex document. The header should contain everything until 
+# the first chapter. If it is left blank doxygen will generate a 
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER           = 
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
+# contain links (just like the HTML output) instead of page references 
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS         = NO
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
+# plain latex in the generated Makefile. Set this option to YES to get a 
+# higher quality PDF documentation.
+
+USE_PDFLATEX           = NO
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
+# command to the generated LaTeX files. This will instruct LaTeX to keep 
+# running if errors occur, instead of asking the user for help. 
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE        = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
+# include the index chapters (such as File Index, Compound Index, etc.) 
+# in the output.
+
+LATEX_HIDE_INDICES     = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
+# The RTF output is optimized for Word 97 and may not look very pretty with 
+# other RTF readers or editors.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
+# RTF documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
+# will contain hyperlink fields. The RTF file will 
+# contain links (just like the HTML output) instead of page references. 
+# This makes the output suitable for online browsing using WORD or other 
+# programs which support those fields. 
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's 
+# config file, i.e. a series of assignments. You only have to provide 
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE    = 
+
+# Set optional variables used in the generation of an rtf document. 
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
+# generate man pages
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to 
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION          = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
+# then it will generate one additional man file for each entity 
+# documented in the real man page(s). These additional files 
+# only source the real man page, but without them the man command 
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will 
+# generate an XML file that captures the structure of 
+# the code including all documentation.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT             = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
+# dump the program listings (including syntax highlighting 
+# and cross-referencing information) to the XML output. Note that 
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
+# generate an AutoGen Definitions (see autogen.sf.net) file 
+# that captures the structure of the code including all 
+# documentation. Note that this feature is still experimental 
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
+# generate a Perl module file that captures the structure of 
+# the code including all documentation. Note that this 
+# feature is still experimental and incomplete at the 
+# moment.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
+# nicely formatted so it can be parsed by a human reader.  This is useful 
+# if you want to understand what is going on.  On the other hand, if this 
+# tag is set to NO the size of the Perl module output will be much smaller 
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file 
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
+# This is useful so different doxyrules.make files included by the same 
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX = 
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor   
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
+# evaluate all C-preprocessor directives found in the sources and include 
+# files.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
+# names in the source code. If set to NO (the default) only conditional 
+# compilation will be performed. Macro expansion can be done in a controlled 
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION        = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
+# then the macro expansion is limited to the macros specified with the 
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that 
+# contain include files that are not input files but should be processed by 
+# the preprocessor.
+
+INCLUDE_PATH           = 
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
+# patterns (like *.h and *.hpp) to filter out the header-files in the 
+# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# be used.
+
+INCLUDE_FILE_PATTERNS  = 
+
+# The PREDEFINED tag can be used to specify one or more macro names that 
+# are defined before the preprocessor is started (similar to the -D option of 
+# gcc). The argument of the tag is a list of macros of the form: name 
+# or name=definition (no spaces). If the definition and the = are 
+# omitted =1 is assumed. To prevent a macro definition from being 
+# undefined via #undef or recursively expanded use the := operator 
+# instead of the = operator.
+
+PREDEFINED             = 
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
+# this tag can be used to specify a list of macro names that should be expanded. 
+# The macro definition that is found in the sources will be used. 
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED      = 
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
+# doxygen's preprocessor will remove all function-like macros that are alone 
+# on a line, have an all uppercase name, and do not end with a semicolon. Such 
+# function macros are typically used for boiler-plate code, and will confuse 
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references   
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles. 
+# Optionally an initial location of the external documentation 
+# can be added for each tagfile. The format of a tag file without 
+# this location is as follows: 
+#   TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: 
+#   TAGFILES = file1=loc1 "file2 = loc2" ... 
+# where "loc1" and "loc2" can be relative or absolute paths or 
+# URLs. If a location is present for each tag, the installdox tool 
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen 
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES               = 
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE       = 
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
+# in the class index. If set to NO only the inherited external classes 
+# will be listed.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
+# in the modules index. If set to NO, only the current project's groups will 
+# be listed.
+
+EXTERNAL_GROUPS        = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script 
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH              = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool   
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
+# or super classes. Setting the tag to NO turns the diagrams off. Note that 
+# this option is superseded by the HAVE_DOT option below. This is only a 
+# fallback. It is recommended to install and use dot, since it yields more 
+# powerful graphs.
+
+CLASS_DIAGRAMS         = YES
+
+# You can define message sequence charts within doxygen comments using the \msc 
+# command. Doxygen will then run the mscgen tool (see http://www.mcternan.me.uk/mscgen/) to 
+# produce the chart and insert it in the documentation. The MSCGEN_PATH tag allows you to 
+# specify the directory where the mscgen tool resides. If left empty the tool is assumed to 
+# be found in the default search path.
+
+MSCGEN_PATH            = 
+
+# If set to YES, the inheritance and collaboration graphs will hide 
+# inheritance and usage relations if the target is undocumented 
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
+# available from the path. This tool is part of Graphviz, a graph visualization 
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT               = NO
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect inheritance relations. Setting this tag to YES will force the 
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect implementation dependencies (inheritance, containment, and 
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
+# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# Language.
+
+UML_LOOK               = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the 
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
+# tags are set to YES then doxygen will generate a graph for each documented 
+# file showing the direct and indirect include dependencies of the file with 
+# other documented files.
+
+INCLUDE_GRAPH          = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
+# documented header file showing the documented files that directly or 
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will 
+# generate a call dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable call graphs for selected 
+# functions only using the \callgraph command.
+
+CALL_GRAPH             = NO
+
+# If the CALLER_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will 
+# generate a caller dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable caller graphs for selected 
+# functions only using the \callergraph command.
+
+CALLER_GRAPH           = NO
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
+# then doxygen will show the dependencies a directory has on other directories 
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT       = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH               = 
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that 
+# contain dot files that are included in the documentation (see the 
+# \dotfile command).
+
+DOTFILE_DIRS           = 
+
+# The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of 
+# nodes that will be shown in the graph. If the number of nodes in a graph 
+# becomes larger than this value, doxygen will truncate the graph, which is 
+# visualized by representing a node as a red box. Note that doxygen if the number 
+# of direct children of the root node in a graph is already larger than 
+# MAX_DOT_GRAPH_NOTES then the graph will not be shown at all. Also note 
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
+# graphs generated by dot. A depth value of 3 means that only nodes reachable 
+# from the root by following a path via at most 3 edges will be shown. Nodes 
+# that lay further from the root node will be omitted. Note that setting this 
+# option to 1 or 2 may greatly reduce the computation time needed for large 
+# code bases. Also note that the size of a graph can be further restricted by 
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
+# background. This is disabled by default, which results in a white background. 
+# Warning: Depending on the platform used, enabling this option may lead to 
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to 
+# read).
+
+DOT_TRANSPARENT        = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
+# files in one run (i.e. multiple -o and -T options on the command line). This 
+# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
+# generate a legend page explaining the meaning of the various boxes and 
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
+# remove the intermediate dot files that are used to generate 
+# the various graphs.
+
+DOT_CLEANUP            = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine   
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE           = NO
diff --git a/doc/nonpersistent/Makefile.am b/doc/nonpersistent/Makefile.am
new file mode 100644
index 0000000..e67c6af
--- /dev/null
+++ b/doc/nonpersistent/Makefile.am
@@ -0,0 +1,59 @@
+MAINTAINERCLEANFILES = \
+        $(srcdir)/Makefile.in
+
+wikidir=$(htmldir)/wiki
+
+dist_noinst_SCRIPTS = export-wiki.sh export-wiki.xsl \
+        svn2cl.xsl 
+dist_wiki_DATA = wiki.out/*
+dist_noinst_DATA = ChangeLog
+
+if SVN_CHECKOUT
+
+wiki.out/*:     wiki.out
+wiki.out:
+        -rm -fr wiki.out
+        test -n "$(WGET)" -a -n "$(SED)" -a -n "$(TR)" -a -n "$(XSLTPROC)"
+        WGET="$(WGET)" WGET_OPTS="$(WGET_OPTS)" SED="$(SED)" TR="$(TR)" XSLTPROC="$(XSLTPROC)" \
+                PROJECT="@PACKAGE_NAME@" \
+                $(SHELL) "$(srcdir)/export-wiki.sh" "$(srcdir)" "wiki.tmp"
+        mv wiki.tmp wiki.out
+
+ChangeLog:
+        test -n "$(SVN)" -a -n "$(XSLTPROC)"
+        if test -d "$(top_srcdir)/.svn"; then \
+                $(SVN) --verbose --xml log "$(top_srcdir)" | \
+                        $(XSLTPROC) --nonet --stringparam linelen 75 \
+                        --stringparam groupbyday no \
+                        --stringparam include-rev no \
+                        "$(srcdir)/svn2cl.xsl" - > ChangeLog.tmp; \
+        else \
+                echo "Warning: Unable to generate ChangeLog from none svn checkout" >&2; \
+                echo > ChangeLog.tmp; \
+        fi
+        mv ChangeLog.tmp ChangeLog
+
+else
+
+wiki.out/*:     $(abs_builddir)/wiki.out
+$(abs_builddir)/wiki.out:
+        $(LN_S) "$(srcdir)/wiki.out" wiki.out
+
+ChangeLog:
+        $(LN_S) "$(srcdir)/ChangeLog" ChangeLog
+
+endif
+
+distclean-local:
+        -rm -rf wiki.tmp
+        if test -L wiki.out; then \
+                rm -fr wiki.out; \
+        fi
+        -rm -fr ChangeLog.tmp
+        if test -L ChangeLog; then \
+                rm -fr ChangeLog; \
+        fi
+
+maintainer-clean-local:
+        -rm -rf "$(srcdir)/wiki.out"
+        -rm -rf "$(srcdir)/ChangeLog"
diff --git a/doc/nonpersistent/export-wiki.sh b/doc/nonpersistent/export-wiki.sh
new file mode 100755
index 0000000..956fb21
--- /dev/null
+++ b/doc/nonpersistent/export-wiki.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+set -e
+
+test -z "$XSLTPROC" && XSLTPROC="xsltproc"
+test -z "$WGET" && WGET="wget"
+test -z "$WGET_OPTS" && WGET_OPTS="$WGET_OPTS"
+test -z "$SED" && SED="sed"
+test -z "$TR" && TR="tr"
+
+test -z "$SERVER" && SERVER="http://www.opensc-project.org"
+test -z "$PROJECT" && PROJECT="opensc"
+
+SRCDIR=.
+OUTDIR=.
+test -n "$1" && SRCDIR="$1"
+test -n "$2" && OUTDIR="$2"
+
+WIKI="$PROJECT/wiki"
+XSL="$SRCDIR/export-wiki.xsl"
+
+test -f "$SRCDIR"/`basename $0`
+
+test -e "$OUTDIR" && rm -fr "$OUTDIR"
+
+mkdir "$OUTDIR" || exit 1
+
+$WGET $WGET_OPTS $SERVER/$WIKI/TitleIndex -O "$OUTDIR"/TitleIndex.tmp
+
+$SED -e "s#</li>#</li>\n#g" < "$OUTDIR"/TitleIndex.tmp \
+        | grep "\"/$WIKI/[^\"]*\"" \
+        |$SED -e "s#.*\"/$WIKI/\([^\"]*\)\".*#\1#g" \
+        > "$OUTDIR"/WikiWords.tmp
+$SED -e /^Trac/d -e /^Wiki/d -e /^TitleIndex/d -e /^RecentChanges/d \
+        -e /^CamelCase/d -e /^SandBox/d -e /^InterMapTxt/d -e /^InterWiki/d \
+        -e /^InterTrac/d -i "$OUTDIR"/WikiWords.tmp
+
+for A in WikiStart `cat "$OUTDIR"/WikiWords.tmp`
+do
+        F=`echo $A|$SED -e 's/\//_/g'`
+        $WGET $WGET_OPTS $SERVER/$WIKI/$A  -O "$OUTDIR"/$F.tmp
+        $XSLTPROC --nonet --output "$OUTDIR"/$F.html "$XSL" "$OUTDIR"/$F.tmp
+        $SED -e "s#<a href=\"/$WIKI/\([^\"]*\)\"#<a href=\"\1.html\"#g" \
+                -i "$OUTDIR"/$F.html
+done
+
+mv "$OUTDIR"/WikiStart.html "$OUTDIR"/index.html
+
+$WGET $WGET_OPTS http://www.opensc-project.org/trac/css/trac.css \
+        -O "$OUTDIR"/trac.css
+
+cat "$OUTDIR"/*.html |grep "<img src=\"/$PROJECT/attachment/wiki" \
+        |$SED -e 's/.*<img src="\/'$PROJECT'\/attachment\/wiki\/\([^"]*\)?format=raw".*/\1/g' \
+        |sort -u |while read A
+do
+        B="`echo $A |$TR / _`"
+        $WGET $WGET_OPTS "$SERVER/$PROJECT/attachment/wiki/$A?format=raw" -O "$OUTDIR"/$B
+        for C in "${OUTDIR}"/*.html
+        do
+                $SED -e 's#\/'$PROJECT'\/attachment\/wiki\/'$A'?format=raw#'$B'#g' -i "$C"
+        done
+done
+
+for A in "${OUTDIR}"/*.html
+do
+        $SED -e 's#href="/'$PROJECT'/wiki/\([^"]*\)"#href="\1.html"#g' \
+                -i $A
+done
+
+rm "$OUTDIR"/*.tmp
+exit 0
diff --git a/doc/nonpersistent/export-wiki.xsl b/doc/nonpersistent/export-wiki.xsl
new file mode 100644
index 0000000..30a600e
--- /dev/null
+++ b/doc/nonpersistent/export-wiki.xsl
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns="http://www.w3.org/1999/xhtml"
+xmlns:html="http://www.w3.org/1999/xhtml">
+        <xsl:output method="html" indent="yes"/>
+  
+  <xsl:template match="/">
+    <xsl:apply-templates />
+  </xsl:template>
+  
+  <xsl:template match="/html:html">
+      <html>
+        <head>
+          <title><xsl:value-of select="/html:html/html:head/html:title" /></title>
+          <style type="text/css">
+           @import url(trac.css);
+          </style>
+        </head>
+        <body>
+          <xsl:apply-templates select="//html:div[@class='wiki']" />
+          <div class="footer">
+            <hr />
+            <p><a href="index.html">Back to Index</a></p>
+          </div>
+        </body>
+      </html>
+  </xsl:template>
+  
+  <xsl:template match="/pages">
+      <html>
+        <head>
+          <title>Wiki Index</title>
+          <style type="text/css">
+           @import url(trac.css);
+          </style>
+        </head>
+        <body>
+          <h1>Index of Wiki Pages</h1>
+          <ul>
+          <xsl:apply-templates select="page" />
+          </ul>
+        </body>
+      </html>
+  </xsl:template>
+  
+  <xsl:template match="page">
+    <li><a href="{.}.html"><xsl:value-of select="." /></a></li>
+  </xsl:template>
+  
+  <xsl:template match="node()|@*" priority="-1">
+    <xsl:copy>
+      <xsl:apply-templates select="@*|node()"/>
+    </xsl:copy>
+  </xsl:template>
+ 
+</xsl:stylesheet>
+
diff --git a/doc/nonpersistent/svn2cl.xsl b/doc/nonpersistent/svn2cl.xsl
new file mode 100755
index 0000000..3672035
--- /dev/null
+++ b/doc/nonpersistent/svn2cl.xsl
@@ -0,0 +1,295 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+
+   svn2cl.xsl - xslt stylesheet for converting svn log to a normal
+                changelog
+
+   Usage (replace ++ with two minus signs):
+     svn ++verbose ++xml log | \
+       xsltproc ++stringparam strip-prefix `basename $(pwd)` \
+                ++stringparam linelen 75 \
+                ++stringparam groupbyday yes \
+                ++stringparam include-rev yes \
+                svn2cl.xsl - > ChangeLog
+
+   This file is based on several implementations of this conversion
+   that I was not completely happy with and some other common
+   xslt constructs found on the web.
+
+   Copyright (C) 2004, 2005 Arthur de Jong.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in
+      the documentation and/or other materials provided with the
+      distribution.
+   3. The name of the author may not be used to endorse or promote
+      products derived from this software without specific prior
+      written permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+   IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+   ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+   DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+   GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+   IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+   OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+   IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-->
+
+<!DOCTYPE page [
+ <!ENTITY tab "&#9;">
+ <!ENTITY newl "&#13;">
+ <!ENTITY space "&#32;">
+]>
+
+<!--
+   TODO
+   - make external lookups of author names possible
+   - find a place for revision numbers
+   - mark deleted files as such
+   - combine paths
+   - make path formatting nicer
+-->
+
+<xsl:stylesheet
+  version="1.0"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+  xmlns="http://www.w3.org/1999/xhtml">
+
+ <xsl:output
+   method="text"
+   encoding="iso-8859-15"
+   media-type="text/plain"
+   omit-xml-declaration="yes"
+   standalone="yes"
+   indent="no" />
+
+ <xsl:strip-space elements="*" />
+
+ <!-- the prefix of pathnames to strip -->
+ <xsl:param name="strip-prefix" select="'/'" />
+
+ <!-- the length of a line to wrap messages at -->
+ <xsl:param name="linelen" select="75" />
+ 
+ <!-- whether entries should be grouped by day -->
+ <xsl:param name="groupbyday" select="'no'" />
+
+ <!-- whether entries should be grouped by day -->
+ <xsl:param name="include-rev" select="'no'" />
+
+ <!-- add newlines at the end of the changelog -->
+ <xsl:template match="log">
+  <xsl:apply-templates/>
+  <xsl:text>&newl;</xsl:text>
+ </xsl:template>
+
+ <!-- format one entry from the log -->
+ <xsl:template match="logentry">
+  <!-- save log entry number -->
+  <xsl:variable name="pos" select="position()"/>
+  <!-- fetch previous entry's date -->
+  <xsl:variable name="prevdate">
+   <xsl:apply-templates select="../logentry[position()=(($pos)-1)]/date"/>
+  </xsl:variable>
+  <!-- fetch previous entry's author -->
+  <xsl:variable name="prevauthor">
+   <xsl:apply-templates select="../logentry[position()=(($pos)-1)]/author"/>
+  </xsl:variable>
+  <!-- fetch this entry's date -->
+  <xsl:variable name="date">
+   <xsl:apply-templates select="date" />
+  </xsl:variable>
+  <!-- fetch this entry's author -->
+  <xsl:variable name="author">
+   <xsl:apply-templates select="author" />
+  </xsl:variable>
+  <!-- check if header is changed -->
+  <xsl:if test="($prevdate!=$date) or ($prevauthor!=$author)">
+   <!-- add newline -->
+   <xsl:if test="not(position()=1)">
+     <xsl:text>&newl;</xsl:text>
+   </xsl:if>
+   <!-- date -->
+   <xsl:apply-templates select="date" />
+   <!-- two spaces -->
+   <xsl:text>&space;&space;</xsl:text>
+   <!-- author's name -->
+   <xsl:apply-templates select="author" />
+   <!-- two newlines -->
+   <xsl:text>&newl;&newl;</xsl:text>
+  </xsl:if>
+  <!-- get paths string -->
+  <xsl:variable name="paths">
+   <xsl:apply-templates select="paths" />
+  </xsl:variable>
+  <!-- get revision number -->
+  <xsl:variable name="rev">
+   <xsl:if test="$include-rev='yes'">
+    <xsl:text>[r</xsl:text>
+    <xsl:value-of select="@revision"/>
+    <xsl:text>]&space;</xsl:text>
+   </xsl:if>
+  </xsl:variable>
+  <!-- first line is indented (other indents are done in wrap template) -->
+  <xsl:text>&tab;*&space;</xsl:text>
+  <!-- print the paths and message nicely wrapped -->
+  <xsl:call-template name="wrap">
+   <xsl:with-param name="txt" select="concat($rev,$paths,normalize-space(msg))" />
+  </xsl:call-template>
+ </xsl:template>
+
+ <!-- format date -->
+ <xsl:template match="date">
+  <xsl:variable name="date" select="normalize-space(.)" />
+  <!-- output date part -->
+  <xsl:value-of select="substring($date,1,10)" />
+  <!-- output time part -->
+  <xsl:if test="$groupbyday!='yes'">
+   <xsl:text>&space;</xsl:text>
+   <xsl:value-of select="substring($date,12,5)" />
+  </xsl:if>
+ </xsl:template>
+
+ <!-- format author -->
+ <xsl:template match="author">
+  <xsl:value-of select="normalize-space(.)" />
+ </xsl:template>
+
+ <!-- present a list of paths names -->
+ <xsl:template match="paths">
+  <xsl:for-each select="path">
+   <xsl:sort select="normalize-space(.)" data-type="text" />
+   <!-- unless we are the first entry, add a comma -->
+   <xsl:if test="not(position()=1)">
+    <xsl:text>,&space;</xsl:text>
+   </xsl:if>
+   <!-- print the path name -->
+   <xsl:apply-templates select="."/>
+  </xsl:for-each>
+  <!-- end the list with a colon -->
+  <xsl:text>:&space;</xsl:text>
+ </xsl:template>
+
+ <!-- transform path to something printable -->
+ <xsl:template match="path">
+  <!-- fetch the pathname -->
+  <xsl:variable name="p1" select="normalize-space(.)" />
+  <!-- strip leading slash -->
+  <xsl:variable name="p2">
+   <xsl:choose>
+    <xsl:when test="starts-with($p1,'/')">
+     <xsl:value-of select="substring($p1,2)" />
+    </xsl:when>
+    <xsl:otherwise>
+     <xsl:value-of select="$p1" />
+    </xsl:otherwise>
+   </xsl:choose>
+  </xsl:variable>
+  <!-- strip trailing slash from strip-prefix -->
+  <xsl:variable name="sp">
+   <xsl:choose>
+    <xsl:when test="substring($strip-prefix,string-length($strip-prefix),1)='/'">
+     <xsl:value-of select="substring($strip-prefix,1,string-length($strip-prefix)-1)" />
+    </xsl:when>
+    <xsl:otherwise>
+     <xsl:value-of select="$strip-prefix" />
+    </xsl:otherwise>
+   </xsl:choose>
+  </xsl:variable>
+  <!-- strip strip-prefix -->
+  <xsl:variable name="p3">
+   <xsl:choose>
+    <xsl:when test="starts-with($p2,$sp)">
+     <xsl:value-of select="substring($p2,1+string-length($sp))" />
+    </xsl:when>
+    <xsl:otherwise>
+     <!-- TODO: do not print strings that do not begin with strip-prefix -->
+     <xsl:value-of select="$p2" />
+    </xsl:otherwise>
+   </xsl:choose>
+  </xsl:variable>
+  <!-- strip another slash -->
+  <xsl:variable name="p4">
+   <xsl:choose>
+    <xsl:when test="starts-with($p3,'/')">
+     <xsl:value-of select="substring($p3,2)" />
+    </xsl:when>
+    <xsl:otherwise>
+     <xsl:value-of select="$p3" />
+    </xsl:otherwise>
+   </xsl:choose>
+  </xsl:variable>
+  <!-- translate empty string to dot -->
+  <xsl:choose>
+   <xsl:when test="$p4 = ''">
+    <xsl:text>.</xsl:text>
+   </xsl:when>
+   <xsl:otherwise>
+    <xsl:value-of select="$p4" />
+   </xsl:otherwise>
+  </xsl:choose>
+ </xsl:template>
+
+ <!-- string-wrapping template -->
+ <xsl:template name="wrap">
+  <xsl:param name="txt" />
+  <xsl:choose>
+   <xsl:when test="(string-length($txt) &lt; (($linelen)-9)) or not(contains($txt,' '))">
+    <!-- this is easy, nothing to do -->
+    <xsl:value-of select="$txt" />
+    <!-- add newline -->
+    <xsl:text>&newl;</xsl:text>
+   </xsl:when>
+   <xsl:otherwise>
+    <!-- find the first line -->
+    <xsl:variable name="tmp" select="substring($txt,1,(($linelen)-10))" />
+    <xsl:variable name="line">
+     <xsl:choose>
+      <xsl:when test="contains($tmp,' ')">
+       <xsl:call-template name="find-line">
+        <xsl:with-param name="txt" select="$tmp" />
+       </xsl:call-template>
+      </xsl:when>
+      <xsl:otherwise>
+       <xsl:value-of select="substring-before($txt,' ')" />
+      </xsl:otherwise>
+     </xsl:choose>
+    </xsl:variable>
+    <!-- print newline and tab -->
+    <xsl:value-of select="$line" />
+    <xsl:text>&newl;&tab;&space;&space;</xsl:text>
+    <!-- wrap the rest of the text -->
+    <xsl:call-template name="wrap">
+     <xsl:with-param name="txt" select="normalize-space(substring($txt,string-length($line)+1))" />
+    </xsl:call-template>
+   </xsl:otherwise>
+  </xsl:choose>
+ </xsl:template>
+
+ <!-- template to trim line to contain space as last char -->
+ <xsl:template name="find-line">
+  <xsl:param name="txt" />
+  <xsl:choose>
+   <xsl:when test="substring($txt,string-length($txt),1) = ' '">
+    <xsl:value-of select="normalize-space($txt)" />
+   </xsl:when>
+   <xsl:otherwise>
+    <xsl:call-template name="find-line">
+     <xsl:with-param name="txt" select="substring($txt,1,string-length($txt)-1)" />
+    </xsl:call-template>
+   </xsl:otherwise>
+  </xsl:choose>
+ </xsl:template>
+
+</xsl:stylesheet>
diff --git a/examples/README b/examples/README
new file mode 100644
index 0000000..6db711e
--- /dev/null
+++ b/examples/README
@@ -0,0 +1,25 @@
+Libp11 example code
+===================
+
+This directory contains some example code how to use libp11.
