/*
 * Copyright (C) 2013 Texas Instruments Incorporated - http://www.ti.com/
 * Copyright (c) 2002 Juha Yrjölä.  All rights reserved.
 * Copyright (c) 2001 Markus Friedl.
 * Copyright (c) 2002 Olaf Kirch
 * Copyright (c) 2003 Kevin Stefanik
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*****************************************************************************
 ChangeLog (01/04/2013):
  Added following new functionalities
   - API to list objects on the token
   - API to store certificate to token
   - API to generate & store RSA key pair to token
   - API to get RSA public key from token
   - API to Delete object from token
 *****************************************************************************/

#include <config.h>
#include <stdio.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/objects.h>
#include <openssl/engine.h>
#include <libp11.h>
#include "engine_pkcs11.h"

#ifdef _WIN32
#define strncasecmp strnicmp
#endif

#define fail(msg) { fprintf(stderr,msg); return NULL;}

/** The maximum length of an internally-allocated PIN */
#define MAX_PIN_LENGTH   32

/* Maximum size of a token object */
#define MAX_OBJECT_SIZE	5000

static int do_login(PKCS11_SLOT *slot);
static int pkcs11_store_cert
(
	ENGINE * e,
	int slot_nr,
	unsigned char *cert_id,
	size_t cert_id_len,
	char *cert_label,
	X509 *x
);
static int parse_cert_store_string
(
	const char *cert_store_str,
	int *slot,
	unsigned char *id,
	size_t * id_len,
	char **label,
	char **cert_file
);
static int parse_key_gen_string
(
	const char *key_gen_str,
	int *slot,
	int *key_size,
	unsigned char *id,
	size_t * id_len,
	char **label
);
static int pkcs11_gen_key
(
	ENGINE * e,
	int slot_nr,
	unsigned int key_size,
	unsigned char *key_id,
	size_t key_id_len,
	char *key_label
);
static int pkcs11_del_obj
(
	ENGINE * e,
	int slot_nr,
	char *type_str,
	unsigned char *id,
	size_t id_len,
	char *label
);
static int parse_del_obj_string
(
	const char *del_obj_str,
	int *slot,
	char **type,
	unsigned char *id,
	size_t * id_len,
	char **label
);
static int parse_key_string
(
	const char *pubkey_get_str,
	int *slot,
	unsigned char *id,
	size_t * id_len,
	char **label,
	char **key_file
);

static PKCS11_CTX *ctx = NULL;

/** 
 * The PIN used for login. Cache for the get_pin function.
 * The memory for this PIN is always owned internally,
 * and may be freed as necessary. Before freeing, the PIN 
 * must be whitened, to prevent security holes.
 */
static char *pin = NULL;
static int pin_length = 0;

static int verbose = 0;

static char *module = NULL;

static char *init_args = NULL;

int set_module(const char *modulename)
{
	module = modulename ? strdup(modulename) : NULL;
	return 1;
}

/**
 * Set the PIN used for login. A copy of the PIN shall be made.
 *
 * If the PIN cannot be assigned, the value 0 shall be returned
 * and errno shall be set as follows:
 *
 *   EINVAL - a NULL PIN was supplied
 *   ENOMEM - insufficient memory to copy the PIN
 *
 * @param _pin the pin to use for login. Must not be NULL.
 *
 * @return 1 on success, 0 on failure.
 */
int set_pin(const char *_pin)
{
	/* Pre-condition check */
	if (_pin == NULL) {
		errno = EINVAL;
		return 0;
	}

	/* Copy the PIN. If the string cannot be copied, NULL
	   shall be returned and errno shall be set. */
	pin = strdup(_pin);
	if (pin != NULL)
		pin_length = strlen(pin);

	return (pin != NULL);
}

int inc_verbose(void)
{
	verbose++;
	return 1;
}

/* either get the pin code from the supplied callback data, or get the pin
 * via asking our self. In both cases keep a copy of the pin code in the
 * pin variable (strdup'ed copy). */
static int get_pin(UI_METHOD * ui_method, void *callback_data)
{
	UI *ui;
	struct {
		const void *password;
		const char *prompt_info;
	} *mycb = callback_data;

	/* pin in the call back data, copy and use */
	if (mycb != NULL && mycb->password) {
		pin = (char *)calloc(MAX_PIN_LENGTH, sizeof(char));
		if (!pin)
			return 0;
		strncpy(pin,mycb->password,MAX_PIN_LENGTH);
		pin_length = MAX_PIN_LENGTH;
		return 1;
	}

	/* call ui to ask for a pin */
	ui = UI_new();
	if (ui_method != NULL)
		UI_set_method(ui, ui_method);
	if (callback_data != NULL)
		UI_set_app_data(ui, callback_data);

	if (!UI_add_input_string
	    (ui, "PKCS#11 token PIN: ", 0, pin, 1, MAX_PIN_LENGTH)) {
		fprintf(stderr, "UI_add_input_string failed\n");
		UI_free(ui);
		return 0;
	}
	if (UI_process(ui)) {
		fprintf(stderr, "UI_process failed\n");
		UI_free(ui);
		return 0;
	}
	UI_free(ui);
	return 1;
}

int set_init_args(const char *init_args_orig)
{
	init_args = init_args_orig ? strdup(init_args_orig) : NULL;
	return 1;
}

int pkcs11_finish(ENGINE * engine)
{
	if (verbose) {
		fprintf(stderr, "engine finish\n");
	}
	if (ctx) {
		PKCS11_CTX_unload(ctx);
		PKCS11_CTX_free(ctx);
		ctx = NULL;
	}
	if (pin != NULL) {
		OPENSSL_cleanse(pin, pin_length);
		free(pin);
		pin = NULL;
		pin_length = 0;
	}
	return 1;
}

int pkcs11_init(ENGINE * engine)
{
	if (verbose) {
		fprintf(stderr, "initializing engine\n");
	}
	ctx = PKCS11_CTX_new();
        PKCS11_CTX_init_args(ctx, init_args);
	if (PKCS11_CTX_load(ctx, module) < 0) {
		fprintf(stderr, "unable to load module %s\n", module);
		return 0;
	}
	return 1;
}

int pkcs11_rsa_finish(RSA * rsa)
{
	if (pin) {
		OPENSSL_cleanse(pin, pin_length);
		free(pin);
		pin = NULL;
		pin_length = 0;
	}
	if (module) {
		free(module);
		module = NULL;
	}
	/* need to free RSA_ex_data? */
	return 1;
}

static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen)
{
	size_t left, count = 0;

	if (in == NULL || *in == '\0') {
		*outlen = 0;
		return 1;
	}

	left = *outlen;

	while (*in != '\0') {
		int byte = 0, nybbles = 2;

		while (nybbles-- && *in && *in != ':') {
			char c;
			byte <<= 4;
			c = *in++;
			if ('0' <= c && c <= '9')
				c -= '0';
			else if ('a' <= c && c <= 'f')
				c = c - 'a' + 10;
			else if ('A' <= c && c <= 'F')
				c = c - 'A' + 10;
			else {
				fprintf(stderr,
					"hex_to_bin(): invalid char '%c' in hex string\n",
					c);
				*outlen = 0;
				return 0;
			}
			byte |= c;
		}
		if (*in == ':')
			in++;
		if (left <= 0) {
			fprintf(stderr, "hex_to_bin(): hex string too long\n");
			*outlen = 0;
			return 0;
		}
		out[count++] = (unsigned char)byte;
		left--;
	}

