From: Antti Lyytinen <a-lyytinen@ti.com>
Date: Wed, 10 Dec 2014 12:14:27 +0000 (+0200)
Subject: Secure storage #3
X-Git-Tag: DEV.ENGINE_PKCS11-01.03.00.00^0
X-Git-Url: https://git.ti.com/gitweb?p=keystone-linux%2Fengine-pkcs11.git;a=commitdiff_plain;h=0b14500b0ea8b37453b6d93aac02278465e7e732

Secure storage #3
---

diff --git a/src/engine_pkcs11.c b/src/engine_pkcs11.c
index 17a5fc3..b79fb47 100644
--- a/src/engine_pkcs11.c
+++ b/src/engine_pkcs11.c
@@ -38,22 +38,24 @@
 
 #include <config.h>
 #include <stdio.h>
+#include <limits.h>
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/objects.h>
 #include <openssl/engine.h>
 #include <libp11.h>
 #include "engine_pkcs11.h"
+#include <syslog.h>
 
 #ifdef _WIN32
 #define strncasecmp strnicmp
 #endif
 
-#define fail(msg) { fprintf(stderr,msg); return NULL;}
+#define fail(msg) { Log(LOG_ERR,msg); return NULL;}
 
 /** The maximum length of an internally-allocated PIN */
 #define MAX_PIN_LENGTH   32
-
+#define FLAGS_LEN 64
 /* Maximum size of a token object */
 #define MAX_OBJECT_SIZE	5000
 
@@ -160,6 +162,21 @@ static char *module = NULL;
 
 static char *init_args = NULL;
 
+static void Log(int const loglevel, char const * const format, ...)
+{
+	char tmp[256];
+	va_list args;
+
+	va_start(args, format);
+	vsnprintf(tmp, 256, format, args);
+	va_end(args);
+
+	// log it
+	syslog(loglevel, "engine_pkcs11: %s", tmp);
+	fprintf(stdout, "%s\n", tmp);
+}
+
+
 int set_module(const char *modulename)
 {
 	module = modulename ? strdup(modulename) : NULL;
@@ -232,12 +249,12 @@ static int get_pin(UI_METHOD * ui_method, void *callback_data)
 
 	if (!UI_add_input_string
 	    (ui, "PKCS#11 token PIN: ", 0, pin, 1, MAX_PIN_LENGTH)) {
-		fprintf(stderr, "UI_add_input_string failed\n");
+		Log(LOG_ERR, "UI_add_input_string failed");
 		UI_free(ui);
 		return 0;
 	}
 	if (UI_process(ui)) {
-		fprintf(stderr, "UI_process failed\n");
+		Log(LOG_ERR,  "UI_process failed");
 		UI_free(ui);
 		return 0;
 	}
@@ -263,7 +280,7 @@ static void free_pkcs11_ctx()
 int pkcs11_finish(ENGINE * engine)
 {
 	if (verbose) {
-		fprintf(stderr, "engine finish\n");
+		Log(LOG_INFO,  "engine finish");
 	}
 
 	free_pkcs11_ctx();
@@ -280,12 +297,12 @@ int pkcs11_finish(ENGINE * engine)
 int pkcs11_init(ENGINE * engine)
 {
 	if (verbose) {
-		fprintf(stderr, "initializing engine\n");
+		Log(LOG_INFO,  "initializing engine");
 	}
 	ctx = PKCS11_CTX_new();
         PKCS11_CTX_init_args(ctx, init_args);
 	if (PKCS11_CTX_load(ctx, module) < 0) {
-		fprintf(stderr, "unable to load module %s\n", module);
+		Log(LOG_ERR,  "unable to load module %s", module);
 		return 0;
 	}
 	return 1;
@@ -332,8 +349,8 @@ static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen)
 			else if ('A' <= c && c <= 'F')
 				c = c - 'A' + 10;
 			else {
-				fprintf(stderr,
-					"hex_to_bin(): invalid char '%c' in hex string\n",
+				Log(LOG_ERR,
+					"hex_to_bin(): invalid char '%c' in hex string",
 					c);
 				*outlen = 0;
 				return 0;
@@ -343,7 +360,7 @@ static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen)
 		if (*in == ':')
 			in++;
 		if (left <= 0) {
-			fprintf(stderr, "hex_to_bin(): hex string too long\n");
+			Log(LOG_ERR,  "hex_to_bin(): hex string too long");
 			*outlen = 0;
 			return 0;
 		}
@@ -355,6 +372,30 @@ static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen)
 	return 1;
 }
 
+static int str_to_dec(char const * const inPtr, int *dst) {
+	int ret = 1;
+	long val;
+
+	char *endptr;
+
+	errno = 0;	/* To distinguish success/failure after call */
+	val = strtol(inPtr, &endptr, 10);
+
+	/* Check for various possible errors */
+	if ((errno == ERANGE && (val == LONG_MAX || val == LONG_MIN)) || (errno != 0 && val == 0)) {
+		Log(LOG_ERR, "String to dec conversion failed");
+		ret = 0;
+	}
+	if (endptr == inPtr) {
+		Log(LOG_ERR, "No digits were found");
+		ret = 0;
+	}
+	if(ret) {
+		*dst = (int)val;
+	}
+	return ret;
+}
+
 /* parse string containing slot and id information */
 
 static int parse_slot_id_string(const char *slot_id, int *slot,
@@ -374,7 +415,7 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 	if (strspn(slot_id, HEXDIGITS) == strlen(slot_id)) {
 		/* ah, easiest case: only hex. */
 		if ((strlen(slot_id) + 1) / 2 > *id_len) {
-			fprintf(stderr, "id string too long!\n");
+			Log(LOG_ERR,  "id string too long!");
 			return 0;
 		}
 		*slot = 0;
@@ -382,11 +423,11 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 	}
 
 	/* second: slot:id. slot is an digital int. */
-	if (sscanf(slot_id, "%d", &n) == 1) {
+	if (str_to_dec(slot_id, &n) == 1) {
 		i = strspn(slot_id, DIGITS);
 
 		if (slot_id[i] != ':') {
-			fprintf(stderr, "could not parse string!\n");
+			Log(LOG_ERR,  "could not parse string!");
 			return 0;
 		}
 		i++;
@@ -396,12 +437,12 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 			return 1;
 		}
 		if (strspn(slot_id + i, HEXDIGITS) + i != strlen(slot_id)) {
-			fprintf(stderr, "could not parse string!\n");
+			Log(LOG_ERR,  "could not parse string!");
 			return 0;
 		}
 		/* ah, rest is hex */
 		if ((strlen(slot_id) - i + 1) / 2 > *id_len) {
-			fprintf(stderr, "id string too long!\n");
+			Log(LOG_ERR,  "id string too long!");
 			return 0;
 		}
 		*slot = n;
@@ -411,12 +452,12 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 	/* third: id_<id>  */
 	if (strncmp(slot_id, "id_", 3) == 0) {
 		if (strspn(slot_id + 3, HEXDIGITS) + 3 != strlen(slot_id)) {
-			fprintf(stderr, "could not parse string!\n");
+			Log(LOG_ERR,  "could not parse string!");
 			return 0;
 		}
 		/* ah, rest is hex */
 		if ((strlen(slot_id) - 3 + 1) / 2 > *id_len) {
-			fprintf(stderr, "id string too long!\n");
+			Log(LOG_ERR,  "id string too long!");
 			return 0;
 		}
 		*slot = 0;
@@ -432,13 +473,13 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 	/* last try: it has to be slot_<slot> and then "-id_<cert>" */
 
 	if (strncmp(slot_id, "slot_", 5) != 0) {
-		fprintf(stderr, "format not recognized!\n");
+		Log(LOG_ERR,  "format not recognized!");
 		return 0;
 	}
 
