Secure storage #3 DEV.ENGINE_PKCS11-01.03.00.00
authorAntti Lyytinen <a-lyytinen@ti.com>
Wed, 10 Dec 2014 12:14:27 +0000 (14:14 +0200)
committerAntti Lyytinen <a-lyytinen@ti.com>
Wed, 10 Dec 2014 12:14:27 +0000 (14:14 +0200)
src/engine_pkcs11.c

index 17a5fc3571eb2fc137604b48ce94612dca784e06..b79fb47ee45a5c67aeae567ae4c6da6bd037f7b0 100644 (file)
 
 #include <config.h>
 #include <stdio.h>
+#include <limits.h>
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/objects.h>
 #include <openssl/engine.h>
 #include <libp11.h>
 #include "engine_pkcs11.h"
+#include <syslog.h>
 
 #ifdef _WIN32
 #define strncasecmp strnicmp
 #endif
 
-#define fail(msg) { fprintf(stderr,msg); return NULL;}
+#define fail(msg) { Log(LOG_ERR,msg); return NULL;}
 
 /** The maximum length of an internally-allocated PIN */
 #define MAX_PIN_LENGTH   32
-
+#define FLAGS_LEN 64
 /* Maximum size of a token object */
 #define MAX_OBJECT_SIZE        5000
 
@@ -160,6 +162,21 @@ static char *module = NULL;
 
 static char *init_args = NULL;
 
+static void Log(int const loglevel, char const * const format, ...)
+{
+       char tmp[256];
+       va_list args;
+
+       va_start(args, format);
+       vsnprintf(tmp, 256, format, args);
+       va_end(args);
+
+       // log it
+       syslog(loglevel, "engine_pkcs11: %s", tmp);
+       fprintf(stdout, "%s\n", tmp);
+}
+
+
 int set_module(const char *modulename)
 {
        module = modulename ? strdup(modulename) : NULL;
@@ -232,12 +249,12 @@ static int get_pin(UI_METHOD * ui_method, void *callback_data)
 
        if (!UI_add_input_string
            (ui, "PKCS#11 token PIN: ", 0, pin, 1, MAX_PIN_LENGTH)) {
-               fprintf(stderr, "UI_add_input_string failed\n");
+               Log(LOG_ERR, "UI_add_input_string failed");
                UI_free(ui);
                return 0;
        }
        if (UI_process(ui)) {
-               fprintf(stderr, "UI_process failed\n");
+               Log(LOG_ERR,  "UI_process failed");
                UI_free(ui);
                return 0;
        }
@@ -263,7 +280,7 @@ static void free_pkcs11_ctx()
 int pkcs11_finish(ENGINE * engine)
 {
        if (verbose) {
-               fprintf(stderr, "engine finish\n");
+               Log(LOG_INFO,  "engine finish");
        }
 
        free_pkcs11_ctx();
@@ -280,12 +297,12 @@ int pkcs11_finish(ENGINE * engine)
 int pkcs11_init(ENGINE * engine)
 {
        if (verbose) {
-               fprintf(stderr, "initializing engine\n");
+               Log(LOG_INFO,  "initializing engine");
        }
        ctx = PKCS11_CTX_new();
         PKCS11_CTX_init_args(ctx, init_args);
        if (PKCS11_CTX_load(ctx, module) < 0) {
-               fprintf(stderr, "unable to load module %s\n", module);
+               Log(LOG_ERR,  "unable to load module %s", module);
                return 0;
        }
        return 1;
@@ -332,8 +349,8 @@ static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen)
                        else if ('A' <= c && c <= 'F')
                                c = c - 'A' + 10;
                        else {
-                               fprintf(stderr,
-                                       "hex_to_bin(): invalid char '%c' in hex string\n",
+                               Log(LOG_ERR,
+                                       "hex_to_bin(): invalid char '%c' in hex string",
                                        c);
                                *outlen = 0;
                                return 0;
@@ -343,7 +360,7 @@ static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen)
                if (*in == ':')
                        in++;
                if (left <= 0) {
-                       fprintf(stderr, "hex_to_bin(): hex string too long\n");
+                       Log(LOG_ERR,  "hex_to_bin(): hex string too long");
                        *outlen = 0;
                        return 0;
                }
@@ -355,6 +372,30 @@ static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen)
        return 1;
 }
 
+static int str_to_dec(char const * const inPtr, int *dst) {
+       int ret = 1;
+       long val;
+
+       char *endptr;
+
+       errno = 0;      /* To distinguish success/failure after call */
+       val = strtol(inPtr, &endptr, 10);
+
+       /* Check for various possible errors */
+       if ((errno == ERANGE && (val == LONG_MAX || val == LONG_MIN)) || (errno != 0 && val == 0)) {
+               Log(LOG_ERR, "String to dec conversion failed");
+               ret = 0;
+       }
+       if (endptr == inPtr) {
+               Log(LOG_ERR, "No digits were found");
+               ret = 0;
+       }
+       if(ret) {
+               *dst = (int)val;
+       }
+       return ret;
+}
+
 /* parse string containing slot and id information */
 
 static int parse_slot_id_string(const char *slot_id, int *slot,
@@ -374,7 +415,7 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
        if (strspn(slot_id, HEXDIGITS) == strlen(slot_id)) {
                /* ah, easiest case: only hex. */
                if ((strlen(slot_id) + 1) / 2 > *id_len) {
-                       fprintf(stderr, "id string too long!\n");
+                       Log(LOG_ERR,  "id string too long!");
                        return 0;
                }
                *slot = 0;
@@ -382,11 +423,11 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
        }
 
        /* second: slot:id. slot is an digital int. */
-       if (sscanf(slot_id, "%d", &n) == 1) {
+       if (str_to_dec(slot_id, &n) == 1) {
                i = strspn(slot_id, DIGITS);
 
                if (slot_id[i] != ':') {
-                       fprintf(stderr, "could not parse string!\n");
+                       Log(LOG_ERR,  "could not parse string!");
                        return 0;
                }
                i++;
@@ -396,12 +437,12 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
                        return 1;
                }
                if (strspn(slot_id + i, HEXDIGITS) + i != strlen(slot_id)) {
-                       fprintf(stderr, "could not parse string!\n");
+                       Log(LOG_ERR,  "could not parse string!");
                        return 0;
                }
                /* ah, rest is hex */
                if ((strlen(slot_id) - i + 1) / 2 > *id_len) {
-                       fprintf(stderr, "id string too long!\n");
+                       Log(LOG_ERR,  "id string too long!");
                        return 0;
                }
                *slot = n;
@@ -411,12 +452,12 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
        /* third: id_<id>  */
        if (strncmp(slot_id, "id_", 3) == 0) {
                if (strspn(slot_id + 3, HEXDIGITS) + 3 != strlen(slot_id)) {
-                       fprintf(stderr, "could not parse string!\n");
+                       Log(LOG_ERR,  "could not parse string!");
                        return 0;
                }
                /* ah, rest is hex */
                if ((strlen(slot_id) - 3 + 1) / 2 > *id_len) {
-                       fprintf(stderr, "id string too long!\n");
+                       Log(LOG_ERR,  "id string too long!");
                        return 0;
                }
                *slot = 0;
@@ -432,13 +473,13 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
        /* last try: it has to be slot_<slot> and then "-id_<cert>" */
 
        if (strncmp(slot_id, "slot_", 5) != 0) {
-               fprintf(stderr, "format not recognized!\n");
+               Log(LOG_ERR,  "format not recognized!");
                return 0;
        }
 