	*outlen = count;
	return 1;
}

/* parse string containing slot and id information */

static int parse_slot_id_string(const char *slot_id, int *slot,
				unsigned char *id, size_t * id_len,
				char **label)
{
	int n, i;

	if (!slot_id)
		return 0;

	/* support for several formats */
#define HEXDIGITS "01234567890ABCDEFabcdef"
#define DIGITS "0123456789"

	/* first: pure hex number (id, slot is 0) */
	if (strspn(slot_id, HEXDIGITS) == strlen(slot_id)) {
		/* ah, easiest case: only hex. */
		if ((strlen(slot_id) + 1) / 2 > *id_len) {
			fprintf(stderr, "id string too long!\n");
			return 0;
		}
		*slot = 0;
		return hex_to_bin(slot_id, id, id_len);
	}

	/* second: slot:id. slot is an digital int. */
	if (sscanf(slot_id, "%d", &n) == 1) {
		i = strspn(slot_id, DIGITS);

		if (slot_id[i] != ':') {
			fprintf(stderr, "could not parse string!\n");
			return 0;
		}
		i++;
		if (slot_id[i] == 0) {
			*slot = n;
			*id_len = 0;
			return 1;
		}
		if (strspn(slot_id + i, HEXDIGITS) + i != strlen(slot_id)) {
			fprintf(stderr, "could not parse string!\n");
			return 0;
		}
		/* ah, rest is hex */
		if ((strlen(slot_id) - i + 1) / 2 > *id_len) {
			fprintf(stderr, "id string too long!\n");
			return 0;
		}
		*slot = n;
		return hex_to_bin(slot_id + i, id, id_len);
	}

	/* third: id_<id>  */
	if (strncmp(slot_id, "id_", 3) == 0) {
		if (strspn(slot_id + 3, HEXDIGITS) + 3 != strlen(slot_id)) {
			fprintf(stderr, "could not parse string!\n");
			return 0;
		}
		/* ah, rest is hex */
		if ((strlen(slot_id) - 3 + 1) / 2 > *id_len) {
			fprintf(stderr, "id string too long!\n");
			return 0;
		}
		*slot = 0;
		return hex_to_bin(slot_id + 3, id, id_len);
	}

	/* label_<label>  */
	if (strncmp(slot_id, "label_", 6) == 0) {
		*label = strdup(slot_id + 6);
		return *label != NULL;
	}

	/* last try: it has to be slot_<slot> and then "-id_<cert>" */

	if (strncmp(slot_id, "slot_", 5) != 0) {
		fprintf(stderr, "format not recognized!\n");
		return 0;
	}

	/* slot is an digital int. */
	if (sscanf(slot_id + 5, "%d", &n) != 1) {
		fprintf(stderr, "slot number not deciphered!\n");
		return 0;
	}

	i = strspn(slot_id + 5, DIGITS);

	if (slot_id[i + 5] == 0) {
		*slot = n;
		*id_len = 0;
		return 1; 
	}

	if (slot_id[i + 5] != '-') {
		fprintf(stderr, "could not parse string!\n");
		return 0;
	}

	i = 5 + i + 1;

	/* now followed by "id_" */
	if (strncmp(slot_id + i, "id_", 3) == 0) {
		if (strspn(slot_id + i + 3, HEXDIGITS) + 3 + i !=
		    strlen(slot_id)) {
			fprintf(stderr, "could not parse string!\n");
			return 0;
		}
		/* ah, rest is hex */
		if ((strlen(slot_id) - i - 3 + 1) / 2 > *id_len) {
			fprintf(stderr, "id string too long!\n");
			return 0;
		}
		*slot = n;
		return hex_to_bin(slot_id + i + 3, id, id_len);
	}

	/* ... or "label_" */
	if (strncmp(slot_id + i, "label_", 6) == 0) {
		*slot = n;
		return (*label = strdup(slot_id + i + 6)) != NULL;
	}

	fprintf(stderr, "could not parse string!\n");
	return 0;
}

#define MAX_VALUE_LEN	200

/* prototype for OpenSSL ENGINE_load_cert */
/* used by load_cert_ctrl via ENGINE_ctrl for now */

static X509 *pkcs11_load_cert(ENGINE * e, const char *s_slot_cert_id)
{
	PKCS11_SLOT *slot_list, *slot;
	PKCS11_SLOT *found_slot = NULL;
	PKCS11_TOKEN *tok;
	PKCS11_CERT *certs, *selected_cert = NULL;
	X509 *x509;
	unsigned int slot_count, cert_count, n, m;
	unsigned char cert_id[MAX_VALUE_LEN / 2];
	size_t cert_id_len = sizeof(cert_id);
	char *cert_label = NULL;
	int slot_nr = -1;
	char flags[64];

	if (s_slot_cert_id && *s_slot_cert_id) {
		n = parse_slot_id_string(s_slot_cert_id, &slot_nr,
					 cert_id, &cert_id_len, &cert_label);
		if (!n) {
			fprintf(stderr,
				"supported formats: <id>, <slot>:<id>, id_<id>, slot_<slot>-id_<id>, label_<label>, slot_<slot>-label_<label>\n");
			fprintf(stderr,
				"where <slot> is the slot number as normal integer,\n");
			fprintf(stderr,
				"and <id> is the id number as hex string.\n");
			fprintf(stderr,
				"and <label> is the textual key label string.\n");
			return NULL;
		}
		if (verbose) {
			fprintf(stderr, "Looking in slot %d for certificate: ",
				slot_nr);
			if (cert_label == NULL) {
				for (n = 0; n < cert_id_len; n++)
					fprintf(stderr, "%02x", cert_id[n]);
				fprintf(stderr, "\n");
			} else
				fprintf(stderr, "label: %s\n", cert_label);