+Feel free to use this code in any way, it is public domain,
+not copyrighted.
+
+auth.c          Example for authentication, i.e. get the first
+                token, get the first certificate, ask for pin,
+                login, sign some random data, and verify the
+                signature using the certificate/public key.
+
+For easy building see the Makefile in this directory. If you
+are using autoconf/automake/libtool, you might want to add
+to your configure.ac file:
+
+PKG_CHECK_MODULES([LIBP11], [libp11])
+
+and to your Makefile.am:
+
+bin_PROGRAMS = myapp
+
+myapp_CFLAGS = @LIBP11_CFLAGS@
+myapp_LIBADD = @LIBP11_LIBS@
+myapp_SOURCES = myapp.c
diff --git a/examples/auth.c b/examples/auth.c
new file mode 100644
index 0000000..98ff161
--- /dev/null
+++ b/examples/auth.c
@@ -0,0 +1,225 @@
+/* libp11 example code: auth.c
+ *
+ * This examply simply connects to your smart card
+ * and does a public key authentication.
+ *
+ * Feel free to copy all of the code as needed.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <termios.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <libp11.h>
+
+#define RANDOM_SOURCE "/dev/urandom"
+#define RANDOM_SIZE 20
+#define MAX_SIGSIZE 256
+
+int main(int argc, char *argv[])
+{
+        PKCS11_CTX *ctx;
+        PKCS11_SLOT *slots, *slot;
+        PKCS11_CERT *certs;
+        
+        PKCS11_KEY *authkey;
+        PKCS11_CERT *authcert;
+        EVP_PKEY *pubkey = NULL;
+
+        unsigned char *random = NULL, *signature = NULL;
+
+        char password[20];
+        int rc = 0, fd;
+        unsigned int nslots, ncerts, siglen;
+
+        if (argc != 2) {
+                fprintf(stderr, "usage: auth /usr/lib/opensc-pkcs11.so\n");
+                return 1;
+        }
+
+        ctx = PKCS11_CTX_new();
+
+        /* load pkcs #11 module */
+        rc = PKCS11_CTX_load(ctx, argv[1]);
+        if (rc) {
+                fprintf(stderr, "loading pkcs11 engine failed: %s\n",
+                        ERR_reason_error_string(ERR_get_error()));
+                rc = 1;
+                goto nolib;
+        }
+
+        /* get information on all slots */
+        rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
+        if (rc < 0) {
+                fprintf(stderr, "no slots available\n");
+                rc = 2;
+                goto noslots;
+        }
+
+        /* get first slot with a token */
+        slot = PKCS11_find_token(ctx, slots, nslots);
+        if (!slot || !slot->token) {
+                fprintf(stderr, "no token available\n");
+                rc = 3;
+                goto notoken;
+        }
+        printf("Slot manufacturer......: %s\n", slot->manufacturer);
+        printf("Slot description.......: %s\n", slot->description);
+        printf("Slot token label.......: %s\n", slot->token->label);
+        printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
+        printf("Slot token model.......: %s\n", slot->token->model);
+        printf("Slot token serialnr....: %s\n", slot->token->serialnr);
+
+        /* get all certs */
+        rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
+        if (rc) {
+                fprintf(stderr, "PKCS11_enumerate_certs failed\n");
+                goto failed;
+        }
+        if (ncerts <= 0) {
+                fprintf(stderr, "no certificates found\n");
+                goto failed;
+        }
+
+        /* use the first cert */
+        authcert=&certs[0];
+
+        if (!slot->token->loginRequired)
+                goto loggedin;
+
+        /* get password */
+        struct termios old, new;
+
+        /* Turn echoing off and fail if we can't. */
+        if (tcgetattr(0, &old) != 0)
+                goto failed;
+
+        new = old;
+        new.c_lflag &= ~ECHO;
+        if (tcsetattr(0, TCSAFLUSH, &new) != 0)
+                goto failed;
+
+        /* Read the password. */
+        printf("Password for token %.32s: ", slot->token->label);
+        fgets(password, sizeof(password), stdin);
+
+        /* Restore terminal. */
+        (void)tcsetattr(0, TCSAFLUSH, &old);
+
+        /* strip tailing \n from password */
+        rc = strlen(password);
+        if (rc <= 0)
+                goto failed;
+        password[rc-1]=0;
+
+        /* perform pkcs #11 login */
+        rc = PKCS11_login(slot, 0, password);
+        memset(password, 0, strlen(password));
+        if (rc != 0) {
+                fprintf(stderr, "PKCS11_login failed\n");
+                goto failed;
+        }
+
+      loggedin:
+        /* get random bytes */
+        random = malloc(RANDOM_SIZE);
+        if (!random)
+                goto failed;
+
+        fd = open(RANDOM_SOURCE, O_RDONLY);
+        if (fd < 0) {
+                fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n",
+                                strerror(errno));
+                goto failed;
+        }
+
+        rc = read(fd, random, RANDOM_SIZE);
+        if (rc < 0) {
+                fprintf(stderr, "fatal: read from random source failed: %s\n",
+                        strerror(errno));
+                close(fd);
+                goto failed;
+        }
+
+        if (rc < RANDOM_SIZE) {
+                fprintf(stderr, "fatal: read returned less than %d<%d bytes\n",
+                       rc, RANDOM_SIZE);
+                close(fd);
+                goto failed;
+        }
+
+        close(fd);
+
+        authkey = PKCS11_find_key(authcert);
+        if (!authkey) {
+                fprintf(stderr, "no key matching certificate available\n");
+                goto failed;
+        }
+
+        /* ask for a sha1 hash of the random data, signed by the key */
+        siglen = MAX_SIGSIZE;
+        signature = malloc(MAX_SIGSIZE);
+        if (!signature)
+                goto failed;
+
+        rc = PKCS11_sign(NID_sha1, random, RANDOM_SIZE, signature, &siglen,
+                         authkey);
+        if (rc != 1) {
+                fprintf(stderr, "fatal: pkcs11_sign failed\n");
+                goto failed;
+        }
+
+        /* verify the signature */
+        pubkey = X509_get_pubkey(authcert->x509);
+        if (pubkey == NULL) {
+                fprintf(stderr, "could not extract public key\n");
+                goto failed;
+        }
+
+        /* now verify the result */
+        rc = RSA_verify(NID_sha1, random, RANDOM_SIZE,
+                        signature, siglen, pubkey->pkey.rsa);
+        if (rc != 1) {
+                fprintf(stderr, "fatal: RSA_verify failed\n");
+                goto failed;
+        }
+
+        if (pubkey != NULL)
+                EVP_PKEY_free(pubkey);
+
+        if (random != NULL)
+                free(random);
+        if (signature != NULL)
+                free(signature);
+
+        PKCS11_release_all_slots(ctx, slots, nslots);
+        PKCS11_CTX_unload(ctx);
+        PKCS11_CTX_free(ctx);
+
+        CRYPTO_cleanup_all_ex_data();
+        ERR_free_strings();
+        ERR_remove_state(0);
+
+        printf("authentication successfull.\n");
+        return 0;
+
+
+      failed:
+        ERR_print_errors_fp(stderr);
+      notoken:
+        PKCS11_release_all_slots(ctx, slots, nslots);
+
+      noslots:
+        PKCS11_CTX_unload(ctx);
+
+      nolib:
+        PKCS11_CTX_free(ctx);
+        
+
+        printf("authentication failed.\n");
+        return 1;
+}
diff --git a/examples/decrypt.c b/examples/decrypt.c
new file mode 100644
index 0000000..16745a4
--- /dev/null
+++ b/examples/decrypt.c
@@ -0,0 +1,240 @@
+/* libp11 example code: auth.c
+ *
+ * This examply simply connects to your smart card
+ * and does a public key authentication.
+ *
+ * Feel free to copy all of the code as needed.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <termios.h>
+#include <stdio.h>
+#include <string.h>
+#include <libp11.h>
+
+#define RANDOM_SOURCE "/dev/urandom"
+#define RANDOM_SIZE 64
+#define MAX_SIGSIZE 256
+
+int main(int argc, char *argv[])
+{
+        PKCS11_CTX *ctx;
+        PKCS11_SLOT *slots, *slot;
+        PKCS11_CERT *certs;
+        
+        PKCS11_KEY *authkey;
+        PKCS11_CERT *authcert;
+        EVP_PKEY *pubkey = NULL;
+
+        unsigned char *random = NULL, *encrypted = NULL, *decrypted = NULL;
+
+        char password[20];
+        int rc = 0, fd, len;
+        unsigned int nslots, ncerts;
+
+        if (argc != 2) {
+                fprintf(stderr, "usage: auth /usr/lib/opensc-pkcs11.so\n");
+                return 1;
+        }
+
+        ctx = PKCS11_CTX_new();
+
+        /* load pkcs #11 module */
+        rc = PKCS11_CTX_load(ctx, argv[1]);
+        if (rc) {
+                fprintf(stderr, "loading pkcs11 engine failed: %s\n",
+                        ERR_reason_error_string(ERR_get_error()));
+                rc = 1;
+                goto nolib;
+        }
+
+        /* get information on all slots */
+        rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
+        if (rc < 0) {
+                fprintf(stderr, "no slots available\n");
+                rc = 2;
+                goto noslots;
+        }
+
+        /* get first slot with a token */
+        slot = PKCS11_find_token(ctx, slots, nslots);
+        if (!slot || !slot->token) {
+                fprintf(stderr, "no token available\n");
+                rc = 3;
+                goto notoken;
+        }
+        printf("Slot manufacturer......: %s\n", slot->manufacturer);
+        printf("Slot description.......: %s\n", slot->description);
+        printf("Slot token label.......: %s\n", slot->token->label);
+        printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
+        printf("Slot token model.......: %s\n", slot->token->model);
+        printf("Slot token serialnr....: %s\n", slot->token->serialnr);
+
+        /* get all certs */
+        rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
+        if (rc) {
+                fprintf(stderr, "PKCS11_enumerate_certs failed\n");
+                goto failed;
+        }
+        if (ncerts <= 0) {
+                fprintf(stderr, "no certificates found\n");
+                goto failed;
+        }
+
+        /* use the first cert */
+        authcert=&certs[0];
+
+        /* get random bytes */
+        random = malloc(RANDOM_SIZE);
+        if (!random)
+                goto failed;
+
+        fd = open(RANDOM_SOURCE, O_RDONLY);
+        if (fd < 0) {
+                fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n",
+                                strerror(errno));
+                goto failed;
+        }
+
+        rc = read(fd, random, RANDOM_SIZE);
+        if (rc < 0) {
+                fprintf(stderr, "fatal: read from random source failed: %s\n",
+                        strerror(errno));
+                close(fd);
+                goto failed;
+        }
+
+        if (rc < RANDOM_SIZE) {
+                fprintf(stderr, "fatal: read returned less than %d<%d bytes\n",
+                       rc, RANDOM_SIZE);
+                close(fd);
+                goto failed;
+        }
+
+        close(fd);
+
+        /* get RSA key */
+        pubkey = X509_get_pubkey(authcert->x509);
+        if (pubkey == NULL) {
+                fprintf(stderr, "could not extract public key\n");
+                goto failed;
+        }
+
+        /* allocate destination buffer */
+        encrypted = malloc(RSA_size(pubkey->pkey.rsa));
+        if (!encrypted) {
+                fprintf(stderr,"out of memory for encrypted data");
+                goto failed;
+        }
+
+        /* use public key for encryption */
+        len = RSA_public_encrypt(RANDOM_SIZE, random, encrypted,
+                        pubkey->pkey.rsa, RSA_PKCS1_PADDING);
+        if (len < 0) {
+                fprintf(stderr, "fatal: RSA_public_encrypt failed\n");
+                goto failed;
+        }
+
+        /* now decrypt */
+        if (!slot->token->loginRequired)
+                goto loggedin;
+
+        /* get password */
+        struct termios old, new;
+
+        /* Turn echoing off and fail if we can't. */
+        if (tcgetattr(0, &old) != 0)
+                goto failed;
+
+        new = old;
+        new.c_lflag &= ~ECHO;
+        if (tcsetattr(0, TCSAFLUSH, &new) != 0)
+                goto failed;
+
+        /* Read the password. */
+        printf("Password for token %.32s: ", slot->token->label);
+        fgets(password, sizeof(password), stdin);
+
+        /* Restore terminal. */
+        (void)tcsetattr(0, TCSAFLUSH, &old);
+
+        /* strip tailing \n from password */
+        rc = strlen(password);
+        if (rc <= 0)
+                goto failed;
+        password[rc-1]=0;
+
+        /* perform pkcs #11 login */
+        rc = PKCS11_login(slot, 0, password);
+        memset(password, 0, strlen(password));
+        if (rc != 0) {
+                fprintf(stderr, "PKCS11_login failed\n");
+                goto failed;
+        }
+
+      loggedin:
+
+        authkey = PKCS11_find_key(authcert);
+        if (!authkey) {
+                fprintf(stderr, "no key matching certificate available\n");
+                goto failed;
+        }
+
+        /* allocate space for decrypted data */
+        decrypted = malloc(RSA_size(pubkey->pkey.rsa));
+        if (!decrypted)
+                goto failed;
+
+        rc = PKCS11_private_decrypt(len, encrypted,
+                        decrypted, authkey, RSA_PKCS1_PADDING);
+        if (rc != RANDOM_SIZE) {
+                fprintf(stderr, "fatal: PKCS11_private_decrypt failed\n");
+                goto failed;
+        }
+
+        /* check if original matches decypted */
+        if (memcmp(random, decrypted, RANDOM_SIZE) != 0) {
+                fprintf(stderr, "fatal: decrypted data does not match original\n");
+                goto failed;
+        }
+
+        PKCS11_release_all_slots(ctx, slots, nslots);
+        PKCS11_CTX_unload(ctx);
+        PKCS11_CTX_free(ctx);
+
+        if (pubkey != NULL)
+                EVP_PKEY_free(pubkey);
+        if (random != NULL)
+                free(random);
+        if (encrypted != NULL)
+                free(encrypted);
+        if (decrypted != NULL)
+                free(decrypted);
+
+        CRYPTO_cleanup_all_ex_data();
+        ERR_free_strings();
+        ERR_remove_state(0);
+
+        printf("decryption successfull.\n");
+        return 0;
+
+
+      failed:
+        ERR_print_errors_fp(stderr); 
+      notoken:
+        PKCS11_release_all_slots(ctx, slots, nslots);
+
+      noslots:
+        PKCS11_CTX_unload(ctx);
+
+      nolib:
+        PKCS11_CTX_free(ctx);
+        
+
+        printf("decryption failed.\n");
+        return 1;
+}
diff --git a/examples/getrandom.c b/examples/getrandom.c
new file mode 100644
index 0000000..b8f0a69
--- /dev/null
+++ b/examples/getrandom.c
@@ -0,0 +1,88 @@
+/* libp11 example code: getrandom.c 
+ *
+ * This examply simply connects to your smart card and 
+ * asks for a few random bytes.
+ * 
+ * Feel free to copy all of the code as needed.
+ *
+ */
+
+#include <stdio.h>
+#include <libp11.h>
+
+int main(int argc, char *argv[])
+{
+        PKCS11_CTX *ctx;
+        PKCS11_SLOT *slots, *slot;
+        unsigned char random[10];
+        int rc = 0, i, len;
+        unsigned int nslots;
+
+        if (argc != 2) {
+                fprintf(stderr, "usage: getrandom /usr/lib/opensc-pkcs11.so\n");
+                return 1;
+        }
+
+        /* new context */
+        ctx = PKCS11_CTX_new();
+
+        /* load pkcs #11 module */
+        rc = PKCS11_CTX_load(ctx, argv[1]);
+        if (rc) {
+                fprintf(stderr, "loading pkcs11 engine failed: %s\n",
+                        ERR_reason_error_string(ERR_get_error()));
+                rc = 1;
+                goto nolib;
+        }
+
+        /* get information on all slots */
+        rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
+        if (rc < 0) {
+                fprintf(stderr, "no slots available\n");
+                rc = 2;
+                goto noslots;
+        }
+        printf("%d slots available\n", nslots);
+
+        /* get first slot with a token */
+        slot = PKCS11_find_token(ctx, slots, nslots);
+        if (!slot || !slot->token) {
+                fprintf(stderr, "no token available\n");
+                rc = 3;
+                goto notoken;
+        }
+        printf("Slot manufacturer......: %s\n", slot->manufacturer);
+        printf("Slot description.......: %s\n", slot->description);
+        printf("Slot token label.......: %s\n", slot->token->label);
+        printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
+        printf("Slot token model.......: %s\n", slot->token->model);
+        printf("Slot token serialnr....: %s\n", slot->token->serialnr);
+
+        /* get 10 random bytes */
+        len = sizeof(random);
+        rc = PKCS11_generate_random(slot, random, len);
+        if (rc < 0) {
+                fprintf(stderr, "generate_random failed: %s\n",
+                        ERR_reason_error_string(ERR_get_error()));
+                rc = 4;
+                goto norandom;
+        }
+
+        printf("\nRandom numbers generated by the token: ");
+        for (i = 0; i < len; i++)
+                printf("%02X ", random[i]);
+        printf("\n");
+
+        rc = 0;
+
+      norandom:
+      notoken:
+        PKCS11_release_all_slots(ctx, slots, nslots);
+
+      noslots:
+        PKCS11_CTX_unload(ctx);
+
+      nolib:
+        PKCS11_CTX_free(ctx);
+        return rc;
+}
diff --git a/packaged b/packaged
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/packaged
@@ -0,0 +1 @@
+
diff --git a/src/Makefile.am b/src/Makefile.am
new file mode 100644
index 0000000..c66a8cd
--- /dev/null
+++ b/src/Makefile.am
@@ -0,0 +1,42 @@
+MAINTAINERCLEANFILES = \
+        $(srcdir)/Makefile.in $(srcdir)/versioninfo.rc
+CLEANFILES = libp11.pc
+EXTRA_DIST = Makefile.mak
+
+noinst_HEADERS= libp11-int.h pkcs11.h
+include_HEADERS= libp11.h
+lib_LTLIBRARIES = libp11.la
+pkgconfig_DATA = libp11.pc
+
+libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_err.c p11_key.c \
+        p11_load.c p11_misc.c p11_ops.c p11_rsa.c p11_slot.c \
+        libp11.exports
+if WIN32
+libp11_la_SOURCES += versioninfo.rc
+else
+dist_noinst_DATA = versioninfo.rc
+endif
+libp11_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_CFLAGS) $(LTLIB_CFLAGS)
+libp11_la_LIBADD = $(OPENSSL_LIBS) $(LTLIB_LIBS)
+libp11_la_LDFLAGS = $(AM_LDFLAGS) \
+        -version-info @LIBP11_LT_CURRENT@:@LIBP11_LT_REVISION@:@LIBP11_LT_AGE@ \
+        -export-symbols "$(srcdir)/libp11.exports" \
+        -no-undefined
+
+if WIN32
+# def file required for MS users to build library
+mylibdir=$(libdir)
+mylib_DATA=.libs/@WIN_LIBPREFIX@p11-@LIBP11_LT_OLDEST@.dll.def
+.libs/@WIN_LIBPREFIX@p11-@LIBP11_LT_OLDEST@.dll.def:    libp11.la
+endif
+
+RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+        $(AM_CPPFLAGS) $(CPPFLAGS)
+LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE)
+
+.rc.lo:
+        $(LTRCCOMPILE) -i "$<" -o "$@"
+
+.rc.o:
+        $(RCCOMPILE) -i "$<" -o "$@"
+
diff --git a/src/Makefile.mak b/src/Makefile.mak
new file mode 100644
index 0000000..73b5428
--- /dev/null
+++ b/src/Makefile.mak
@@ -0,0 +1,33 @@
+LIBLTDL_INC =    # E.g. /IC:\libtool-1.5.8-lib\include
+LIBLTDL_LIB =     # E.g. C:\libtool-1.5.8-lib\lib\libltdl.lib
+
+OPENSSL_INC = /IC:\openssl\include
+OPENSSL_LIB = C:\openssl\out32dll\libeay32.lib
+
+COPTS = /Zi /MD /nologo /I..\ /I. $(OPENSSL_INC) $(LIBLTDL_INC) /D_WIN32_WINNT=0x0400 /DWIN32 /DWIN32_LEAN_AND_MEAN
+LINKFLAGS = /DEBUG /NOLOGO /INCREMENTAL:NO /MACHINE:IX86
+
+TARGET                  = libp11.dll
+
+OBJECTS                 = libpkcs11.obj p11_attr.obj p11_cert.obj p11_err.obj \
+        p11_key.obj p11_load.obj p11_misc.obj p11_rsa.obj p11_slot.obj p11_ops.obj
+
+all: $(TARGET) versioninfo.res
+
+RSC_PROJ=/l 0x809 /r /fo"versioninfo.res"
+
+versioninfo.res: versioninfo.rc
+        rc $(RSC_PROJ) versioninfo.rc
+ 
+
+.c.obj::
+        cl $(COPTS) /c $<
+
+$(TARGET): $(OBJECTS) versioninfo.res
+        echo LIBRARY $* > $*.def
+        echo EXPORTS >> $*.def
+        type $*.exports >> $*.def
+        link $(LINKFLAGS) /dll /def:$*.def /implib:$*.lib /out:$(TARGET) \
+                $(OBJECTS) $(OPENSSL_LIB) $(LIBLTDL_LIB) versioninfo.res
+        if EXIST $*.dll.manifest mt -manifest $*.dll.manifest -outputresource:$*.dll;2
+
diff --git a/src/libp11-int.h b/src/libp11-int.h
new file mode 100644
index 0000000..be3965f
--- /dev/null
+++ b/src/libp11-int.h
@@ -0,0 +1,159 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+#ifndef _LIBP11_INT_H
+#define _LIBP11_INT_H
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+
+#define CRYPTOKI_EXPORTS
+#include <pkcs11.h>
+
+extern void *C_LoadModule(const char *name, CK_FUNCTION_LIST_PTR_PTR);
+extern CK_RV C_UnloadModule(void *module);
+
+#include "libp11.h"
+
+/* get private implementations of PKCS11 structures */
+
+/*
+ * PKCS11_CTX: context for a PKCS11 implementation
+ */
+typedef struct pkcs11_ctx_private {
+        char *name;
+        void *libinfo;
+        CK_FUNCTION_LIST_PTR method;
+
+        CK_SESSION_HANDLE session;
+        char *init_args;
+} PKCS11_CTX_private;
+#define PRIVCTX(ctx)            ((PKCS11_CTX_private *) (ctx->_private))
+
+typedef struct pkcs11_slot_private {
+        PKCS11_CTX *parent;
+        unsigned char haveSession, loggedIn;
+        CK_SLOT_ID id;
+        CK_SESSION_HANDLE session;
+} PKCS11_SLOT_private;
+#define PRIVSLOT(slot)          ((PKCS11_SLOT_private *) (slot->_private))
+#define SLOT2CTX(slot)          (PRIVSLOT(slot)->parent)
+
+typedef struct pkcs11_token_private {
+        PKCS11_SLOT *parent;
+        int nkeys, nprkeys;
+        PKCS11_KEY *keys;
+        int ncerts;
+        PKCS11_CERT *certs;
+} PKCS11_TOKEN_private;
+#define PRIVTOKEN(token)        ((PKCS11_TOKEN_private *) (token->_private))
+#define TOKEN2SLOT(token)       (PRIVTOKEN(token)->parent)
+#define TOKEN2CTX(token)        SLOT2CTX(TOKEN2SLOT(token))
+
+typedef struct pkcs11_key_ops {
+        int type;               /* EVP_PKEY_xxx */
+        int (*get_public) (PKCS11_KEY *, EVP_PKEY *);
+        int (*get_private) (PKCS11_KEY *, EVP_PKEY *);
+} PKCS11_KEY_ops;
+
+typedef struct pkcs11_key_private {
+        PKCS11_TOKEN *parent;
+        CK_OBJECT_HANDLE object;
+        unsigned char id[255];
+        size_t id_len;
+        PKCS11_KEY_ops *ops;
+} PKCS11_KEY_private;
+#define PRIVKEY(key)            ((PKCS11_KEY_private *) key->_private)
+#define KEY2SLOT(key)           TOKEN2SLOT(KEY2TOKEN(key))
+#define KEY2TOKEN(key)          (PRIVKEY(key)->parent)
+#define KEY2CTX(key)            TOKEN2CTX(KEY2TOKEN(key))
+
+typedef struct pkcs11_cert_private {
+        PKCS11_TOKEN *parent;
+        CK_OBJECT_HANDLE object;
+        unsigned char id[255];
+        size_t id_len;
+} PKCS11_CERT_private;
+#define PRIVCERT(cert)          ((PKCS11_CERT_private *) cert->_private)
+#define CERT2SLOT(cert)         TOKEN2SLOT(CERT2TOKEN(cert))
+#define CERT2TOKEN(cert)        (PRIVCERT(cert)->parent)
+#define CERT2CTX(cert)          TOKEN2CTX(CERT2TOKEN(cert))
+
+/*
+ * Mapping Cryptoki error codes to those used internally
+ * by this code.