        /* slot is an digital int. */
-       if (sscanf(slot_id + 5, "%d", &n) != 1) {
-               fprintf(stderr, "slot number not deciphered!\n");
+       if (str_to_dec(slot_id + 5, &n) != 1) {
+               Log(LOG_ERR,  "slot number not deciphered!");
                return 0;
        }
 
@@ -451,7 +492,7 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
        }
 
        if (slot_id[i + 5] != '-') {
-               fprintf(stderr, "could not parse string!\n");
+               Log(LOG_ERR,  "could not parse string!");
                return 0;
        }
 
@@ -461,12 +502,12 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
        if (strncmp(slot_id + i, "id_", 3) == 0) {
                if (strspn(slot_id + i + 3, HEXDIGITS) + 3 + i !=
                    strlen(slot_id)) {
-                       fprintf(stderr, "could not parse string!\n");
+                       Log(LOG_ERR,  "could not parse string!");
                        return 0;
                }
                /* ah, rest is hex */
                if ((strlen(slot_id) - i - 3 + 1) / 2 > *id_len) {
-                       fprintf(stderr, "id string too long!\n");
+                       Log(LOG_ERR,  "id string too long!");
                        return 0;
                }
                *slot = n;
@@ -479,7 +520,7 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
                return (*label = strdup(slot_id + i + 6)) != NULL;
        }
 
-       fprintf(stderr, "could not parse string!\n");
+       Log(LOG_ERR,  "could not parse string!");
        return 0;
 }
 
@@ -503,7 +544,7 @@ static X509 *pkcs11_load_cert
        PKCS11_CERT *certs, *selected_cert = NULL;
        X509 *x509 = NULL;
        unsigned int slot_count, cert_count, n, m;
-       char flags[64];
+       char flags[FLAGS_LEN];
        int local_init = 0;
 
        if (ctx == NULL) {
@@ -511,11 +552,11 @@ static X509 *pkcs11_load_cert
                local_init = 1;
        }
 
-       if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0)
-               fail("failed to enumerate slots\n");
-
+       if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0) {
+               fail("failed to enumerate slots");
+       }
        if (verbose) {
-               fprintf(stderr, "Found %u slot%s\n", slot_count,
+               Log(LOG_INFO,  "Found %u slot%s", slot_count,
                        (slot_count <= 1) ? "" : "s");
        }
 
@@ -524,15 +565,15 @@ static X509 *pkcs11_load_cert
                flags[0] = '\0';
                if (slot->token) {
                        if (!slot->token->initialized)
-                               strcat(flags, "uninitialized, ");
+                               strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
                        else if (!slot->token->userPinSet)
-                               strcat(flags, "no pin, ");
+                               strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->loginRequired)
-                               strcat(flags, "login, ");
+                               strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->readOnly)
-                               strcat(flags, "ro, ");
+                               strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
                } else {
-                       strcpy(flags, "no token");
+                       strncpy(flags, "no token", sizeof(flags));
                }
                if ((m = strlen(flags)) != 0) {
                        flags[m - 2] = '\0';
@@ -544,49 +585,48 @@ static X509 *pkcs11_load_cert
                }
 
                if (verbose) {
-                       fprintf(stderr, "[%lu] %-25.25s  %-16s",
+                       Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
                                PKCS11_get_slotid_from_slot(slot),
                                slot->description, flags);
                        if (slot->token) {
-                               fprintf(stderr, "  (%s)",
+                               Log(LOG_INFO,  "  (%s)",
                                        slot->token->label[0] ?
                                        slot->token->label : "no label");
                        }
-                       fprintf(stderr, "\n");
                }
        }
 
        if (found_slot) {
                slot = found_slot; 
        } else {
-               fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+               Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
                goto err_out;
        }
 
        tok = slot->token;
 
        if (tok == NULL) {
-               fprintf(stderr, "Found empty token; \n");
+               Log(LOG_ERR,  "Found empty token; ");
                goto err_out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found slot:  %s\n", slot->description);
-               fprintf(stderr, "Found token: %s\n", slot->token->label);
+               Log(LOG_INFO,  "Found slot:  %s", slot->description);
+               Log(LOG_INFO,  "Found token: %s", slot->token->label);
        }
 
        if ((tok->loginRequired) && (do_login(slot))) {
-               fprintf(stderr, "failed to login\n");
+               Log(LOG_ERR,  "failed to login");
                goto err_out;
        }
 
        if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
-               fprintf(stderr, "unable to enumerate certificates\n");
+               Log(LOG_ERR,  "unable to enumerate certificates");
                goto err_out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found %u cert%s:\n", cert_count,
+               Log(LOG_INFO,  "Found %u cert%s:", cert_count,
                        (cert_count <= 1) ? "" : "s");
        }
 
@@ -639,7 +679,7 @@ static X509 *pkcs11_load_cert
        }
 
        if (selected_cert == NULL) {
-               fprintf(stderr, "certificate not found.\n");
+               Log(LOG_ERR,  "certificate not found.");
                goto err_out;
        }
 
@@ -667,7 +707,7 @@ err_out:
 
 out:
        if (local_init) {
-               free_pkcs11_ctx(e);
+               free_pkcs11_ctx();
        }
        return x509;
 }
@@ -726,7 +766,7 @@ static EVP_PKEY *pkcs11_load_key
        PKCS11_CERT *certs;
        EVP_PKEY *pk = NULL;
        unsigned int slot_count, cert_count, key_count, n, m;
-       char flags[64];
+       char flags[FLAGS_LEN];
        int local_init = 0;
 
        if (ctx == NULL) {
@@ -735,10 +775,10 @@ static EVP_PKEY *pkcs11_load_key
        }
 
        if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0)
-               fail("failed to enumerate slots\n");
+               fail("failed to enumerate slots");
 
        if (verbose) {
-               fprintf(stderr, "Found %u slot%s\n", slot_count,
+               Log(LOG_INFO,  "Found %u slot%s", slot_count,
                        (slot_count <= 1) ? "" : "s");
        }
 
@@ -747,15 +787,15 @@ static EVP_PKEY *pkcs11_load_key
                flags[0] = '\0';
                if (slot->token) {
                        if (!slot->token->initialized)
-                               strcat(flags, "uninitialized, ");
+                               strncat(flags, "uninitialized, ", FLAGS_LEN - strlen(flags) - 1);
                        else if (!slot->token->userPinSet)
-                               strcat(flags, "no pin, ");
+                               strncat(flags, "no pin, ", FLAGS_LEN - strlen(flags) - 1);
                        if (slot->token->loginRequired)
-                               strcat(flags, "login, ");
+                               strncat(flags, "login, ", FLAGS_LEN - strlen(flags) - 1);
                        if (slot->token->readOnly)
-                               strcat(flags, "ro, ");
+                               strncat(flags, "ro, ", FLAGS_LEN - strlen(flags) - 1);
                } else {
-                       strcpy(flags, "no token");
+                       strncpy(flags, "no token", sizeof(flags));
                }
                if ((m = strlen(flags)) != 0) {
                        flags[m - 2] = '\0';
@@ -767,67 +807,65 @@ static EVP_PKEY *pkcs11_load_key
                }
 
                if (verbose) {
-                       fprintf(stderr, "[%lu] %-25.25s  %-16s",
+                       Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
                                PKCS11_get_slotid_from_slot(slot),
                                slot->description, flags);
                        if (slot->token) {
-                               fprintf(stderr, "  (%s)",
+                               Log(LOG_INFO,  "  (%s)",
                                        slot->token->label[0] ?
                                        slot->token->label : "no label");
                        }
-                       fprintf(stderr, "\n");
                }
        }
 