		}
	}

	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0)
		fail("failed to enumerate slots\n");

	if (verbose) {
		fprintf(stderr, "Found %u slot%s\n", slot_count,
			(slot_count <= 1) ? "" : "s");
	}
	for (n = 0; n < slot_count; n++) {
		slot = slot_list + n;
		flags[0] = '\0';
		if (slot->token) {
			if (!slot->token->initialized)
				strcat(flags, "uninitialized, ");
			else if (!slot->token->userPinSet)
				strcat(flags, "no pin, ");
			if (slot->token->loginRequired)
				strcat(flags, "login, ");
			if (slot->token->readOnly)
				strcat(flags, "ro, ");
		} else {
			strcpy(flags, "no token");
		}
		if ((m = strlen(flags)) != 0) {
			flags[m - 2] = '\0';
		}

		if (slot_nr != -1 &&
			slot_nr == PKCS11_get_slotid_from_slot(slot)) {
			found_slot = slot;
		}

		if (verbose) {
			fprintf(stderr, "[%lu] %-25.25s  %-16s",
				PKCS11_get_slotid_from_slot(slot),
				slot->description, flags);
			if (slot->token) {
				fprintf(stderr, "  (%s)",
					slot->token->label[0] ?
					slot->token->label : "no label");
			}
			fprintf(stderr, "\n");
		}
	}

	if (slot_nr == -1) {
		if (!(slot = PKCS11_find_token(ctx, slot_list, slot_count)))
			fail("didn't find any tokens\n");
	} else if (found_slot) {
		slot = found_slot; 
	} else {
		fprintf(stderr, "Invalid slot number: %d\n", slot_nr);
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return NULL;
	}
	tok = slot->token;

	if (tok == NULL) {
		fprintf(stderr, "Found empty token; \n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return NULL;
	}

	if (verbose) {
		fprintf(stderr, "Found slot:  %s\n", slot->description);
		fprintf(stderr, "Found token: %s\n", slot->token->label);
	}

	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
		fprintf(stderr, "unable to enumerate certificates\n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return NULL;
	}

	if (verbose) {
		fprintf(stderr, "Found %u cert%s:\n", cert_count,
			(cert_count <= 1) ? "" : "s");
	}
	if ((s_slot_cert_id && *s_slot_cert_id) && (cert_id_len != 0)) {
		for (n = 0; n < cert_count; n++) {
			PKCS11_CERT *k = certs + n;

			if (cert_id_len != 0 && k->id_len == cert_id_len &&
			    memcmp(k->id, cert_id, cert_id_len) == 0) {
				selected_cert = k;
			}
		}
	} else {
		selected_cert = certs;	/* use first */
	}

	if (selected_cert == NULL) {
		fprintf(stderr, "certificate not found.\n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return NULL;
	}

	x509 = X509_dup(selected_cert->x509);
	if (cert_label != NULL)
		free(cert_label);
	return x509;
}

int load_cert_ctrl(ENGINE * e, void *p)
{
	struct {
		const char *s_slot_cert_id;
		X509 *cert;
	} *parms = p;

	if (parms->cert != NULL)
		return 0;

	parms->cert = pkcs11_load_cert(e, parms->s_slot_cert_id);
	if (parms->cert == NULL)
		return 0;

	return 1;
}

static EVP_PKEY *pkcs11_load_key
(
	ENGINE * e,
	int slot_nr,
	unsigned char *key_id,
	size_t key_id_len,
	char *key_label,
	UI_METHOD * ui_method,
	void *callback_data,
	int isPrivate
)
{
	PKCS11_SLOT *slot_list, *slot;
	PKCS11_SLOT *found_slot = NULL;
	PKCS11_TOKEN *tok;
	PKCS11_KEY *keys, *selected_key = NULL;
	PKCS11_CERT *certs;
	EVP_PKEY *pk;
	unsigned int slot_count, cert_count, key_count, n, m;
	char flags[64];

	if (ctx == NULL) {
		pkcs11_init(e);
	}

	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0)
		fail("failed to enumerate slots\n");

	if (verbose) {
		fprintf(stderr, "Found %u slot%s\n", slot_count,
			(slot_count <= 1) ? "" : "s");
	}

	for (n = 0; n < slot_count; n++) {
		slot = slot_list + n;
		flags[0] = '\0';
		if (slot->token) {
			if (!slot->token->initialized)
				strcat(flags, "uninitialized, ");
			else if (!slot->token->userPinSet)
				strcat(flags, "no pin, ");
			if (slot->token->loginRequired)
				strcat(flags, "login, ");
			if (slot->token->readOnly)
				strcat(flags, "ro, ");
		} else {
			strcpy(flags, "no token");
		}
		if ((m = strlen(flags)) != 0) {
			flags[m - 2] = '\0';
		}

		if (slot_nr != -1 &&
			slot_nr == PKCS11_get_slotid_from_slot(slot)) {
			found_slot = slot;
		}

		if (verbose) {
			fprintf(stderr, "[%lu] %-25.25s  %-16s",
				PKCS11_get_slotid_from_slot(slot),
				slot->description, flags);
			if (slot->token) {
				fprintf(stderr, "  (%s)",
					slot->token->label[0] ?
					slot->token->label : "no label");
			}
			fprintf(stderr, "\n");
		}
	}

	if (slot_nr == -1) {
		if (!(slot = PKCS11_find_token(ctx, slot_list, slot_count)))
			fail("didn't find any tokens\n");
	} else if (found_slot) {
		slot = found_slot;
	} else {
		fprintf(stderr, "Invalid slot number: %d\n", slot_nr);
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return NULL;
	}
	tok = slot->token;

	if (tok == NULL) {
		fprintf(stderr, "Found empty token; \n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return NULL;
	}

	if (isPrivate && !tok->userPinSet && !tok->readOnly) {
		fprintf(stderr, "Found slot without user PIN\n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return NULL;
	}

	if (verbose) {
		fprintf(stderr, "Found slot:  %s\n", slot->description);
		fprintf(stderr, "Found token: %s\n", slot->token->label);
	}

#ifdef DEBUG
	if (PKCS11_enumerate_certs(tok, &certs, &cert_count))
		fail("unable to enumerate certificates\n");

	if (verbose) {
		fprintf(stderr, "Found %u certificate%s:\n", cert_count,
			(cert_count <= 1) ? "" : "s");
		for (n = 0; n < cert_count; n++) {
			PKCS11_CERT *c = certs + n;
			char *dn = NULL;

			fprintf(stderr, "  %2u    %s", n + 1, c->label);
			if (c->x509)
				dn = X509_NAME_oneline(X509_get_subject_name
						       (c->x509), NULL, 0);
			if (dn) {
				fprintf(stderr, " (%s)", dn);
				OPENSSL_free(dn);
			}
			fprintf(stderr, "\n");
		}
	}
#endif