 	/* slot is an digital int. */
-	if (sscanf(slot_id + 5, "%d", &n) != 1) {
-		fprintf(stderr, "slot number not deciphered!\n");
+	if (str_to_dec(slot_id + 5, &n) != 1) {
+		Log(LOG_ERR,  "slot number not deciphered!");
 		return 0;
 	}
 
@@ -451,7 +492,7 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 	}
 
 	if (slot_id[i + 5] != '-') {
-		fprintf(stderr, "could not parse string!\n");
+		Log(LOG_ERR,  "could not parse string!");
 		return 0;
 	}
 
@@ -461,12 +502,12 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 	if (strncmp(slot_id + i, "id_", 3) == 0) {
 		if (strspn(slot_id + i + 3, HEXDIGITS) + 3 + i !=
 		    strlen(slot_id)) {
-			fprintf(stderr, "could not parse string!\n");
+			Log(LOG_ERR,  "could not parse string!");
 			return 0;
 		}
 		/* ah, rest is hex */
 		if ((strlen(slot_id) - i - 3 + 1) / 2 > *id_len) {
-			fprintf(stderr, "id string too long!\n");
+			Log(LOG_ERR,  "id string too long!");
 			return 0;
 		}
 		*slot = n;
@@ -479,7 +520,7 @@ static int parse_slot_id_string(const char *slot_id, int *slot,
 		return (*label = strdup(slot_id + i + 6)) != NULL;
 	}
 
-	fprintf(stderr, "could not parse string!\n");
+	Log(LOG_ERR,  "could not parse string!");
 	return 0;
 }
 
@@ -503,7 +544,7 @@ static X509 *pkcs11_load_cert
 	PKCS11_CERT *certs, *selected_cert = NULL;
 	X509 *x509 = NULL;
 	unsigned int slot_count, cert_count, n, m;
-	char flags[64];
+	char flags[FLAGS_LEN];
 	int local_init = 0;
 
 	if (ctx == NULL) {
@@ -511,11 +552,11 @@ static X509 *pkcs11_load_cert
 		local_init = 1;
 	}
 
-	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0)
-		fail("failed to enumerate slots\n");
-
+	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0) {
+		fail("failed to enumerate slots");
+	}
 	if (verbose) {
-		fprintf(stderr, "Found %u slot%s\n", slot_count,
+		Log(LOG_INFO,  "Found %u slot%s", slot_count,
 			(slot_count <= 1) ? "" : "s");
 	}
 
@@ -524,15 +565,15 @@ static X509 *pkcs11_load_cert
 		flags[0] = '\0';
 		if (slot->token) {
 			if (!slot->token->initialized)
-				strcat(flags, "uninitialized, ");
+				strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
 			else if (!slot->token->userPinSet)
-				strcat(flags, "no pin, ");
+				strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->loginRequired)
-				strcat(flags, "login, ");
+				strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->readOnly)
-				strcat(flags, "ro, ");
+				strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
 		} else {
-			strcpy(flags, "no token");
+			strncpy(flags, "no token", sizeof(flags));
 		}
 		if ((m = strlen(flags)) != 0) {
 			flags[m - 2] = '\0';
@@ -544,49 +585,48 @@ static X509 *pkcs11_load_cert
 		}
 
 		if (verbose) {
-			fprintf(stderr, "[%lu] %-25.25s  %-16s",
+			Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
 				PKCS11_get_slotid_from_slot(slot),
 				slot->description, flags);
 			if (slot->token) {
-				fprintf(stderr, "  (%s)",
+				Log(LOG_INFO,  "  (%s)",
 					slot->token->label[0] ?
 					slot->token->label : "no label");
 			}
-			fprintf(stderr, "\n");
 		}
 	}
 
 	if (found_slot) {
 		slot = found_slot; 
 	} else {
-		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+		Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
 		goto err_out;
 	}
 
 	tok = slot->token;
 
 	if (tok == NULL) {
-		fprintf(stderr, "Found empty token; \n");
+		Log(LOG_ERR,  "Found empty token; ");
 		goto err_out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found slot:  %s\n", slot->description);
-		fprintf(stderr, "Found token: %s\n", slot->token->label);
+		Log(LOG_INFO,  "Found slot:  %s", slot->description);
+		Log(LOG_INFO,  "Found token: %s", slot->token->label);
 	}
 
 	if ((tok->loginRequired) && (do_login(slot))) {
-		fprintf(stderr, "failed to login\n");
+		Log(LOG_ERR,  "failed to login");
 		goto err_out;
 	}
 
 	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
-		fprintf(stderr, "unable to enumerate certificates\n");
+		Log(LOG_ERR,  "unable to enumerate certificates");
 		goto err_out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found %u cert%s:\n", cert_count,
+		Log(LOG_INFO,  "Found %u cert%s:", cert_count,
 			(cert_count <= 1) ? "" : "s");
 	}
 
@@ -639,7 +679,7 @@ static X509 *pkcs11_load_cert
 	}
 
 	if (selected_cert == NULL) {
-		fprintf(stderr, "certificate not found.\n");
+		Log(LOG_ERR,  "certificate not found.");
 		goto err_out;
 	}
 
@@ -667,7 +707,7 @@ err_out:
 
 out:
 	if (local_init) {
-		free_pkcs11_ctx(e);
+		free_pkcs11_ctx();
 	}
 	return x509;
 }
@@ -726,7 +766,7 @@ static EVP_PKEY *pkcs11_load_key
 	PKCS11_CERT *certs;
 	EVP_PKEY *pk = NULL;
 	unsigned int slot_count, cert_count, key_count, n, m;
-	char flags[64];
+	char flags[FLAGS_LEN];
 	int local_init = 0;
 
 	if (ctx == NULL) {
@@ -735,10 +775,10 @@ static EVP_PKEY *pkcs11_load_key
 	}
 
 	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count) < 0)
-		fail("failed to enumerate slots\n");
+		fail("failed to enumerate slots");
 
 	if (verbose) {
-		fprintf(stderr, "Found %u slot%s\n", slot_count,
+		Log(LOG_INFO,  "Found %u slot%s", slot_count,
 			(slot_count <= 1) ? "" : "s");
 	}
 