        if (slot_nr == -1) {
                if (!(slot = PKCS11_find_token(ctx, slot_list, slot_count)))
-                       fail("didn't find any tokens\n");
+                       fail("didn't find any tokens");
        } else if (found_slot) {
                slot = found_slot;
        } else {
-               fprintf(stderr, "Invalid slot number: %d\n", slot_nr);
+               Log(LOG_ERR,  "Invalid slot number: %d", slot_nr);
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
        tok = slot->token;
 
        if (tok == NULL) {
-               fprintf(stderr, "Found empty token; \n");
+               Log(LOG_INFO,  "Found empty token; ");
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
 
        if (isPrivate && !tok->userPinSet && !tok->readOnly) {
-               fprintf(stderr, "Found slot without user PIN\n");
+               Log(LOG_INFO,  "Found slot without user PIN");
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found slot:  %s\n", slot->description);
-               fprintf(stderr, "Found token: %s\n", slot->token->label);
+               Log(LOG_INFO,  "Found slot:  %s", slot->description);
+               Log(LOG_INFO,  "Found token: %s", slot->token->label);
        }
 
 #ifdef DEBUG
        if (PKCS11_enumerate_certs(tok, &certs, &cert_count))
-               fail("unable to enumerate certificates\n");
+               fail("unable to enumerate certificates");
 
        if (verbose) {
-               fprintf(stderr, "Found %u certificate%s:\n", cert_count,
+               Log(LOG_INFO,  "Found %u certificate%s:", cert_count,
                        (cert_count <= 1) ? "" : "s");
                for (n = 0; n < cert_count; n++) {
                        PKCS11_CERT *c = certs + n;
                        char *dn = NULL;
 
-                       fprintf(stderr, "  %2u    %s", n + 1, c->label);
+                       Log(LOG_INFO,  "  %2u   %s", n + 1, c->label);
                        if (c->x509)
                                dn = X509_NAME_oneline(X509_get_subject_name
                                                       (c->x509), NULL, 0);
                        if (dn) {
-                               fprintf(stderr, " (%s)", dn);
+                               Log(LOG_INFO,  " (%s)", dn);
                                OPENSSL_free(dn);
                        }
-                       fprintf(stderr, "\n");
                }
        }
 #endif
@@ -870,7 +908,7 @@ static EVP_PKEY *pkcs11_load_key
                                pin = NULL;
                                pin_length = 0;
                        }
-                       fail("Login failed\n");
+                       fail("Login failed");
                }
                /* Login successful, PIN retained in case further logins are 
                   required. This will occur on subsequent calls to the
@@ -891,14 +929,14 @@ static EVP_PKEY *pkcs11_load_key
 
        /* Make sure there is at least one private key on the token */
        if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
-               fail("unable to enumerate keys\n");
+               fail("unable to enumerate keys");
        }
        if (key_count == 0) {
-               fail("No keys found.\n");
+               fail("No keys found.");
        }
 
        if (verbose) {
-               fprintf(stderr, "Found %u key%s:\n", key_count,
+               Log(LOG_INFO,  "Found %u key%s:", key_count,
                        (key_count <= 1) ? "" : "s");
        }
        if ((key_id_len != 0) || (key_label != NULL)) {
@@ -906,7 +944,7 @@ static EVP_PKEY *pkcs11_load_key
                        PKCS11_KEY *k = keys + n;
 
                        if (verbose) {
-                               fprintf(stderr, "  %2u %c%c %s\n", n + 1,
+                               Log(LOG_INFO,  "  %2u %c%c %s", n + 1,
                                        k->isPrivate ? 'P' : ' ',
                                        k->needLogin ? 'L' : ' ', k->label);
                        }
@@ -929,7 +967,7 @@ static EVP_PKEY *pkcs11_load_key
        }
 
        if (selected_key == NULL) {
-               fprintf(stderr, "key not found.\n");
+               Log(LOG_ERR,  "key not found.");
                goto out;
        }
 
@@ -941,7 +979,7 @@ static EVP_PKEY *pkcs11_load_key
 
 out:
        if (local_init) {
-               free_pkcs11_ctx(e);
+               free_pkcs11_ctx();
        }
 
        return pk;
@@ -960,21 +998,21 @@ EVP_PKEY *pkcs11_load_public_key(ENGINE * e, const char *s_key_id,
        n = parse_key_string(s_key_id, &slot_nr, key_id, &key_id_len,
                                &key_label, NULL);
        if (n) {
-               fprintf(stderr,
-                       "supported format: slot_<slot>:id_<id>:label_<label>\n");
-               fprintf(stderr,
-                       "where <slot> is the slot number as normal integer,\n");
-               fprintf(stderr,
-                       "and <id> is the id number as hex string.\n");
-               fprintf(stderr,
-                       "and <label> is the textual key label string.\n");
+               Log(LOG_INFO,
+                       "supported format: slot_<slot>:id_<id>:label_<label>");
+               Log(LOG_INFO,
+                       "where <slot> is the slot number as normal integer,");
+               Log(LOG_INFO,
+                       "and <id> is the id number as hex string.");
+               Log(LOG_INFO,
+                       "and <label> is the textual key label string.");
                return NULL;
        }
 
        pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label,
                        ui_method, callback_data, 0);
        if (pk == NULL)
-               fprintf(stderr, "PKCS11_load_public_key returned NULL\n");
+               Log(LOG_INFO,  "PKCS11_load_public_key returned NULL");
 
     if (key_label) free(key_label);
        return pk;
@@ -993,21 +1031,21 @@ EVP_PKEY *pkcs11_load_private_key(ENGINE * e, const char *s_key_id,
        n = parse_key_string(s_key_id, &slot_nr, key_id, &key_id_len,
                                &key_label, NULL);
        if (n) {
-               fprintf(stderr,
-                       "supported format: slot_<slot>:id_<id>:label_<label>\n");
-               fprintf(stderr,
-                       "where <slot> is the slot number as normal integer,\n");
-               fprintf(stderr,
-                       "and <id> is the id number as hex string.\n");
-               fprintf(stderr,
-                       "and <label> is the textual key label string.\n");
+               Log(LOG_INFO,
+                       "supported format: slot_<slot>:id_<id>:label_<label>");
+               Log(LOG_INFO,
+                       "where <slot> is the slot number as normal integer,");
+               Log(LOG_INFO,
+                       "and <id> is the id number as hex string.");
+               Log(LOG_INFO,
+                       "and <label> is the textual key label string.");
                return NULL;
        }
 
        pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label,
                        ui_method, callback_data, 1);
        if (pk == NULL)
-               fprintf(stderr, "PKCS11_get_private_key returned NULL\n");
+               Log(LOG_INFO,  "PKCS11_get_private_key returned NULL");
 
     if (key_label) free(key_label);
        return pk;
@@ -1024,12 +1062,12 @@ int list_token_objects
        PKCS11_CERT *certs;
        PKCS11_KEY *keys;
        unsigned int slot_count, cert_count, key_count, m, n, i;
-       char flags[64];
+       char flags[FLAGS_LEN];
        int local_init = 0;
        int ret_val = 0;
 
        if (verbose) {
-               fprintf(stderr, "Displaying token objects from slot %d\n", (int)slot_nr);
+               Log(LOG_INFO,  "Displaying token objects from slot %d", (int)slot_nr);
        }
 