+ * Right now, we just map them directly, and make sure
+ * that the few genuine messages we use don't clash with
+ * PKCS#11
+ */
+#define pkcs11_map_err(rv)      (rv)
+
+/*
+ * Internal functions
+ */
+#define CRYPTOKI_checkerr(f, rv) \
+        do { if (rv) { \
+                PKCS11err(f, pkcs11_map_err(rv)); \
+                return -1; \
+        } } while (0)
+#define CRYPTOKI_call(ctx, func_and_args) \
+        PRIVCTX(ctx)->method->func_and_args
+
+/* Memory allocation */
+#define PKCS11_NEW(type) \
+        ((type *) pkcs11_malloc(sizeof(type)))
+#define PKCS11_DUP(s) \
+        pkcs11_strdup((char *) s, sizeof(s))
+
+extern void pkcs11_release_slot(PKCS11_CTX *, PKCS11_SLOT *slot);
+
+extern void pkcs11_destroy_keys(PKCS11_TOKEN *);
+extern void pkcs11_destroy_certs(PKCS11_TOKEN *);
+extern void *pkcs11_malloc(size_t);
+extern char *pkcs11_strdup(char *, size_t);
+
+extern int pkcs11_getattr(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
+                          unsigned int, void *, size_t);
+extern int pkcs11_getattr_s(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
+                            unsigned int, void *, size_t);
+extern int pkcs11_getattr_var(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
+                              unsigned int, void *, size_t *);
+extern int pkcs11_getattr_bn(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
+                             unsigned int, BIGNUM **);
+
+#define key_getattr(key, t, p, s) \
+        pkcs11_getattr(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (p), (s))
+
+#define key_getattr_bn(key, t, bn) \
+        pkcs11_getattr_bn(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (bn))
+
+typedef int (*pkcs11_i2d_fn) (void *, unsigned char **);
+extern void pkcs11_addattr(CK_ATTRIBUTE_PTR, int, const void *, size_t);
+extern void pkcs11_addattr_int(CK_ATTRIBUTE_PTR, int, unsigned long);
+extern void pkcs11_addattr_bool(CK_ATTRIBUTE_PTR, int, int);
+extern void pkcs11_addattr_s(CK_ATTRIBUTE_PTR, int, const char *);
+extern void pkcs11_addattr_bn(CK_ATTRIBUTE_PTR, int, const BIGNUM *);
+extern void pkcs11_addattr_obj(CK_ATTRIBUTE_PTR, int, pkcs11_i2d_fn, void *);
+extern void pkcs11_zap_attrs(CK_ATTRIBUTE_PTR, unsigned int);
+
+extern void *memdup(const void *, size_t);
+
+extern PKCS11_KEY_ops pkcs11_rsa_ops;
+
+#endif
diff --git a/src/libp11.exports b/src/libp11.exports
new file mode 100644
index 0000000..aecbdba
--- /dev/null
+++ b/src/libp11.exports
@@ -0,0 +1,37 @@
+PKCS11_CTX_init_args
+PKCS11_CTX_new
+PKCS11_CTX_load
+PKCS11_CTX_unload
+PKCS11_CTX_free
+PKCS11_open_session
+PKCS11_enumerate_slots
+PKCS11_release_all_slots
+PKCS11_find_token
+PKCS11_login
+PKCS11_logout
+PKCS11_enumerate_keys
+PKCS11_get_key_type
+PKCS11_get_key_size
+PKCS11_get_key_modulus
+PKCS11_get_key_exponent
+PKCS11_get_private_key
+PKCS11_get_public_key
+PKCS11_get_slotid_from_slot
+PKCS11_find_certificate
+PKCS11_find_key
+PKCS11_enumerate_certs
+PKCS11_init_token
+PKCS11_init_pin
+PKCS11_change_pin
+PKCS11_generate_key
+PKCS11_store_private_key
+PKCS11_store_public_key
+PKCS11_store_certificate
+PKCS11_sign
+PKCS11_private_encrypt
+PKCS11_private_decrypt
+PKCS11_verify
+PKCS11_seed_random
+PKCS11_generate_random
+PKCS11_get_rsa_method
+ERR_load_PKCS11_strings
diff --git a/src/libp11.h b/src/libp11.h
new file mode 100644
index 0000000..89604ff
--- /dev/null
+++ b/src/libp11.h
@@ -0,0 +1,428 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+/**
+ * @file libp11.h
+ * @brief libp11 header file
+ */
+
+#ifndef _LIB11_H
+#define _LIB11_H
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* get some structures for local code to handle pkcs11 data readily */
+#define ERR_LIB_PKCS11  ERR_LIB_USER
+
+#define PKCS11err(f,r) \
+ERR_PUT_error(ERR_LIB_PKCS11,(f),(r),__FILE__,__LINE__)
+
+/*
+ * The purpose of this library is to provide a simple PKCS11
+ * interface to OpenSSL application that wish to use a previously
+ * initialized card (as opposed to initializing it, etc).
+ *
+ * I am therefore making some simplifying assumptions:
+ *
+ *  -   no support for any operations that alter the card,
+ *      i.e. readonly-login
+ */
+
+/** PKCS11 key object (public or private) */
+typedef struct PKCS11_key_st {
+        char *label;
+        unsigned char *id;
+        size_t id_len;
+        unsigned char isPrivate;        /**< private key present? */
+        unsigned char needLogin;        /**< login to read private key? */
+        EVP_PKEY *evp_key;              /**< initially NULL, need to call PKCS11_load_key */
+        void *_private;
+} PKCS11_KEY;
+
+/** PKCS11 certificate object */
+typedef struct PKCS11_cert_st {
+        char *label;
+        unsigned char *id;
+        size_t id_len;
+        X509 *x509;
+        void *_private;
+} PKCS11_CERT;
+
+/** PKCS11 token: smart card or USB key */
+typedef struct PKCS11_token_st {
+        char *label;
+        char *manufacturer;
+        char *model;
+        char *serialnr;
+        unsigned char initialized;
+        unsigned char loginRequired;
+        unsigned char secureLogin;
+        unsigned char userPinSet;
+        unsigned char readOnly;
+        unsigned char hasRng;
+        unsigned char userPinCountLow;
+        unsigned char userPinFinalTry;
+        unsigned char userPinLocked;
+        unsigned char userPinToBeChanged;
+        unsigned char soPinCountLow;
+        unsigned char soPinFinalTry;
+        unsigned char soPinLocked;
+        unsigned char soPinToBeChanged;
+        void *_private;
+} PKCS11_TOKEN;
+
+/** PKCS11 slot: card reader */
+typedef struct PKCS11_slot_st {
+        char *manufacturer;
+        char *description;
+        unsigned char removable;
+        PKCS11_TOKEN *token;    /**< NULL if no token present */
+        void *_private;
+} PKCS11_SLOT;
+
+/** PKCS11 context */
+typedef struct PKCS11_ctx_st {
+        char *manufacturer;
+        char *description;
+        void *_private;
+} PKCS11_CTX;
+
+/**
+ * Create a new libp11 context
+ *
+ * This should be the first function called in the use of libp11
+ * @return an allocated context
+ */
+extern PKCS11_CTX *PKCS11_CTX_new(void);
+
+/**
+ * Specify any private PKCS#11 module initializtion args, if necessary
+ *
+ * @return none
+ */
+extern void PKCS11_CTX_init_args(PKCS11_CTX * ctx, const char * init_args);
+
+/**
+ * Load a PKCS#11 module
+ *
+ * @param ctx context allocated by PKCS11_CTX_new()
+ * @param ident PKCS#11 library filename
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_CTX_load(PKCS11_CTX * ctx, const char * ident);
+
+/**
+ * Unload a PKCS#11 module
+ *
+ * @param ctx context allocated by PKCS11_CTX_new()
+ */
+extern void PKCS11_CTX_unload(PKCS11_CTX * ctx);
+
+/**
+ * Free a libp11 context
+ *
+ * @param ctx context allocated by PKCS11_CTX_new()
+ */
+extern void PKCS11_CTX_free(PKCS11_CTX * ctx);
+
+/** Open a session in RO or RW mode
+ *
+ * @param slot slot descriptor returned by PKCS11_find_token() or PKCS11_enumerate_slots()
+ * @param rw open in read/write mode is mode != 0, otherwise in read only mode
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_open_session(PKCS11_SLOT * slot, int rw);
+
+/**
+ * Get a list of all slots
+ *
+ * @param ctx context allocated by PKCS11_CTX_new()
+ * @param slotsp pointer on a list of slots
+ * @param nslotsp size of the allocated list
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_enumerate_slots(PKCS11_CTX * ctx,
+                        PKCS11_SLOT **slotsp, unsigned int *nslotsp);
+
+/**
+ * Get the slot_id from a slot as it is stored in private
+ *
+ * @param slotp pointer on a slot
+ * @retval the slotid 
+ */
+extern unsigned long PKCS11_get_slotid_from_slot(PKCS11_SLOT *slotp);
+
+/**
+ * Free the list of slots allocated by PKCS11_enumerate_slots()
+ *
+ * @param ctx context allocated by PKCS11_CTX_new()
+ * @param slots list of slots allocated by PKCS11_enumerate_slots()
+ * @param nslots size of the list
+ */
+extern void PKCS11_release_all_slots(PKCS11_CTX * ctx,
+                        PKCS11_SLOT *slots, unsigned int nslots);
+
+/**
+ * Find the first slot with a token
+ *
+ * @param ctx context allocated by PKCS11_CTX_new()
+ * @param slots list of slots allocated by PKCS11_enumerate_slots()
+ * @param nslots size of the list
+ * @retval !=NULL pointer on a slot structure
+ * @retval NULL error
+ */
+PKCS11_SLOT *PKCS11_find_token(PKCS11_CTX * ctx, 
+                        PKCS11_SLOT *slots, unsigned int nslots);
+
+/**
+ * Authenticate to the card
+ *
+ * @param slot slot returned by PKCS11_find_token()
+ * @param so login as CKU_SO if != 0, otherwise login as CKU_USER
+ * @param pin PIN value
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_login(PKCS11_SLOT * slot, int so, const char *pin);
+
+/**
+ * De-authenticate from the card
+ *
+ * @param slot slot returned by PKCS11_find_token()
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_logout(PKCS11_SLOT * slot);
+
+/* Get a list of all keys associated with this token */
+extern int PKCS11_enumerate_keys(PKCS11_TOKEN *, PKCS11_KEY **, unsigned int *);
+
+/* Get the key type (as EVP_PKEY_XXX) */
+extern int PKCS11_get_key_type(PKCS11_KEY *);
+
+/* Get size of key modulus in number of bytes */
+extern int PKCS11_get_key_size(const PKCS11_KEY *);
+/* Get actual modules and public exponent as BIGNUM */
+extern int PKCS11_get_key_modulus(PKCS11_KEY *, BIGNUM **);
+extern int PKCS11_get_key_exponent(PKCS11_KEY *, BIGNUM **);
+
+/* Get the enveloped private key */
+/**
+ * Returns a EVP_PKEY object for the private key
+ *
+ * @param   key  PKCS11_KEY object
+ * @retval !=NULL reference to EVP_PKEY object.
+ *         The returned EVP_PKEY object should be treated as const 
+ *         and must not be freed.
+ * @retval NULL error
+ */
+extern EVP_PKEY *PKCS11_get_private_key(PKCS11_KEY *key);
+/**
+ * Returns a EVP_PKEY object with the public key
+ *
+ * @param  key  PKCS11_KEY object
+ * @retval !=NULL reference to EVP_PKEY object.
+ *         The returned EVP_PKEY object should be treated as const
+ *         and must not be freed.
+ * @retval NULL error
+ */
+extern EVP_PKEY *PKCS11_get_public_key(PKCS11_KEY *key);
+
+/* Find the corresponding certificate (if any) */
+extern PKCS11_CERT *PKCS11_find_certificate(PKCS11_KEY *);
+
+/* Find the corresponding key (if any) */
+extern PKCS11_KEY *PKCS11_find_key(PKCS11_CERT *);
+
+/* Get a list of all certificates associated with this token */
+extern int PKCS11_enumerate_certs(PKCS11_TOKEN *, PKCS11_CERT **, unsigned int *);
+
+/**
+ * Initialize a token
+ *
+ * @param token token descriptor (in general slot->token)
+ * @param pin Security Officer PIN value
+ * @param label new name of the token
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_init_token(PKCS11_TOKEN * token, const char *pin,
+        const char *label);
+
+/**
+ * Initialize the user PIN on a token
+ *
+ * @param token token descriptor (in general slot->token)
+ * @param pin new user PIN value
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_init_pin(PKCS11_TOKEN * token, const char *pin);
+
+/**
+ * Change the user PIN on a token
+ *
+ * @param slot slot returned by PKCS11_find_token()
+ * @param old_pin old PIN value
+ * @param new_pin new PIN value
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_change_pin(PKCS11_SLOT * slot, const char *old_pin,
+        const char *new_pin);
+
+/** 
+ * Generate and store a private key on the token
+ *
+ * @param token token returned by PKCS11_find_token()
+ * @param algorithm EVP_PKEY_RSA
+ * @param bits size of the modulus in bits
+ * @param label label for this key
+ * @param id bytes to use as id value
+ * @param id_len length of id value.
+ * @retval 0 success
+ * @retval -1 error
+ */
+
+extern int PKCS11_generate_key(PKCS11_TOKEN * token, int algorithm, unsigned int bits, char *label, unsigned char* id, size_t id_len);
+
+/**
+ * Store private key on a token
+ *
+ * @param token token returned by PKCS11_find_token()
+ * @param pk private key
+ * @param label label for this key
+ * @param id bytes to use as id value
+ * @param id_len length of id value.
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);
+
+/**
+ * Store public key on a token
+ *
+ * @param token token returned by PKCS11_find_token()
+ * @param pk private key
+ * @param label label for this key
+ * @param id bytes to use as id value
+ * @param id_len length of id value.
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_store_public_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);
+
+/**
+ * Store certificate on a token
+ *
+ * @param token token returned by PKCS11_find_token()
+ * @param x509 x509 certificate object
+ * @param label label for this certificate
+ * @param id bytes to use as id value
+ * @param id_len length of id value.
+ * @param ret_cert put new PKCS11_CERT object here
+ * @retval 0 success
+ * @retval -1 error
+ */
+extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
+                char *label, unsigned char *id, size_t id_len,
+                PKCS11_CERT **ret_cert);
+
+/* rsa private key operations */
+extern int PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
+        unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key);
+extern int PKCS11_private_encrypt(int flen, const unsigned char *from,
+        unsigned char *to, const PKCS11_KEY * rsa, int padding);
+/**
+ * Decrypts data using the private key
+ * 
+ * @param  flen     length of the encrypted data
+ * @param  from     encrypted data
+ * @param  to       output buffer (MUST be a least flen bytes long)
+ * @param  key      private key object 
+ * @param  padding  padding algorithm to be used
+ * @return the length of the decrypted data or 0 if an error occurred
+ */
+extern int PKCS11_private_decrypt(int flen, const unsigned char *from,
+        unsigned char *to, PKCS11_KEY * key, int padding);
+extern int PKCS11_verify(int type, const unsigned char *m, unsigned int m_len,
+        unsigned char *signature, unsigned int siglen, PKCS11_KEY * key);
+
+/* access random number generator */
+extern int PKCS11_seed_random(PKCS11_SLOT *, const unsigned char *s, unsigned int s_len);
+extern int PKCS11_generate_random(PKCS11_SLOT *, unsigned char *r, unsigned int r_len);
+
+/* using with openssl method mechanism */
+RSA_METHOD *PKCS11_get_rsa_method(void);
+
+/**
+ * Load PKCS11 error strings
+ *
+ * Call this function to be able to use ERR_reason_error_string(ERR_get_error())
+ * to get an textual version of the latest error code
+ */
+extern void ERR_load_PKCS11_strings(void);
+
+/*
+ * Function and reason codes
+ */
+#define PKCS11_F_PKCS11_CTX_LOAD                1
+#define PKCS11_F_PKCS11_ENUM_SLOTS              2
+#define PKCS11_F_PKCS11_CHECK_TOKEN             3
+#define PKCS11_F_PKCS11_OPEN_SESSION            4
+#define PKCS11_F_PKCS11_LOGIN                   5
+#define PKCS11_F_PKCS11_ENUM_KEYS               6
+#define PKCS11_F_PKCS11_GET_KEY                 7
+#define PKCS11_F_PKCS11_RSA_DECRYPT             8
+#define PKCS11_F_PKCS11_RSA_ENCRYPT             9
+#define PKCS11_F_PKCS11_RSA_SIGN                10
+#define PKCS11_F_PKCS11_RSA_VERIFY              11
+#define PKCS11_F_PKCS11_ENUM_CERTS              12
+#define PKCS11_F_PKCS11_INIT_TOKEN              13
+#define PKCS11_F_PKCS11_INIT_PIN                14
+#define PKCS11_F_PKCS11_LOGOUT                  15
+#define PKCS11_F_PKCS11_STORE_PRIVATE_KEY       16
+#define PKCS11_F_PKCS11_GENERATE_KEY            17
+#define PKCS11_F_PKCS11_STORE_PUBLIC_KEY        18
+#define PKCS11_F_PKCS11_STORE_CERTIFICATE       19
+#define PKCS11_F_PKCS11_SEED_RANDOM             20
+#define PKCS11_F_PKCS11_GENERATE_RANDOM         21
+#define PKCS11_F_PKCS11_CHANGE_PIN              22
+#define PKCS11_F_PKCS11_GETATTR                 40
+
+#define PKCS11_ERR_BASE                         1024
+#define PKCS11_LOAD_MODULE_ERROR                (PKCS11_ERR_BASE+1)
+#define PKCS11_MODULE_LOADED_ERROR              (PKCS11_ERR_BASE+2)
+#define PKCS11_SYMBOL_NOT_FOUND_ERROR           (PKCS11_ERR_BASE+3)
+#define PKCS11_NOT_SUPPORTED                    (PKCS11_ERR_BASE+4)
+#define PKCS11_NO_SESSION                       (PKCS11_ERR_BASE+5)
+#define PKCS11_KEYGEN_FAILED                    (PKCS11_ERR_BASE+6)
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/src/libp11.pc.in b/src/libp11.pc.in
new file mode 100644
index 0000000..255b220
--- /dev/null
+++ b/src/libp11.pc.in
@@ -0,0 +1,12 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: libp11
+Description: libp11
+Version: @VERSION@
+Libs: -L${libdir} -lp11
+Libs.private: -lcrypto
+Cflags: -I${includedir}
+
diff --git a/src/libpkcs11.c b/src/libpkcs11.c
new file mode 100644
index 0000000..a146361
--- /dev/null
+++ b/src/libpkcs11.c
@@ -0,0 +1,101 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+/*
+ * Convenience pkcs11 library that can be linked into an application,
+ * and will bind to a specific pkcs11 module.
+ *
+ * Copyright (C) 2002  Olaf Kirch <okir@lst.de>
+ */
+
+#include <config.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <ltdl.h>
+#include "libp11-int.h"
+
+#define MAGIC                   0xd00bed00
+
+struct sc_pkcs11_module {
+        unsigned int _magic;
+        lt_dlhandle handle;
+};
+typedef struct sc_pkcs11_module sc_pkcs11_module_t;
+
+/*
+ * Load a module - this will load the shared object, call
+ * C_Initialize, and get the list of function pointers
+ */
+void *
+C_LoadModule(const char *mspec, CK_FUNCTION_LIST_PTR_PTR funcs)
+{
+        sc_pkcs11_module_t *mod;
+        CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
+        int rv;
+
+        if (mspec == NULL)
+                return NULL;
+
+        if (lt_dlinit() != 0)
+                return NULL;
+
+        mod = (sc_pkcs11_module_t *) calloc(1, sizeof(*mod));
+        mod->_magic = MAGIC;
+
+        mod->handle = lt_dlopen(mspec);
+        if (mod->handle == NULL)
+                goto failed;
+
+        /* Get the list of function pointers */
+        c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
+                                lt_dlsym(mod->handle, "C_GetFunctionList");
+        if (!c_get_function_list)
+                goto failed;
+        rv = c_get_function_list(funcs);
+        if (rv == CKR_OK)
+                return (void *) mod;
+
+failed:
+        C_UnloadModule((void *) mod);
+        return NULL;
+}
+
+/*
+ * Unload a pkcs11 module.
+ * The calling application is responsible for cleaning up
+ * and calling C_Finalize
+ */
+CK_RV
+C_UnloadModule(void *module)
+{
+        sc_pkcs11_module_t *mod = (sc_pkcs11_module_t *) module;
+
+        if (!mod || mod->_magic != MAGIC)
+                return CKR_ARGUMENTS_BAD;
+
+        if (lt_dlclose(mod->handle) < 0)
+                return CKR_FUNCTION_FAILED;
+
+        memset(mod, 0, sizeof(*mod));
+        free(mod);
+
+        lt_dlexit();
+
+        return CKR_OK;
+}
diff --git a/src/p11_attr.c b/src/p11_attr.c
new file mode 100644
index 0000000..83f603b
--- /dev/null
+++ b/src/p11_attr.c
@@ -0,0 +1,156 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+/*
+ * PKCS11 attribute querying.
+ *
+ * The number of layers we stack on top of each other here
+ * is frightening.