	/* Perform login to the token if required */
	if (tok->loginRequired) {
		/* If the token has a secure login (i.e., an external keypad),
		   then use a NULL pin. Otherwise, check if a PIN exists. If
		   not, allocate and obtain a new PIN. */
		if (tok->secureLogin) {
			/* Free the PIN if it has already been 
			   assigned (i.e, cached by get_pin) */
			if (pin != NULL) {
				OPENSSL_cleanse(pin, pin_length);
				free(pin);
				pin = NULL;
				pin_length = 0;
			}
		} else if (pin == NULL) {
			pin = (char *)calloc(MAX_PIN_LENGTH, sizeof(char));
			pin_length = MAX_PIN_LENGTH;
			if (pin == NULL) {
				fail("Could not allocate memory for PIN");
			}
			if (!get_pin(ui_method, callback_data) ) {
				OPENSSL_cleanse(pin, pin_length);
				free(pin);
				pin = NULL;
				pin_length = 0;
				fail("No pin code was entered");
			}
		}

		/* Now login in with the (possibly NULL) pin */
		if (PKCS11_login(slot, 0, pin)) {
			/* Login failed, so free the PIN if present */
			if (pin != NULL) {
				OPENSSL_cleanse(pin, pin_length);
				free(pin);
				pin = NULL;
				pin_length = 0;
			}
			fail("Login failed\n");
		}
		/* Login successful, PIN retained in case further logins are 
		   required. This will occur on subsequent calls to the
		   pkcs11_load_key function. Subsequent login calls should be
		   relatively fast (the token should maintain its own login
		   state), although there may still be a slight performance 
		   penalty. We could maintain state noting that successful
		   login has been performed, but this state may not be updated
		   if the token is removed and reinserted between calls. It
		   seems safer to retain the PIN and peform a login on each
		   call to pkcs11_load_key, even if this may not be strictly
		   necessary. */
		/* TODO when does PIN get freed after successful login? */
		/* TODO confirm that multiple login attempts do not introduce
		   significant performance penalties */

	}

	/* Make sure there is at least one private key on the token */
	if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
		fail("unable to enumerate keys\n");
	}
	if (key_count == 0) {
		fail("No keys found.\n");
	}

	if (verbose) {
		fprintf(stderr, "Found %u key%s:\n", key_count,
			(key_count <= 1) ? "" : "s");
	}
	if ((key_id_len != 0) || (key_label != NULL)) {
		for (n = 0; n < key_count; n++) {
			PKCS11_KEY *k = keys + n;

			if (verbose) {
				fprintf(stderr, "  %2u %c%c %s\n", n + 1,
					k->isPrivate ? 'P' : ' ',
					k->needLogin ? 'L' : ' ', k->label);
			}
			if (key_label == NULL) {
				if (key_id_len != 0 && k->id_len == key_id_len
				    && memcmp(k->id, key_id, key_id_len) == 0) {
					selected_key = k;
				}
			} else {
				if (strcmp(k->label, key_label) == 0) {
					selected_key = k;
				}
			}
		}
	} else {
		selected_key = keys;	/* use first */
	}

	if (selected_key == NULL) {
		fprintf(stderr, "key not found.\n");
		return NULL;
	}

	if (isPrivate) {
		pk = PKCS11_get_private_key(selected_key);
	} else {
		pk = PKCS11_get_public_key(selected_key);
	}
	return pk;
}

EVP_PKEY *pkcs11_load_public_key(ENGINE * e, const char *s_key_id,
				 UI_METHOD * ui_method, void *callback_data)
{
	int n;
	unsigned char key_id[MAX_VALUE_LEN / 2];
	size_t key_id_len = sizeof(key_id);
	char *key_label = NULL;
	int slot_nr = -1;
	EVP_PKEY *pk;

	n = parse_key_string(s_key_id, &slot_nr, key_id, &key_id_len,
				&key_label, NULL);
	if (n) {
		fprintf(stderr,
			"supported format: slot_<slot>:id_<id>:label_<label>\n");
		fprintf(stderr,
			"where <slot> is the slot number as normal integer,\n");
		fprintf(stderr,
			"and <id> is the id number as hex string.\n");
		fprintf(stderr,
			"and <label> is the textual key label string.\n");
		return NULL;
	}

	pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label,
			ui_method, callback_data, 0);
	if (pk == NULL)
		fail("PKCS11_load_public_key returned NULL\n");

	return pk;
}

EVP_PKEY *pkcs11_load_private_key(ENGINE * e, const char *s_key_id,
				  UI_METHOD * ui_method, void *callback_data)
{
	int n;
	unsigned char key_id[MAX_VALUE_LEN / 2];
	size_t key_id_len = sizeof(key_id);
	char *key_label = NULL;
	int slot_nr = -1;
	EVP_PKEY *pk;

	n = parse_key_string(s_key_id, &slot_nr, key_id, &key_id_len,
				&key_label, NULL);
	if (n) {
		fprintf(stderr,
			"supported format: slot_<slot>:id_<id>:label_<label>\n");
		fprintf(stderr,
			"where <slot> is the slot number as normal integer,\n");
		fprintf(stderr,
			"and <id> is the id number as hex string.\n");
		fprintf(stderr,
			"and <label> is the textual key label string.\n");
		return NULL;
	}

	pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label,
			ui_method, callback_data, 1);
	if (pk == NULL)
		fail("PKCS11_get_private_key returned NULL\n");

	return pk;
}

int list_token_objects
(
	ENGINE * e,
	long slot_nr /* slot number */
)
{
	PKCS11_SLOT *slot_list, *slot, *found_slot = NULL;
	PKCS11_TOKEN *tok;
	PKCS11_CERT *certs;
	PKCS11_KEY *keys;
	unsigned int slot_count, cert_count, key_count, m, n, i;
	char flags[64];

	if (verbose) {
		fprintf(stderr, "Displaying token objects from slot %d\n", (int)slot_nr);
	}

	if (ctx == NULL) {
		pkcs11_init(e);
	}
	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
		fprintf(stderr, "failed to enumerate slots\n");
		return 0;
	}

	if (verbose) {
		fprintf(stderr, "Found %u slots\n", slot_count);
	}

	for (n = 0; n < slot_count; n++) {
		slot = slot_list + n;
		flags[0] = '\0';
		if (slot->token) {
			if (!slot->token->initialized)
				strcat(flags, "uninitialized, ");
			else if (!slot->token->userPinSet)
				strcat(flags, "no pin, ");
			if (slot->token->loginRequired)
				strcat(flags, "login, ");
			if (slot->token->readOnly)
				strcat(flags, "ro, ");
		} else {
			strcpy(flags, "no token");
		}
		if ((m = strlen(flags)) != 0) {
			flags[m - 2] = '\0';
		}

		if (slot_nr != -1 &&
			slot_nr == PKCS11_get_slotid_from_slot(slot)) {
			found_slot = slot;
		}

		if (verbose) {
			fprintf(stderr, "[%lu] %-25.25s  %-16s",
				PKCS11_get_slotid_from_slot(slot),
				slot->description, flags);
			if (slot->token) {
				fprintf(stderr, "  (%s)",
					slot->token->label[0] ?
					slot->token->label : "no label");
			}
			fprintf(stderr, "\n");
		}
	}

	if (found_slot) {
		slot = found_slot; 
	} else {
		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return 0;
	}

	tok = slot->token;

	if (tok == NULL) {
		fprintf(stderr, "Found empty token; \n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return 0;
	}

	if (verbose) {
		fprintf(stderr, "Found slot:  %s\n", slot->description);
		fprintf(stderr, "Found token: %s\n", slot->token->label);
	}

	if ((tok->loginRequired) && (do_login(slot))) {
		fprintf(stderr, "failed to login\n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return 0;
	}