        if (ctx == NULL) {
@@ -1037,12 +1075,12 @@ int list_token_objects
                local_init = 1;
        }
        if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-               fprintf(stderr, "failed to enumerate slots\n");
+               Log(LOG_ERR,  "failed to enumerate slots");
                goto out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found %u slots\n", slot_count);
+               Log(LOG_INFO,  "Found %u slots", slot_count);
        }
 
        for (n = 0; n < slot_count; n++) {
@@ -1050,15 +1088,15 @@ int list_token_objects
                flags[0] = '\0';
                if (slot->token) {
                        if (!slot->token->initialized)
-                               strcat(flags, "uninitialized, ");
+                               strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
                        else if (!slot->token->userPinSet)
-                               strcat(flags, "no pin, ");
+                               strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->loginRequired)
-                               strcat(flags, "login, ");
+                               strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->readOnly)
-                               strcat(flags, "ro, ");
+                               strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
                } else {
-                       strcpy(flags, "no token");
+                       strncpy(flags, "no token", sizeof(flags));
                }
                if ((m = strlen(flags)) != 0) {
                        flags[m - 2] = '\0';
@@ -1070,22 +1108,21 @@ int list_token_objects
                }
 
                if (verbose) {
-                       fprintf(stderr, "[%lu] %-25.25s  %-16s",
+                       Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
                                PKCS11_get_slotid_from_slot(slot),
                                slot->description, flags);
                        if (slot->token) {
-                               fprintf(stderr, "  (%s)",
+                               Log(LOG_INFO,  "  (%s)",
                                        slot->token->label[0] ?
                                        slot->token->label : "no label");
                        }
-                       fprintf(stderr, "\n");
                }
        }
 
        if (found_slot) {
                slot = found_slot; 
        } else {
-               fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+               Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
@@ -1093,78 +1130,81 @@ int list_token_objects
        tok = slot->token;
 
        if (tok == NULL) {
-               fprintf(stderr, "Found empty token; \n");
+               Log(LOG_ERR,  "Found empty token; ");
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found slot:  %s\n", slot->description);
-               fprintf(stderr, "Found token: %s\n", slot->token->label);
+               Log(LOG_INFO,  "Found slot:  %s", slot->description);
+               Log(LOG_INFO,  "Found token: %s", slot->token->label);
        }
 
        if ((tok->loginRequired) && (do_login(slot))) {
-               fprintf(stderr, "failed to login\n");
+               Log(LOG_ERR,  "failed to login");
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
 
        if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
-               fprintf(stderr, "unable to enumerate certificates\n");
+               Log(LOG_ERR,  "unable to enumerate certificates");
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
 
        for (n=0; n<cert_count; n++) {
+               char tmp[MAX_VALUE_LEN];
                PKCS11_CERT *c = certs + n;
                char *dn = NULL;
 
-               fprintf(stderr, "Certificate Object:\n"); 
-               fprintf(stderr, "\ttype: X.509 cert\n"); 
-               fprintf(stderr, "\tlabel: %s\n", c->label); 
-               fprintf(stderr, "\tID: "); 
-               for (i = 0; i < c->id_len; i++)
-                       printf("%02x", c->id[i]);
-               printf("\n");
+               Log(LOG_INFO,  "Certificate Object:");
+               Log(LOG_INFO,  "\ttype: X.509 cert");
+               Log(LOG_INFO,  "\tlabel: %s", c->label);
+               for (i = 0; i < c->id_len; i++) {
+                       snprintf(&tmp[i*2], 2, "%02x", c->id[i]);
+               }
+               Log(LOG_INFO,  "\tID: %s", tmp);
 
                if (c->x509)
                        dn = X509_NAME_oneline(X509_get_subject_name(c->x509),
                                                NULL, 0);
                if (dn) {
-                       fprintf(stderr, "\tname: %s\n", dn);
+                       Log(LOG_INFO,  "\tname: %s", dn);
                        OPENSSL_free(dn);
                }
        }
 
        if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
-               fprintf(stderr, "unable to enumerate keys\n");
+               Log(LOG_ERR,  "unable to enumerate keys");
                PKCS11_release_all_slots(ctx, slot_list, slot_count);
                goto out;
        }
 
        for (n=0; n<key_count; n++) {
+               char tmp[MAX_VALUE_LEN];
+
                PKCS11_KEY *k = keys + n;
 
                if (k->isPrivate) {
-                       fprintf(stderr, "Private Key Object:\n"); 
-                       fprintf(stderr, "\ttype: RSA\n"); 
+                       Log(LOG_INFO,  "Private Key Object:");
+                       Log(LOG_INFO,  "\ttype: RSA");
                } else {
-                       fprintf(stderr, "Public Key Object:\n");
-                       fprintf(stderr, "\ttype: RSA %d bits\n",
+                       Log(LOG_INFO,  "Public Key Object:");
+                       Log(LOG_INFO,  "\ttype: RSA %d bits",
                                (PKCS11_get_key_size(k)*8)); 
                }
-               fprintf(stderr, "\tlabel: %s\n", k->label); 
-               fprintf(stderr, "\tID: "); 
-               for (i = 0; i < k->id_len; i++)
-                       printf("%02x", k->id[i]);
-               printf("\n");
+               Log(LOG_INFO,  "\tlabel: %s", k->label);
+               for (i = 0; i < k->id_len; i++) {
+                       snprintf(&tmp[i*2], 2, "%02x", k->id[i]);
+               }
+               Log(LOG_INFO,  "\tID: %s", tmp);
        }
 
        ret_val = 1;
 
 out:
        if (local_init) {
-               free_pkcs11_ctx(e);
+               free_pkcs11_ctx();
        }
 
        return ret_val;
@@ -1175,7 +1215,7 @@ static int do_login(PKCS11_SLOT *slot)
        PKCS11_TOKEN *tok = slot->token;
 
        if (pin == NULL) {
-               fprintf(stderr, "PIN not set\n");
+               Log(LOG_INFO,  "PIN not set");
                return -1;
        }
 
@@ -1188,7 +1228,7 @@ static int do_login(PKCS11_SLOT *slot)
                        pin = NULL;
                        pin_length = 0;
                }
-               fprintf(stderr, "Login failed\n");
+               Log(LOG_ERR,  "Login failed");
                return -1;
        }
        return 0;
@@ -1219,46 +1259,46 @@ int store_cert_cmd(ENGINE * e, const char *p)
        unsigned char data[MAX_OBJECT_SIZE];
        const unsigned char *pp = data;
        int data_len = 0;
-       FILE *f;
+       FILE *f = NULL;
        X509 *x;
 
        if (!p || !*p) {
-               fprintf(stderr, "no parameter\n");
+               Log(LOG_ERR,  "no parameter");
                return 0;
        }
 
        n = parse_cert_store_string(p, &slot_nr, cert_id, &cert_id_len,
                                                                &cert_label, &cert_file);
        if (n) {
-               fprintf(stderr,
-                       "supported format: slot_<slot>:id_<id>:label_<label>:cert_<filename>\n");
-               fprintf(stderr,
-                       "where <slot> is the slot number as normal integer,\n");
-               fprintf(stderr,
-                       "and <id> is the id number as hex string.\n");
-               fprintf(stderr,
-                       "and <label> is the textual cert label string.\n");
-               fprintf(stderr,
-                       "and <filename> is the cert filename with full path.\n");
+               Log(LOG_INFO,
+                       "supported format: slot_<slot>:id_<id>:label_<label>:cert_<filename>");
+               Log(LOG_INFO,
+                       "where <slot> is the slot number as normal integer,");
+               Log(LOG_INFO,
+                       "and <id> is the id number as hex string.");
+               Log(LOG_INFO,
+                       "and <label> is the textual cert label string.");
+               Log(LOG_INFO,
+                       "and <filename> is the cert filename with full path.");
                goto store_cert_err_out;
        }
 
        f = fopen(cert_file, "rb");
        if (f == NULL) {
-               fprintf(stderr, "Couldn't open cert file \"%s\"\n", cert_file);
+               Log(LOG_ERR,  "Couldn't open cert file \"%s\"", cert_file);
                goto store_cert_err_out;
        }
 
        data_len = fread(data, 1, sizeof(data), f);
 
        if (data_len < 0) {
-               fprintf(stderr, "Couldn't read from file \"%s\"\n", cert_file);
+               Log(LOG_ERR,  "Couldn't read from file \"%s\"", cert_file);
                goto store_cert_err_out;
        }
 
        x = d2i_X509(NULL, &pp, data_len); 
        if (!x) {
-               fprintf(stderr, "OpenSSL cert parse error\n");
+               Log(LOG_ERR,  "OpenSSL cert parse error");
                goto store_cert_err_out;
        }
 