+ *
+ * Copyright (C) 2002, Olaf Kirch <okir@lst.de>
+ */
+
+#include <config.h>
+#include <assert.h>
+#include <string.h>
+
+#include "libp11-int.h"
+
+static int pkcs11_getattr_int(PKCS11_CTX *, CK_SESSION_HANDLE,
+                              CK_OBJECT_HANDLE, CK_ATTRIBUTE_TYPE, void *, size_t *);
+
+/*
+ * Query pkcs11 attributes
+ */
+static int
+pkcs11_getattr_int(PKCS11_CTX * ctx, CK_SESSION_HANDLE session,
+                   CK_OBJECT_HANDLE o, CK_ATTRIBUTE_TYPE type, void *value,
+                   size_t * size)
+{
+        CK_ATTRIBUTE templ;
+        int rv;
+
+        templ.type = type;
+        templ.pValue = value;
+        templ.ulValueLen = *size;
+
+        rv = CRYPTOKI_call(ctx, C_GetAttributeValue(session, o, &templ, 1));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_GETATTR, rv);
+
+        *size = templ.ulValueLen;
+        return 0;
+}
+
+int
+pkcs11_getattr_var(PKCS11_TOKEN * token, CK_OBJECT_HANDLE object,
+                   unsigned int type, void *value, size_t * size)
+{
+        return pkcs11_getattr_int(TOKEN2CTX(token),
+                                  PRIVSLOT(TOKEN2SLOT(token))->session,
+                                  object, type, value, size);
+}
+
+int
+pkcs11_getattr(PKCS11_TOKEN * token, CK_OBJECT_HANDLE object,
+               unsigned int type, void *value, size_t size)
+{
+        return pkcs11_getattr_var(token, object, type, value, &size);
+}
+
+int
+pkcs11_getattr_s(PKCS11_TOKEN * token, CK_OBJECT_HANDLE object,
+                 unsigned int type, void *value, size_t size)
+{
+        memset(value, 0, size);
+        return pkcs11_getattr_var(token, object, type, value, &size);
+}
+
+int
+pkcs11_getattr_bn(PKCS11_TOKEN * token, CK_OBJECT_HANDLE object,
+                  unsigned int type, BIGNUM ** bn)
+{
+        CK_BYTE binary[4196 / 8];
+        size_t size = sizeof(binary);
+
+        if (pkcs11_getattr_var(token, object, type, binary, &size))
+                return -1;
+        if (size == -1) {
+                PKCS11err(PKCS11_F_PKCS11_GETATTR,
+                          pkcs11_map_err(CKR_ATTRIBUTE_TYPE_INVALID));
+                return -1;
+        }
+        *bn = BN_bin2bn(binary, size, *bn);
+        return *bn ? 0 : -1;
+}
+
+/*
+ * Add attributes to template
+ */
+void pkcs11_addattr(CK_ATTRIBUTE_PTR ap, int type, const void *data, size_t size)
+{
+        ap->type = type;
+        ap->pValue = malloc(size);
+        memcpy(ap->pValue, data, size);
+        ap->ulValueLen = size;
+}
+
+/* In PKCS11, virtually every integer is a CK_ULONG */
+void pkcs11_addattr_int(CK_ATTRIBUTE_PTR ap, int type, unsigned long value)
+{
+        CK_ULONG ulValue = value;
+
+        pkcs11_addattr(ap, type, &ulValue, sizeof(ulValue));
+}
+
+void pkcs11_addattr_bool(CK_ATTRIBUTE_PTR ap, int type, int value)
+{
+        pkcs11_addattr(ap, type, &value, sizeof(CK_BBOOL));
+}
+
+void pkcs11_addattr_s(CK_ATTRIBUTE_PTR ap, int type, const char *s)
+{
+        pkcs11_addattr(ap, type, s, s ? strlen(s) : 0); // RFC2279 string an unpadded string of CK_UTF8CHARs with no null-termination
+}
+
+void pkcs11_addattr_bn(CK_ATTRIBUTE_PTR ap, int type, const BIGNUM * bn)
+{
+        unsigned char temp[1024];
+        unsigned int n;
+
+        assert(BN_num_bytes(bn) <= sizeof(temp));
+        n = BN_bn2bin(bn, temp);
+        pkcs11_addattr(ap, type, temp, n);
+}
+
+void pkcs11_addattr_obj(CK_ATTRIBUTE_PTR ap, int type, pkcs11_i2d_fn enc, void *obj)
+{
+        unsigned char *p;
+
+        ap->type = type;
+        ap->ulValueLen = enc(obj, NULL);
+        ap->pValue = p = (unsigned char *) malloc(ap->ulValueLen);
+        enc(obj, &p);
+}
+
+void pkcs11_zap_attrs(CK_ATTRIBUTE_PTR ap, unsigned int n)
+{
+        while (n--) {
+                if (ap[n].pValue)
+                        free(ap[n].pValue);
+        }
+}
diff --git a/src/p11_cert.c b/src/p11_cert.c
new file mode 100644
index 0000000..157bc6b
--- /dev/null
+++ b/src/p11_cert.c
@@ -0,0 +1,258 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+/*
+ * p11_cert.c - Handle certificates residing on a PKCS11 token
+ *
+ * Copyright (C) 2002, Olaf Kirch <okir@lst.de>
+ */
+
+#include <config.h>
+#include <string.h>
+#include "libp11-int.h"
+
+static int pkcs11_find_certs(PKCS11_TOKEN *);
+static int pkcs11_next_cert(PKCS11_CTX *, PKCS11_TOKEN *, CK_SESSION_HANDLE);
+static int pkcs11_init_cert(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
+                            CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o,
+                            PKCS11_CERT **);
+
+static CK_OBJECT_CLASS cert_search_class;
+static CK_ATTRIBUTE cert_search_attrs[] = {
+        {CKA_CLASS, &cert_search_class, sizeof(cert_search_class)},
+};
+#define numof(arr)      (sizeof(arr)/sizeof((arr)[0]))
+
+/*
+ * Enumerate all certs on the card
+ */
+int
+PKCS11_enumerate_certs(PKCS11_TOKEN * token,
+                       PKCS11_CERT ** certp, unsigned int *countp)
+{
+        PKCS11_TOKEN_private *priv = PRIVTOKEN(token);
+
+        if (priv->ncerts < 0) {
+                priv->ncerts = 0;
+                if (pkcs11_find_certs(token)) {
+                        pkcs11_destroy_certs(token);
+                        return -1;
+                }
+        }
+        *certp = priv->certs;
+        *countp = priv->ncerts;
+        return 0;
+}
+
+/*
+ * Find certificate matching a key
+ */
+PKCS11_CERT *PKCS11_find_certificate(PKCS11_KEY * key)
+{
+        PKCS11_KEY_private *kpriv;
+        PKCS11_CERT_private *cpriv;
+        PKCS11_CERT *cert;
+        unsigned int n, count;
+
+        kpriv = PRIVKEY(key);
+        if (PKCS11_enumerate_certs(KEY2TOKEN(key), &cert, &count))
+                return NULL;
+        for (n = 0; n < count; n++, cert++) {
+                cpriv = PRIVCERT(cert);
+                if (cpriv->id_len == kpriv->id_len
+                    && !memcmp(cpriv->id, kpriv->id, kpriv->id_len))
+                        return cert;
+        }
+        return NULL;
+}
+
+/*
+ * Find all certs of a given type (public or private)
+ */
+static int pkcs11_find_certs(PKCS11_TOKEN * token)
+{
+        PKCS11_SLOT *slot = TOKEN2SLOT(token);
+        PKCS11_CTX *ctx = TOKEN2CTX(token);
+        CK_SESSION_HANDLE session;
+        int rv, res = -1;
+
+        /* Make sure we have a session */
+        if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 0))
+                return -1;
+        session = PRIVSLOT(slot)->session;
+
+        /* Tell the PKCS11 lib to enumerate all matching objects */
+        cert_search_class = CKO_CERTIFICATE;
+        rv = CRYPTOKI_call(ctx, C_FindObjectsInit(session, cert_search_attrs,
+                                                  numof(cert_search_attrs)));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_CERTS, rv);
+
+        do {
+                res = pkcs11_next_cert(ctx, token, session);
+        } while (res == 0);
+
+        CRYPTOKI_call(ctx, C_FindObjectsFinal(session));
+        return (res < 0) ? -1 : 0;
+}
+
+static int pkcs11_next_cert(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
+                CK_SESSION_HANDLE session)
+{
+        CK_OBJECT_HANDLE obj;
+        CK_ULONG count;
+        int rv;
+
+        /* Get the next matching object */
+        rv = CRYPTOKI_call(ctx, C_FindObjects(session, &obj, 1, &count));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_CERTS, rv);
+
+        if (count == 0)
+                return 1;
+
+        if (pkcs11_init_cert(ctx, token, session, obj, NULL))
+                return -1;
+
+        return 0;
+}
+
+static int pkcs11_init_cert(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
+         CK_SESSION_HANDLE session, CK_OBJECT_HANDLE obj, PKCS11_CERT ** ret)
+{
+        PKCS11_TOKEN_private *tpriv;
+        PKCS11_CERT_private *kpriv;
+        PKCS11_CERT *cert, *tmp;
+        char label[256], data[2048];
+        unsigned char id[256];
+        CK_CERTIFICATE_TYPE cert_type;
+        size_t size;
+
+        size = sizeof(cert_type);
+        if (pkcs11_getattr_var(token, obj, CKA_CERTIFICATE_TYPE, &cert_type, &size))
+                return -1;
+
+        /* Ignore any certs we don't understand */
+        if (cert_type != CKC_X_509)
+                return 0;
+
+        tpriv = PRIVTOKEN(token);
+        tmp = (PKCS11_CERT *) OPENSSL_realloc(tpriv->certs,
+                                (tpriv->ncerts + 1) * sizeof(PKCS11_CERT));
+        if (!tmp) {
+                free(tpriv->certs);
+                tpriv->certs = NULL;
+                return -1;
+        }
+        tpriv->certs = tmp;
+
+        cert = tpriv->certs + tpriv->ncerts++;
+        memset(cert, 0, sizeof(*cert));
+        cert->_private = kpriv = PKCS11_NEW(PKCS11_CERT_private);
+        kpriv->object = obj;
+        kpriv->parent = token;
+
+        if (!pkcs11_getattr_s(token, obj, CKA_LABEL, label, sizeof(label)))
+                cert->label = BUF_strdup(label);
+        size = sizeof(data);
+        if (!pkcs11_getattr_var(token, obj, CKA_VALUE, data, &size)) {
+                const unsigned char *p = (unsigned char *) data;
+
+                cert->x509 = d2i_X509(NULL, &p, size);
+        }
+        cert->id_len = sizeof(id);
+        if (!pkcs11_getattr_var(token, obj, CKA_ID, id, &cert->id_len)) {
+                cert->id = (unsigned char *) malloc(cert->id_len);
+                memcpy(cert->id, id, cert->id_len);
+        }
+
+        /* Initialize internal information */
+        kpriv->id_len = sizeof(kpriv->id);
+        if (pkcs11_getattr_var(token, obj, CKA_ID, kpriv->id, &kpriv->id_len))
+                kpriv->id_len = 0;
+
+        if (ret)
+                *ret = cert;
+
+        return 0;
+}
+
+/*
+ * Destroy all certs
+ */
+void pkcs11_destroy_certs(PKCS11_TOKEN * token)
+{
+        PKCS11_TOKEN_private *priv = PRIVTOKEN(token);
+
+        while (priv->ncerts > 0) {
+                PKCS11_CERT *cert = &priv->certs[--(priv->ncerts)];
+
+                if (cert->x509)
+                        X509_free(cert->x509);
+                OPENSSL_free(cert->label);
+                if (cert->id)
+                        free(cert->id);
+                if (cert->_private != NULL)
+                        OPENSSL_free(cert->_private);
+        }
+        if (priv->certs)
+                OPENSSL_free(priv->certs);
+        priv->ncerts = -1;
+        priv->certs = NULL;
+}
+
+/*
+ * Store certificate
+ */
+int
+PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509, char *label,
+                         unsigned char *id, size_t id_len,
+                         PKCS11_CERT ** ret_cert)
+{
+        PKCS11_SLOT *slot = TOKEN2SLOT(token);
+        PKCS11_CTX *ctx = TOKEN2CTX(token);
+        CK_SESSION_HANDLE session;
+        CK_OBJECT_HANDLE object;
+        CK_ATTRIBUTE attrs[32];
+        unsigned int n = 0;
+        int rv;
+
+        /* First, make sure we have a session */
+        if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 1))
+                return -1;
+        session = PRIVSLOT(slot)->session;
+
+        /* Now build the template */
+        pkcs11_addattr_int(attrs + n++, CKA_CLASS, CKO_CERTIFICATE);
+        pkcs11_addattr_bool(attrs + n++, CKA_TOKEN, TRUE);
+        pkcs11_addattr_int(attrs + n++, CKA_CERTIFICATE_TYPE, CKC_X_509);
+        pkcs11_addattr_obj(attrs + n++, CKA_VALUE, (pkcs11_i2d_fn) i2d_X509, x509);
+        if (label)
+                pkcs11_addattr_s(attrs + n++, CKA_LABEL, label);
+        if (id && id_len)
+                pkcs11_addattr(attrs + n++, CKA_ID, id, id_len);
+
+        /* Now call the pkcs11 module to create the object */
+        rv = CRYPTOKI_call(ctx, C_CreateObject(session, attrs, n, &object));
+
+        /* Zap all memory allocated when building the template */
+        pkcs11_zap_attrs(attrs, n);
+
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_STORE_CERTIFICATE, rv);
+
+        /* Gobble the key object */
+        return pkcs11_init_cert(ctx, token, session, object, ret_cert);
+}
diff --git a/src/p11_err.c b/src/p11_err.c
new file mode 100644
index 0000000..ef373fd
--- /dev/null
+++ b/src/p11_err.c
@@ -0,0 +1,160 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+#include <config.h>
+#include "libp11-int.h"
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA PKCS11_str_library[] = {
+        {ERR_PACK(ERR_LIB_PKCS11, 0, 0), "PKCS11 library"},
+        {0, NULL}
+};
+
+static ERR_STRING_DATA PKCS11_str_functs[] = {
+        {ERR_PACK(0, PKCS11_F_PKCS11_CTX_LOAD, 0), "PKCS11_CTX_load"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_ENUM_SLOTS, 0), "PKCS11_enum_slots"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_CHECK_TOKEN, 0), "PKCS11_check_token"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_OPEN_SESSION, 0), "PKCS11_open_session"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_LOGIN, 0), "PKCS11_login"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_ENUM_KEYS, 0), "PKCS11_enum_keys"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_GET_KEY, 0), "PKCS11_get_key"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_RSA_DECRYPT, 0), "PKCS11_rsa_decrypt"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_RSA_ENCRYPT, 0), "PKCS11_rsa_encrypt"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_RSA_SIGN, 0), "PKCS11_rsa_sign"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_RSA_VERIFY, 0), "PKCS11_rsa_verify"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_ENUM_CERTS, 0), "PKCS11_enum_certs"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_INIT_TOKEN, 0), "PKCS11_init_token"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_INIT_PIN, 0), "PKCS11_init_pin"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_GETATTR, 0), "PKCS11_get_attribute"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_LOGOUT, 0), "PKCS11_logout"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_STORE_PRIVATE_KEY, 0), "PKCS11_store_private_key"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_GENERATE_KEY, 0), "PKCS11_generate_key"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_STORE_PUBLIC_KEY, 0), "PKCS11_store_public_key"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_STORE_CERTIFICATE, 0), "PKCS11_store_certificate"},
+        {ERR_PACK(0, PKCS11_F_PKCS11_CHANGE_PIN, 0), "PKCS11_change_pin"},
+        {0, NULL}
+};
+
+static ERR_STRING_DATA PKCS11_str_reasons[] = {
+        {PKCS11_LOAD_MODULE_ERROR, "Unable to load PKCS#11 module"},
+        {PKCS11_MODULE_LOADED_ERROR, "Already loaded module for PKCS11 context"},
+        {PKCS11_SYMBOL_NOT_FOUND_ERROR, "Symbol not found in PKCS#11 module"},
+        {PKCS11_NOT_SUPPORTED, "Not supported"},
+        {PKCS11_NO_SESSION, "No session open"},
+        {CKR_CANCEL, "Cancel"},
+        {CKR_HOST_MEMORY, "Host memory error"},
+        {CKR_SLOT_ID_INVALID, "Invalid slot ID"},
+        {CKR_GENERAL_ERROR, "General Error"},
+        {CKR_FUNCTION_FAILED, "Function failed"},
+        {CKR_ARGUMENTS_BAD, "Invalid arguments"},
+        {CKR_NO_EVENT, "No event"},
+        {CKR_NEED_TO_CREATE_THREADS, "Need to create threads"},
+        {CKR_CANT_LOCK, "Cannott lock"},
+        {CKR_ATTRIBUTE_READ_ONLY, "Attribute read only"},
+        {CKR_ATTRIBUTE_SENSITIVE, "Attribute sensitive"},
+        {CKR_ATTRIBUTE_TYPE_INVALID, "Attribute type invalid"},
+        {CKR_ATTRIBUTE_VALUE_INVALID, "Attribute value invalid"},
+        {CKR_DATA_INVALID, "Data invalid"},
+        {CKR_DATA_LEN_RANGE, "Data len range"},
+        {CKR_DEVICE_ERROR, "Device error"},
+        {CKR_DEVICE_MEMORY, "Device memory"},
+        {CKR_DEVICE_REMOVED, "Device removed"},
+        {CKR_ENCRYPTED_DATA_INVALID, "Encrypted data invalid"},
+        {CKR_ENCRYPTED_DATA_LEN_RANGE, "Encrypted data len range"},
+        {CKR_FUNCTION_CANCELED, "Function canceled"},
+        {CKR_FUNCTION_NOT_PARALLEL, "Function not parallel"},
+        {CKR_FUNCTION_NOT_SUPPORTED, "Function not supported"},
+        {CKR_KEY_HANDLE_INVALID, "Key handle invalid"},
+        {CKR_KEY_SIZE_RANGE, "Key size range"},
+        {CKR_KEY_TYPE_INCONSISTENT, "Key type inconsistent"},
+        {CKR_KEY_NOT_NEEDED, "Key not needed"},
+        {CKR_KEY_CHANGED, "Key changed"},
+        {CKR_KEY_NEEDED, "Key needed"},
+        {CKR_KEY_INDIGESTIBLE, "Key indigestible"},
+        {CKR_KEY_FUNCTION_NOT_PERMITTED, "Key function not permitted"},
+        {CKR_KEY_NOT_WRAPPABLE, "Key not wrappable"},
+        {CKR_KEY_UNEXTRACTABLE, "Key unextractable"},
+        {CKR_MECHANISM_INVALID, "Mechanism invalid"},
+        {CKR_MECHANISM_PARAM_INVALID, "Mechanism param invalid"},
+        {CKR_OBJECT_HANDLE_INVALID, "Object handle invalid"},
+        {CKR_OPERATION_ACTIVE, "Operation active"},
+        {CKR_OPERATION_NOT_INITIALIZED, "Operation not initialized"},
+        {CKR_PIN_INCORRECT, "PIN incorrect"},
+        {CKR_PIN_INVALID, "PIN invalid"},
+        {CKR_PIN_LEN_RANGE, "Invalid PIN length"},
+        {CKR_PIN_EXPIRED, "PIN expired"},
+        {CKR_PIN_LOCKED, "PIN locked"},
+        {CKR_SESSION_CLOSED, "Session closed"},
+        {CKR_SESSION_COUNT, "Session count"},
+        {CKR_SESSION_HANDLE_INVALID, "Session handle invalid"},
+        {CKR_SESSION_PARALLEL_NOT_SUPPORTED, "Session parallel not supported"},
+        {CKR_SESSION_READ_ONLY, "Session read only"},
+        {CKR_SESSION_EXISTS, "Session exists"},
+        {CKR_SESSION_READ_ONLY_EXISTS, "Read-only session exists"},
+        {CKR_SESSION_READ_WRITE_SO_EXISTS, "Read/write SO session exists"},
+        {CKR_SIGNATURE_INVALID, "Signature invalid"},
+        {CKR_SIGNATURE_LEN_RANGE, "Signature len range"},
+        {CKR_TEMPLATE_INCOMPLETE, "Incomplete template"},
+        {CKR_TEMPLATE_INCONSISTENT, "Inconsistent template"},
+        {CKR_TOKEN_NOT_PRESENT, "No PKCS#11 token present"},
+        {CKR_TOKEN_NOT_RECOGNIZED, "PKCS#11 token not recognized"},
+        {CKR_TOKEN_WRITE_PROTECTED, "Token write protected"},
+        {CKR_UNWRAPPING_KEY_HANDLE_INVALID, "Unwrapping key handle invalid"},
+        {CKR_UNWRAPPING_KEY_SIZE_RANGE, "Unwrapping key size range"},
+        {CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, "Unwrapping key type inconsistent"},
+        {CKR_USER_ALREADY_LOGGED_IN, "User already logged in"},
+        {CKR_USER_NOT_LOGGED_IN, "User not logged in"},
+        {CKR_USER_PIN_NOT_INITIALIZED, "User pin not initialized"},
+        {CKR_USER_TYPE_INVALID, "User type invalid"},
+        {CKR_USER_ANOTHER_ALREADY_LOGGED_IN, "User another is already logged in"},
+        {CKR_USER_TOO_MANY_TYPES, "User too many types"},
+        {CKR_WRAPPED_KEY_INVALID, "Wrapped key invalid"},
+        {CKR_WRAPPED_KEY_LEN_RANGE, "Wrapped key len range"},
+        {CKR_WRAPPING_KEY_HANDLE_INVALID, "Wrapping key handle invalid"},
+        {CKR_WRAPPING_KEY_SIZE_RANGE, "Wrapping key size range"},
+        {CKR_WRAPPING_KEY_TYPE_INCONSISTENT, "Wrapping key type inconsistent"},
+        {CKR_RANDOM_SEED_NOT_SUPPORTED, "Random seed not supported"},
+        {CKR_RANDOM_NO_RNG, "Random no rng"},
+        {CKR_DOMAIN_PARAMS_INVALID, "Domain params invalid"},
+        {CKR_BUFFER_TOO_SMALL, "Buffer too small"},
+        {CKR_SAVED_STATE_INVALID, "Saved state invalid"},
+        {CKR_INFORMATION_SENSITIVE, "Information sensitive"},
+        {CKR_STATE_UNSAVEABLE, "State unsaveable"},
+        {CKR_CRYPTOKI_NOT_INITIALIZED, "Cryptoki not initialized"},
+        {CKR_CRYPTOKI_ALREADY_INITIALIZED, "Cryptoki already initialized"},
+        {CKR_MUTEX_BAD, "Mutex bad"},
+        {CKR_MUTEX_NOT_LOCKED, "Mutex not locked"},
+        {CKR_VENDOR_DEFINED, "Vendor defined"},
+        {0, NULL}
+};
+#endif
+
+void ERR_load_PKCS11_strings(void)
+{
+        static int init = 1;
+
+        if (init) {
+                init = 0;
+#ifndef NO_ERR
+                ERR_load_strings(0, PKCS11_str_library);
+                ERR_load_strings(ERR_LIB_PKCS11, PKCS11_str_functs);
+                ERR_load_strings(ERR_LIB_PKCS11, PKCS11_str_reasons);
+#endif
+        }
+}
diff --git a/src/p11_key.c b/src/p11_key.c
new file mode 100644
index 0000000..f9672fc
--- /dev/null
+++ b/src/p11_key.c
@@ -0,0 +1,470 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+#include <config.h>
+#include <string.h>
+#include "libp11-int.h"
+
+#ifdef _WIN32
+#define strncasecmp strnicmp
+#endif
+
+static int pkcs11_find_keys(PKCS11_TOKEN *, unsigned int);
+static int pkcs11_next_key(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
+                           CK_SESSION_HANDLE session, CK_OBJECT_CLASS type);
+static int pkcs11_init_key(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
+                           CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o,
+                           CK_OBJECT_CLASS type, PKCS11_KEY **);
+static int pkcs11_store_private_key(PKCS11_TOKEN *, EVP_PKEY *, char *,
+                                    unsigned char *, size_t, PKCS11_KEY **);
+static int pkcs11_store_public_key(PKCS11_TOKEN *, EVP_PKEY *, char *,
+                                   unsigned char *, size_t, PKCS11_KEY **);
+
+static CK_OBJECT_CLASS key_search_class;
+static CK_ATTRIBUTE key_search_attrs[] = {
+        {CKA_CLASS, &key_search_class, sizeof(key_search_class)},
+};
+#define numof(arr)      (sizeof(arr)/sizeof((arr)[0]))
+#define MAX_VALUE_LEN     200
+
+/*
+ * Enumerate all keys on the card
+ * For now, we enumerate just the private keys.