	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
		fprintf(stderr, "unable to enumerate certificates\n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return 0;
	}

	for (n=0; n<cert_count; n++) {
		PKCS11_CERT *c = certs + n;
		char *dn = NULL;

		fprintf(stderr, "Certificate Object:\n"); 
		fprintf(stderr, "\ttype: X.509 cert\n"); 
		fprintf(stderr, "\tlabel: %s\n", c->label); 
		fprintf(stderr, "\tID: ", c->id); 
		for (i = 0; i < c->id_len; i++)
			printf("%02x", c->id[i]);
		printf("\n");

		if (c->x509)
			dn = X509_NAME_oneline(X509_get_subject_name(c->x509),
						NULL, 0);
		if (dn) {
			fprintf(stderr, "\tname: %s\n", dn);
			OPENSSL_free(dn);
		}
	}

	if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
		fprintf(stderr, "unable to enumerate keys\n");
		PKCS11_release_all_slots(ctx, slot_list, slot_count);
		return 0;
	}

	for (n=0; n<key_count; n++) {
		PKCS11_KEY *k = keys + n;

		if (k->isPrivate) {
			fprintf(stderr, "Private Key Object:\n"); 
			fprintf(stderr, "\ttype: RSA\n"); 
		} else {
			fprintf(stderr, "Public Key Object:\n");
			fprintf(stderr, "\ttype: RSA %d bits\n",
				(PKCS11_get_key_size(k)*8)); 
		}
		fprintf(stderr, "\tlabel: %s\n", k->label); 
		fprintf(stderr, "\tID: "); 
		for (i = 0; i < k->id_len; i++)
			printf("%02x", k->id[i]);
		printf("\n");
	}

	return 1;
}

static int do_login(PKCS11_SLOT *slot)
{
	PKCS11_TOKEN *tok = slot->token;

	if (pin == NULL) {
		fprintf(stderr, "PIN not set\n");
		return -1;
	}

	/* Now login in with the (possibly NULL) pin */
	if (PKCS11_login(slot, 0, pin)) {
	/* Login failed, so free the PIN if present */
		if (pin != NULL) {
			OPENSSL_cleanse(pin, pin_length);
			free(pin);
			pin = NULL;
			pin_length = 0;
		}
		fprintf(stderr, "Login failed\n");
		return -1;
	}
	return 0;
}

int store_cert_ctrl(ENGINE * e, void *p)
{
	struct {
		int slot_nr;
		unsigned char *cert_id;
		size_t cert_id_len;
		char *cert_label;
		X509 *cert;
	} *parms = p;

	if (parms->cert == NULL)
		return 0;

	if (pkcs11_store_cert(e, parms->slot_nr, parms->cert_id,
						parms->cert_id_len, parms->cert_label, parms->cert))
		return 0;

	return 1;
}

int store_cert_cmd(ENGINE * e, const char *p)
{
	int n, rv=0;
	unsigned char cert_id[MAX_VALUE_LEN / 2];
	size_t cert_id_len = sizeof(cert_id);
	char *cert_label = NULL;
	char *cert_file = NULL;
	int slot_nr = -1;
	unsigned char data[MAX_OBJECT_SIZE];
	const unsigned char *pp = data;
	int data_len = 0;
	FILE *f;
	X509 *x;

	if (!p || !*p) {
		fprintf(stderr, "no parameter\n");
		return 0;
	}

	n = parse_cert_store_string(p, &slot_nr, cert_id, &cert_id_len,
								&cert_label, &cert_file);
	if (n) {
		fprintf(stderr,
			"supported format: slot_<slot>:id_<id>:label_<label>:cert_<filename>\n");
		fprintf(stderr,
			"where <slot> is the slot number as normal integer,\n");
		fprintf(stderr,
			"and <id> is the id number as hex string.\n");
		fprintf(stderr,
			"and <label> is the textual cert label string.\n");
		fprintf(stderr,
			"and <filename> is the cert filename with full path.\n");
		goto store_cert_err_out;
	}

	f = fopen(cert_file, "rb");
	if (f == NULL) {
		fprintf(stderr, "Couldn't open cert file \"%s\"\n", cert_file);
		goto store_cert_err_out;
	}

	data_len = fread(data, 1, sizeof(data), f);

	if (data_len < 0) {
		fprintf(stderr, "Couldn't read from file \"%s\"\n", cert_file);
		goto store_cert_err_out;
	}

	x = d2i_X509(NULL, &pp, data_len); 
	if (!x) {
		fprintf(stderr, "OpenSSL cert parse error\n");
		goto store_cert_err_out;
	}

	/* No ID specified */
	if (cert_id_len == sizeof(cert_id))
		cert_id_len = 0;

	if (verbose) {
		fprintf(stderr, "Storing cert(%s) in slot(%d) with label(%s) and id(",
			cert_file, slot_nr, cert_label);
			for (n = 0; n < cert_id_len; n++)
				fprintf(stderr, "%02x", cert_id[n]);
			fprintf(stderr, ")\n");
	}

	if (pkcs11_store_cert(e, slot_nr, cert_id, cert_id_len, cert_label, x))
		goto store_cert_err_out;

	rv = 1;

store_cert_err_out:
	if (f) fclose(f);
	return rv;
}

static int pkcs11_store_cert
(
	ENGINE * e,
	int slot_nr,
	unsigned char *cert_id,
	size_t cert_id_len,
	char *cert_label,
	X509 *x
)
{
	PKCS11_SLOT *slot_list, *slot;
	PKCS11_SLOT *found_slot = NULL;
	PKCS11_TOKEN *tok;
	PKCS11_CERT *certs, *ret_cert = NULL;
	unsigned int slot_count, cert_count;
	char flags[64];
	int n,m;

	if (ctx == NULL) {
		pkcs11_init(e);
	}

	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
		fprintf(stderr, "failed to enumerate slots\n");
		return -1;
	}