@@ -747,15 +787,15 @@ static EVP_PKEY *pkcs11_load_key
 		flags[0] = '\0';
 		if (slot->token) {
 			if (!slot->token->initialized)
-				strcat(flags, "uninitialized, ");
+				strncat(flags, "uninitialized, ", FLAGS_LEN - strlen(flags) - 1);
 			else if (!slot->token->userPinSet)
-				strcat(flags, "no pin, ");
+				strncat(flags, "no pin, ", FLAGS_LEN - strlen(flags) - 1);
 			if (slot->token->loginRequired)
-				strcat(flags, "login, ");
+				strncat(flags, "login, ", FLAGS_LEN - strlen(flags) - 1);
 			if (slot->token->readOnly)
-				strcat(flags, "ro, ");
+				strncat(flags, "ro, ", FLAGS_LEN - strlen(flags) - 1);
 		} else {
-			strcpy(flags, "no token");
+			strncpy(flags, "no token", sizeof(flags));
 		}
 		if ((m = strlen(flags)) != 0) {
 			flags[m - 2] = '\0';
@@ -767,67 +807,65 @@ static EVP_PKEY *pkcs11_load_key
 		}
 
 		if (verbose) {
-			fprintf(stderr, "[%lu] %-25.25s  %-16s",
+			Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
 				PKCS11_get_slotid_from_slot(slot),
 				slot->description, flags);
 			if (slot->token) {
-				fprintf(stderr, "  (%s)",
+				Log(LOG_INFO,  "  (%s)",
 					slot->token->label[0] ?
 					slot->token->label : "no label");
 			}
-			fprintf(stderr, "\n");
 		}
 	}
 
 	if (slot_nr == -1) {
 		if (!(slot = PKCS11_find_token(ctx, slot_list, slot_count)))
-			fail("didn't find any tokens\n");
+			fail("didn't find any tokens");
 	} else if (found_slot) {
 		slot = found_slot;
 	} else {
-		fprintf(stderr, "Invalid slot number: %d\n", slot_nr);
+		Log(LOG_ERR,  "Invalid slot number: %d", slot_nr);
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
 	tok = slot->token;
 
 	if (tok == NULL) {
-		fprintf(stderr, "Found empty token; \n");
+		Log(LOG_INFO,  "Found empty token; ");
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
 
 	if (isPrivate && !tok->userPinSet && !tok->readOnly) {
-		fprintf(stderr, "Found slot without user PIN\n");
+		Log(LOG_INFO,  "Found slot without user PIN");
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found slot:  %s\n", slot->description);
-		fprintf(stderr, "Found token: %s\n", slot->token->label);
+		Log(LOG_INFO,  "Found slot:  %s", slot->description);
+		Log(LOG_INFO,  "Found token: %s", slot->token->label);
 	}
 
 #ifdef DEBUG
 	if (PKCS11_enumerate_certs(tok, &certs, &cert_count))
-		fail("unable to enumerate certificates\n");
+		fail("unable to enumerate certificates");
 
 	if (verbose) {
-		fprintf(stderr, "Found %u certificate%s:\n", cert_count,
+		Log(LOG_INFO,  "Found %u certificate%s:", cert_count,
 			(cert_count <= 1) ? "" : "s");
 		for (n = 0; n < cert_count; n++) {
 			PKCS11_CERT *c = certs + n;
 			char *dn = NULL;
 
-			fprintf(stderr, "  %2u    %s", n + 1, c->label);
+			Log(LOG_INFO,  "  %2u	%s", n + 1, c->label);
 			if (c->x509)
 				dn = X509_NAME_oneline(X509_get_subject_name
 						       (c->x509), NULL, 0);
 			if (dn) {
-				fprintf(stderr, " (%s)", dn);
+				Log(LOG_INFO,  " (%s)", dn);
 				OPENSSL_free(dn);
 			}
-			fprintf(stderr, "\n");
 		}
 	}
 #endif
@@ -870,7 +908,7 @@ static EVP_PKEY *pkcs11_load_key
 				pin = NULL;
 				pin_length = 0;
 			}
-			fail("Login failed\n");
+			fail("Login failed");
 		}
 		/* Login successful, PIN retained in case further logins are 
 		   required. This will occur on subsequent calls to the
@@ -891,14 +929,14 @@ static EVP_PKEY *pkcs11_load_key
 
 	/* Make sure there is at least one private key on the token */
 	if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
-		fail("unable to enumerate keys\n");
+		fail("unable to enumerate keys");
 	}
 	if (key_count == 0) {
-		fail("No keys found.\n");
+		fail("No keys found.");
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found %u key%s:\n", key_count,
+		Log(LOG_INFO,  "Found %u key%s:", key_count,
 			(key_count <= 1) ? "" : "s");
 	}
 	if ((key_id_len != 0) || (key_label != NULL)) {
@@ -906,7 +944,7 @@ static EVP_PKEY *pkcs11_load_key
 			PKCS11_KEY *k = keys + n;
 
 			if (verbose) {
-				fprintf(stderr, "  %2u %c%c %s\n", n + 1,
+				Log(LOG_INFO,  "  %2u %c%c %s", n + 1,
 					k->isPrivate ? 'P' : ' ',
 					k->needLogin ? 'L' : ' ', k->label);
 			}
@@ -929,7 +967,7 @@ static EVP_PKEY *pkcs11_load_key
 	}
 
 	if (selected_key == NULL) {
-		fprintf(stderr, "key not found.\n");
+		Log(LOG_ERR,  "key not found.");
 		goto out;
 	}
 
@@ -941,7 +979,7 @@ static EVP_PKEY *pkcs11_load_key
 
 out:
 	if (local_init) {
-		free_pkcs11_ctx(e);
+		free_pkcs11_ctx();
 	}
 
 	return pk;
@@ -960,21 +998,21 @@ EVP_PKEY *pkcs11_load_public_key(ENGINE * e, const char *s_key_id,
 	n = parse_key_string(s_key_id, &slot_nr, key_id, &key_id_len,
 				&key_label, NULL);
 	if (n) {
-		fprintf(stderr,
-			"supported format: slot_<slot>:id_<id>:label_<label>\n");
-		fprintf(stderr,
-			"where <slot> is the slot number as normal integer,\n");
-		fprintf(stderr,
-			"and <id> is the id number as hex string.\n");
-		fprintf(stderr,
-			"and <label> is the textual key label string.\n");
+		Log(LOG_INFO,
+			"supported format: slot_<slot>:id_<id>:label_<label>");
+		Log(LOG_INFO,
+			"where <slot> is the slot number as normal integer,");
+		Log(LOG_INFO,
+			"and <id> is the id number as hex string.");
+		Log(LOG_INFO,
+			"and <label> is the textual key label string.");
 		return NULL;
 	}
 
 	pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label,
 			ui_method, callback_data, 0);
 	if (pk == NULL)
-		fprintf(stderr, "PKCS11_load_public_key returned NULL\n");
+		Log(LOG_INFO,  "PKCS11_load_public_key returned NULL");
 