@@ -1267,11 +1307,12 @@ int store_cert_cmd(ENGINE * e, const char *p)
                cert_id_len = 0;
 
        if (verbose) {
-               fprintf(stderr, "Storing cert(%s) in slot(%d) with label(%s) and id(",
-                       cert_file, slot_nr, cert_label);
-                       for (n = 0; n < cert_id_len; n++)
-                               fprintf(stderr, "%02x", cert_id[n]);
-                       fprintf(stderr, ")\n");
+               char tmp[MAX_VALUE_LEN];
+               for (n = 0; n < cert_id_len; n++) {
+                       snprintf(&tmp[n*2], 2, "%02x", cert_id[n]);
+               }
+               Log(LOG_INFO, "Storing cert(%s) in slot(%d) with label(%s) and id(%s)",
+                       cert_file, slot_nr, cert_label, tmp);
        }
 
        if (pkcs11_store_cert(e, slot_nr, cert_id, cert_id_len, cert_label, x))
@@ -1301,7 +1342,7 @@ static int pkcs11_store_cert
        PKCS11_TOKEN *tok;
        PKCS11_CERT *certs, *ret_cert = NULL;
        unsigned int slot_count, cert_count;
-       char flags[64];
+       char flags[FLAGS_LEN];
        int n,m;
        int ret_val = -1;
        int local_init = 0;
@@ -1312,12 +1353,12 @@ static int pkcs11_store_cert
        }
 
        if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-               fprintf(stderr, "failed to enumerate slots\n");
+               Log(LOG_ERR,  "failed to enumerate slots");
                goto out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found %u slots\n", slot_count);
+               Log(LOG_INFO,  "Found %u slots", slot_count);
        }
 
        for (n = 0; n < slot_count; n++) {
@@ -1325,15 +1366,15 @@ static int pkcs11_store_cert
                flags[0] = '\0';
                if (slot->token) {
                        if (!slot->token->initialized)
-                               strcat(flags, "uninitialized, ");
+                               strncat(flags, "uninitialized, ", FLAGS_LEN - strlen(flags) - 1);
                        else if (!slot->token->userPinSet)
-                               strcat(flags, "no pin, ");
+                               strncat(flags, "no pin, ", FLAGS_LEN - strlen(flags) - 1);
                        if (slot->token->loginRequired)
-                               strcat(flags, "login, ");
+                               strncat(flags, "login, ", FLAGS_LEN - strlen(flags) - 1);
                        if (slot->token->readOnly)
-                               strcat(flags, "ro, ");
+                               strncat(flags, "ro, ", FLAGS_LEN - strlen(flags) - 1);
                } else {
-                       strcpy(flags, "no token");
+                       strncpy(flags, "no token", sizeof(flags));
                }
                if ((m = strlen(flags)) != 0) {
                        flags[m - 2] = '\0';
@@ -1345,51 +1386,50 @@ static int pkcs11_store_cert
                }
 
                if (verbose) {
-                       fprintf(stderr, "[%lu] %-25.25s  %-16s",
+                       Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
                                PKCS11_get_slotid_from_slot(slot),
                                slot->description, flags);
                        if (slot->token) {
-                               fprintf(stderr, "  (%s)",
+                               Log(LOG_INFO,  "  (%s)",
                                        slot->token->label[0] ?
                                        slot->token->label : "no label");
                        }
-                       fprintf(stderr, "\n");
                }
        }
 
        if (found_slot) {
                slot = found_slot; 
        } else {
-               fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+               Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
                goto err_out;
        }
 
        tok = slot->token;
 
        if (tok == NULL) {
-               fprintf(stderr, "Found empty token; \n");
+               Log(LOG_ERR,  "Found empty token; ");
                goto err_out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found slot:  %s\n", slot->description);
-               fprintf(stderr, "Found token: %s\n", slot->token->label);
+               Log(LOG_INFO,  "Found slot:  %s", slot->description);
+               Log(LOG_INFO,  "Found token: %s", slot->token->label);
        }
 
        if ((tok->loginRequired) && (do_login(slot))) {
-               fprintf(stderr, "failed to login\n");
+               Log(LOG_ERR,  "failed to login");
                goto err_out;
        }
 
        /* Enumerate certs to initialize libp11 cert count */
        if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
-               fprintf(stderr, "unable to enumerate certificates\n");
+               Log(LOG_ERR,  "unable to enumerate certificates");
                goto err_out;
        }
 
        if (PKCS11_store_certificate(tok, x, cert_label, cert_id,
                                                                cert_id_len, &ret_cert)) {
-               fprintf(stderr, "failed to store cert\n");
+               Log(LOG_ERR,  "failed to store cert");
                goto err_out;
        }
 
@@ -1401,7 +1441,7 @@ err_out:
 
 out:
        if(local_init) {
-               free_pkcs11_ctx(e);
+               free_pkcs11_ctx();
        }
 
        return ret_val;
@@ -1441,15 +1481,15 @@ static int parse_cert_store_string
                /* slot identifier */
                if (!strncmp(token, "slot_", 5)) {
                        /* slot is a decimal number */
-                       if (sscanf(token + 5, "%d", slot) != 1) {
-                               fprintf(stderr, "slot number not deciphered!\n");
+                       if (str_to_dec(token + 5, slot) != 1) {
+                               Log(LOG_ERR,  "slot number not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "id_", 3)) {
                        /* certificate ID */
                        /* id is hexadecimal number */
                        if (!hex_to_bin(token + 3, id, id_len)) {
-                               fprintf(stderr, "id not deciphered!\n");
+                               Log(LOG_ERR,  "id not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "label_", 6)) {
@@ -1457,14 +1497,14 @@ static int parse_cert_store_string
                        /*  label is string */
                        *label = strdup(token + 6);
                        if (*label == NULL) {
-                               fprintf(stderr, "label not deciphered!\n");
+                               Log(LOG_ERR,  "label not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "cert_", 5)) {
                        /* cert file name */
                        *cert_file = strdup(token + 5);
                        if (*cert_file == NULL) {
-                               fprintf(stderr, "cert file not deciphered!\n");
+                               Log(LOG_ERR,  "cert file not deciphered!");
                 goto err;
                        }
                }
@@ -1472,7 +1512,7 @@ static int parse_cert_store_string
        } /* end while(token) */
 
        if (*cert_file == NULL) {
-               fprintf(stderr, "cert file name not present!\n");
+               Log(LOG_ERR,  "cert file name not present!");
                goto err;
        }
 