	if (verbose) {
		fprintf(stderr, "Found %u slots\n", slot_count);
	}

	for (n = 0; n < slot_count; n++) {
		slot = slot_list + n;
		flags[0] = '\0';
		if (slot->token) {
			if (!slot->token->initialized)
				strcat(flags, "uninitialized, ");
			else if (!slot->token->userPinSet)
				strcat(flags, "no pin, ");
			if (slot->token->loginRequired)
				strcat(flags, "login, ");
			if (slot->token->readOnly)
				strcat(flags, "ro, ");
		} else {
			strcpy(flags, "no token");
		}
		if ((m = strlen(flags)) != 0) {
			flags[m - 2] = '\0';
		}

		if (slot_nr != -1 &&
			slot_nr == PKCS11_get_slotid_from_slot(slot)) {
			found_slot = slot;
		}

		if (verbose) {
			fprintf(stderr, "[%lu] %-25.25s  %-16s",
				PKCS11_get_slotid_from_slot(slot),
				slot->description, flags);
			if (slot->token) {
				fprintf(stderr, "  (%s)",
					slot->token->label[0] ?
					slot->token->label : "no label");
			}
			fprintf(stderr, "\n");
		}
	}

	if (found_slot) {
		slot = found_slot; 
	} else {
		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
		goto err_out;
	}

	tok = slot->token;

	if (tok == NULL) {
		fprintf(stderr, "Found empty token; \n");
		goto err_out;
	}

	if (verbose) {
		fprintf(stderr, "Found slot:  %s\n", slot->description);
		fprintf(stderr, "Found token: %s\n", slot->token->label);
	}

	if ((tok->loginRequired) && (do_login(slot))) {
		fprintf(stderr, "failed to login\n");
		goto err_out;
	}

	/* Enumerate certs to initialize libp11 cert count */
	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
		fprintf(stderr, "unable to enumerate certificates\n");
		goto err_out;
	}

	if (PKCS11_store_certificate(tok, x, cert_label, cert_id,
								cert_id_len, &ret_cert)) {
		fprintf(stderr, "failed to store cert\n");
		goto err_out;
	}

	return 0;

err_out:
	PKCS11_release_all_slots(ctx, slot_list, slot_count);
	return -1;
}

static int parse_cert_store_string
(
	const char *cert_store_str,
	int *slot,
	unsigned char *id,
	size_t * id_len,
	char **label,
	char **cert_file
)
{
	char *token;
	const char *sep = ":";
	char *str = (char *)cert_store_str;

	if (!cert_store_str)
		return -1;

	/* Default values */
	*slot = 0;
	*label = NULL;
	*cert_file = NULL;

	token = strtok(str, sep);

	while (token) {

		/* slot identifier */
		if (!strncmp(token, "slot_", 5)) {
			/* slot is a decimal number */
			if (sscanf(token + 5, "%d", slot) != 1) {
				fprintf(stderr, "slot number not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "id_", 3)) {
			/* certificate ID */
			/* id is hexadecimal number */
			if (!hex_to_bin(token + 3, id, id_len)) {
				fprintf(stderr, "id not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "label_", 6)) {
			/* label */
			/*  label is string */
			*label = strdup(token + 6);
			if (*label == NULL) {
				fprintf(stderr, "label not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "cert_", 5)) {
			/* cert file name */
			*cert_file = strdup(token + 5);
			if (*cert_file == NULL) {
				fprintf(stderr, "cert file not deciphered!\n");
				return -1;
			}
		}
		token = strtok(NULL, sep);
	} /* end while(token) */

	if (*cert_file == NULL) {
		fprintf(stderr, "cert file name not present!\n");
		return -1;
	}

	return 0;
}

int gen_key_cmd(ENGINE * e, const char *p)
{
	int key_size, n;
	unsigned char key_id[MAX_VALUE_LEN / 2];
	size_t key_id_len = sizeof(key_id);
	char *key_label = NULL;
	int slot_nr = -1;

	if (!p || !*p) {
		fprintf(stderr, "no parameter\n");
		return 0;
	}

	n = parse_key_gen_string(p, &slot_nr, &key_size, key_id, &key_id_len,
							 &key_label);
	if (n) {
		fprintf(stderr,
			"supported format: slot_<slot>:size_<size>:id_<id>:label_<label>\n");
		fprintf(stderr,
			"where <slot> is the slot number as normal integer,\n");
		fprintf(stderr,
			"and <size> is the RSA key size in bits.\n");
		fprintf(stderr,
			"and <id> is the id number as hex string.\n");
		fprintf(stderr,
			"and <label> is the textual cert label string.\n");
		goto gen_key_err_out;
	}

	if (verbose) {
		fprintf(stderr, "Generating %dbits RSA key in slot(%d) with label(%s) and id(",
			key_size, slot_nr, key_label);
			for (n = 0; n < key_id_len; n++)
				fprintf(stderr, "%02x", key_id[n]);
			fprintf(stderr, ")\n");
	}

	if (pkcs11_gen_key(e, slot_nr, (unsigned int)key_size, key_id, key_id_len, key_label))
		goto gen_key_err_out;

	return 1;

gen_key_err_out:
	return 0;

}

static int parse_key_gen_string
(
	const char *key_gen_str,
	int *slot,
	int *key_size,
	unsigned char *id,
	size_t * id_len,
	char **label
)
{
	char *token;
	const char *sep = ":";
	char *str = (char *)key_gen_str;

	if (!key_gen_str)
		return -1;

	/* Default values */
	*slot = 0;
	*label = NULL;
	*key_size = -1;

	token = strtok(str, sep);

	while (token) {

		/* slot identifier */
		if (!strncmp(token, "slot_", 5)) {
			/* slot is a decimal number */
			if (sscanf(token + 5, "%d", slot) != 1) {
				fprintf(stderr, "slot number not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "id_", 3)) {
			/* certificate ID */
			/* id is hexadecimal number */
			if (!hex_to_bin(token + 3, id, id_len)) {
				fprintf(stderr, "id not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "label_", 6)) {
			/* label */
			/*  label is string */
			*label = strdup(token + 6);
			if (*label == NULL) {
				fprintf(stderr, "label not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "size_", 5)) {
			/* key size in bits */
			if (sscanf(token + 5, "%d", key_size) != 1) {
				fprintf(stderr, "key size not deciphered!\n");
				return -1;
			}
		}
		token = strtok(NULL, sep);
	} /* end while(token) */

	if (*key_size == -1) {
		fprintf(stderr, "key size not present!\n");
		return -1;
	}

	return 0;
}

static int pkcs11_gen_key
(
	ENGINE * e,
	int slot_nr,
	unsigned int key_size,
	unsigned char *key_id,
	size_t key_id_len,
	char *key_label
)
{
	PKCS11_SLOT *slot_list, *slot;
	PKCS11_SLOT *found_slot = NULL;
	PKCS11_TOKEN *tok;
	PKCS11_KEY *keys, *ret_key = NULL;
	unsigned int slot_count, key_count;
	char flags[64];
	int n,m;