     if (key_label) free(key_label);
 	return pk;
@@ -993,21 +1031,21 @@ EVP_PKEY *pkcs11_load_private_key(ENGINE * e, const char *s_key_id,
 	n = parse_key_string(s_key_id, &slot_nr, key_id, &key_id_len,
 				&key_label, NULL);
 	if (n) {
-		fprintf(stderr,
-			"supported format: slot_<slot>:id_<id>:label_<label>\n");
-		fprintf(stderr,
-			"where <slot> is the slot number as normal integer,\n");
-		fprintf(stderr,
-			"and <id> is the id number as hex string.\n");
-		fprintf(stderr,
-			"and <label> is the textual key label string.\n");
+		Log(LOG_INFO,
+			"supported format: slot_<slot>:id_<id>:label_<label>");
+		Log(LOG_INFO,
+			"where <slot> is the slot number as normal integer,");
+		Log(LOG_INFO,
+			"and <id> is the id number as hex string.");
+		Log(LOG_INFO,
+			"and <label> is the textual key label string.");
 		return NULL;
 	}
 
 	pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label,
 			ui_method, callback_data, 1);
 	if (pk == NULL)
-		fprintf(stderr, "PKCS11_get_private_key returned NULL\n");
+		Log(LOG_INFO,  "PKCS11_get_private_key returned NULL");
 
     if (key_label) free(key_label);
 	return pk;
@@ -1024,12 +1062,12 @@ int list_token_objects
 	PKCS11_CERT *certs;
 	PKCS11_KEY *keys;
 	unsigned int slot_count, cert_count, key_count, m, n, i;
-	char flags[64];
+	char flags[FLAGS_LEN];
 	int local_init = 0;
 	int ret_val = 0;
 
 	if (verbose) {
-		fprintf(stderr, "Displaying token objects from slot %d\n", (int)slot_nr);
+		Log(LOG_INFO,  "Displaying token objects from slot %d", (int)slot_nr);
 	}
 
 	if (ctx == NULL) {
@@ -1037,12 +1075,12 @@ int list_token_objects
 		local_init = 1;
 	}
 	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-		fprintf(stderr, "failed to enumerate slots\n");
+		Log(LOG_ERR,  "failed to enumerate slots");
 		goto out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found %u slots\n", slot_count);
+		Log(LOG_INFO,  "Found %u slots", slot_count);
 	}
 
 	for (n = 0; n < slot_count; n++) {
@@ -1050,15 +1088,15 @@ int list_token_objects
 		flags[0] = '\0';
 		if (slot->token) {
 			if (!slot->token->initialized)
-				strcat(flags, "uninitialized, ");
+				strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
 			else if (!slot->token->userPinSet)
-				strcat(flags, "no pin, ");
+				strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->loginRequired)
-				strcat(flags, "login, ");
+				strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->readOnly)
-				strcat(flags, "ro, ");
+				strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
 		} else {
-			strcpy(flags, "no token");
+			strncpy(flags, "no token", sizeof(flags));
 		}
 		if ((m = strlen(flags)) != 0) {
 			flags[m - 2] = '\0';
@@ -1070,22 +1108,21 @@ int list_token_objects
 		}
 
 		if (verbose) {
-			fprintf(stderr, "[%lu] %-25.25s  %-16s",
+			Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
 				PKCS11_get_slotid_from_slot(slot),
 				slot->description, flags);
 			if (slot->token) {
-				fprintf(stderr, "  (%s)",
+				Log(LOG_INFO,  "  (%s)",
 					slot->token->label[0] ?
 					slot->token->label : "no label");
 			}
-			fprintf(stderr, "\n");
 		}
 	}
 
 	if (found_slot) {
 		slot = found_slot; 
 	} else {
-		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+		Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
@@ -1093,78 +1130,81 @@ int list_token_objects
 	tok = slot->token;
 
 	if (tok == NULL) {
-		fprintf(stderr, "Found empty token; \n");
+		Log(LOG_ERR,  "Found empty token; ");
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found slot:  %s\n", slot->description);
-		fprintf(stderr, "Found token: %s\n", slot->token->label);
+		Log(LOG_INFO,  "Found slot:  %s", slot->description);
+		Log(LOG_INFO,  "Found token: %s", slot->token->label);
 	}
 
 	if ((tok->loginRequired) && (do_login(slot))) {
-		fprintf(stderr, "failed to login\n");
+		Log(LOG_ERR,  "failed to login");
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
 
 	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
-		fprintf(stderr, "unable to enumerate certificates\n");
+		Log(LOG_ERR,  "unable to enumerate certificates");
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
 
 	for (n=0; n<cert_count; n++) {
+		char tmp[MAX_VALUE_LEN];
 		PKCS11_CERT *c = certs + n;
 		char *dn = NULL;
 
-		fprintf(stderr, "Certificate Object:\n"); 
-		fprintf(stderr, "\ttype: X.509 cert\n"); 
-		fprintf(stderr, "\tlabel: %s\n", c->label); 
-		fprintf(stderr, "\tID: "); 
-		for (i = 0; i < c->id_len; i++)
-			printf("%02x", c->id[i]);
-		printf("\n");
+		Log(LOG_INFO,  "Certificate Object:");
+		Log(LOG_INFO,  "\ttype: X.509 cert");
+		Log(LOG_INFO,  "\tlabel: %s", c->label);
+		for (i = 0; i < c->id_len; i++) {
+			snprintf(&tmp[i*2], 2, "%02x", c->id[i]);
+		}
+		Log(LOG_INFO,  "\tID: %s", tmp);
 
 		if (c->x509)
 			dn = X509_NAME_oneline(X509_get_subject_name(c->x509),
 						NULL, 0);
 		if (dn) {
-			fprintf(stderr, "\tname: %s\n", dn);
+			Log(LOG_INFO,  "\tname: %s", dn);
 			OPENSSL_free(dn);
 		}
 	}
 
 	if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
-		fprintf(stderr, "unable to enumerate keys\n");
+		Log(LOG_ERR,  "unable to enumerate keys");
 		PKCS11_release_all_slots(ctx, slot_list, slot_count);
 		goto out;
 	}
 
 	for (n=0; n<key_count; n++) {
+		char tmp[MAX_VALUE_LEN];
+
 		PKCS11_KEY *k = keys + n;
 
 		if (k->isPrivate) {
-			fprintf(stderr, "Private Key Object:\n"); 
-			fprintf(stderr, "\ttype: RSA\n"); 
+			Log(LOG_INFO,  "Private Key Object:");
+			Log(LOG_INFO,  "\ttype: RSA");
 		} else {
-			fprintf(stderr, "Public Key Object:\n");
-			fprintf(stderr, "\ttype: RSA %d bits\n",
+			Log(LOG_INFO,  "Public Key Object:");
+			Log(LOG_INFO,  "\ttype: RSA %d bits",
 				(PKCS11_get_key_size(k)*8)); 
 		}
-		fprintf(stderr, "\tlabel: %s\n", k->label); 
-		fprintf(stderr, "\tID: "); 
-		for (i = 0; i < k->id_len; i++)
-			printf("%02x", k->id[i]);
-		printf("\n");
+		Log(LOG_INFO,  "\tlabel: %s", k->label);
+		for (i = 0; i < k->id_len; i++) {
+			snprintf(&tmp[i*2], 2, "%02x", k->id[i]);
+		}
+		Log(LOG_INFO,  "\tID: %s", tmp);
 	}
 
 	ret_val = 1;
 
 out:
 	if (local_init) {
-		free_pkcs11_ctx(e);
+		free_pkcs11_ctx();
 	}
 
 	return ret_val;
@@ -1175,7 +1215,7 @@ static int do_login(PKCS11_SLOT *slot)
 	PKCS11_TOKEN *tok = slot->token;
 
 	if (pin == NULL) {
-		fprintf(stderr, "PIN not set\n");
+		Log(LOG_INFO,  "PIN not set");
 		return -1;
 	}
 