@@ -1495,32 +1535,33 @@ int gen_key_cmd(ENGINE * e, const char *p)
     int rv = 0;
 
        if (!p || !*p) {
-               fprintf(stderr, "no parameter\n");
+               Log(LOG_ERR,  "no parameter");
                return 0;
        }
 
        n = parse_key_gen_string(p, &slot_nr, &key_size, key_id, &key_id_len,
                                                         &key_label);
        if (n) {
-               fprintf(stderr,
-                       "supported format: slot_<slot>:size_<size>:id_<id>:label_<label>\n");
-               fprintf(stderr,
-                       "where <slot> is the slot number as normal integer,\n");
-               fprintf(stderr,
-                       "and <size> is the RSA key size in bits.\n");
-               fprintf(stderr,
-                       "and <id> is the id number as hex string.\n");
-               fprintf(stderr,
-                       "and <label> is the textual cert label string.\n");
+               Log(LOG_INFO,
+                       "supported format: slot_<slot>:size_<size>:id_<id>:label_<label>");
+               Log(LOG_INFO,
+                       "where <slot> is the slot number as normal integer,");
+               Log(LOG_INFO,
+                       "and <size> is the RSA key size in bits.");
+               Log(LOG_INFO,
+                       "and <id> is the id number as hex string.");
+               Log(LOG_INFO,
+                       "and <label> is the textual cert label string.");
                goto gen_key_err_out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Generating %dbits RSA key in slot(%d) with label(%s) and id(",
-                       key_size, slot_nr, key_label);
-                       for (n = 0; n < key_id_len; n++)
-                               fprintf(stderr, "%02x", key_id[n]);
-                       fprintf(stderr, ")\n");
+               char tmp[MAX_VALUE_LEN];
+               for (n = 0; n < key_id_len; n++) {
+                       snprintf(&tmp[n*2], 2, "%02x", key_id[n]);
+               }
+               Log(LOG_INFO, "Generating %dbits RSA key in slot(%d) with label(%s) and id(s)",
+                       key_size, slot_nr, key_label, tmp);
        }
 
        if (pkcs11_gen_key(e, slot_nr, (unsigned int)key_size, key_id, key_id_len, key_label))
@@ -1568,15 +1609,15 @@ static int parse_key_gen_string
                /* slot identifier */
                if (!strncmp(token, "slot_", 5)) {
                        /* slot is a decimal number */
-                       if (sscanf(token + 5, "%d", slot) != 1) {
-                               fprintf(stderr, "slot number not deciphered!\n");
+                       if (str_to_dec(token + 5, slot) != 1) {
+                               Log(LOG_ERR,  "slot number not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "id_", 3)) {
                        /* certificate ID */
                        /* id is hexadecimal number */
                        if (!hex_to_bin(token + 3, id, id_len)) {
-                               fprintf(stderr, "id not deciphered!\n");
+                               Log(LOG_ERR,  "id not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "label_", 6)) {
@@ -1584,13 +1625,13 @@ static int parse_key_gen_string
                        /*  label is string */
                        *label = strdup(token + 6);
                        if (*label == NULL) {
-                               fprintf(stderr, "label not deciphered!\n");
+                               Log(LOG_ERR,  "label not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "size_", 5)) {
                        /* key size in bits */
-                       if (sscanf(token + 5, "%d", key_size) != 1) {
-                               fprintf(stderr, "key size not deciphered!\n");
+                       if (str_to_dec(token + 5, key_size) != 1) {
+                               Log(LOG_ERR,  "key size not deciphered!");
                 goto err;
                        }
                }
@@ -1598,7 +1639,7 @@ static int parse_key_gen_string
        } /* end while(token) */
 
        if (*key_size == -1) {
-               fprintf(stderr, "key size not present!\n");
+               Log(LOG_ERR,  "key size not present!");
         goto err;
        }
 
@@ -1624,7 +1665,7 @@ static int pkcs11_gen_key
        PKCS11_TOKEN *tok;
        PKCS11_KEY *keys, *ret_key = NULL;
        unsigned int slot_count, key_count;
-       char flags[64];
+       char flags[FLAGS_LEN];
        int n,m;
        int ret_val = -1;
        int local_init = 0;
@@ -1635,12 +1676,12 @@ static int pkcs11_gen_key
        }
 
        if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-               fprintf(stderr, "failed to enumerate slots\n");
+               Log(LOG_ERR,  "failed to enumerate slots");
                goto out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found %u slots\n", slot_count);
+               Log(LOG_INFO,  "Found %u slots", slot_count);
        }
 
        for (n = 0; n < slot_count; n++) {
@@ -1648,15 +1689,15 @@ static int pkcs11_gen_key
                flags[0] = '\0';
                if (slot->token) {
                        if (!slot->token->initialized)
-                               strcat(flags, "uninitialized, ");
+                               strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
                        else if (!slot->token->userPinSet)
-                               strcat(flags, "no pin, ");
+                               strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->loginRequired)
-                               strcat(flags, "login, ");
+                               strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->readOnly)
-                               strcat(flags, "ro, ");
+                               strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
                } else {
-                       strcpy(flags, "no token");
+                       strncpy(flags, "no token", sizeof(flags));
                }
                if ((m = strlen(flags)) != 0) {
                        flags[m - 2] = '\0';
@@ -1668,51 +1709,50 @@ static int pkcs11_gen_key
                }
 
                if (verbose) {
-                       fprintf(stderr, "[%lu] %-25.25s  %-16s",
+                       Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
                                PKCS11_get_slotid_from_slot(slot),
                                slot->description, flags);
                        if (slot->token) {
-                               fprintf(stderr, "  (%s)",
+                               Log(LOG_INFO,  "  (%s)",
                                        slot->token->label[0] ?
                                        slot->token->label : "no label");
                        }
-                       fprintf(stderr, "\n");
                }
        }
 
        if (found_slot) {
                slot = found_slot; 
        } else {
-               fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+               Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
                goto err_out;
        }
 
        tok = slot->token;
 
        if (tok == NULL) {
-               fprintf(stderr, "Found empty token; \n");
+               Log(LOG_ERR,  "Found empty token; ");
                goto err_out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found slot:  %s\n", slot->description);
-               fprintf(stderr, "Found token: %s\n", slot->token->label);
+               Log(LOG_INFO,  "Found slot:  %s", slot->description);
+               Log(LOG_INFO,  "Found token: %s", slot->token->label);
        }
 
        if ((tok->loginRequired) && (do_login(slot))) {
-               fprintf(stderr, "failed to login\n");
+               Log(LOG_ERR,  "failed to login");
                goto err_out;
        }
 
        /* Enumerate keys to initialize libp11 key count */
        if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
-               fprintf(stderr, "unable to enumerate keys\n");
+               Log(LOG_ERR,  "unable to enumerate keys");
                goto err_out;
        }
 
        if (PKCS11_generate_key(tok, EVP_PKEY_RSA, key_size, key_label,
                                                        key_id, key_id_len)) {
-               fprintf(stderr, "failed to generate RSA key pair\n");
+               Log(LOG_ERR,  "failed to generate RSA key pair");
                goto err_out;
        }
 