+ */
+int
+PKCS11_enumerate_keys(PKCS11_TOKEN * token, PKCS11_KEY ** keyp, unsigned int *countp)
+{
+        PKCS11_TOKEN_private *priv = PRIVTOKEN(token);
+
+        if (priv->nkeys < 0) {
+                priv->nkeys = 0;
+                if (pkcs11_find_keys(token, CKO_PRIVATE_KEY)) {
+                        pkcs11_destroy_keys(token);
+                        return -1;
+                }
+                priv->nprkeys = priv->nkeys;
+                if (pkcs11_find_keys(token, CKO_PUBLIC_KEY)) {
+                        pkcs11_destroy_keys(token);
+                        return -1;
+                }
+        }
+        *keyp = priv->keys;
+        *countp = priv->nprkeys;
+        return 0;
+}
+
+/*
+ * Find key matching a certificate
+ */
+PKCS11_KEY *PKCS11_find_key(PKCS11_CERT *cert)
+{
+        PKCS11_CERT_private *cpriv;
+        PKCS11_KEY_private *kpriv;
+        PKCS11_KEY *key;
+        unsigned int n, count;
+
+        cpriv = PRIVCERT(cert);
+        if (PKCS11_enumerate_keys(CERT2TOKEN(cert), &key, &count))
+                return NULL;
+        for (n = 0; n < count; n++, key++) {
+                kpriv = PRIVKEY(key);
+                if (cpriv->id_len == kpriv->id_len
+                    && !memcmp(cpriv->id, kpriv->id, cpriv->id_len))
+                        return key;
+        }
+        return NULL;
+}
+
+/*
+ * Store a private key on the token
+ */
+int PKCS11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len)
+{
+        if (pkcs11_store_private_key(token, pk, label, id, id_len, NULL))
+                return -1;
+        return 0;
+}
+
+int PKCS11_store_public_key(PKCS11_TOKEN * token, EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len)
+{
+        if (pkcs11_store_public_key(token, pk, label, id, id_len, NULL))
+                return -1;
+        return 0;
+}
+
+/*
+ * Generate and store a private key on the token
+ * FIXME: We should check first whether the token supports
+ * on-board key generation, and if it does, use its own algorithm
+ */
+int
+PKCS11_generate_key(PKCS11_TOKEN * token,
+                    int algorithm, unsigned int bits, char *label, unsigned char* id, size_t id_len)
+{
+        PKCS11_KEY *key_obj;
+        EVP_PKEY *pk;
+        RSA *rsa;
+        BIO *err;
+        int rc;
+
+        if (algorithm != EVP_PKEY_RSA) {
+                PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_NOT_SUPPORTED);
+                return -1;
+        }
+
+        err = BIO_new_fp(stderr, BIO_NOCLOSE);
+        rsa = RSA_generate_key(bits, 0x10001, NULL, err);
+        BIO_free(err);
+        if (rsa == NULL) {
+                PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_KEYGEN_FAILED);
+                return -1;
+        }
+
+        pk = EVP_PKEY_new();
+        EVP_PKEY_assign_RSA(pk, rsa);
+        rc = pkcs11_store_private_key(token, pk, label, id, id_len, &key_obj);
+
+        if (rc == 0) {
+                PKCS11_KEY_private *kpriv;
+
+                kpriv = PRIVKEY(key_obj);
+                rc = pkcs11_store_public_key(token, pk, label,
+                                             kpriv->id, kpriv->id_len, NULL);
+        }
+        EVP_PKEY_free(pk);
+        return rc;
+}
+
+/*
+ * Get the key type
+ */
+int PKCS11_get_key_type(PKCS11_KEY * key)
+{
+        PKCS11_KEY_private *priv = PRIVKEY(key);
+
+        return priv->ops->type;
+}
+
+/*
+ * Create a key object that will allow an OpenSSL application
+ * to use the token via an EVP_PKEY
+ */
+EVP_PKEY *PKCS11_get_private_key(PKCS11_KEY * key)
+{
+        PKCS11_KEY_private *priv = PRIVKEY(key);
+
+        if (key->evp_key == NULL) {
+                EVP_PKEY *pk = EVP_PKEY_new();
+                if (pk == NULL)
+                        return NULL;
+                if (priv->ops->get_private(key, pk)
+                    || priv->ops->get_public(key, pk)) {
+                        EVP_PKEY_free(pk);
+                        return NULL;
+                }
+                key->evp_key = pk;
+        }
+
+        return key->evp_key;
+}
+
+EVP_PKEY *PKCS11_get_public_key(PKCS11_KEY * key)
+{
+        return PKCS11_get_private_key(key);
+}
+
+
+/*
+ * Find all keys of a given type (public or private)
+ */
+static int pkcs11_find_keys(PKCS11_TOKEN * token, unsigned int type)
+{
+        PKCS11_SLOT *slot = TOKEN2SLOT(token);
+        PKCS11_CTX *ctx = TOKEN2CTX(token);
+        CK_SESSION_HANDLE session;
+        int rv, res = -1;
+
+        /* Make sure we have a session */
+        if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 0))
+                return -1;
+        session = PRIVSLOT(slot)->session;
+
+        /* Tell the PKCS11 lib to enumerate all matching objects */
+        key_search_class = type;
+        rv = CRYPTOKI_call(ctx, C_FindObjectsInit(session, key_search_attrs,
+                                                  numof(key_search_attrs)));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
+
+        do {
+                res = pkcs11_next_key(ctx, token, session, type);
+        } while (res == 0);
+
+        CRYPTOKI_call(ctx, C_FindObjectsFinal(session));
+        return (res < 0) ? -1 : 0;
+}
+
+static int pkcs11_next_key(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
+                CK_SESSION_HANDLE session, CK_OBJECT_CLASS type)
+{
+        CK_OBJECT_HANDLE obj;
+        CK_ULONG count;
+        int rv;
+
+        /* Get the next matching object */
+        rv = CRYPTOKI_call(ctx, C_FindObjects(session, &obj, 1, &count));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
+
+        if (count == 0)
+                return 1;
+
+        if (pkcs11_init_key(ctx, token, session, obj, type, NULL))
+                return -1;
+
+        return 0;
+}
+
+static int pkcs11_init_key(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
+                CK_SESSION_HANDLE session, CK_OBJECT_HANDLE obj,
+                CK_OBJECT_CLASS type, PKCS11_KEY ** ret)
+{
+        PKCS11_TOKEN_private *tpriv;
+        PKCS11_KEY_private *kpriv;
+        PKCS11_KEY *key, *tmp;
+        char label[256];
+        unsigned char id[256];
+        CK_KEY_TYPE key_type;
+        PKCS11_KEY_ops *ops;
+        size_t size;
+
+        size = sizeof(key_type);
+        if (pkcs11_getattr_var(token, obj, CKA_KEY_TYPE, &key_type, &size))
+                return -1;
+
+        switch (key_type) {
+        case CKK_RSA:
+                ops = &pkcs11_rsa_ops;
+                break;
+        default:
+                /* Ignore any keys we don't understand */
+                return 0;
+        }
+
+        tpriv = PRIVTOKEN(token);
+        tmp = (PKCS11_KEY *) OPENSSL_realloc(tpriv->keys,
+                                (tpriv->nkeys + 1) * sizeof(PKCS11_KEY));
+        if (!tmp) {
+                free(tpriv->keys);
+                tpriv->keys = NULL;
+                return -1;
+        }
+        tpriv->keys = tmp;
+
+        key = tpriv->keys + tpriv->nkeys++;
+        memset(key, 0, sizeof(*key));
+        key->_private = kpriv = PKCS11_NEW(PKCS11_KEY_private);
+        kpriv->object = obj;
+        kpriv->parent = token;
+
+        if (!pkcs11_getattr_s(token, obj, CKA_LABEL, label, sizeof(label)))
+                key->label = BUF_strdup(label);
+        key->id_len = sizeof(id);
+        if (!pkcs11_getattr_var(token, obj, CKA_ID, id, &key->id_len)) {
+                key->id = (unsigned char *) malloc(key->id_len);
+                memcpy(key->id, id, key->id_len);
+        }
+        key->isPrivate = (type == CKO_PRIVATE_KEY);
+
+        /* Initialize internal information */
+        kpriv->id_len = sizeof(kpriv->id);
+        if (pkcs11_getattr_var(token, obj, CKA_ID, kpriv->id, &kpriv->id_len))
+                kpriv->id_len = 0;
+        kpriv->ops = ops;
+
+        if (ret)
+                *ret = key;
+        return 0;
+}
+
+/*
+ * Destroy all keys
+ */
+void pkcs11_destroy_keys(PKCS11_TOKEN * token)
+{
+        PKCS11_TOKEN_private *priv = PRIVTOKEN(token);
+
+        while (priv->nkeys > 0) {
+                PKCS11_KEY *key = &priv->keys[--(priv->nkeys)];
+
+                if (key->evp_key)
+                        EVP_PKEY_free(key->evp_key);
+                OPENSSL_free(key->label);
+                if (key->id)
+                        free(key->id);
+                if (key->_private != NULL)
+                        OPENSSL_free(key->_private);
+        }
+        if (priv->keys)
+                OPENSSL_free(priv->keys);
+        priv->nprkeys = -1;
+        priv->nkeys = -1;
+        priv->keys = NULL;
+}
+
+/*
+ * Store private key
+ */
+static int pkcs11_store_private_key(PKCS11_TOKEN * token, EVP_PKEY * pk,
+                char *label, unsigned char *id, size_t id_len,
+                PKCS11_KEY ** ret_key)
+{
+        PKCS11_SLOT *slot = TOKEN2SLOT(token);
+        PKCS11_CTX *ctx = TOKEN2CTX(token);
+        CK_SESSION_HANDLE session;
+        CK_OBJECT_HANDLE object;
+        CK_ATTRIBUTE attrs[32];
+        unsigned int n = 0;
+        int rv;
+
+        /* First, make sure we have a session */
+        if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 1))
+                return -1;
+        session = PRIVSLOT(slot)->session;
+
+        /* Now build the key attrs */
+        if (pk->type == EVP_PKEY_RSA) {
+                RSA *rsa = EVP_PKEY_get1_RSA(pk);
+
+                pkcs11_addattr_int(attrs + n++, CKA_CLASS, CKO_PRIVATE_KEY);
+                pkcs11_addattr_int(attrs + n++, CKA_KEY_TYPE, CKK_RSA);
+
+                pkcs11_addattr_bool(attrs + n++, CKA_TOKEN, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_PRIVATE, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_SENSITIVE, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_DECRYPT, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_SIGN, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_UNWRAP, TRUE);
+
+                pkcs11_addattr_bn(attrs + n++, CKA_MODULUS, rsa->n);
+                pkcs11_addattr_bn(attrs + n++, CKA_PUBLIC_EXPONENT, rsa->e);
+                pkcs11_addattr_bn(attrs + n++, CKA_PRIVATE_EXPONENT, rsa->d);
+                pkcs11_addattr_bn(attrs + n++, CKA_PRIME_1, rsa->p);
+                pkcs11_addattr_bn(attrs + n++, CKA_PRIME_2, rsa->q);
+
+                if (label)
+                        pkcs11_addattr_s(attrs + n++, CKA_LABEL, label);
+                if (id && id_len)
+                        pkcs11_addattr(attrs + n++, CKA_ID, id, id_len);
+
+        } else {
+                PKCS11err(PKCS11_F_PKCS11_STORE_PRIVATE_KEY, PKCS11_NOT_SUPPORTED);
+                return -1;
+        }
+
+        /* Now call the pkcs11 module to create the object */
+        rv = CRYPTOKI_call(ctx, C_CreateObject(session, attrs, n, &object));
+
+        /* Zap all memory allocated when building the template */
+        pkcs11_zap_attrs(attrs, n);
+
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_STORE_PRIVATE_KEY, rv);
+
+        /* Gobble the key object */
+        return pkcs11_init_key(ctx, token, session, object,
+                               CKO_PRIVATE_KEY, ret_key);
+}
+
+/*
+ * Store public key
+ */
+static int pkcs11_store_public_key(PKCS11_TOKEN * token, EVP_PKEY * pk,
+                char *label, unsigned char *id, size_t id_len,
+                PKCS11_KEY ** ret_key)
+{
+        PKCS11_SLOT *slot = TOKEN2SLOT(token);
+        PKCS11_CTX *ctx = TOKEN2CTX(token);
+        CK_SESSION_HANDLE session;
+        CK_OBJECT_HANDLE object;
+        CK_ATTRIBUTE attrs[32];
+        unsigned int n = 0;
+        int rv;
+
+        /* First, make sure we have a session */
+        if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 1))
+                return -1;
+        session = PRIVSLOT(slot)->session;
+
+        /* Now build the key attrs */
+        if (pk->type == EVP_PKEY_RSA) {
+                RSA *rsa = EVP_PKEY_get1_RSA(pk);
+
+                pkcs11_addattr_int(attrs + n++, CKA_CLASS, CKO_PUBLIC_KEY);
+                pkcs11_addattr_int(attrs + n++, CKA_KEY_TYPE, CKK_RSA);
+
+                pkcs11_addattr_bool(attrs + n++, CKA_TOKEN, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_ENCRYPT, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_VERIFY, TRUE);
+                pkcs11_addattr_bool(attrs + n++, CKA_WRAP, TRUE);
+
+                pkcs11_addattr_bn(attrs + n++, CKA_MODULUS, rsa->n);
+                pkcs11_addattr_bn(attrs + n++, CKA_PUBLIC_EXPONENT, rsa->e);
+                if (label)
+                        pkcs11_addattr_s(attrs + n++, CKA_LABEL, label);
+                if (id && id_len)
+                        pkcs11_addattr(attrs + n++, CKA_ID, id, id_len);
+        } else {
+                PKCS11err(PKCS11_F_PKCS11_STORE_PUBLIC_KEY, PKCS11_NOT_SUPPORTED);
+                return -1;
+        }
+
+        /* Now call the pkcs11 module to create the object */
+        rv = CRYPTOKI_call(ctx, C_CreateObject(session, attrs, n, &object));
+
+        /* Zap all memory allocated when building the template */
+        pkcs11_zap_attrs(attrs, n);
+
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_STORE_PUBLIC_KEY, rv);
+
+        /* Gobble the key object */
+        return pkcs11_init_key(ctx, token, session, object, CKO_PUBLIC_KEY, ret_key);
+}
+int PKCS11_get_key_modulus(PKCS11_KEY * key, BIGNUM **bn) 
+{
+        
+        if (pkcs11_getattr_bn(KEY2TOKEN(key), PRIVKEY(key)->object, CKA_MODULUS, bn))
+                return 0;
+        return 1;
+}
+int PKCS11_get_key_exponent(PKCS11_KEY * key, BIGNUM **bn) 
+{
+        
+        if (pkcs11_getattr_bn(KEY2TOKEN(key), PRIVKEY(key)->object, CKA_PUBLIC_EXPONENT, bn))
+                return 0;
+        return 1;
+}
+
+
+int PKCS11_get_key_size(const PKCS11_KEY * key) 
+{
+        BIGNUM* n = NULL;
+        int     numbytes = 0;
+        if(key_getattr_bn(key, CKA_MODULUS, &n))
+                return 0;
+        numbytes = BN_num_bytes(n);
+        BN_free(n);
+        return numbytes;
+}
diff --git a/src/p11_load.c b/src/p11_load.c
new file mode 100644
index 0000000..d315aa6
--- /dev/null
+++ b/src/p11_load.c
@@ -0,0 +1,125 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+#include <config.h>
+#include <string.h>
+#include "libp11-int.h"
+
+static void *handle = NULL;
+
+/*
+ * Create a new context
+ */
+PKCS11_CTX *PKCS11_CTX_new(void)
+{
+        PKCS11_CTX_private *priv;
+        PKCS11_CTX *ctx;
+
+        /* Load error strings */
+        ERR_load_PKCS11_strings();
+
+        priv = PKCS11_NEW(PKCS11_CTX_private);
+        ctx = PKCS11_NEW(PKCS11_CTX);
+        ctx->_private = priv;
+
+        return ctx;
+}
+
+/*
+ * Set private init args for module
+ */
+void PKCS11_CTX_init_args(PKCS11_CTX * ctx, const char *init_args)
+{
+        PKCS11_CTX_private *priv = PRIVCTX(ctx);
+        priv->init_args = init_args ? strdup(init_args) : NULL;
+}
+
+/*
+ * Load the shared library, and initialize it.
+ */
+int PKCS11_CTX_load(PKCS11_CTX * ctx, const char *name)
+{
+        PKCS11_CTX_private *priv = PRIVCTX(ctx);
+        CK_C_INITIALIZE_ARGS _args;
+        CK_C_INITIALIZE_ARGS *args = NULL;
+        CK_INFO ck_info;
+        int rv;
+
+        if (priv->libinfo != NULL) {
+                PKCS11err(PKCS11_F_PKCS11_CTX_LOAD, PKCS11_MODULE_LOADED_ERROR);
+                return -1;
+        }
+        handle = C_LoadModule(name, &priv->method);
+        if (!handle) {
+                PKCS11err(PKCS11_F_PKCS11_CTX_LOAD, PKCS11_LOAD_MODULE_ERROR);
+                return -1;
+        }
+
+        /* Tell the PKCS11 to initialize itself */
+        if (priv->init_args != NULL) {
+                memset(&_args, 0, sizeof(_args));
+                args = &_args;
+                args->pReserved = priv->init_args;
+        }
+        rv = priv->method->C_Initialize(args);
+        if (rv && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) {
+                PKCS11err(PKCS11_F_PKCS11_CTX_LOAD, rv);
+                return -1;
+        }
+
+        /* Get info on the library */
+        rv = priv->method->C_GetInfo(&ck_info);
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_CTX_LOAD, rv);
+
+        ctx->manufacturer = PKCS11_DUP(ck_info.manufacturerID);
+        ctx->description = PKCS11_DUP(ck_info.libraryDescription);
+
+        return 0;
+}
+
+/*
+ * Unload the shared library
+ */
+void PKCS11_CTX_unload(PKCS11_CTX * ctx)
+{
+        PKCS11_CTX_private *priv;
+        priv = PRIVCTX(ctx);
+
+        /* Tell the PKCS11 library to shut down */
+        priv->method->C_Finalize(NULL);
+
+        /* Unload the module */
+        C_UnloadModule(handle);
+}
+
+/*
+ * Free a context
+ */
+void PKCS11_CTX_free(PKCS11_CTX * ctx)
+{
+        /* Do not remove the strings since OpenSSL strings may still be used by
+         * the application and we can't know
+
+        ERR_free_strings();
+        ERR_remove_state(0);
+        */
+        OPENSSL_free(ctx->manufacturer);
+        OPENSSL_free(ctx->description);
+        OPENSSL_free(ctx->_private);
+        OPENSSL_free(ctx);
+}
diff --git a/src/p11_misc.c b/src/p11_misc.c
new file mode 100644
index 0000000..bfbfce9
--- /dev/null
+++ b/src/p11_misc.c
@@ -0,0 +1,63 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+#include <config.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include "libp11-int.h"
+
+void *pkcs11_malloc(size_t size)
+{
+        void *p = OPENSSL_malloc(size);
+        if (p == NULL)
+                return NULL;
+        memset(p, 0, size);
+        return p;
+}
+
+/* PKCS11 strings are fixed size blank padded,
+ * so when strduping them we must make sure
+ * we stop at the end of the buffer, and while we're
+ * at it it's nice to remove the padding */
+char *pkcs11_strdup(char *mem, size_t size)
+{
+        char *res;
+
+        while (size && mem[size - 1] == ' ')
+                size--;
+        res = (char *) OPENSSL_malloc(size + 1);
+        if (res == NULL)
+                return NULL;
+        memcpy(res, mem, size);
+        res[size] = '\0';
+        return res;
+}
+
+/*
+ * Dup memory
+ */
+void *memdup(const void *src, size_t size)
+{
+        void *dst;
+
+        dst = malloc(size);
+        if (dst == NULL)
+                return NULL;
+        memcpy(dst, src, size);
+        return dst;
+}
diff --git a/src/p11_ops.c b/src/p11_ops.c
new file mode 100644
index 0000000..fb6ad8f
--- /dev/null
+++ b/src/p11_ops.c
@@ -0,0 +1,191 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ * Copyright (C) 2005 Kevin Stefanik <kstef@mtppi.org>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+
+/* this file does certain cryptographic operations via the pkcs11 library */
+
+#include <config.h>
+#include <string.h>
+#include "libp11-int.h"
+
+int
+PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key)
+{
+        int rv, ssl = ((type == NID_md5_sha1) ? 1 : 0);
+        unsigned char *encoded = NULL;
+        int sigsize;
+
+        if (key == NULL)
+                return 0;
+
+        sigsize = PKCS11_get_key_size(key);
+
+        if (ssl) {
+                if((m_len != 36) /* SHA1 + MD5 */ ||
+                   ((m_len + RSA_PKCS1_PADDING_SIZE) > sigsize)) {
+                        return(0); /* the size is wrong */
+                }
+        } else {
+                ASN1_TYPE parameter = { V_ASN1_NULL, { NULL } };
+                ASN1_STRING digest = { m_len, V_ASN1_OCTET_STRING, (unsigned char *)m };
+                X509_ALGOR algor = { NULL, &parameter };
+                X509_SIG digest_info = { &algor, &digest };
+                int size;
+                /* Fetch the OID of the algorithm used */
+                if((algor.algorithm = OBJ_nid2obj(type)) && 
+                   (algor.algorithm->length) &&
+                   /* Get the size of the encoded DigestInfo */
+                   (size = i2d_X509_SIG(&digest_info, NULL)) &&
+                   /* Check that size is compatible with PKCS#11 padding */
+                   (size + RSA_PKCS1_PADDING_SIZE <= sigsize) &&
+                   (encoded = (unsigned char *) malloc(sigsize))) {
+                        unsigned char *tmp = encoded;
+                        /* Actually do the encoding */
+                        i2d_X509_SIG(&digest_info,&tmp);
+                        m = encoded;
+                        m_len = size;
+                } else {
+                        return(0);
+                }
+        }
+
+        rv = PKCS11_private_encrypt(m_len, m, sigret, key, RSA_PKCS1_PADDING);
+
+        if (rv <= 0)
+                rv = 0;
+        else {
+                *siglen = rv;
+                rv = 1;
+        }
+
+        if (encoded != NULL)  /* NULL on SSL case */
+                free(encoded);
+
+        return rv;
+}
+
+int
+PKCS11_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
+                   const PKCS11_KEY * key, int padding)
+{
+        PKCS11_KEY_private *priv;
+        PKCS11_SLOT *slot;
+        PKCS11_CTX *ctx;
+        CK_SESSION_HANDLE session;
+        CK_MECHANISM mechanism;
+        int rv;
+        int sigsize;
+        CK_ULONG ck_sigsize;
+
+        if (key == NULL)
+                return -1;
+
+        if (padding != RSA_PKCS1_PADDING) {
+                printf("pkcs11 engine: only RSA_PKCS1_PADDING allowed so far\n");
+                return -1;
+        }
+
+        ctx = KEY2CTX(key);
+        priv = PRIVKEY(key);
+        slot = TOKEN2SLOT(priv->parent);
+        session = PRIVSLOT(slot)->session;
+
+        sigsize=PKCS11_get_key_size(key);
+        ck_sigsize=sigsize;
+
+        if ((flen + RSA_PKCS1_PADDING_SIZE) > sigsize) {
+                return -1; /* the size is wrong */
+        }
+
+        memset(&mechanism, 0, sizeof(mechanism));
+        mechanism.mechanism = CKM_RSA_PKCS;
+
+        /* API is somewhat fishy here. *siglen is 0 on entry (cleared
+         * by OpenSSL). The library assumes that the memory passed
+         * by the caller is always big enough */
+        if((rv = CRYPTOKI_call(ctx, C_SignInit
+                               (session, &mechanism, priv->object))) == 0) {
+                rv = CRYPTOKI_call(ctx, C_Sign
+                                   (session, (CK_BYTE *) from, flen,
+                                    to, &ck_sigsize));
+        }
+
+        if (rv) {
+                PKCS11err(PKCS11_F_PKCS11_RSA_SIGN, pkcs11_map_err(rv));
+                return -1;
+        }
+
+        if (sigsize != ck_sigsize)
+                return -1;
+
+        return sigsize;
+}
+
+int
+PKCS11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
+                   PKCS11_KEY * key, int padding)
+{
+        CK_RV rv;
+        PKCS11_KEY_private *priv;
+        PKCS11_SLOT *slot;
+        PKCS11_CTX *ctx;
+        CK_SESSION_HANDLE session;
+        CK_MECHANISM mechanism;
+        CK_ULONG size = flen;
+                                                                
+        if (padding != RSA_PKCS1_PADDING) {
+                        printf("pkcs11 engine: only RSA_PKCS1_PADDING allowed so far\n");
+                        return -1;
+        }
+        if (key == NULL)
+                        return -1;
+
+        /* PKCS11 calls go here */
+                                                                                
+        ctx = KEY2CTX(key);
+        priv = PRIVKEY(key);
+        slot = TOKEN2SLOT(priv->parent);
+        session = PRIVSLOT(slot)->session;
+        memset(&mechanism, 0, sizeof(mechanism));
+        mechanism.mechanism = CKM_RSA_PKCS;
+
+        if( (rv = CRYPTOKI_call(ctx, C_DecryptInit(session, &mechanism, priv->object))) == 0) {
+                rv = CRYPTOKI_call(ctx, C_Decrypt
+                           (session, (CK_BYTE *) from, (CK_ULONG)flen,
+                            (CK_BYTE_PTR)to, &size));
+        }
+
+        if (rv) {
+                PKCS11err(PKCS11_F_PKCS11_RSA_DECRYPT, pkcs11_map_err(rv));
+        }
+
+        return (rv) ? 0 : size;
+}
+
+int
+PKCS11_verify(int type, const unsigned char *m, unsigned int m_len,
+                  unsigned char *signature, unsigned int siglen, PKCS11_KEY * key)
+{
+
+        /* PKCS11 calls go here */
+        PKCS11err(PKCS11_F_PKCS11_RSA_VERIFY, PKCS11_NOT_SUPPORTED);
+        return -1;
+}
+
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
new file mode 100644
index 0000000..fa36160
--- /dev/null
+++ b/src/p11_rsa.c
@@ -0,0 +1,158 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+/*
+ * This file implements the handling of RSA keys stored on a
+ * PKCS11 token
+ */
+
+#include <config.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include "libp11-int.h"
+
+static int pkcs11_get_rsa_public(PKCS11_KEY *, EVP_PKEY *);
+static int pkcs11_get_rsa_private(PKCS11_KEY *, EVP_PKEY *);
+
+
+/*
+ * Get RSA key material
+ */
+static int pkcs11_get_rsa_private(PKCS11_KEY * key, EVP_PKEY * pk)
+{
+        CK_BBOOL sensitive, extractable;
+        RSA *rsa;
+
+        if (!(rsa = EVP_PKEY_get1_RSA(pk))) {
+                ERR_clear_error();      /* the above flags an error */
+                rsa = RSA_new();
+                EVP_PKEY_set1_RSA(pk, rsa);
+        }
+
+        if (key_getattr(key, CKA_SENSITIVE, &sensitive, sizeof(sensitive))
+            || key_getattr(key, CKA_EXTRACTABLE, &extractable, sizeof(extractable))) {
+                RSA_free(rsa);
+                return -1;
+        }
+
+        if (key_getattr_bn(key, CKA_MODULUS, &rsa->n) ||
+            key_getattr_bn(key, CKA_PUBLIC_EXPONENT, &rsa->e)) {
+                RSA_free(rsa);
+                return -1;
+        }
+
+        /* If the key is not extractable, create a key object
+         * that will use the card's functions to sign & decrypt */
+        if (sensitive || !extractable) {
+                RSA_set_method(rsa, PKCS11_get_rsa_method());
+                rsa->flags |= RSA_FLAG_SIGN_VER;
+                RSA_set_app_data(rsa, key);
+
+                RSA_free(rsa);
+                return 0;
+        }
+
+        /* TBD - extract RSA private key. */
+        /* In the mean time let's use the card anyway */
+        RSA_set_method(rsa, PKCS11_get_rsa_method());
+        rsa->flags |= RSA_FLAG_SIGN_VER;
+        RSA_set_app_data(rsa, key);
+
+        RSA_free(rsa);
+
+        return 0;
+        /*
+        PKCS11err(PKCS11_F_PKCS11_GET_KEY, PKCS11_NOT_SUPPORTED);
+        return -1;
+        */
+}
+
+static int pkcs11_get_rsa_public(PKCS11_KEY * key, EVP_PKEY * pk)
+{
+        /* TBD */
+        return 0;
+/*      return pkcs11_get_rsa_private(key,pk);*/
+}
+
+
+static int pkcs11_rsa_decrypt(int flen, const unsigned char *from,
+                unsigned char *to, RSA * rsa, int padding)
+{
+
+        return PKCS11_private_decrypt(  flen, from, to, (PKCS11_KEY *) RSA_get_app_data(rsa), padding);
+}
+
+static int pkcs11_rsa_encrypt(int flen, const unsigned char *from,
+                unsigned char *to, RSA * rsa, int padding)
+{
+        return PKCS11_private_encrypt(flen,from,to,(PKCS11_KEY *) RSA_get_app_data(rsa), padding);
+}
+
+static int pkcs11_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigret, unsigned int *siglen, const RSA * rsa)
+{
+        
+        return PKCS11_sign(type,m,m_len,sigret,siglen,(PKCS11_KEY *) RSA_get_app_data(rsa));
+}
+/* Lousy hack alert. If RSA_verify detects that the key has the
+ * RSA_FLAG_SIGN_VER flags set, it will assume that verification
+ * is implemented externally as well.