	if (ctx == NULL) {
		pkcs11_init(e);
	}

	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
		fprintf(stderr, "failed to enumerate slots\n");
		return -1;
	}

	if (verbose) {
		fprintf(stderr, "Found %u slots\n", slot_count);
	}

	for (n = 0; n < slot_count; n++) {
		slot = slot_list + n;
		flags[0] = '\0';
		if (slot->token) {
			if (!slot->token->initialized)
				strcat(flags, "uninitialized, ");
			else if (!slot->token->userPinSet)
				strcat(flags, "no pin, ");
			if (slot->token->loginRequired)
				strcat(flags, "login, ");
			if (slot->token->readOnly)
				strcat(flags, "ro, ");
		} else {
			strcpy(flags, "no token");
		}
		if ((m = strlen(flags)) != 0) {
			flags[m - 2] = '\0';
		}

		if (slot_nr != -1 &&
			slot_nr == PKCS11_get_slotid_from_slot(slot)) {
			found_slot = slot;
		}

		if (verbose) {
			fprintf(stderr, "[%lu] %-25.25s  %-16s",
				PKCS11_get_slotid_from_slot(slot),
				slot->description, flags);
			if (slot->token) {
				fprintf(stderr, "  (%s)",
					slot->token->label[0] ?
					slot->token->label : "no label");
			}
			fprintf(stderr, "\n");
		}
	}

	if (found_slot) {
		slot = found_slot; 
	} else {
		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
		goto err_out;
	}

	tok = slot->token;

	if (tok == NULL) {
		fprintf(stderr, "Found empty token; \n");
		goto err_out;
	}

	if (verbose) {
		fprintf(stderr, "Found slot:  %s\n", slot->description);
		fprintf(stderr, "Found token: %s\n", slot->token->label);
	}

	if ((tok->loginRequired) && (do_login(slot))) {
		fprintf(stderr, "failed to login\n");
		goto err_out;
	}

	/* Enumerate keys to initialize libp11 key count */
	if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
		fprintf(stderr, "unable to enumerate keys\n");
		goto err_out;
	}

	if (PKCS11_generate_key(tok, EVP_PKEY_RSA, key_size, key_label,
							key_id, key_id_len)) {
		fprintf(stderr, "failed to generate RSA key pair\n");
		goto err_out;
	}

	return 0;

err_out:
	PKCS11_release_all_slots(ctx, slot_list, slot_count);
	return -1;
}

int del_obj_cmd(ENGINE * e, const char *p)
{
	int n;
	unsigned char id[MAX_VALUE_LEN / 2];
	size_t id_len = sizeof(id);
	char *label = NULL, *type = NULL;
	int slot_nr = -1;

	if (!p || !*p) {
		fprintf(stderr, "no parameter\n");
		return 0;
	}

	n = parse_del_obj_string(p, &slot_nr, &type, id, &id_len, &label);
	if (n) {
		fprintf(stderr,
			"supported format: slot_<slot>:type_<type>:id_<id>:label_<label>:\n");
		fprintf(stderr,
			"where <slot> is the slot number as normal integer,\n");
		fprintf(stderr,
			"and <type> is the object type (privkey/pubkey/cert)\n");
		fprintf(stderr,
			"and <id> is the id number as hex string.\n");
		fprintf(stderr,
			"and <label> is the textual label string.\n");
		return 0;
	}

	/* No ID specified */
	if (id_len == sizeof(id))
		id_len = 0;

	if (verbose) {
		fprintf(stderr, "Deleting object type(%s) from slot(%d) with label(%s) and id(",
			type, slot_nr, label);
			for (n = 0; n < id_len; n++)
				fprintf(stderr, "%02x", id[n]);
			fprintf(stderr, ")\n");
	}

	if (pkcs11_del_obj(e, slot_nr, type, id, id_len, label))
		return 0;

	return 1;
}

static int parse_del_obj_string
(
	const char *del_obj_str,
	int *slot,
	char **type,
	unsigned char *id,
	size_t * id_len,
	char **label
)
{
	char *token;
	const char *sep = ":";
	char *str = (char *)del_obj_str;

	if (!del_obj_str)
		return -1;

	/* Default values */
	*slot = 0;
	*label = NULL;
	*type = NULL;

	token = strtok(str, sep);

	while (token) {

		/* slot identifier */
		if (!strncmp(token, "slot_", 5)) {
			/* slot is a decimal number */
			if (sscanf(token + 5, "%d", slot) != 1) {
				fprintf(stderr, "slot number not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "id_", 3)) {
			/* certificate ID */
			/* id is hexadecimal number */
			if (!hex_to_bin(token + 3, id, id_len)) {
				fprintf(stderr, "id not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "label_", 6)) {
			/* label */
			/*  label is string */
			*label = strdup(token + 6);
			if (*label == NULL) {
				fprintf(stderr, "label not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "type_", 5)) {
			/* Object type */
			*type = strdup(token + 5);
			if (*type == NULL) {
				fprintf(stderr, "type not deciphered!\n");
				return -1;
			}
		}
		token = strtok(NULL, sep);
	} /* end while(token) */

	if (*type == NULL) {
		fprintf(stderr, "type not present!\n");
		return -1;
	}

	return 0;
}

static int pkcs11_del_obj
(
	ENGINE * e,
	int slot_nr,
	char *type_str,
	unsigned char *id,
	size_t id_len,
	char *label
)
{
	PKCS11_SLOT *slot_list, *slot;
	PKCS11_SLOT *found_slot = NULL;
	PKCS11_TOKEN *tok;
	PKCS11_KEY *keys, *ret_key = NULL;
	unsigned int slot_count, key_count;
	char flags[64];
	int n,m, type, retval = -1;
#define TYPE_PRIVKEY	1
#define TYPE_PUBKEY	2
#define TYPE_CERT	3

	if (!strcmp(type_str, "privkey")) {
		type = TYPE_PRIVKEY;
	} else if (!strcmp(type_str, "pubkey")) {
		type = TYPE_PUBKEY;
	} else if (!strcmp(type_str, "cert")) {
		type = TYPE_CERT;
	} else {
		fprintf(stderr, "invalid object type(%s)\n", type_str);
		return retval;
	}

	if (ctx == NULL) {
		pkcs11_init(e);
	}

	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
		fprintf(stderr, "failed to enumerate slots\n");
		return retval;
	}

	if (verbose) {
		fprintf(stderr, "Found %u slots\n", slot_count);
	}

	for (n = 0; n < slot_count; n++) {
		slot = slot_list + n;
		flags[0] = '\0';
		if (slot->token) {
			if (!slot->token->initialized)
				strcat(flags, "uninitialized, ");
			else if (!slot->token->userPinSet)
				strcat(flags, "no pin, ");
			if (slot->token->loginRequired)
				strcat(flags, "login, ");
			if (slot->token->readOnly)
				strcat(flags, "ro, ");
		} else {
			strcpy(flags, "no token");
		}
		if ((m = strlen(flags)) != 0) {
			flags[m - 2] = '\0';
		}