@@ -1723,7 +1763,7 @@ err_out:
        PKCS11_release_all_slots(ctx, slot_list, slot_count);
 out:
        if (local_init) {
-               free_pkcs11_ctx(e);
+               free_pkcs11_ctx();
        }
        return ret_val;
 }
@@ -1738,35 +1778,37 @@ int del_obj_cmd(ENGINE * e, const char *p)
     int rv = 0;
 
        if (!p || !*p) {
-               fprintf(stderr, "no parameter\n");
+               Log(LOG_ERR,  "no parameter");
                return 0;
        }
 
        n = parse_del_obj_string(p, &slot_nr, &type, id, &id_len, &label);
        if (n) {
-               fprintf(stderr,
-                       "supported format: slot_<slot>:type_<type>:id_<id>:label_<label>\n");
-               fprintf(stderr,
-                       "where <slot> is the slot number as normal integer,\n");
-               fprintf(stderr,
-                       "and <type> is the object type (privkey/pubkey/cert)\n");
-               fprintf(stderr,
-                       "and <id> is the id number as hex string.\n");
-               fprintf(stderr,
-                       "and <label> is the textual label string.\n");
+               Log(LOG_INFO,
+                       "supported format: slot_<slot>:type_<type>:id_<id>:label_<label>");
+               Log(LOG_INFO,
+                       "where <slot> is the slot number as normal integer,");
+               Log(LOG_INFO,
+                       "and <type> is the object type (privkey/pubkey/cert)");
+               Log(LOG_INFO,
+                       "and <id> is the id number as hex string.");
+               Log(LOG_INFO,
+                       "and <label> is the textual label string.");
                goto err;
        }
 
        /* No ID specified */
-       if (id_len == sizeof(id))
+       if (id_len == sizeof(id)) {
                id_len = 0;
+       }
 
        if (verbose) {
-               fprintf(stderr, "Deleting object type(%s) from slot(%d) with label(%s) and id(",
-                       type, slot_nr, label);
-                       for (n = 0; n < id_len; n++)
-                               fprintf(stderr, "%02x", id[n]);
-                       fprintf(stderr, ")\n");
+               char tmp[MAX_VALUE_LEN];
+               for (n = 0; n < id_len; n++) {
+                       snprintf(&tmp[n*2], 2, "%02x", id[n]);
+               }
+               Log(LOG_INFO, "Deleting object type(%s) from slot(%d) with label(%s) and id(%s)",
+                       type, slot_nr, label, tmp);
        }
 
        if (pkcs11_del_obj(e, slot_nr, type, id, id_len, label))
@@ -1814,15 +1856,15 @@ static int parse_del_obj_string
                /* slot identifier */
                if (!strncmp(token, "slot_", 5)) {
                        /* slot is a decimal number */
-                       if (sscanf(token + 5, "%d", slot) != 1) {
-                               fprintf(stderr, "slot number not deciphered!\n");
+                       if (str_to_dec(token + 5, slot) != 1) {
+                               Log(LOG_ERR,  "slot number not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "id_", 3)) {
                        /* certificate ID */
                        /* id is hexadecimal number */
                        if (!hex_to_bin(token + 3, id, id_len)) {
-                               fprintf(stderr, "id not deciphered!\n");
+                               Log(LOG_ERR,  "id not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "label_", 6)) {
@@ -1830,14 +1872,14 @@ static int parse_del_obj_string
                        /*  label is string */
                        *label = strdup(token + 6);
                        if (*label == NULL) {
-                               fprintf(stderr, "label not deciphered!\n");
+                               Log(LOG_ERR,  "label not deciphered!");
                 goto err;
                        }
                } else if (!strncmp(token, "type_", 5)) {
                        /* Object type */
                        *type = strdup(token + 5);
                        if (*type == NULL) {
-                               fprintf(stderr, "type not deciphered!\n");
+                               Log(LOG_ERR,  "type not deciphered!");
                 goto err;
                        }
                }
@@ -1845,7 +1887,7 @@ static int parse_del_obj_string
        } /* end while(token) */
 
        if (*type == NULL) {
-               fprintf(stderr, "type not present!\n");
+               Log(LOG_ERR,  "type not present!");
         goto err;
        }
 
@@ -1872,7 +1914,7 @@ static int pkcs11_del_obj
        PKCS11_TOKEN *tok;
        PKCS11_KEY *keys, *ret_key = NULL;
        unsigned int slot_count, key_count;
-       char flags[64];
+       char flags[FLAGS_LEN];
        int n,m, type, retval = -1;
        int local_init = 0;
 #define TYPE_PRIVKEY   1
@@ -1886,7 +1928,7 @@ static int pkcs11_del_obj
        } else if (!strcmp(type_str, "cert")) {
                type = TYPE_CERT;
        } else {
-               fprintf(stderr, "invalid object type(%s)\n", type_str);
+               Log(LOG_ERR,  "invalid object type(%s)", type_str);
                goto out;
        }
 
@@ -1896,12 +1938,12 @@ static int pkcs11_del_obj
        }
 
        if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-               fprintf(stderr, "failed to enumerate slots\n");
+               Log(LOG_ERR,  "failed to enumerate slots");
                goto out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found %u slots\n", slot_count);
+               Log(LOG_INFO,  "Found %u slots", slot_count);
        }
 
        for (n = 0; n < slot_count; n++) {
@@ -1909,15 +1951,15 @@ static int pkcs11_del_obj
                flags[0] = '\0';
                if (slot->token) {
                        if (!slot->token->initialized)
-                               strcat(flags, "uninitialized, ");
+                               strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
                        else if (!slot->token->userPinSet)
-                               strcat(flags, "no pin, ");
+                               strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->loginRequired)
-                               strcat(flags, "login, ");
+                               strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
                        if (slot->token->readOnly)
-                               strcat(flags, "ro, ");
+                               strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
                } else {
-                       strcpy(flags, "no token");
+                       strncpy(flags, "no token", sizeof(flags));
                }
                if ((m = strlen(flags)) != 0) {
                        flags[m - 2] = '\0';
@@ -1929,66 +1971,65 @@ static int pkcs11_del_obj
                }
 
                if (verbose) {
-                       fprintf(stderr, "[%lu] %-25.25s  %-16s",
+                       Log(LOG_INFO, "[%lu] %-25.25s  %-16s",
                                PKCS11_get_slotid_from_slot(slot),
                                slot->description, flags);
                        if (slot->token) {
-                               fprintf(stderr, "  (%s)",
+                               Log(LOG_INFO, "  (%s)",
                                        slot->token->label[0] ?
                                        slot->token->label : "no label");
                        }
-                       fprintf(stderr, "\n");
                }
        }
 
        if (found_slot) {
                slot = found_slot; 
        } else {
-               fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+               Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
                goto err_out;
        }
 
        tok = slot->token;
 
        if (tok == NULL) {
-               fprintf(stderr, "Found empty token; \n");
+               Log(LOG_ERR,  "Found empty token; ");
                goto err_out;
        }
 
        if (verbose) {
-               fprintf(stderr, "Found slot:  %s\n", slot->description);
-               fprintf(stderr, "Found token: %s\n", slot->token->label);
+               Log(LOG_INFO,  "Found slot:  %s", slot->description);
+               Log(LOG_INFO,  "Found token: %s", slot->token->label);
        }
 
        if ((tok->loginRequired) && (do_login(slot))) {
-               fprintf(stderr, "failed to login\n");
+               Log(LOG_ERR,  "failed to login");
                goto err_out;
        }
 
        switch(type) {
                case TYPE_CERT:
                        if (PKCS11_remove_certificate(tok, label, id, id_len)) {
-                               fprintf(stderr, "failed to delete certificate\n");
+                               Log(LOG_ERR,  "failed to delete certificate");
                                goto err_out;
                        }
                        break;
 