+ * We work around this by temporarily cleaning the flag, and
+ * calling RSA_verify once more.
+ */
+static int
+pkcs11_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
+                  unsigned char *signature, unsigned int siglen, const RSA * rsa)
+{
+        RSA *r = (RSA *) rsa;   /* Ugly hack to get rid of compiler warning */
+        int res;
+
+        if (r->flags & RSA_FLAG_SIGN_VER) {
+                r->flags &= ~RSA_FLAG_SIGN_VER;
+                res = RSA_verify(type, m, m_len, signature, siglen, r);
+                r->flags |= RSA_FLAG_SIGN_VER;
+        } else {
+                PKCS11err(PKCS11_F_PKCS11_RSA_VERIFY, PKCS11_NOT_SUPPORTED);
+                res = 0;
+        }
+        return res;
+}
+
+/*
+ * Overload the default OpenSSL methods for RSA
+ */
+RSA_METHOD *PKCS11_get_rsa_method(void)
+{
+        static RSA_METHOD ops;
+
+        if (!ops.rsa_priv_enc) {
+                ops = *RSA_get_default_method();
+                ops.rsa_priv_enc = pkcs11_rsa_encrypt;
+                ops.rsa_priv_dec = pkcs11_rsa_decrypt;
+                ops.rsa_sign = pkcs11_rsa_sign;
+                ops.rsa_verify = pkcs11_rsa_verify;
+        }
+        return &ops;
+}
+
+PKCS11_KEY_ops pkcs11_rsa_ops = {
+        EVP_PKEY_RSA,
+        pkcs11_get_rsa_public,
+        pkcs11_get_rsa_private
+};
diff --git a/src/p11_slot.c b/src/p11_slot.c
new file mode 100644
index 0000000..40b47f1
--- /dev/null
+++ b/src/p11_slot.c
@@ -0,0 +1,416 @@
+/* libp11, a simple layer on to of PKCS#11 API
+ * Copyright (C) 2005 Olaf Kirch <okir@lst.de>
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ */
+
+#include <config.h>
+#include <string.h>
+#include <openssl/buffer.h>
+#include "libp11-int.h"
+
+static int pkcs11_init_slot(PKCS11_CTX *, PKCS11_SLOT *, CK_SLOT_ID);
+static int pkcs11_check_token(PKCS11_CTX *, PKCS11_SLOT *);
+static void pkcs11_destroy_token(PKCS11_TOKEN *);
+
+/*
+ * Get slotid from private
+ */
+unsigned long
+PKCS11_get_slotid_from_slot(PKCS11_SLOT *slot)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+
+                return priv->id;
+}
+
+/*
+ * Enumerate slots
+ */
+int
+PKCS11_enumerate_slots(PKCS11_CTX * ctx, PKCS11_SLOT ** slotp, unsigned int *countp)
+{
+        PKCS11_CTX_private *priv = PRIVCTX(ctx);
+
+        CK_SLOT_ID *slotid;
+        CK_ULONG nslots, n;
+        PKCS11_SLOT *slots;
+        int rv;
+
+        rv = priv->method->C_GetSlotList(FALSE, NULL_PTR, &nslots);
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_SLOTS, rv);
+
+        slotid = (CK_SLOT_ID *)OPENSSL_malloc(nslots * sizeof(CK_SLOT_ID));
+        if (slotid == NULL) return (-1);
+
+        rv = priv->method->C_GetSlotList(FALSE, slotid, &nslots);
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_SLOTS, rv);
+
+        slots = (PKCS11_SLOT *) pkcs11_malloc(nslots * sizeof(PKCS11_SLOT));
+        for (n = 0; n < nslots; n++) {
+                if (pkcs11_init_slot(ctx, &slots[n], slotid[n])) {
+                        while (n--)
+                                pkcs11_release_slot(ctx, slots + n);
+                        OPENSSL_free(slotid);
+                        OPENSSL_free(slots);
+                        return -1;
+                }
+        }
+
+        *slotp = slots;
+        *countp = nslots;
+        OPENSSL_free(slotid);
+        return 0;
+}
+
+/*
+ * Find a slot with a token that looks "valuable"
+ */
+PKCS11_SLOT *PKCS11_find_token(PKCS11_CTX * ctx,  PKCS11_SLOT * slots, unsigned int nslots)
+{
+        PKCS11_SLOT *slot, *best;
+        PKCS11_TOKEN *tok;
+        unsigned int n;
+
+        if (! slots)
+                return NULL;
+
+        best = NULL;
+        for (n = 0, slot = slots; n < nslots; n++, slot++) {
+                if ((tok = slot->token) != NULL) {
+                        if (best == NULL
+                            || (tok->initialized > best->token->initialized
+                                && tok->userPinSet > best->token->userPinSet
+                                && tok->loginRequired > best->token->loginRequired))
+                                best = slot;
+                }
+        }
+        return best;
+}
+
+/*
+ * Open a session with this slot
+ */
+int PKCS11_open_session(PKCS11_SLOT * slot, int rw)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+        PKCS11_CTX *ctx = SLOT2CTX(slot);
+        int rv;
+
+        if (priv->haveSession) {
+                CRYPTOKI_call(ctx, C_CloseSession(priv->session));
+                priv->haveSession = 0;
+        }
+        rv = CRYPTOKI_call(ctx,
+                           C_OpenSession(priv->id,
+                                         CKF_SERIAL_SESSION | (rw ? CKF_RW_SESSION :
+                                                               0), NULL, NULL,
+                                         &priv->session));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_OPEN_SESSION, rv);
+        priv->haveSession = 1;
+
+        return 0;
+}
+
+/*
+ * Authenticate with the card
+ */
+int PKCS11_login(PKCS11_SLOT * slot, int so, const char *pin)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+        PKCS11_CTX *ctx = priv->parent;
+        int rv;
+
+        /* Calling PKCS11_login invalidates all cached
+         * keys we have */
+        if (slot->token)
+                pkcs11_destroy_keys(slot->token);
+        if (priv->loggedIn) {
+                /* already logged in, log out first */
+                if (PKCS11_logout(slot))
+                        return -1;
+        }
+        if (!priv->haveSession) {
+                /* SO gets a r/w session by default,
+                 * user gets a r/o session by default. */
+                if (PKCS11_open_session(slot, so))
+                        return -1;
+        }
+
+        rv = CRYPTOKI_call(ctx, C_Login(priv->session,
+                                        so ? CKU_SO : CKU_USER,
+                                        (CK_UTF8CHAR *) pin,
+                                        pin ? strlen(pin) : 0));
+        if (rv && rv != CKR_USER_ALREADY_LOGGED_IN)  /* logged in -> OK   */
+                CRYPTOKI_checkerr(PKCS11_F_PKCS11_LOGIN, rv);
+        priv->loggedIn = 1;
+        return 0;
+}
+
+/*
+ * Log out
+ */
+int PKCS11_logout(PKCS11_SLOT * slot)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+        PKCS11_CTX *ctx = priv->parent;
+        int rv;
+
+        /* Calling PKCS11_logout invalidates all cached
+         * keys we have */
+        if (slot->token)
+                pkcs11_destroy_keys(slot->token);
+        if (!priv->haveSession) {
+                PKCS11err(PKCS11_F_PKCS11_LOGOUT, PKCS11_NO_SESSION);
+                return -1;
+        }
+
+        rv = CRYPTOKI_call(ctx, C_Logout(priv->session));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_LOGOUT, rv);
+        priv->loggedIn = 0;
+        return 0;
+}
+
+/*
+ * Initialize the token
+ */
+int PKCS11_init_token(PKCS11_TOKEN * token, const char *pin, const char *label)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(TOKEN2SLOT(token));
+        PKCS11_CTX *ctx = priv->parent;
+        int rv;
+
+        if (!label)
+                label = "PKCS#11 Token";
+        rv = CRYPTOKI_call(ctx, C_InitToken(priv->id,
+                                            (CK_UTF8CHAR *) pin, strlen(pin),
+                                            (CK_UTF8CHAR *) label));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_INIT_TOKEN, rv);
+
+        /* FIXME: how to update the token?
+         * PKCS11_CTX_private *cpriv;
+         * int n;
+         * cpriv = PRIVCTX(ctx);
+         * for (n = 0; n < cpriv->nslots; n++) {
+         *      if (pkcs11_check_token(ctx, cpriv->slots + n) < 0)
+         *              return -1;
+         * }
+         */
+
+        return 0;
+}
+
+/*
+ * Set the User PIN
+ */
+int PKCS11_init_pin(PKCS11_TOKEN * token, const char *pin)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(TOKEN2SLOT(token));
+        PKCS11_CTX *ctx = priv->parent;
+        int len, rv;
+
+        if (!priv->haveSession) {
+                PKCS11err(PKCS11_F_PKCS11_INIT_PIN, PKCS11_NO_SESSION);
+                return -1;
+        }
+
+        len = pin ? strlen(pin) : 0;
+        rv = CRYPTOKI_call(ctx, C_InitPIN(priv->session, (CK_UTF8CHAR *) pin, len));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_INIT_PIN, rv);
+
+        return pkcs11_check_token(ctx, TOKEN2SLOT(token));
+}
+
+/*
+ * Change the User PIN
+ */
+int PKCS11_change_pin(PKCS11_SLOT * slot, const char *old_pin,
+                const char *new_pin)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+        PKCS11_CTX *ctx = priv->parent;
+        int old_len, new_len, rv;
+
+        if (!priv->haveSession) {
+                PKCS11err(PKCS11_F_PKCS11_CHANGE_PIN, PKCS11_NO_SESSION);
+                return -1;
+        }
+
+        old_len = old_pin ? strlen(old_pin) : 0;
+        new_len = new_pin ? strlen(new_pin) : 0;
+        rv = CRYPTOKI_call(ctx, C_SetPIN(priv->session, (CK_UTF8CHAR *) old_pin,
+                old_len, (CK_UTF8CHAR *) new_pin, new_len));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_CHANGE_PIN, rv);
+
+        return pkcs11_check_token(ctx, slot);
+}
+
+/*
+ * Seed the random number generator
+ */
+int PKCS11_seed_random(PKCS11_SLOT *slot, const unsigned char *s,
+                unsigned int s_len)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+        PKCS11_CTX *ctx = priv->parent;
+        int rv;
+
+        if (!priv->haveSession && PKCS11_open_session(slot, 0)) {
+                PKCS11err(PKCS11_F_PKCS11_SEED_RANDOM, PKCS11_NO_SESSION);
+                return -1;
+        }
+
+        rv = CRYPTOKI_call(ctx, C_SeedRandom(priv->session, (CK_BYTE_PTR) s, s_len));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_SEED_RANDOM, rv);
+
+        return pkcs11_check_token(ctx, slot);
+}
+
+/*
+ * Generate random numbers
+ */
+int PKCS11_generate_random(PKCS11_SLOT *slot, unsigned char *r,
+                unsigned int r_len)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+        PKCS11_CTX *ctx = priv->parent;
+        int rv;
+
+        if (!priv->haveSession && PKCS11_open_session(slot, 0)) {
+                PKCS11err(PKCS11_F_PKCS11_GENERATE_RANDOM, PKCS11_NO_SESSION);
+                return -1;
+        }
+
+        rv = CRYPTOKI_call(ctx, C_GenerateRandom(priv->session, (CK_BYTE_PTR) r, r_len));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_GENERATE_RANDOM, rv);
+
+        return pkcs11_check_token(ctx, slot);
+}
+
+/*
+ * Helper functions
+ */
+static int pkcs11_init_slot(PKCS11_CTX * ctx, PKCS11_SLOT * slot, CK_SLOT_ID id)
+{
+        PKCS11_SLOT_private *priv;
+        CK_SLOT_INFO info;
+        int rv;
+
+        rv = CRYPTOKI_call(ctx, C_GetSlotInfo(id, &info));
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_SLOTS, rv);
+
+        priv = PKCS11_NEW(PKCS11_SLOT_private);
+        priv->parent = ctx;
+        priv->id = id;
+
+        slot->description = PKCS11_DUP(info.slotDescription);
+        slot->manufacturer = PKCS11_DUP(info.manufacturerID);
+        slot->removable = (info.flags & CKF_REMOVABLE_DEVICE) ? 1 : 0;
+        slot->_private = priv;
+
+        if ((info.flags & CKF_TOKEN_PRESENT) && pkcs11_check_token(ctx, slot))
+                return -1;
+
+        return 0;
+}
+
+void PKCS11_release_all_slots(PKCS11_CTX * ctx,  PKCS11_SLOT *slots, unsigned int nslots)
+{
+        int i;
+
+        for (i=0; i < nslots; i++)
+                pkcs11_release_slot(ctx, &slots[i]);
+        OPENSSL_free(slots);
+}
+
+void pkcs11_release_slot(PKCS11_CTX * ctx, PKCS11_SLOT * slot)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+
+        if (priv)
+                CRYPTOKI_call(ctx, C_CloseAllSessions(priv->id));
+        OPENSSL_free(slot->_private);
+        OPENSSL_free(slot->description);
+        OPENSSL_free(slot->manufacturer);
+        if (slot->token) {
+                pkcs11_destroy_token(slot->token);
+                OPENSSL_free(slot->token);
+        }
+        memset(slot, 0, sizeof(*slot));
+}
+
+static int pkcs11_check_token(PKCS11_CTX * ctx, PKCS11_SLOT * slot)
+{
+        PKCS11_SLOT_private *priv = PRIVSLOT(slot);
+        PKCS11_TOKEN_private *tpriv;
+        CK_TOKEN_INFO info;
+        PKCS11_TOKEN *token;
+        int rv;
+
+        if (slot->token)
+                pkcs11_destroy_token(slot->token);
+        else
+                slot->token = PKCS11_NEW(PKCS11_TOKEN);
+        token = slot->token;
+
+        rv = CRYPTOKI_call(ctx, C_GetTokenInfo(priv->id, &info));
+        if (rv == CKR_TOKEN_NOT_PRESENT || rv == CKR_TOKEN_NOT_RECOGNIZED) {
+                OPENSSL_free(token);
+                slot->token = NULL;
+                return 0;
+        }
+        CRYPTOKI_checkerr(PKCS11_F_PKCS11_CHECK_TOKEN, rv);
+
+        /* We have a token */
+        tpriv = PKCS11_NEW(PKCS11_TOKEN_private);
+        tpriv->parent = slot;
+        tpriv->nkeys = -1;
+        tpriv->ncerts = -1;
+
+        token->label = PKCS11_DUP(info.label);
+        token->manufacturer = PKCS11_DUP(info.manufacturerID);
+        token->model = PKCS11_DUP(info.model);
+        token->serialnr = PKCS11_DUP(info.serialNumber);
+        token->initialized = (info.flags & CKF_TOKEN_INITIALIZED) ? 1 : 0;
+        token->loginRequired = (info.flags & CKF_LOGIN_REQUIRED) ? 1 : 0;
+        token->secureLogin = (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? 1 : 0;
+        token->userPinSet = (info.flags & CKF_USER_PIN_INITIALIZED) ? 1 : 0;
+        token->readOnly = (info.flags & CKF_WRITE_PROTECTED) ? 1 : 0;
+        token->hasRng = (info.flags & CKF_RNG) ? 1 : 0;
+        token->userPinCountLow = (info.flags & CKF_USER_PIN_COUNT_LOW) ? 1 : 0;
+        token->userPinFinalTry = (info.flags & CKF_USER_PIN_FINAL_TRY) ? 1 : 0;
+        token->userPinLocked = (info.flags & CKF_USER_PIN_LOCKED) ? 1 : 0;
+        token->userPinToBeChanged = (info.flags & CKF_USER_PIN_TO_BE_CHANGED) ? 1 : 0;
+        token->soPinCountLow = (info.flags & CKF_SO_PIN_COUNT_LOW) ? 1 : 0;
+        token->soPinFinalTry = (info.flags & CKF_SO_PIN_FINAL_TRY) ? 1 : 0;
+        token->soPinLocked = (info.flags & CKF_SO_PIN_LOCKED) ? 1 : 0;
+        token->soPinToBeChanged = (info.flags & CKF_SO_PIN_TO_BE_CHANGED) ? 1 : 0;
+        token->_private = tpriv;
+
+        return 0;
+}
+
+static void pkcs11_destroy_token(PKCS11_TOKEN * token)
+{
+        pkcs11_destroy_keys(token);
+        pkcs11_destroy_certs(token);
+
+        OPENSSL_free(token->label);
+        OPENSSL_free(token->manufacturer);
+        OPENSSL_free(token->model);
+        OPENSSL_free(token->serialnr);
+        OPENSSL_free(token->_private);
+        memset(token, 0, sizeof(*token));
+}
diff --git a/src/pkcs11.h b/src/pkcs11.h
new file mode 100644
index 0000000..52cd17d
--- /dev/null
+++ b/src/pkcs11.h
@@ -0,0 +1,1357 @@
+/* pkcs11.h
+   Copyright 2006, 2007 g10 Code GmbH
+   Copyright 2006 Andreas Jellinghaus
+
+   This file is free software; as a special exception the author gives
+   unlimited permission to copy and/or distribute it, with or without
+   modifications, as long as this notice is preserved.
+
+   This file is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+   PURPOSE.  */
+
+/* Please submit changes back to the Scute project at
+   http://www.scute.org/ (or send them to marcus@g10code.com), so that
+   they can be picked up by other projects from there as well.  */
+
+/* This file is a modified implementation of the PKCS #11 standard by
+   RSA Security Inc.  It is mostly a drop-in replacement, with the
+   following change:
+
+   This header file does not require any macro definitions by the user
+   (like CK_DEFINE_FUNCTION etc).  In fact, it defines those macros
+   for you (if useful, some are missing, let me know if you need
+   more).
+
+   There is an additional API available that does comply better to the
+   GNU coding standard.  It can be switched on by defining
+   CRYPTOKI_GNU before including this header file.  For this, the
+   following changes are made to the specification:
+
+   All structure types are changed to a "struct ck_foo" where CK_FOO
+   is the type name in PKCS #11.
+
+   All non-structure types are changed to ck_foo_t where CK_FOO is the
+   lowercase version of the type name in PKCS #11.  The basic types
+   (CK_ULONG et al.) are removed without substitute.
+
+   All members of structures are modified in the following way: Type
+   indication prefixes are removed, and underscore characters are
+   inserted before words.  Then the result is lowercased.
+
+   Note that function names are still in the original case, as they
+   need for ABI compatibility.
+
+   CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute.  Use
+   <stdbool.h>.