		if (slot_nr != -1 &&
			slot_nr == PKCS11_get_slotid_from_slot(slot)) {
			found_slot = slot;
		}

		if (verbose) {
			fprintf(stderr, "[%lu] %-25.25s  %-16s",
				PKCS11_get_slotid_from_slot(slot),
				slot->description, flags);
			if (slot->token) {
				fprintf(stderr, "  (%s)",
					slot->token->label[0] ?
					slot->token->label : "no label");
			}
			fprintf(stderr, "\n");
		}
	}

	if (found_slot) {
		slot = found_slot; 
	} else {
		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
		goto err_out;
	}

	tok = slot->token;

	if (tok == NULL) {
		fprintf(stderr, "Found empty token; \n");
		goto err_out;
	}

	if (verbose) {
		fprintf(stderr, "Found slot:  %s\n", slot->description);
		fprintf(stderr, "Found token: %s\n", slot->token->label);
	}

	if ((tok->loginRequired) && (do_login(slot))) {
		fprintf(stderr, "failed to login\n");
		goto err_out;
	}

	switch(type) {
		case TYPE_CERT:
			if (PKCS11_remove_certificate(tok, label, id, id_len)) {
				fprintf(stderr, "failed to delete certificate\n");
				goto err_out;
			}
			break;

		case TYPE_PUBKEY:
			if (PKCS11_remove_public_key(tok, label, id, id_len)) {
				fprintf(stderr, "failed to delete public key\n");
				goto err_out;
			}
			break;

		case TYPE_PRIVKEY:
			if (PKCS11_remove_private_key(tok, label, id, id_len)) {
				fprintf(stderr, "failed to delete private key\n");
				goto err_out;
			}
			break;

		default:
			fprintf(stderr, "object type(%s) not supported\n", type_str);
			goto err_out;
			break;
	}

	retval = 0;
err_out:
	PKCS11_release_all_slots(ctx, slot_list, slot_count);
	return retval;
}

int get_pubkey_cmd(ENGINE * e, const char *p)
{
	int n, rv = 0;
	unsigned char key_id[MAX_VALUE_LEN / 2];
	size_t key_id_len = sizeof(key_id);
	char *key_label = NULL;
	char *key_file = NULL;
	int slot_nr = -1;
	unsigned char *pp, *data = NULL;
	int data_len = 0;
	FILE *f;
	EVP_PKEY *pk;
	RSA *rsa;

	if (!p || !*p) {
		fprintf(stderr, "no parameter\n");
		return 0;
	}

	n = parse_key_string(p, &slot_nr, key_id, &key_id_len,
				&key_label, &key_file);
	if (n) {
		fprintf(stderr,
			"supported format: slot_<slot>:id_<id>:label_<label>:key_<filename>\n");
		fprintf(stderr,
			"where <slot> is the slot number as normal integer,\n");
		fprintf(stderr,
			"and <id> is the id number as hex string.\n");
		fprintf(stderr,
			"and <label> is the textual key label string.\n");
		fprintf(stderr,
			"and <filename> is the key filename with full path.\n");
		goto get_pubkey_err_out;
	}

	f = fopen(key_file, "wb");
	if (f == NULL) {
		fprintf(stderr, "Couldn't open key file \"%s\"\n", key_file);
		goto get_pubkey_err_out;
	}

	/* No ID specified */
	if (key_id_len == sizeof(key_id))
		key_id_len = 0;

	if (verbose) {
		fprintf(stderr, "Getting public key in slot(%d) with label(%s) and id(",
			slot_nr, key_label);
			for (n = 0; n < key_id_len; n++)
				fprintf(stderr, "%02x", key_id[n]);
			fprintf(stderr, ")\n");
	}

	pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label, NULL, NULL, 0);
	if (pk == NULL) {
		fprintf(stderr, "PKCS11_load_public_key returned NULL\n");
		goto get_pubkey_err_out;
	}

	rsa = EVP_PKEY_get1_RSA(pk);
	if (rsa == NULL) {
		fprintf(stderr, "Couldn't retrieve RSA key form EVP_PKEY\n");
		goto get_pubkey_err_out;
	}

#if 0
	/* To store in DER format */
	data_len = i2d_RSAPublicKey(rsa, NULL); 
	if ((data = (unsigned char *)malloc(data_len)) == NULL) {
		fprintf(stderr, "couldn't allocate memory for key\n");
		goto get_pubkey_err_out;
	}
	pp = data;
	data_len = i2d_RSAPublicKey(rsa, &pp); 
	n = fwrite(data, 1, data_len, f);

	if (n != data_len) {
		fprintf(stderr, "Couldn't write to file \"%s\"\n", key_file);
		goto get_pubkey_err_out;
	}
#endif
	if (!PEM_write_RSA_PUBKEY(f, rsa)) {
		fprintf(stderr, "Couldn't write to file \"%s\"\n", key_file);
		goto get_pubkey_err_out;
	}

	rv = 1;

get_pubkey_err_out:
	if (f) fclose(f);
	if (data) free(data);
	return rv;

}

static int parse_key_string
(
	const char *key_get_str,
	int *slot,
	unsigned char *id,
	size_t * id_len,
	char **label,
	char **key_file
)
{
	char *token;
	const char *sep = ":";
	char *str = (char *)key_get_str;

	if (!key_get_str)
		return -1;

	/* Default values */
	*slot = 0;
	*label = NULL;
	*key_file = NULL;

	token = strtok(str, sep);

	while (token) {

		/* slot identifier */
		if (!strncmp(token, "slot_", 5)) {
			/* slot is a decimal number */
			if (sscanf(token + 5, "%d", slot) != 1) {
				fprintf(stderr, "slot number not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "id_", 3)) {
			/* certificate ID */
			/* id is hexadecimal number */
			if (!hex_to_bin(token + 3, id, id_len)) {
				fprintf(stderr, "id not deciphered!\n");
				return -1;
			}
		} else if (!strncmp(token, "label_", 6)) {
			/* label */
			/*  label is string */
			*label = strdup(token + 6);
			if (*label == NULL) {
				fprintf(stderr, "label not deciphered!\n");
				return -1;
			}
		} else if ((key_file) && (!strncmp(token, "key_", 4))) {
			/* key file name */
			*key_file = strdup(token + 4);
			if (*key_file == NULL) {
				fprintf(stderr, "key file not deciphered!\n");
				return -1;
			}
		}
		token = strtok(NULL, sep);
	} /* end while(token) */

	if ((key_file) && (*key_file == NULL)) {
		fprintf(stderr, "key file name not present!\n");
		return -1;
	}

	return 0;
}