                case TYPE_PUBKEY:
                        if (PKCS11_remove_public_key(tok, label, id, id_len)) {
-                               fprintf(stderr, "failed to delete public key\n");
+                               Log(LOG_ERR,  "failed to delete public key");
                                goto err_out;
                        }
                        break;
 
                case TYPE_PRIVKEY:
                        if (PKCS11_remove_private_key(tok, label, id, id_len)) {
-                               fprintf(stderr, "failed to delete private key\n");
+                               Log(LOG_ERR,  "failed to delete private key");
                                goto err_out;
                        }
                        break;
 
                default:
-                       fprintf(stderr, "object type(%s) not supported\n", type_str);
+                       Log(LOG_ERR,  "object type(%s) not supported", type_str);
                        goto err_out;
                        break;
        }
@@ -1998,7 +2039,7 @@ err_out:
        PKCS11_release_all_slots(ctx, slot_list, slot_count);
 out:
        if (local_init) {
-               free_pkcs11_ctx(e);
+               free_pkcs11_ctx();
        }
        return retval;
 }
@@ -2013,34 +2054,34 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
        int slot_nr = -1;
        unsigned char *pp, *data = NULL;
        int data_len = 0;
-       FILE *f;
+       FILE *f = NULL;
        EVP_PKEY *pk;
        RSA *rsa;
 
        if (!p || !*p) {
-               fprintf(stderr, "no parameter\n");
+               Log(LOG_ERR,  "no parameter");
                return 0;
        }
 
        n = parse_key_string(p, &slot_nr, key_id, &key_id_len,
                                &key_label, &key_file);
        if (n) {
-               fprintf(stderr,
-                       "supported format: slot_<slot>:id_<id>:label_<label>:key_<filename>\n");
-               fprintf(stderr,
-                       "where <slot> is the slot number as normal integer,\n");
-               fprintf(stderr,
-                       "and <id> is the id number as hex string.\n");
-               fprintf(stderr,
-                       "and <label> is the textual key label string.\n");
-               fprintf(stderr,
-                       "and <filename> is the key filename with full path.\n");
+               Log(LOG_INFO,
+                       "supported format: slot_<slot>:id_<id>:label_<label>:key_<filename>");
+               Log(LOG_INFO,
+                       "where <slot> is the slot number as normal integer,");
+               Log(LOG_INFO,
+                       "and <id> is the id number as hex string.");
+               Log(LOG_INFO,
+                       "and <label> is the textual key label string.");
+               Log(LOG_INFO,
+                       "and <filename> is the key filename with full path.");
                goto get_pubkey_err_out;
        }
 
        f = fopen(key_file, "wb");
        if (f == NULL) {
-               fprintf(stderr, "Couldn't open key file \"%s\"\n", key_file);
+               Log(LOG_ERR,  "Couldn't open key file \"%s\"", key_file);
                goto get_pubkey_err_out;
        }
 
@@ -2049,22 +2090,23 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
                key_id_len = 0;
 
        if (verbose) {
-               fprintf(stderr, "Getting public key in slot(%d) with label(%s) and id(",
-                       slot_nr, key_label);
-                       for (n = 0; n < key_id_len; n++)
-                               fprintf(stderr, "%02x", key_id[n]);
-                       fprintf(stderr, ")\n");
+               char tmp[MAX_VALUE_LEN];
+               for (n = 0; n < key_id_len; n++) {
+                       snprintf(&tmp[n*2], 2, "%02x", key_id[n]);
+               }
+               Log(LOG_INFO, "Getting public key in slot(%d) with label(%s) and id(%s)",
+                       slot_nr, key_label, tmp);
        }
 
        pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label, NULL, NULL, 0);
        if (pk == NULL) {
-               fprintf(stderr, "PKCS11_load_public_key returned NULL\n");
+               Log(LOG_ERR,  "PKCS11_load_public_key returned NULL");
                goto get_pubkey_err_out;
        }
 
        rsa = EVP_PKEY_get1_RSA(pk);
        if (rsa == NULL) {
-               fprintf(stderr, "Couldn't retrieve RSA key form EVP_PKEY\n");
+               Log(LOG_ERR,  "Couldn't retrieve RSA key form EVP_PKEY");
                goto get_pubkey_err_out;
        }
 
@@ -2072,7 +2114,7 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
        /* To store in DER format */
        data_len = i2d_RSAPublicKey(rsa, NULL); 
        if ((data = (unsigned char *)malloc(data_len)) == NULL) {
-               fprintf(stderr, "couldn't allocate memory for key\n");
+               Log(LOG_ERR,  "couldn't allocate memory for key");
                goto get_pubkey_err_out;
        }
        pp = data;
@@ -2080,12 +2122,12 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
        n = fwrite(data, 1, data_len, f);
 
        if (n != data_len) {
-               fprintf(stderr, "Couldn't write to file \"%s\"\n", key_file);
+               Log(LOG_ERR,  "Couldn't write to file \"%s\"", key_file);
                goto get_pubkey_err_out;
        }
 #endif
        if (!PEM_write_RSA_PUBKEY(f, rsa)) {
-               fprintf(stderr, "Couldn't write to file \"%s\"\n", key_file);
+               Log(LOG_ERR,  "Couldn't write to file \"%s\"", key_file);
                goto get_pubkey_err_out;
        }
 
@@ -2114,18 +2156,19 @@ static int parse_key_string
        char *str, *lasts;
     int rv = -1;
 
-       if (!key_get_str)
+       if (!key_get_str) {
                return -1;
-
+       }
        str = strdup(key_get_str);
-       if (str == NULL)
+       if (str == NULL) {
                return -1;
-
+       }
        /* Default values */
        *slot = 0;
        *label = NULL;
-       if (key_file) *key_file = NULL;
-
+       if (key_file) {
+               *key_file = NULL;
+       }
        token = strtok_r(str, sep, &lasts);
 
        while (token) {
@@ -2133,15 +2176,15 @@ static int parse_key_string
                /* slot identifier */
                if (!strncmp(token, "slot_", 5)) {
                        /* slot is a decimal number */
-                       if (sscanf(token + 5, "%d", slot) != 1) {
-                               fprintf(stderr, "slot number not deciphered!\n");
+                       if (str_to_dec(token + 5, slot) != 1) {
+                               Log(LOG_ERR,  "slot number not deciphered!");
                                goto err;
                        }
                } else if (!strncmp(token, "id_", 3)) {
                        /* certificate ID */
                        /* id is hexadecimal number */
                        if (!hex_to_bin(token + 3, id, id_len)) {
-                               fprintf(stderr, "id not deciphered!\n");
+                               Log(LOG_ERR,  "id not deciphered!");
                                goto err;
                        }
                } else if (!strncmp(token, "label_", 6)) {
@@ -2149,14 +2192,14 @@ static int parse_key_string
                        /*  label is string */
                        *label = strdup(token + 6);
                        if (*label == NULL) {
-                               fprintf(stderr, "label not deciphered!\n");
+                               Log(LOG_ERR,  "label not deciphered!");
                                goto err;
                        }
                } else if ((key_file) && (!strncmp(token, "key_", 4))) {
                        /* key file name */
                        *key_file = strdup(token + 4);
                        if (*key_file == NULL) {
-                               fprintf(stderr, "key file not deciphered!\n");
+                               Log(LOG_ERR,  "key file not deciphered!");
                                goto err;
                        }
                }
@@ -2164,7 +2207,7 @@ static int parse_key_string
        } /* end while(token) */
 
        if ((key_file) && (*key_file == NULL)) {
-               fprintf(stderr, "key file name not present!\n");
+               Log(LOG_ERR,  "key file name not present!");
                goto err;
        }