+
+   If CRYPTOKI_COMPAT is defined before including this header file,
+   then none of the API changes above take place, and the API is the
+   one defined by the PKCS #11 standard.  */
+
+#ifndef PKCS11_H
+#define PKCS11_H 1
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* The version of cryptoki we implement.  The revision is changed with
+   each modification of this file.  If you do not use the "official"
+   version of this file, please consider deleting the revision macro
+   (you may use a macro with a different name to keep track of your
+   versions).  */
+#define CRYPTOKI_VERSION_MAJOR          2
+#define CRYPTOKI_VERSION_MINOR          20
+#define CRYPTOKI_VERSION_REVISION       6
+
+
+/* Compatibility interface is default, unless CRYPTOKI_GNU is
+   given.  */
+#ifndef CRYPTOKI_GNU
+#ifndef CRYPTOKI_COMPAT
+#define CRYPTOKI_COMPAT 1
+#endif
+#endif
+
+/* System dependencies.  */
+
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+
+/* There is a matching pop below.  */
+#pragma pack(push, cryptoki, 1)
+
+#ifdef CRYPTOKI_EXPORTS
+#define CK_SPEC __declspec(dllexport)
+#else
+#define CK_SPEC __declspec(dllimport)
+#endif
+
+#else
+
+#define CK_SPEC
+
+#endif
+
+
+#ifdef CRYPTOKI_COMPAT
+  /* If we are in compatibility mode, switch all exposed names to the
+     PKCS #11 variant.  There are corresponding #undefs below.  */
+
+#define ck_flags_t CK_FLAGS
+#define ck_version _CK_VERSION
+
+#define ck_info _CK_INFO
+#define cryptoki_version cryptokiVersion
+#define manufacturer_id manufacturerID
+#define library_description libraryDescription
+#define library_version libraryVersion
+
+#define ck_notification_t CK_NOTIFICATION
+#define ck_slot_id_t CK_SLOT_ID
+
+#define ck_slot_info _CK_SLOT_INFO
+#define slot_description slotDescription
+#define hardware_version hardwareVersion
+#define firmware_version firmwareVersion
+
+#define ck_token_info _CK_TOKEN_INFO
+#define serial_number serialNumber
+#define max_session_count ulMaxSessionCount
+#define session_count ulSessionCount
+#define max_rw_session_count ulMaxRwSessionCount
+#define rw_session_count ulRwSessionCount
+#define max_pin_len ulMaxPinLen
+#define min_pin_len ulMinPinLen
+#define total_public_memory ulTotalPublicMemory
+#define free_public_memory ulFreePublicMemory
+#define total_private_memory ulTotalPrivateMemory
+#define free_private_memory ulFreePrivateMemory
+#define utc_time utcTime
+
+#define ck_session_handle_t CK_SESSION_HANDLE
+#define ck_user_type_t CK_USER_TYPE
+#define ck_state_t CK_STATE
+
+#define ck_session_info _CK_SESSION_INFO
+#define slot_id slotID
+#define device_error ulDeviceError
+
+#define ck_object_handle_t CK_OBJECT_HANDLE
+#define ck_object_class_t CK_OBJECT_CLASS
+#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
+#define ck_key_type_t CK_KEY_TYPE
+#define ck_certificate_type_t CK_CERTIFICATE_TYPE
+#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
+
+#define ck_attribute _CK_ATTRIBUTE
+#define value pValue
+#define value_len ulValueLen
+
+#define ck_date _CK_DATE
+
+#define ck_mechanism_type_t CK_MECHANISM_TYPE
+
+#define ck_mechanism _CK_MECHANISM
+#define parameter pParameter
+#define parameter_len ulParameterLen
+
+#define ck_mechanism_info _CK_MECHANISM_INFO
+#define min_key_size ulMinKeySize
+#define max_key_size ulMaxKeySize
+
+#define ck_rv_t CK_RV
+#define ck_notify_t CK_NOTIFY
+
+#define ck_function_list _CK_FUNCTION_LIST
+
+#define ck_createmutex_t CK_CREATEMUTEX
+#define ck_destroymutex_t CK_DESTROYMUTEX
+#define ck_lockmutex_t CK_LOCKMUTEX
+#define ck_unlockmutex_t CK_UNLOCKMUTEX
+
+#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
+#define create_mutex CreateMutex
+#define destroy_mutex DestroyMutex
+#define lock_mutex LockMutex
+#define unlock_mutex UnlockMutex
+#define reserved pReserved
+
+#endif  /* CRYPTOKI_COMPAT */
+
+
+
+typedef unsigned long ck_flags_t;
+
+struct ck_version
+{
+  unsigned char major;
+  unsigned char minor;
+};
+
+
+struct ck_info
+{
+  struct ck_version cryptoki_version;
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  unsigned char library_description[32];
+  struct ck_version library_version;
+};
+
+
+typedef unsigned long ck_notification_t;
+
+#define CKN_SURRENDER   (0)
+
+
+typedef unsigned long ck_slot_id_t;
+
+
+struct ck_slot_info
+{
+  unsigned char slot_description[64];
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+};
+
+
+#define CKF_TOKEN_PRESENT       (1 << 0)
+#define CKF_REMOVABLE_DEVICE    (1 << 1)
+#define CKF_HW_SLOT             (1 << 2)
+#define CKF_ARRAY_ATTRIBUTE     (1 << 30)
+
+
+struct ck_token_info
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned char serial_number[16];
+  ck_flags_t flags;
+  unsigned long max_session_count;
+  unsigned long session_count;
+  unsigned long max_rw_session_count;
+  unsigned long rw_session_count;
+  unsigned long max_pin_len;
+  unsigned long min_pin_len;
+  unsigned long total_public_memory;
+  unsigned long free_public_memory;
+  unsigned long total_private_memory;
+  unsigned long free_private_memory;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+  unsigned char utc_time[16];
+};
+
+
+#define CKF_RNG                                 (1 << 0)
+#define CKF_WRITE_PROTECTED                     (1 << 1)
+#define CKF_LOGIN_REQUIRED                      (1 << 2)
+#define CKF_USER_PIN_INITIALIZED                (1 << 3)
+#define CKF_RESTORE_KEY_NOT_NEEDED              (1 << 5)
+#define CKF_CLOCK_ON_TOKEN                      (1 << 6)
+#define CKF_PROTECTED_AUTHENTICATION_PATH       (1 << 8)
+#define CKF_DUAL_CRYPTO_OPERATIONS              (1 << 9)
+#define CKF_TOKEN_INITIALIZED                   (1 << 10)
+#define CKF_SECONDARY_AUTHENTICATION            (1 << 11)
+#define CKF_USER_PIN_COUNT_LOW                  (1 << 16)
+#define CKF_USER_PIN_FINAL_TRY                  (1 << 17)
+#define CKF_USER_PIN_LOCKED                     (1 << 18)
+#define CKF_USER_PIN_TO_BE_CHANGED              (1 << 19)
+#define CKF_SO_PIN_COUNT_LOW                    (1 << 20)
+#define CKF_SO_PIN_FINAL_TRY                    (1 << 21)
+#define CKF_SO_PIN_LOCKED                       (1 << 22)
+#define CKF_SO_PIN_TO_BE_CHANGED                (1 << 23)
+
+#define CK_UNAVAILABLE_INFORMATION      ((unsigned long) -1)
+#define CK_EFFECTIVELY_INFINITE         (0)
+
+
+typedef unsigned long ck_session_handle_t;
+
+#define CK_INVALID_HANDLE       (0)
+
+
+typedef unsigned long ck_user_type_t;
+
+#define CKU_SO                  (0)
+#define CKU_USER                (1)
+#define CKU_CONTEXT_SPECIFIC    (2)
+
+
+typedef unsigned long ck_state_t;
+
+#define CKS_RO_PUBLIC_SESSION   (0)
+#define CKS_RO_USER_FUNCTIONS   (1)
+#define CKS_RW_PUBLIC_SESSION   (2)
+#define CKS_RW_USER_FUNCTIONS   (3)
+#define CKS_RW_SO_FUNCTIONS     (4)
+
+
+struct ck_session_info
+{
+  ck_slot_id_t slot_id;
+  ck_state_t state;
+  ck_flags_t flags;
+  unsigned long device_error;
+};
+
+#define CKF_RW_SESSION          (1 << 1)
+#define CKF_SERIAL_SESSION      (1 << 2)
+
+
+typedef unsigned long ck_object_handle_t;
+
+
+typedef unsigned long ck_object_class_t;
+
+#define CKO_DATA                (0)
+#define CKO_CERTIFICATE         (1)
+#define CKO_PUBLIC_KEY          (2)
+#define CKO_PRIVATE_KEY         (3)
+#define CKO_SECRET_KEY          (4)
+#define CKO_HW_FEATURE          (5)
+#define CKO_DOMAIN_PARAMETERS   (6)
+#define CKO_MECHANISM           (7)
+#define CKO_VENDOR_DEFINED      ((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_hw_feature_type_t;
+
+#define CKH_MONOTONIC_COUNTER   (1)
+#define CKH_CLOCK               (2)
+#define CKH_USER_INTERFACE      (3)
+#define CKH_VENDOR_DEFINED      ((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_key_type_t;
+
+#define CKK_RSA                 (0)
+#define CKK_DSA                 (1)
+#define CKK_DH                  (2)
+#define CKK_ECDSA               (3)
+#define CKK_EC                  (3)
+#define CKK_X9_42_DH            (4)
+#define CKK_KEA                 (5)
+#define CKK_GENERIC_SECRET      (0x10)
+#define CKK_RC2                 (0x11)
+#define CKK_RC4                 (0x12)
+#define CKK_DES                 (0x13)
+#define CKK_DES2                (0x14)
+#define CKK_DES3                (0x15)
+#define CKK_CAST                (0x16)
+#define CKK_CAST3               (0x17)
+#define CKK_CAST128             (0x18)
+#define CKK_RC5                 (0x19)
+#define CKK_IDEA                (0x1a)
+#define CKK_SKIPJACK            (0x1b)
+#define CKK_BATON               (0x1c)
+#define CKK_JUNIPER             (0x1d)
+#define CKK_CDMF                (0x1e)
+#define CKK_AES                 (0x1f)
+#define CKK_BLOWFISH            (0x20)
+#define CKK_TWOFISH             (0x21)
+#define CKK_VENDOR_DEFINED      ((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_certificate_type_t;
+
+#define CKC_X_509               (0)
+#define CKC_X_509_ATTR_CERT     (1)
+#define CKC_WTLS                (2)
+#define CKC_VENDOR_DEFINED      ((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_attribute_type_t;
+
+#define CKA_CLASS                       (0)
+#define CKA_TOKEN                       (1)
+#define CKA_PRIVATE                     (2)
+#define CKA_LABEL                       (3)
+#define CKA_APPLICATION                 (0x10)
+#define CKA_VALUE                       (0x11)
+#define CKA_OBJECT_ID                   (0x12)
+#define CKA_CERTIFICATE_TYPE            (0x80)
+#define CKA_ISSUER                      (0x81)
+#define CKA_SERIAL_NUMBER               (0x82)
+#define CKA_AC_ISSUER                   (0x83)
+#define CKA_OWNER                       (0x84)
+#define CKA_ATTR_TYPES                  (0x85)
+#define CKA_TRUSTED                     (0x86)
+#define CKA_CERTIFICATE_CATEGORY        (0x87)
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   (0x88)
+#define CKA_URL                         (0x89)
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  (0x8a)
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   (0x8b)
+#define CKA_CHECK_VALUE                 (0x90)
+#define CKA_KEY_TYPE                    (0x100)
+#define CKA_SUBJECT                     (0x101)
+#define CKA_ID                          (0x102)
+#define CKA_SENSITIVE                   (0x103)
+#define CKA_ENCRYPT                     (0x104)
+#define CKA_DECRYPT                     (0x105)
+#define CKA_WRAP                        (0x106)
+#define CKA_UNWRAP                      (0x107)
+#define CKA_SIGN                        (0x108)
+#define CKA_SIGN_RECOVER                (0x109)
+#define CKA_VERIFY                      (0x10a)
+#define CKA_VERIFY_RECOVER              (0x10b)
+#define CKA_DERIVE                      (0x10c)
+#define CKA_START_DATE                  (0x110)
+#define CKA_END_DATE                    (0x111)
+#define CKA_MODULUS                     (0x120)
+#define CKA_MODULUS_BITS                (0x121)
+#define CKA_PUBLIC_EXPONENT             (0x122)
+#define CKA_PRIVATE_EXPONENT            (0x123)
+#define CKA_PRIME_1                     (0x124)
+#define CKA_PRIME_2                     (0x125)
+#define CKA_EXPONENT_1                  (0x126)
+#define CKA_EXPONENT_2                  (0x127)
+#define CKA_COEFFICIENT                 (0x128)
+#define CKA_PRIME                       (0x130)
+#define CKA_SUBPRIME                    (0x131)
+#define CKA_BASE                        (0x132)
+#define CKA_PRIME_BITS                  (0x133)
+#define CKA_SUB_PRIME_BITS              (0x134)
+#define CKA_VALUE_BITS                  (0x160)
+#define CKA_VALUE_LEN                   (0x161)
+#define CKA_EXTRACTABLE                 (0x162)
+#define CKA_LOCAL                       (0x163)
+#define CKA_NEVER_EXTRACTABLE           (0x164)
+#define CKA_ALWAYS_SENSITIVE            (0x165)
+#define CKA_KEY_GEN_MECHANISM           (0x166)
+#define CKA_MODIFIABLE                  (0x170)
+#define CKA_ECDSA_PARAMS                (0x180)
+#define CKA_EC_PARAMS                   (0x180)
+#define CKA_EC_POINT                    (0x181)
+#define CKA_SECONDARY_AUTH              (0x200)
+#define CKA_AUTH_PIN_FLAGS              (0x201)
+#define CKA_ALWAYS_AUTHENTICATE         (0x202)
+#define CKA_WRAP_WITH_TRUSTED           (0x210)
+#define CKA_HW_FEATURE_TYPE             (0x300)
+#define CKA_RESET_ON_INIT               (0x301)
+#define CKA_HAS_RESET                   (0x302)
+#define CKA_PIXEL_X                     (0x400)
+#define CKA_PIXEL_Y                     (0x401)
+#define CKA_RESOLUTION                  (0x402)
+#define CKA_CHAR_ROWS                   (0x403)
+#define CKA_CHAR_COLUMNS                (0x404)
+#define CKA_COLOR                       (0x405)
+#define CKA_BITS_PER_PIXEL              (0x406)
+#define CKA_CHAR_SETS                   (0x480)
+#define CKA_ENCODING_METHODS            (0x481)
+#define CKA_MIME_TYPES                  (0x482)
+#define CKA_MECHANISM_TYPE              (0x500)
+#define CKA_REQUIRED_CMS_ATTRIBUTES     (0x501)
+#define CKA_DEFAULT_CMS_ATTRIBUTES      (0x502)
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    (0x503)
+#define CKA_WRAP_TEMPLATE               (CKF_ARRAY_ATTRIBUTE | 0x211)
+#define CKA_UNWRAP_TEMPLATE             (CKF_ARRAY_ATTRIBUTE | 0x212)
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE | 0x600)
+#define CKA_VENDOR_DEFINED              ((unsigned long) (1 << 31))
+
+
+struct ck_attribute
+{
+  ck_attribute_type_t type;
+  void *value;
+  size_t value_len;
+};
+
+
+struct ck_date
+{
+  unsigned char year[4];
+  unsigned char month[2];
+  unsigned char day[2];
+};
+
+
+typedef unsigned long ck_mechanism_type_t;
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN       (0)
+#define CKM_RSA_PKCS                    (1)
+#define CKM_RSA_9796                    (2)
+#define CKM_RSA_X_509                   (3)
+#define CKM_MD2_RSA_PKCS                (4)
+#define CKM_MD5_RSA_PKCS                (5)
+#define CKM_SHA1_RSA_PKCS               (6)
+#define CKM_RIPEMD128_RSA_PKCS          (7)
+#define CKM_RIPEMD160_RSA_PKCS          (8)
+#define CKM_RSA_PKCS_OAEP               (9)
+#define CKM_RSA_X9_31_KEY_PAIR_GEN      (0xa)
+#define CKM_RSA_X9_31                   (0xb)
+#define CKM_SHA1_RSA_X9_31              (0xc)
+#define CKM_RSA_PKCS_PSS                (0xd)
+#define CKM_SHA1_RSA_PKCS_PSS           (0xe)
+#define CKM_DSA_KEY_PAIR_GEN            (0x10)
+#define CKM_DSA                         (0x11)
+#define CKM_DSA_SHA1                    (0x12)
+#define CKM_DH_PKCS_KEY_PAIR_GEN        (0x20)
+#define CKM_DH_PKCS_DERIVE              (0x21)
+#define CKM_X9_42_DH_KEY_PAIR_GEN       (0x30)
+#define CKM_X9_42_DH_DERIVE             (0x31)
+#define CKM_X9_42_DH_HYBRID_DERIVE      (0x32)
+#define CKM_X9_42_MQV_DERIVE            (0x33)
+#define CKM_SHA256_RSA_PKCS             (0x40)
+#define CKM_SHA384_RSA_PKCS             (0x41)
+#define CKM_SHA512_RSA_PKCS             (0x42)
+#define CKM_SHA256_RSA_PKCS_PSS         (0x43)
+#define CKM_SHA384_RSA_PKCS_PSS         (0x44)
+#define CKM_SHA512_RSA_PKCS_PSS         (0x45)
+#define CKM_RC2_KEY_GEN                 (0x100)
+#define CKM_RC2_ECB                     (0x101)
+#define CKM_RC2_CBC                     (0x102)
+#define CKM_RC2_MAC                     (0x103)
+#define CKM_RC2_MAC_GENERAL             (0x104)
+#define CKM_RC2_CBC_PAD                 (0x105)
+#define CKM_RC4_KEY_GEN                 (0x110)
+#define CKM_RC4                         (0x111)
+#define CKM_DES_KEY_GEN                 (0x120)
+#define CKM_DES_ECB                     (0x121)
+#define CKM_DES_CBC                     (0x122)
+#define CKM_DES_MAC                     (0x123)
+#define CKM_DES_MAC_GENERAL             (0x124)
+#define CKM_DES_CBC_PAD                 (0x125)
+#define CKM_DES2_KEY_GEN                (0x130)
+#define CKM_DES3_KEY_GEN                (0x131)
+#define CKM_DES3_ECB                    (0x132)
+#define CKM_DES3_CBC                    (0x133)
+#define CKM_DES3_MAC                    (0x134)
+#define CKM_DES3_MAC_GENERAL            (0x135)
+#define CKM_DES3_CBC_PAD                (0x136)
+#define CKM_CDMF_KEY_GEN                (0x140)
+#define CKM_CDMF_ECB                    (0x141)
+#define CKM_CDMF_CBC                    (0x142)
+#define CKM_CDMF_MAC                    (0x143)
+#define CKM_CDMF_MAC_GENERAL            (0x144)
+#define CKM_CDMF_CBC_PAD                (0x145)
+#define CKM_MD2                         (0x200)
+#define CKM_MD2_HMAC                    (0x201)
+#define CKM_MD2_HMAC_GENERAL            (0x202)
+#define CKM_MD5                         (0x210)
+#define CKM_MD5_HMAC                    (0x211)
+#define CKM_MD5_HMAC_GENERAL            (0x212)
+#define CKM_SHA_1                       (0x220)
+#define CKM_SHA_1_HMAC                  (0x221)
+#define CKM_SHA_1_HMAC_GENERAL          (0x222)
+#define CKM_RIPEMD128                   (0x230)
+#define CKM_RIPEMD128_HMAC              (0x231)
+#define CKM_RIPEMD128_HMAC_GENERAL      (0x232)
+#define CKM_RIPEMD160                   (0x240)
+#define CKM_RIPEMD160_HMAC              (0x241)
+#define CKM_RIPEMD160_HMAC_GENERAL      (0x242)
+#define CKM_SHA256                      (0x250)
+#define CKM_SHA256_HMAC                 (0x251)
+#define CKM_SHA256_HMAC_GENERAL         (0x252)
+#define CKM_SHA384                      (0x260)
+#define CKM_SHA384_HMAC                 (0x261)
+#define CKM_SHA384_HMAC_GENERAL         (0x262)
+#define CKM_SHA512                      (0x270)
+#define CKM_SHA512_HMAC                 (0x271)
+#define CKM_SHA512_HMAC_GENERAL         (0x272)
+#define CKM_CAST_KEY_GEN                (0x300)
+#define CKM_CAST_ECB                    (0x301)
+#define CKM_CAST_CBC                    (0x302)
+#define CKM_CAST_MAC                    (0x303)
+#define CKM_CAST_MAC_GENERAL            (0x304)
+#define CKM_CAST_CBC_PAD                (0x305)
+#define CKM_CAST3_KEY_GEN               (0x310)
+#define CKM_CAST3_ECB                   (0x311)
+#define CKM_CAST3_CBC                   (0x312)
+#define CKM_CAST3_MAC                   (0x313)
+#define CKM_CAST3_MAC_GENERAL           (0x314)
+#define CKM_CAST3_CBC_PAD               (0x315)
+#define CKM_CAST5_KEY_GEN               (0x320)
+#define CKM_CAST128_KEY_GEN             (0x320)
+#define CKM_CAST5_ECB                   (0x321)
+#define CKM_CAST128_ECB                 (0x321)
+#define CKM_CAST5_CBC                   (0x322)
+#define CKM_CAST128_CBC                 (0x322)
+#define CKM_CAST5_MAC                   (0x323)
+#define CKM_CAST128_MAC                 (0x323)
+#define CKM_CAST5_MAC_GENERAL           (0x324)
+#define CKM_CAST128_MAC_GENERAL         (0x324)
+#define CKM_CAST5_CBC_PAD               (0x325)
+#define CKM_CAST128_CBC_PAD             (0x325)
+#define CKM_RC5_KEY_GEN                 (0x330)
+#define CKM_RC5_ECB                     (0x331)
+#define CKM_RC5_CBC                     (0x332)
+#define CKM_RC5_MAC                     (0x333)
+#define CKM_RC5_MAC_GENERAL             (0x334)
+#define CKM_RC5_CBC_PAD                 (0x335)
+#define CKM_IDEA_KEY_GEN                (0x340)
+#define CKM_IDEA_ECB                    (0x341)
+#define CKM_IDEA_CBC                    (0x342)
+#define CKM_IDEA_MAC                    (0x343)
+#define CKM_IDEA_MAC_GENERAL            (0x344)
+#define CKM_IDEA_CBC_PAD                (0x345)
+#define CKM_GENERIC_SECRET_KEY_GEN      (0x350)
+#define CKM_CONCATENATE_BASE_AND_KEY    (0x360)
+#define CKM_CONCATENATE_BASE_AND_DATA   (0x362)
+#define CKM_CONCATENATE_DATA_AND_BASE   (0x363)
+#define CKM_XOR_BASE_AND_DATA           (0x364)
+#define CKM_EXTRACT_KEY_FROM_KEY        (0x365)
+#define CKM_SSL3_PRE_MASTER_KEY_GEN     (0x370)
+#define CKM_SSL3_MASTER_KEY_DERIVE      (0x371)
+#define CKM_SSL3_KEY_AND_MAC_DERIVE     (0x372)
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH   (0x373)
+#define CKM_TLS_PRE_MASTER_KEY_GEN      (0x374)
+#define CKM_TLS_MASTER_KEY_DERIVE       (0x375)
+#define CKM_TLS_KEY_AND_MAC_DERIVE      (0x376)
+#define CKM_TLS_MASTER_KEY_DERIVE_DH    (0x377)
+#define CKM_SSL3_MD5_MAC                (0x380)
+#define CKM_SSL3_SHA1_MAC               (0x381)
+#define CKM_MD5_KEY_DERIVATION          (0x390)
+#define CKM_MD2_KEY_DERIVATION          (0x391)
+#define CKM_SHA1_KEY_DERIVATION         (0x392)
+#define CKM_PBE_MD2_DES_CBC             (0x3a0)
+#define CKM_PBE_MD5_DES_CBC             (0x3a1)
+#define CKM_PBE_MD5_CAST_CBC            (0x3a2)
+#define CKM_PBE_MD5_CAST3_CBC           (0x3a3)
+#define CKM_PBE_MD5_CAST5_CBC           (0x3a4)
+#define CKM_PBE_MD5_CAST128_CBC         (0x3a4)
+#define CKM_PBE_SHA1_CAST5_CBC          (0x3a5)
+#define CKM_PBE_SHA1_CAST128_CBC        (0x3a5)
+#define CKM_PBE_SHA1_RC4_128            (0x3a6)
+#define CKM_PBE_SHA1_RC4_40             (0x3a7)
+#define CKM_PBE_SHA1_DES3_EDE_CBC       (0x3a8)
+#define CKM_PBE_SHA1_DES2_EDE_CBC       (0x3a9)
+#define CKM_PBE_SHA1_RC2_128_CBC        (0x3aa)
+#define CKM_PBE_SHA1_RC2_40_CBC         (0x3ab)
+#define CKM_PKCS5_PBKD2                 (0x3b0)
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC     (0x3c0)
+#define CKM_KEY_WRAP_LYNKS              (0x400)
+#define CKM_KEY_WRAP_SET_OAEP           (0x401)
+#define CKM_SKIPJACK_KEY_GEN            (0x1000)
+#define CKM_SKIPJACK_ECB64              (0x1001)
+#define CKM_SKIPJACK_CBC64              (0x1002)
+#define CKM_SKIPJACK_OFB64              (0x1003)
+#define CKM_SKIPJACK_CFB64              (0x1004)
+#define CKM_SKIPJACK_CFB32              (0x1005)
+#define CKM_SKIPJACK_CFB16              (0x1006)
+#define CKM_SKIPJACK_CFB8               (0x1007)
+#define CKM_SKIPJACK_WRAP               (0x1008)
+#define CKM_SKIPJACK_PRIVATE_WRAP       (0x1009)
+#define CKM_SKIPJACK_RELAYX             (0x100a)
+#define CKM_KEA_KEY_PAIR_GEN            (0x1010)
+#define CKM_KEA_KEY_DERIVE              (0x1011)
+#define CKM_FORTEZZA_TIMESTAMP          (0x1020)
+#define CKM_BATON_KEY_GEN               (0x1030)
+#define CKM_BATON_ECB128                (0x1031)
+#define CKM_BATON_ECB96                 (0x1032)
+#define CKM_BATON_CBC128                (0x1033)
+#define CKM_BATON_COUNTER               (0x1034)
+#define CKM_BATON_SHUFFLE               (0x1035)
+#define CKM_BATON_WRAP                  (0x1036)
+#define CKM_ECDSA_KEY_PAIR_GEN          (0x1040)
+#define CKM_EC_KEY_PAIR_GEN             (0x1040)
+#define CKM_ECDSA                       (0x1041)
+#define CKM_ECDSA_SHA1                  (0x1042)
+#define CKM_ECDH1_DERIVE                (0x1050)
+#define CKM_ECDH1_COFACTOR_DERIVE       (0x1051)
+#define CKM_ECMQV_DERIVE                (0x1052)
+#define CKM_JUNIPER_KEY_GEN             (0x1060)
+#define CKM_JUNIPER_ECB128              (0x1061)
+#define CKM_JUNIPER_CBC128              (0x1062)
+#define CKM_JUNIPER_COUNTER             (0x1063)
+#define CKM_JUNIPER_SHUFFLE             (0x1064)
+#define CKM_JUNIPER_WRAP                (0x1065)
+#define CKM_FASTHASH                    (0x1070)
+#define CKM_AES_KEY_GEN                 (0x1080)
+#define CKM_AES_ECB                     (0x1081)
+#define CKM_AES_CBC                     (0x1082)
+#define CKM_AES_MAC                     (0x1083)
+#define CKM_AES_MAC_GENERAL             (0x1084)
+#define CKM_AES_CBC_PAD                 (0x1085)
+#define CKM_DSA_PARAMETER_GEN           (0x2000)
+#define CKM_DH_PKCS_PARAMETER_GEN       (0x2001)
+#define CKM_X9_42_DH_PARAMETER_GEN      (0x2002)
+#define CKM_VENDOR_DEFINED              ((unsigned long) (1 << 31))
+
+
+struct ck_mechanism
+{
+  ck_mechanism_type_t mechanism;
+  void *parameter;
+  unsigned long parameter_len;
+};
+
+
+struct ck_mechanism_info
+{
+  unsigned long min_key_size;
+  unsigned long max_key_size;
+  ck_flags_t flags;
+};
+
+#define CKF_HW                  (1 << 0)
+#define CKF_ENCRYPT             (1 << 8)
+#define CKF_DECRYPT             (1 << 9)
+#define CKF_DIGEST              (1 << 10)
+#define CKF_SIGN                (1 << 11)
+#define CKF_SIGN_RECOVER        (1 << 12)
+#define CKF_VERIFY              (1 << 13)
+#define CKF_VERIFY_RECOVER      (1 << 14)
+#define CKF_GENERATE            (1 << 15)
+#define CKF_GENERATE_KEY_PAIR   (1 << 16)
+#define CKF_WRAP                (1 << 17)
+#define CKF_UNWRAP              (1 << 18)
+#define CKF_DERIVE              (1 << 19)
+#define CKF_EXTENSION           ((unsigned long) (1 << 31))
+
+
+/* Flags for C_WaitForSlotEvent.  */
+#define CKF_DONT_BLOCK                          (1)
+
+
+typedef unsigned long ck_rv_t;
+
+
+typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
+                                ck_notification_t event, void *application);
+
+/* Forward reference.  */
+struct ck_function_list;
+
+#define _CK_DECLARE_FUNCTION(name, args)        \
+typedef ck_rv_t (*CK_ ## name) args;            \
+ck_rv_t CK_SPEC name args
+
+_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
+_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
+_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info));
+_CK_DECLARE_FUNCTION (C_GetFunctionList,
+                      (struct ck_function_list **function_list));
+
+_CK_DECLARE_FUNCTION (C_GetSlotList,