@@ -1188,7 +1228,7 @@ static int do_login(PKCS11_SLOT *slot)
 			pin = NULL;
 			pin_length = 0;
 		}
-		fprintf(stderr, "Login failed\n");
+		Log(LOG_ERR,  "Login failed");
 		return -1;
 	}
 	return 0;
@@ -1219,46 +1259,46 @@ int store_cert_cmd(ENGINE * e, const char *p)
 	unsigned char data[MAX_OBJECT_SIZE];
 	const unsigned char *pp = data;
 	int data_len = 0;
-	FILE *f;
+	FILE *f = NULL;
 	X509 *x;
 
 	if (!p || !*p) {
-		fprintf(stderr, "no parameter\n");
+		Log(LOG_ERR,  "no parameter");
 		return 0;
 	}
 
 	n = parse_cert_store_string(p, &slot_nr, cert_id, &cert_id_len,
 								&cert_label, &cert_file);
 	if (n) {
-		fprintf(stderr,
-			"supported format: slot_<slot>:id_<id>:label_<label>:cert_<filename>\n");
-		fprintf(stderr,
-			"where <slot> is the slot number as normal integer,\n");
-		fprintf(stderr,
-			"and <id> is the id number as hex string.\n");
-		fprintf(stderr,
-			"and <label> is the textual cert label string.\n");
-		fprintf(stderr,
-			"and <filename> is the cert filename with full path.\n");
+		Log(LOG_INFO,
+			"supported format: slot_<slot>:id_<id>:label_<label>:cert_<filename>");
+		Log(LOG_INFO,
+			"where <slot> is the slot number as normal integer,");
+		Log(LOG_INFO,
+			"and <id> is the id number as hex string.");
+		Log(LOG_INFO,
+			"and <label> is the textual cert label string.");
+		Log(LOG_INFO,
+			"and <filename> is the cert filename with full path.");
 		goto store_cert_err_out;
 	}
 
 	f = fopen(cert_file, "rb");
 	if (f == NULL) {
-		fprintf(stderr, "Couldn't open cert file \"%s\"\n", cert_file);
+		Log(LOG_ERR,  "Couldn't open cert file \"%s\"", cert_file);
 		goto store_cert_err_out;
 	}
 
 	data_len = fread(data, 1, sizeof(data), f);
 
 	if (data_len < 0) {
-		fprintf(stderr, "Couldn't read from file \"%s\"\n", cert_file);
+		Log(LOG_ERR,  "Couldn't read from file \"%s\"", cert_file);
 		goto store_cert_err_out;
 	}
 
 	x = d2i_X509(NULL, &pp, data_len); 
 	if (!x) {
-		fprintf(stderr, "OpenSSL cert parse error\n");
+		Log(LOG_ERR,  "OpenSSL cert parse error");
 		goto store_cert_err_out;
 	}
 
@@ -1267,11 +1307,12 @@ int store_cert_cmd(ENGINE * e, const char *p)
 		cert_id_len = 0;
 
 	if (verbose) {
-		fprintf(stderr, "Storing cert(%s) in slot(%d) with label(%s) and id(",
-			cert_file, slot_nr, cert_label);
-			for (n = 0; n < cert_id_len; n++)
-				fprintf(stderr, "%02x", cert_id[n]);
-			fprintf(stderr, ")\n");
+		char tmp[MAX_VALUE_LEN];
+		for (n = 0; n < cert_id_len; n++) {
+			snprintf(&tmp[n*2], 2, "%02x", cert_id[n]);
+		}
+		Log(LOG_INFO, "Storing cert(%s) in slot(%d) with label(%s) and id(%s)",
+			cert_file, slot_nr, cert_label, tmp);
 	}
 
 	if (pkcs11_store_cert(e, slot_nr, cert_id, cert_id_len, cert_label, x))
@@ -1301,7 +1342,7 @@ static int pkcs11_store_cert
 	PKCS11_TOKEN *tok;
 	PKCS11_CERT *certs, *ret_cert = NULL;
 	unsigned int slot_count, cert_count;
-	char flags[64];
+	char flags[FLAGS_LEN];
 	int n,m;
 	int ret_val = -1;
 	int local_init = 0;
@@ -1312,12 +1353,12 @@ static int pkcs11_store_cert
 	}
 
 	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-		fprintf(stderr, "failed to enumerate slots\n");
+		Log(LOG_ERR,  "failed to enumerate slots");
 		goto out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found %u slots\n", slot_count);
+		Log(LOG_INFO,  "Found %u slots", slot_count);
 	}
 
 	for (n = 0; n < slot_count; n++) {
@@ -1325,15 +1366,15 @@ static int pkcs11_store_cert
 		flags[0] = '\0';
 		if (slot->token) {
 			if (!slot->token->initialized)
-				strcat(flags, "uninitialized, ");
+				strncat(flags, "uninitialized, ", FLAGS_LEN - strlen(flags) - 1);
 			else if (!slot->token->userPinSet)
-				strcat(flags, "no pin, ");
+				strncat(flags, "no pin, ", FLAGS_LEN - strlen(flags) - 1);
 			if (slot->token->loginRequired)
-				strcat(flags, "login, ");
+				strncat(flags, "login, ", FLAGS_LEN - strlen(flags) - 1);
 			if (slot->token->readOnly)
-				strcat(flags, "ro, ");
+				strncat(flags, "ro, ", FLAGS_LEN - strlen(flags) - 1);
 		} else {
-			strcpy(flags, "no token");
+			strncpy(flags, "no token", sizeof(flags));
 		}
 		if ((m = strlen(flags)) != 0) {
 			flags[m - 2] = '\0';
@@ -1345,51 +1386,50 @@ static int pkcs11_store_cert
 		}
 
 		if (verbose) {
-			fprintf(stderr, "[%lu] %-25.25s  %-16s",
+			Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
 				PKCS11_get_slotid_from_slot(slot),
 				slot->description, flags);
 			if (slot->token) {
-				fprintf(stderr, "  (%s)",
+				Log(LOG_INFO,  "  (%s)",
 					slot->token->label[0] ?
 					slot->token->label : "no label");
 			}
-			fprintf(stderr, "\n");
 		}
 	}
 
 	if (found_slot) {
 		slot = found_slot; 
 	} else {
-		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+		Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
 		goto err_out;
 	}
 
 	tok = slot->token;
 
 	if (tok == NULL) {
-		fprintf(stderr, "Found empty token; \n");
+		Log(LOG_ERR,  "Found empty token; ");
 		goto err_out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found slot:  %s\n", slot->description);
-		fprintf(stderr, "Found token: %s\n", slot->token->label);
+		Log(LOG_INFO,  "Found slot:  %s", slot->description);
+		Log(LOG_INFO,  "Found token: %s", slot->token->label);
 	}
 
 	if ((tok->loginRequired) && (do_login(slot))) {
-		fprintf(stderr, "failed to login\n");
+		Log(LOG_ERR,  "failed to login");
 		goto err_out;
 	}
 
 	/* Enumerate certs to initialize libp11 cert count */
 	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
-		fprintf(stderr, "unable to enumerate certificates\n");
+		Log(LOG_ERR,  "unable to enumerate certificates");
 		goto err_out;
 	}
 
 	if (PKCS11_store_certificate(tok, x, cert_label, cert_id,
 								cert_id_len, &ret_cert)) {
-		fprintf(stderr, "failed to store cert\n");
+		Log(LOG_ERR,  "failed to store cert");
 		goto err_out;
 	}
 
@@ -1401,7 +1441,7 @@ err_out:
 
 out:
 	if(local_init) {
-		free_pkcs11_ctx(e);
+		free_pkcs11_ctx();
 	}
 
 	return ret_val;
@@ -1441,15 +1481,15 @@ static int parse_cert_store_string
 		/* slot identifier */
 		if (!strncmp(token, "slot_", 5)) {
 			/* slot is a decimal number */
-			if (sscanf(token + 5, "%d", slot) != 1) {
-				fprintf(stderr, "slot number not deciphered!\n");
+			if (str_to_dec(token + 5, slot) != 1) {
+				Log(LOG_ERR,  "slot number not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "id_", 3)) {
 			/* certificate ID */
 			/* id is hexadecimal number */
 			if (!hex_to_bin(token + 3, id, id_len)) {
-				fprintf(stderr, "id not deciphered!\n");
+				Log(LOG_ERR,  "id not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "label_", 6)) {
@@ -1457,14 +1497,14 @@ static int parse_cert_store_string
 			/*  label is string */
 			*label = strdup(token + 6);
 			if (*label == NULL) {
-				fprintf(stderr, "label not deciphered!\n");
+				Log(LOG_ERR,  "label not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "cert_", 5)) {
 			/* cert file name */
 			*cert_file = strdup(token + 5);
 			if (*cert_file == NULL) {
-				fprintf(stderr, "cert file not deciphered!\n");
+				Log(LOG_ERR,  "cert file not deciphered!");
                 goto err;
 			}
 		}
@@ -1472,7 +1512,7 @@ static int parse_cert_store_string
 	} /* end while(token) */
 
 	if (*cert_file == NULL) {
-		fprintf(stderr, "cert file name not present!\n");
+		Log(LOG_ERR,  "cert file name not present!");
 		goto err;
 	}
 
@@ -1495,32 +1535,33 @@ int gen_key_cmd(ENGINE * e, const char *p)
     int rv = 0;
 
 	if (!p || !*p) {
-		fprintf(stderr, "no parameter\n");
+		Log(LOG_ERR,  "no parameter");
 		return 0;
 	}
 
 	n = parse_key_gen_string(p, &slot_nr, &key_size, key_id, &key_id_len,
 							 &key_label);
 	if (n) {
-		fprintf(stderr,
-			"supported format: slot_<slot>:size_<size>:id_<id>:label_<label>\n");
-		fprintf(stderr,
-			"where <slot> is the slot number as normal integer,\n");
-		fprintf(stderr,
-			"and <size> is the RSA key size in bits.\n");
-		fprintf(stderr,
-			"and <id> is the id number as hex string.\n");
-		fprintf(stderr,
-			"and <label> is the textual cert label string.\n");
+		Log(LOG_INFO,
+			"supported format: slot_<slot>:size_<size>:id_<id>:label_<label>");
+		Log(LOG_INFO,
+			"where <slot> is the slot number as normal integer,");
+		Log(LOG_INFO,
+			"and <size> is the RSA key size in bits.");
+		Log(LOG_INFO,
+			"and <id> is the id number as hex string.");
+		Log(LOG_INFO,
+			"and <label> is the textual cert label string.");
 		goto gen_key_err_out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Generating %dbits RSA key in slot(%d) with label(%s) and id(",
-			key_size, slot_nr, key_label);
-			for (n = 0; n < key_id_len; n++)
-				fprintf(stderr, "%02x", key_id[n]);
-			fprintf(stderr, ")\n");
+		char tmp[MAX_VALUE_LEN];
+		for (n = 0; n < key_id_len; n++) {
+			snprintf(&tmp[n*2], 2, "%02x", key_id[n]);
+		}
+		Log(LOG_INFO, "Generating %dbits RSA key in slot(%d) with label(%s) and id(s)",
+			key_size, slot_nr, key_label, tmp);
 	}
 
 	if (pkcs11_gen_key(e, slot_nr, (unsigned int)key_size, key_id, key_id_len, key_label))
@@ -1568,15 +1609,15 @@ static int parse_key_gen_string
 		/* slot identifier */
 		if (!strncmp(token, "slot_", 5)) {
 			/* slot is a decimal number */
-			if (sscanf(token + 5, "%d", slot) != 1) {
-				fprintf(stderr, "slot number not deciphered!\n");
+			if (str_to_dec(token + 5, slot) != 1) {
+				Log(LOG_ERR,  "slot number not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "id_", 3)) {
 			/* certificate ID */
 			/* id is hexadecimal number */
 			if (!hex_to_bin(token + 3, id, id_len)) {
-				fprintf(stderr, "id not deciphered!\n");
+				Log(LOG_ERR,  "id not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "label_", 6)) {
@@ -1584,13 +1625,13 @@ static int parse_key_gen_string
 			/*  label is string */
 			*label = strdup(token + 6);
 			if (*label == NULL) {
-				fprintf(stderr, "label not deciphered!\n");
+				Log(LOG_ERR,  "label not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "size_", 5)) {
 			/* key size in bits */
-			if (sscanf(token + 5, "%d", key_size) != 1) {
-				fprintf(stderr, "key size not deciphered!\n");
+			if (str_to_dec(token + 5, key_size) != 1) {
+				Log(LOG_ERR,  "key size not deciphered!");
                 goto err;
 			}
 		}
@@ -1598,7 +1639,7 @@ static int parse_key_gen_string
 	} /* end while(token) */
 
 	if (*key_size == -1) {
-		fprintf(stderr, "key size not present!\n");
+		Log(LOG_ERR,  "key size not present!");
         goto err;
 	}
 
@@ -1624,7 +1665,7 @@ static int pkcs11_gen_key
 	PKCS11_TOKEN *tok;
 	PKCS11_KEY *keys, *ret_key = NULL;
 	unsigned int slot_count, key_count;
-	char flags[64];
+	char flags[FLAGS_LEN];
 	int n,m;
 	int ret_val = -1;
 	int local_init = 0;
@@ -1635,12 +1676,12 @@ static int pkcs11_gen_key
 	}
 