+                      (unsigned char token_present, ck_slot_id_t *slot_list,
+                       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetSlotInfo,
+                      (ck_slot_id_t slot_id, struct ck_slot_info *info));
+_CK_DECLARE_FUNCTION (C_GetTokenInfo,
+                      (ck_slot_id_t slot_id, struct ck_token_info *info));
+_CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
+                      (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
+_CK_DECLARE_FUNCTION (C_GetMechanismList,
+                      (ck_slot_id_t slot_id,
+                       ck_mechanism_type_t *mechanism_list,
+                       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetMechanismInfo,
+                      (ck_slot_id_t slot_id, ck_mechanism_type_t type,
+                       struct ck_mechanism_info *info));
+_CK_DECLARE_FUNCTION (C_InitToken,
+                      (ck_slot_id_t slot_id, unsigned char *pin,
+                       unsigned long pin_len, unsigned char *label));
+_CK_DECLARE_FUNCTION (C_InitPIN,
+                      (ck_session_handle_t session, unsigned char *pin,
+                       unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_SetPIN,
+                      (ck_session_handle_t session, unsigned char *old_pin,
+                       unsigned long old_len, unsigned char *new_pin,
+                       unsigned long new_len));
+
+_CK_DECLARE_FUNCTION (C_OpenSession,
+                      (ck_slot_id_t slot_id, ck_flags_t flags,
+                       void *application, ck_notify_t notify,
+                       ck_session_handle_t *session));
+_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
+_CK_DECLARE_FUNCTION (C_GetSessionInfo,
+                      (ck_session_handle_t session,
+                       struct ck_session_info *info));
+_CK_DECLARE_FUNCTION (C_GetOperationState,
+                      (ck_session_handle_t session,
+                       unsigned char *operation_state,
+                       unsigned long *operation_state_len));
+_CK_DECLARE_FUNCTION (C_SetOperationState,
+                      (ck_session_handle_t session,
+                       unsigned char *operation_state,
+                       unsigned long operation_state_len,
+                       ck_object_handle_t encryption_key,
+                       ck_object_handle_t authentiation_key));
+_CK_DECLARE_FUNCTION (C_Login,
+                      (ck_session_handle_t session, ck_user_type_t user_type,
+                       unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_CreateObject,
+                      (ck_session_handle_t session,
+                       struct ck_attribute *templ,
+                       unsigned long count, ck_object_handle_t *object));
+_CK_DECLARE_FUNCTION (C_CopyObject,
+                      (ck_session_handle_t session, ck_object_handle_t object,
+                       struct ck_attribute *templ, unsigned long count,
+                       ck_object_handle_t *new_object));
+_CK_DECLARE_FUNCTION (C_DestroyObject,
+                      (ck_session_handle_t session,
+                       ck_object_handle_t object));
+_CK_DECLARE_FUNCTION (C_GetObjectSize,
+                      (ck_session_handle_t session,
+                       ck_object_handle_t object,
+                       unsigned long *size));
+_CK_DECLARE_FUNCTION (C_GetAttributeValue,
+                      (ck_session_handle_t session,
+                       ck_object_handle_t object,
+                       struct ck_attribute *templ,
+                       unsigned long count));
+_CK_DECLARE_FUNCTION (C_SetAttributeValue,
+                      (ck_session_handle_t session,
+                       ck_object_handle_t object,
+                       struct ck_attribute *templ,
+                       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjectsInit,
+                      (ck_session_handle_t session,
+                       struct ck_attribute *templ,
+                       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjects,
+                      (ck_session_handle_t session,
+                       ck_object_handle_t *object,
+                       unsigned long max_object_count,
+                       unsigned long *object_count));
+_CK_DECLARE_FUNCTION (C_FindObjectsFinal,
+                      (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_EncryptInit,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Encrypt,
+                      (ck_session_handle_t session,
+                       unsigned char *data, unsigned long data_len,
+                       unsigned char *encrypted_data,
+                       unsigned long *encrypted_data_len));
+_CK_DECLARE_FUNCTION (C_EncryptUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *part, unsigned long part_len,
+                       unsigned char *encrypted_part,
+                       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_EncryptFinal,
+                      (ck_session_handle_t session,
+                       unsigned char *last_encrypted_part,
+                       unsigned long *last_encrypted_part_len));
+
+_CK_DECLARE_FUNCTION (C_DecryptInit,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Decrypt,
+                      (ck_session_handle_t session,
+                       unsigned char *encrypted_data,
+                       unsigned long encrypted_data_len,
+                       unsigned char *data, unsigned long *data_len));
+_CK_DECLARE_FUNCTION (C_DecryptUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *encrypted_part,
+                       unsigned long encrypted_part_len,
+                       unsigned char *part, unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_DecryptFinal,
+                      (ck_session_handle_t session,
+                       unsigned char *last_part,
+                       unsigned long *last_part_len));
+
+_CK_DECLARE_FUNCTION (C_DigestInit,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism));
+_CK_DECLARE_FUNCTION (C_Digest,
+                      (ck_session_handle_t session,
+                       unsigned char *data, unsigned long data_len,
+                       unsigned char *digest,
+                       unsigned long *digest_len));
+_CK_DECLARE_FUNCTION (C_DigestUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_DigestKey,
+                      (ck_session_handle_t session, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_DigestFinal,
+                      (ck_session_handle_t session,
+                       unsigned char *digest,
+                       unsigned long *digest_len));
+
+_CK_DECLARE_FUNCTION (C_SignInit,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Sign,
+                      (ck_session_handle_t session,
+                       unsigned char *data, unsigned long data_len,
+                       unsigned char *signature,
+                       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_SignFinal,
+                      (ck_session_handle_t session,
+                       unsigned char *signature,
+                       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignRecoverInit,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_SignRecover,
+                      (ck_session_handle_t session,
+                       unsigned char *data, unsigned long data_len,
+                       unsigned char *signature,
+                       unsigned long *signature_len));
+
+_CK_DECLARE_FUNCTION (C_VerifyInit,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Verify,
+                      (ck_session_handle_t session,
+                       unsigned char *data, unsigned long data_len,
+                       unsigned char *signature,
+                       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_VerifyFinal,
+                      (ck_session_handle_t session,
+                       unsigned char *signature,
+                       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_VerifyRecover,
+                      (ck_session_handle_t session,
+                       unsigned char *signature,
+                       unsigned long signature_len,
+                       unsigned char *data,
+                       unsigned long *data_len));
+
+_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *part, unsigned long part_len,
+                       unsigned char *encrypted_part,
+                       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *encrypted_part,
+                       unsigned long encrypted_part_len,
+                       unsigned char *part,
+                       unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *part, unsigned long part_len,
+                       unsigned char *encrypted_part,
+                       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
+                      (ck_session_handle_t session,
+                       unsigned char *encrypted_part,
+                       unsigned long encrypted_part_len,
+                       unsigned char *part,
+                       unsigned long *part_len));
+
+_CK_DECLARE_FUNCTION (C_GenerateKey,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       struct ck_attribute *templ,
+                       unsigned long count,
+                       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_GenerateKeyPair,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       struct ck_attribute *public_key_template,
+                       unsigned long public_key_attribute_count,
+                       struct ck_attribute *private_key_template,
+                       unsigned long private_key_attribute_count,
+                       ck_object_handle_t *public_key,
+                       ck_object_handle_t *private_key));
+_CK_DECLARE_FUNCTION (C_WrapKey,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t wrapping_key,
+                       ck_object_handle_t key,
+                       unsigned char *wrapped_key,
+                       unsigned long *wrapped_key_len));
+_CK_DECLARE_FUNCTION (C_UnwrapKey,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t unwrapping_key,
+                       unsigned char *wrapped_key,
+                       unsigned long wrapped_key_len,
+                       struct ck_attribute *templ,
+                       unsigned long attribute_count,
+                       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_DeriveKey,
+                      (ck_session_handle_t session,
+                       struct ck_mechanism *mechanism,
+                       ck_object_handle_t base_key,
+                       struct ck_attribute *templ,
+                       unsigned long attribute_count,
+                       ck_object_handle_t *key));
+
+_CK_DECLARE_FUNCTION (C_SeedRandom,
+                      (ck_session_handle_t session, unsigned char *seed,
+                       unsigned long seed_len));
+_CK_DECLARE_FUNCTION (C_GenerateRandom,
+                      (ck_session_handle_t session,
+                       unsigned char *random_data,
+                       unsigned long random_len));
+
+_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
+
+
+struct ck_function_list
+{
+  struct ck_version version;
+  CK_C_Initialize C_Initialize;
+  CK_C_Finalize C_Finalize;
+  CK_C_GetInfo C_GetInfo;
+  CK_C_GetFunctionList C_GetFunctionList;
+  CK_C_GetSlotList C_GetSlotList;
+  CK_C_GetSlotInfo C_GetSlotInfo;
+  CK_C_GetTokenInfo C_GetTokenInfo;
+  CK_C_GetMechanismList C_GetMechanismList;
+  CK_C_GetMechanismInfo C_GetMechanismInfo;
+  CK_C_InitToken C_InitToken;
+  CK_C_InitPIN C_InitPIN;
+  CK_C_SetPIN C_SetPIN;
+  CK_C_OpenSession C_OpenSession;
+  CK_C_CloseSession C_CloseSession;
+  CK_C_CloseAllSessions C_CloseAllSessions;
+  CK_C_GetSessionInfo C_GetSessionInfo;
+  CK_C_GetOperationState C_GetOperationState;
+  CK_C_SetOperationState C_SetOperationState;
+  CK_C_Login C_Login;
+  CK_C_Logout C_Logout;
+  CK_C_CreateObject C_CreateObject;
+  CK_C_CopyObject C_CopyObject;
+  CK_C_DestroyObject C_DestroyObject;
+  CK_C_GetObjectSize C_GetObjectSize;
+  CK_C_GetAttributeValue C_GetAttributeValue;
+  CK_C_SetAttributeValue C_SetAttributeValue;
+  CK_C_FindObjectsInit C_FindObjectsInit;
+  CK_C_FindObjects C_FindObjects;
+  CK_C_FindObjectsFinal C_FindObjectsFinal;
+  CK_C_EncryptInit C_EncryptInit;
+  CK_C_Encrypt C_Encrypt;
+  CK_C_EncryptUpdate C_EncryptUpdate;
+  CK_C_EncryptFinal C_EncryptFinal;
+  CK_C_DecryptInit C_DecryptInit;
+  CK_C_Decrypt C_Decrypt;
+  CK_C_DecryptUpdate C_DecryptUpdate;
+  CK_C_DecryptFinal C_DecryptFinal;
+  CK_C_DigestInit C_DigestInit;
+  CK_C_Digest C_Digest;
+  CK_C_DigestUpdate C_DigestUpdate;
+  CK_C_DigestKey C_DigestKey;
+  CK_C_DigestFinal C_DigestFinal;
+  CK_C_SignInit C_SignInit;
+  CK_C_Sign C_Sign;
+  CK_C_SignUpdate C_SignUpdate;
+  CK_C_SignFinal C_SignFinal;
+  CK_C_SignRecoverInit C_SignRecoverInit;
+  CK_C_SignRecover C_SignRecover;
+  CK_C_VerifyInit C_VerifyInit;
+  CK_C_Verify C_Verify;
+  CK_C_VerifyUpdate C_VerifyUpdate;
+  CK_C_VerifyFinal C_VerifyFinal;
+  CK_C_VerifyRecoverInit C_VerifyRecoverInit;
+  CK_C_VerifyRecover C_VerifyRecover;
+  CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+  CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+  CK_C_SignEncryptUpdate C_SignEncryptUpdate;
+  CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+  CK_C_GenerateKey C_GenerateKey;
+  CK_C_GenerateKeyPair C_GenerateKeyPair;
+  CK_C_WrapKey C_WrapKey;
+  CK_C_UnwrapKey C_UnwrapKey;
+  CK_C_DeriveKey C_DeriveKey;
+  CK_C_SeedRandom C_SeedRandom;
+  CK_C_GenerateRandom C_GenerateRandom;
+  CK_C_GetFunctionStatus C_GetFunctionStatus;
+  CK_C_CancelFunction C_CancelFunction;
+  CK_C_WaitForSlotEvent C_WaitForSlotEvent;
+};
+
+
+typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
+typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
+typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
+typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
+
+
+struct ck_c_initialize_args
+{
+  ck_createmutex_t create_mutex;
+  ck_destroymutex_t destroy_mutex;
+  ck_lockmutex_t lock_mutex;
+  ck_unlockmutex_t unlock_mutex;
+  ck_flags_t flags;
+  void *reserved;
+};
+
+
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS      (1 << 0)
+#define CKF_OS_LOCKING_OK                       (1 << 1)
+
+#define CKR_OK                                  (0)
+#define CKR_CANCEL                              (1)
+#define CKR_HOST_MEMORY                         (2)
+#define CKR_SLOT_ID_INVALID                     (3)
+#define CKR_GENERAL_ERROR                       (5)
+#define CKR_FUNCTION_FAILED                     (6)
+#define CKR_ARGUMENTS_BAD                       (7)
+#define CKR_NO_EVENT                            (8)
+#define CKR_NEED_TO_CREATE_THREADS              (9)
+#define CKR_CANT_LOCK                           (0xa)
+#define CKR_ATTRIBUTE_READ_ONLY                 (0x10)
+#define CKR_ATTRIBUTE_SENSITIVE                 (0x11)
+#define CKR_ATTRIBUTE_TYPE_INVALID              (0x12)
+#define CKR_ATTRIBUTE_VALUE_INVALID             (0x13)
+#define CKR_DATA_INVALID                        (0x20)
+#define CKR_DATA_LEN_RANGE                      (0x21)
+#define CKR_DEVICE_ERROR                        (0x30)
+#define CKR_DEVICE_MEMORY                       (0x31)
+#define CKR_DEVICE_REMOVED                      (0x32)
+#define CKR_ENCRYPTED_DATA_INVALID              (0x40)
+#define CKR_ENCRYPTED_DATA_LEN_RANGE            (0x41)
+#define CKR_FUNCTION_CANCELED                   (0x50)
+#define CKR_FUNCTION_NOT_PARALLEL               (0x51)
+#define CKR_FUNCTION_NOT_SUPPORTED              (0x54)
+#define CKR_KEY_HANDLE_INVALID                  (0x60)
+#define CKR_KEY_SIZE_RANGE                      (0x62)
+#define CKR_KEY_TYPE_INCONSISTENT               (0x63)
+#define CKR_KEY_NOT_NEEDED                      (0x64)
+#define CKR_KEY_CHANGED                         (0x65)
+#define CKR_KEY_NEEDED                          (0x66)
+#define CKR_KEY_INDIGESTIBLE                    (0x67)
+#define CKR_KEY_FUNCTION_NOT_PERMITTED          (0x68)
+#define CKR_KEY_NOT_WRAPPABLE                   (0x69)
+#define CKR_KEY_UNEXTRACTABLE                   (0x6a)
+#define CKR_MECHANISM_INVALID                   (0x70)
+#define CKR_MECHANISM_PARAM_INVALID             (0x71)
+#define CKR_OBJECT_HANDLE_INVALID               (0x82)
+#define CKR_OPERATION_ACTIVE                    (0x90)
+#define CKR_OPERATION_NOT_INITIALIZED           (0x91)
+#define CKR_PIN_INCORRECT                       (0xa0)
+#define CKR_PIN_INVALID                         (0xa1)
+#define CKR_PIN_LEN_RANGE                       (0xa2)
+#define CKR_PIN_EXPIRED                         (0xa3)
+#define CKR_PIN_LOCKED                          (0xa4)
+#define CKR_SESSION_CLOSED                      (0xb0)
+#define CKR_SESSION_COUNT                       (0xb1)
+#define CKR_SESSION_HANDLE_INVALID              (0xb3)
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED      (0xb4)
+#define CKR_SESSION_READ_ONLY                   (0xb5)
+#define CKR_SESSION_EXISTS                      (0xb6)
+#define CKR_SESSION_READ_ONLY_EXISTS            (0xb7)
+#define CKR_SESSION_READ_WRITE_SO_EXISTS        (0xb8)
+#define CKR_SIGNATURE_INVALID                   (0xc0)
+#define CKR_SIGNATURE_LEN_RANGE                 (0xc1)
+#define CKR_TEMPLATE_INCOMPLETE                 (0xd0)
+#define CKR_TEMPLATE_INCONSISTENT               (0xd1)
+#define CKR_TOKEN_NOT_PRESENT                   (0xe0)
+#define CKR_TOKEN_NOT_RECOGNIZED                (0xe1)
+#define CKR_TOKEN_WRITE_PROTECTED               (0xe2)
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID       (0xf0)
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE           (0xf1)
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT    (0xf2)
+#define CKR_USER_ALREADY_LOGGED_IN              (0x100)
+#define CKR_USER_NOT_LOGGED_IN                  (0x101)
+#define CKR_USER_PIN_NOT_INITIALIZED            (0x102)
+#define CKR_USER_TYPE_INVALID                   (0x103)
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN      (0x104)
+#define CKR_USER_TOO_MANY_TYPES                 (0x105)
+#define CKR_WRAPPED_KEY_INVALID                 (0x110)
+#define CKR_WRAPPED_KEY_LEN_RANGE               (0x112)
+#define CKR_WRAPPING_KEY_HANDLE_INVALID         (0x113)
+#define CKR_WRAPPING_KEY_SIZE_RANGE             (0x114)
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT      (0x115)
+#define CKR_RANDOM_SEED_NOT_SUPPORTED           (0x120)
+#define CKR_RANDOM_NO_RNG                       (0x121)
+#define CKR_DOMAIN_PARAMS_INVALID               (0x130)
+#define CKR_BUFFER_TOO_SMALL                    (0x150)
+#define CKR_SAVED_STATE_INVALID                 (0x160)
+#define CKR_INFORMATION_SENSITIVE               (0x170)
+#define CKR_STATE_UNSAVEABLE                    (0x180)
+#define CKR_CRYPTOKI_NOT_INITIALIZED            (0x190)
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED        (0x191)
+#define CKR_MUTEX_BAD                           (0x1a0)
+#define CKR_MUTEX_NOT_LOCKED                    (0x1a1)
+#define CKR_FUNCTION_REJECTED                   (0x200)
+#define CKR_VENDOR_DEFINED                      ((unsigned long) (1 << 31))
+
+
+
+/* Compatibility layer.  */
+
+#ifdef CRYPTOKI_COMPAT
+
+#undef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
+
+/* For NULL.  */
+#include <stddef.h>
+
+typedef unsigned char CK_BYTE;
+typedef unsigned char CK_CHAR;
+typedef unsigned char CK_UTF8CHAR;
+typedef unsigned char CK_BBOOL;
+typedef unsigned long int CK_ULONG;
+typedef long int CK_LONG;
+typedef CK_BYTE *CK_BYTE_PTR;
+typedef CK_CHAR *CK_CHAR_PTR;
+typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
+typedef CK_ULONG *CK_ULONG_PTR;
+typedef void *CK_VOID_PTR;
+typedef void **CK_VOID_PTR_PTR;
+#define CK_FALSE 0
+#define CK_TRUE 1
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+#endif
+
+typedef struct ck_version CK_VERSION;
+typedef struct ck_version *CK_VERSION_PTR;
+
+typedef struct ck_info CK_INFO;
+typedef struct ck_info *CK_INFO_PTR;
+
+typedef ck_slot_id_t *CK_SLOT_ID_PTR;
+
+typedef struct ck_slot_info CK_SLOT_INFO;
+typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
+
+typedef struct ck_token_info CK_TOKEN_INFO;
+typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
+
+typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
+
+typedef struct ck_session_info CK_SESSION_INFO;
+typedef struct ck_session_info *CK_SESSION_INFO_PTR;
+
+typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
+
+typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
+
+typedef struct ck_attribute CK_ATTRIBUTE;
+typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
+
+typedef struct ck_date CK_DATE;
+typedef struct ck_date *CK_DATE_PTR;
+
+typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
+
+typedef struct ck_mechanism CK_MECHANISM;
+typedef struct ck_mechanism *CK_MECHANISM_PTR;
+
+typedef struct ck_mechanism_info CK_MECHANISM_INFO;
+typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+
+typedef struct ck_function_list CK_FUNCTION_LIST;
+typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
+typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+
+typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+#define NULL_PTR NULL
+
+/* Delete the helper macros defined at the top of the file.  */
+#undef ck_flags_t
+#undef ck_version
+
+#undef ck_info
+#undef cryptoki_version
+#undef manufacturer_id
+#undef library_description
+#undef library_version
+
+#undef ck_notification_t
+#undef ck_slot_id_t
+
+#undef ck_slot_info
+#undef slot_description
+#undef hardware_version
+#undef firmware_version
+
+#undef ck_token_info
+#undef serial_number
+#undef max_session_count
+#undef session_count
+#undef max_rw_session_count
+#undef rw_session_count
+#undef max_pin_len
+#undef min_pin_len
+#undef total_public_memory
+#undef free_public_memory
+#undef total_private_memory
+#undef free_private_memory
+#undef utc_time
+
+#undef ck_session_handle_t
+#undef ck_user_type_t
+#undef ck_state_t
+
+#undef ck_session_info
+#undef slot_id
+#undef device_error
+
+#undef ck_object_handle_t
+#undef ck_object_class_t
+#undef ck_hw_feature_type_t
+#undef ck_key_type_t
+#undef ck_certificate_type_t
+#undef ck_attribute_type_t
+
+#undef ck_attribute
+#undef value
+#undef value_len
+
+#undef ck_date
+
+#undef ck_mechanism_type_t
+
+#undef ck_mechanism
+#undef parameter
+#undef parameter_len
+
+#undef ck_mechanism_info
+#undef min_key_size
+#undef max_key_size
+
+#undef ck_rv_t
+#undef ck_notify_t
+
+#undef ck_function_list
+
+#undef ck_createmutex_t
+#undef ck_destroymutex_t
+#undef ck_lockmutex_t
+#undef ck_unlockmutex_t
+
+#undef ck_c_initialize_args
+#undef create_mutex
+#undef destroy_mutex
+#undef lock_mutex
+#undef unlock_mutex
+#undef reserved
+
+#endif  /* CRYPTOKI_COMPAT */
+
+
+/* System dependencies.  */
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+#pragma pack(pop, cryptoki)
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif  /* PKCS11_H */
diff --git a/src/versioninfo.rc.in b/src/versioninfo.rc.in
new file mode 100644
index 0000000..0529ef8
--- /dev/null
+++ b/src/versioninfo.rc.in
@@ -0,0 +1,35 @@
+#include <winresrc.h>
+
+VS_VERSION_INFO VERSIONINFO
+        FILEVERSION @LIBP11_LT_CURRENT@,@LIBP11_LT_AGE@,@LIBP11_LT_REVISION@,0
+        PRODUCTVERSION @LIBP11_VERSION_MAJOR@,@LIBP11_VERSION_MINOR@,@LIBP11_VERSION_FIX@,0
+        FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+        FILEFLAGS 0x21L
+#else
+        FILEFLAGS 0x20L
+#endif
+        FILEOS 0x40004L
+        FILETYPE 0x1L
+        FILESUBTYPE 0x0L
+BEGIN
+        BLOCK "StringFileInfo"
+        BEGIN
+                BLOCK "040904b0"
+                BEGIN
+                        VALUE "Comments", "Provided under the terms of the GNU General Public License (LGPLv2.1+).\0"
+                        VALUE "CompanyName", "OpenSC Project\0"
+                        VALUE "FileDescription", "PKCS#11 access library\0"
+                        VALUE "FileVersion", "@LIBP11_LT_CURRENT@.@LIBP11_LT_AGE@.@LIBP11_LT_REVISION@.0\0"
+                        VALUE "InternalName", "@PACKAGE_NAME@\0"
+                        VALUE "LegalCopyright", "OpenSC Project\0"
+                        VALUE "LegalTrademarks", "\0"
+                        VALUE "OriginalFilename", "@PACKAGE_NAME@-@LIBP11_LT_OLDEST@.dll\0"
+                        VALUE "PrivateBuild", "\0"
+                        VALUE "ProductName", "@PACKAGE_NAME@\0"
+                        VALUE "ProductVersion", "@LIBP11_VERSION_MAJOR@,@LIBP11_VERSION_MINOR@,@LIBP11_VERSION_FIX@,0\0"
+                        VALUE "SpecialBuild", "\0"
+                END
+        END
+END
+
diff --git a/winconfig.h b/winconfig.h
new file mode 100644
index 0000000..013255c
--- /dev/null
+++ b/winconfig.h
@@ -0,0 +1 @@
+/* nothing for now */