 	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-		fprintf(stderr, "failed to enumerate slots\n");
+		Log(LOG_ERR,  "failed to enumerate slots");
 		goto out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found %u slots\n", slot_count);
+		Log(LOG_INFO,  "Found %u slots", slot_count);
 	}
 
 	for (n = 0; n < slot_count; n++) {
@@ -1648,15 +1689,15 @@ static int pkcs11_gen_key
 		flags[0] = '\0';
 		if (slot->token) {
 			if (!slot->token->initialized)
-				strcat(flags, "uninitialized, ");
+				strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
 			else if (!slot->token->userPinSet)
-				strcat(flags, "no pin, ");
+				strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->loginRequired)
-				strcat(flags, "login, ");
+				strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->readOnly)
-				strcat(flags, "ro, ");
+				strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
 		} else {
-			strcpy(flags, "no token");
+			strncpy(flags, "no token", sizeof(flags));
 		}
 		if ((m = strlen(flags)) != 0) {
 			flags[m - 2] = '\0';
@@ -1668,51 +1709,50 @@ static int pkcs11_gen_key
 		}
 
 		if (verbose) {
-			fprintf(stderr, "[%lu] %-25.25s  %-16s",
+			Log(LOG_INFO,  "[%lu] %-25.25s  %-16s",
 				PKCS11_get_slotid_from_slot(slot),
 				slot->description, flags);
 			if (slot->token) {
-				fprintf(stderr, "  (%s)",
+				Log(LOG_INFO,  "  (%s)",
 					slot->token->label[0] ?
 					slot->token->label : "no label");
 			}
-			fprintf(stderr, "\n");
 		}
 	}
 
 	if (found_slot) {
 		slot = found_slot; 
 	} else {
-		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+		Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
 		goto err_out;
 	}
 
 	tok = slot->token;
 
 	if (tok == NULL) {
-		fprintf(stderr, "Found empty token; \n");
+		Log(LOG_ERR,  "Found empty token; ");
 		goto err_out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found slot:  %s\n", slot->description);
-		fprintf(stderr, "Found token: %s\n", slot->token->label);
+		Log(LOG_INFO,  "Found slot:  %s", slot->description);
+		Log(LOG_INFO,  "Found token: %s", slot->token->label);
 	}
 
 	if ((tok->loginRequired) && (do_login(slot))) {
-		fprintf(stderr, "failed to login\n");
+		Log(LOG_ERR,  "failed to login");
 		goto err_out;
 	}
 
 	/* Enumerate keys to initialize libp11 key count */
 	if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
-		fprintf(stderr, "unable to enumerate keys\n");
+		Log(LOG_ERR,  "unable to enumerate keys");
 		goto err_out;
 	}
 
 	if (PKCS11_generate_key(tok, EVP_PKEY_RSA, key_size, key_label,
 							key_id, key_id_len)) {
-		fprintf(stderr, "failed to generate RSA key pair\n");
+		Log(LOG_ERR,  "failed to generate RSA key pair");
 		goto err_out;
 	}
 
@@ -1723,7 +1763,7 @@ err_out:
 	PKCS11_release_all_slots(ctx, slot_list, slot_count);
 out:
 	if (local_init) {
-		free_pkcs11_ctx(e);
+		free_pkcs11_ctx();
 	}
 	return ret_val;
 }
@@ -1738,35 +1778,37 @@ int del_obj_cmd(ENGINE * e, const char *p)
     int rv = 0;
 
 	if (!p || !*p) {
-		fprintf(stderr, "no parameter\n");
+		Log(LOG_ERR,  "no parameter");
 		return 0;
 	}
 
 	n = parse_del_obj_string(p, &slot_nr, &type, id, &id_len, &label);
 	if (n) {
-		fprintf(stderr,
-			"supported format: slot_<slot>:type_<type>:id_<id>:label_<label>\n");
-		fprintf(stderr,
-			"where <slot> is the slot number as normal integer,\n");
-		fprintf(stderr,
-			"and <type> is the object type (privkey/pubkey/cert)\n");
-		fprintf(stderr,
-			"and <id> is the id number as hex string.\n");
-		fprintf(stderr,
-			"and <label> is the textual label string.\n");
+		Log(LOG_INFO,
+			"supported format: slot_<slot>:type_<type>:id_<id>:label_<label>");
+		Log(LOG_INFO,
+			"where <slot> is the slot number as normal integer,");
+		Log(LOG_INFO,
+			"and <type> is the object type (privkey/pubkey/cert)");
+		Log(LOG_INFO,
+			"and <id> is the id number as hex string.");
+		Log(LOG_INFO,
+			"and <label> is the textual label string.");
 		goto err;
 	}
 
 	/* No ID specified */
-	if (id_len == sizeof(id))
+	if (id_len == sizeof(id)) {
 		id_len = 0;
+	}
 
 	if (verbose) {
-		fprintf(stderr, "Deleting object type(%s) from slot(%d) with label(%s) and id(",
-			type, slot_nr, label);
-			for (n = 0; n < id_len; n++)
-				fprintf(stderr, "%02x", id[n]);
-			fprintf(stderr, ")\n");
+		char tmp[MAX_VALUE_LEN];
+		for (n = 0; n < id_len; n++) {
+			snprintf(&tmp[n*2], 2, "%02x", id[n]);
+		}
+		Log(LOG_INFO, "Deleting object type(%s) from slot(%d) with label(%s) and id(%s)",
+			type, slot_nr, label, tmp);
 	}
 
 	if (pkcs11_del_obj(e, slot_nr, type, id, id_len, label))
@@ -1814,15 +1856,15 @@ static int parse_del_obj_string
 		/* slot identifier */
 		if (!strncmp(token, "slot_", 5)) {
 			/* slot is a decimal number */
-			if (sscanf(token + 5, "%d", slot) != 1) {
-				fprintf(stderr, "slot number not deciphered!\n");
+			if (str_to_dec(token + 5, slot) != 1) {
+				Log(LOG_ERR,  "slot number not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "id_", 3)) {
 			/* certificate ID */
 			/* id is hexadecimal number */
 			if (!hex_to_bin(token + 3, id, id_len)) {
-				fprintf(stderr, "id not deciphered!\n");
+				Log(LOG_ERR,  "id not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "label_", 6)) {
@@ -1830,14 +1872,14 @@ static int parse_del_obj_string
 			/*  label is string */
 			*label = strdup(token + 6);
 			if (*label == NULL) {
-				fprintf(stderr, "label not deciphered!\n");
+				Log(LOG_ERR,  "label not deciphered!");
                 goto err;
 			}
 		} else if (!strncmp(token, "type_", 5)) {
 			/* Object type */
 			*type = strdup(token + 5);
 			if (*type == NULL) {
-				fprintf(stderr, "type not deciphered!\n");
+				Log(LOG_ERR,  "type not deciphered!");
                 goto err;
 			}
 		}
@@ -1845,7 +1887,7 @@ static int parse_del_obj_string
 	} /* end while(token) */
 
 	if (*type == NULL) {
-		fprintf(stderr, "type not present!\n");
+		Log(LOG_ERR,  "type not present!");
         goto err;
 	}
 
@@ -1872,7 +1914,7 @@ static int pkcs11_del_obj
 	PKCS11_TOKEN *tok;
 	PKCS11_KEY *keys, *ret_key = NULL;
 	unsigned int slot_count, key_count;
-	char flags[64];
+	char flags[FLAGS_LEN];
 	int n,m, type, retval = -1;
 	int local_init = 0;
 #define TYPE_PRIVKEY	1
@@ -1886,7 +1928,7 @@ static int pkcs11_del_obj
 	} else if (!strcmp(type_str, "cert")) {
 		type = TYPE_CERT;
 	} else {
-		fprintf(stderr, "invalid object type(%s)\n", type_str);
+		Log(LOG_ERR,  "invalid object type(%s)", type_str);
 		goto out;
 	}
 
@@ -1896,12 +1938,12 @@ static int pkcs11_del_obj
 	}
 
 	if (PKCS11_enumerate_slots(ctx, &slot_list, &slot_count)) {
-		fprintf(stderr, "failed to enumerate slots\n");
+		Log(LOG_ERR,  "failed to enumerate slots");
 		goto out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found %u slots\n", slot_count);
+		Log(LOG_INFO,  "Found %u slots", slot_count);
 	}
 
 	for (n = 0; n < slot_count; n++) {
@@ -1909,15 +1951,15 @@ static int pkcs11_del_obj
 		flags[0] = '\0';
 		if (slot->token) {
 			if (!slot->token->initialized)
-				strcat(flags, "uninitialized, ");
+				strncat(flags, "uninitialized, ", (FLAGS_LEN - strlen(flags) - 1));
 			else if (!slot->token->userPinSet)
-				strcat(flags, "no pin, ");
+				strncat(flags, "no pin, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->loginRequired)
-				strcat(flags, "login, ");
+				strncat(flags, "login, ", (FLAGS_LEN - strlen(flags) - 1));
 			if (slot->token->readOnly)
-				strcat(flags, "ro, ");
+				strncat(flags, "ro, ", (FLAGS_LEN - strlen(flags) - 1));
 		} else {
-			strcpy(flags, "no token");
+			strncpy(flags, "no token", sizeof(flags));
 		}
 		if ((m = strlen(flags)) != 0) {
 			flags[m - 2] = '\0';
@@ -1929,66 +1971,65 @@ static int pkcs11_del_obj
 		}
 
 		if (verbose) {
-			fprintf(stderr, "[%lu] %-25.25s  %-16s",
+			Log(LOG_INFO, "[%lu] %-25.25s  %-16s",
 				PKCS11_get_slotid_from_slot(slot),
 				slot->description, flags);
 			if (slot->token) {
-				fprintf(stderr, "  (%s)",
+				Log(LOG_INFO, "  (%s)",
 					slot->token->label[0] ?
 					slot->token->label : "no label");
 			}
-			fprintf(stderr, "\n");
 		}
 	}
 
 	if (found_slot) {
 		slot = found_slot; 
 	} else {
-		fprintf(stderr, "Invalid slot number: %d\n", (int)slot_nr);
+		Log(LOG_ERR,  "Invalid slot number: %d", (int)slot_nr);
 		goto err_out;
 	}
 
 	tok = slot->token;
 
 	if (tok == NULL) {
-		fprintf(stderr, "Found empty token; \n");
+		Log(LOG_ERR,  "Found empty token; ");
 		goto err_out;
 	}
 
 	if (verbose) {
-		fprintf(stderr, "Found slot:  %s\n", slot->description);
-		fprintf(stderr, "Found token: %s\n", slot->token->label);
+		Log(LOG_INFO,  "Found slot:  %s", slot->description);
+		Log(LOG_INFO,  "Found token: %s", slot->token->label);
 	}
 
 	if ((tok->loginRequired) && (do_login(slot))) {
-		fprintf(stderr, "failed to login\n");
+		Log(LOG_ERR,  "failed to login");
 		goto err_out;
 	}
 
 	switch(type) {
 		case TYPE_CERT:
 			if (PKCS11_remove_certificate(tok, label, id, id_len)) {
-				fprintf(stderr, "failed to delete certificate\n");
+				Log(LOG_ERR,  "failed to delete certificate");
 				goto err_out;
 			}
 			break;
 
 		case TYPE_PUBKEY:
 			if (PKCS11_remove_public_key(tok, label, id, id_len)) {
-				fprintf(stderr, "failed to delete public key\n");
+				Log(LOG_ERR,  "failed to delete public key");
 				goto err_out;
 			}
 			break;
 
 		case TYPE_PRIVKEY:
 			if (PKCS11_remove_private_key(tok, label, id, id_len)) {
-				fprintf(stderr, "failed to delete private key\n");
+				Log(LOG_ERR,  "failed to delete private key");
 				goto err_out;
 			}
 			break;
 
 		default:
-			fprintf(stderr, "object type(%s) not supported\n", type_str);
+			Log(LOG_ERR,  "object type(%s) not supported", type_str);
 			goto err_out;
 			break;
 	}
@@ -1998,7 +2039,7 @@ err_out:
 	PKCS11_release_all_slots(ctx, slot_list, slot_count);
 out:
 	if (local_init) {
-		free_pkcs11_ctx(e);
+		free_pkcs11_ctx();
 	}
 	return retval;
 }
@@ -2013,34 +2054,34 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
 	int slot_nr = -1;
 	unsigned char *pp, *data = NULL;
 	int data_len = 0;
-	FILE *f;
+	FILE *f = NULL;
 	EVP_PKEY *pk;
 	RSA *rsa;
 
 	if (!p || !*p) {
-		fprintf(stderr, "no parameter\n");
+		Log(LOG_ERR,  "no parameter");
 		return 0;
 	}
 
 	n = parse_key_string(p, &slot_nr, key_id, &key_id_len,
 				&key_label, &key_file);
 	if (n) {
-		fprintf(stderr,
-			"supported format: slot_<slot>:id_<id>:label_<label>:key_<filename>\n");
-		fprintf(stderr,
-			"where <slot> is the slot number as normal integer,\n");
-		fprintf(stderr,
-			"and <id> is the id number as hex string.\n");
-		fprintf(stderr,
-			"and <label> is the textual key label string.\n");
-		fprintf(stderr,
-			"and <filename> is the key filename with full path.\n");
+		Log(LOG_INFO,
+			"supported format: slot_<slot>:id_<id>:label_<label>:key_<filename>");
+		Log(LOG_INFO,
+			"where <slot> is the slot number as normal integer,");
+		Log(LOG_INFO,
+			"and <id> is the id number as hex string.");
+		Log(LOG_INFO,
+			"and <label> is the textual key label string.");
+		Log(LOG_INFO,
+			"and <filename> is the key filename with full path.");
 		goto get_pubkey_err_out;
 	}
 
 	f = fopen(key_file, "wb");
 	if (f == NULL) {
-		fprintf(stderr, "Couldn't open key file \"%s\"\n", key_file);
+		Log(LOG_ERR,  "Couldn't open key file \"%s\"", key_file);
 		goto get_pubkey_err_out;
 	}
 
@@ -2049,22 +2090,23 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
 		key_id_len = 0;
 
 	if (verbose) {
-		fprintf(stderr, "Getting public key in slot(%d) with label(%s) and id(",
-			slot_nr, key_label);
-			for (n = 0; n < key_id_len; n++)
-				fprintf(stderr, "%02x", key_id[n]);
-			fprintf(stderr, ")\n");
+		char tmp[MAX_VALUE_LEN];
+		for (n = 0; n < key_id_len; n++) {
+			snprintf(&tmp[n*2], 2, "%02x", key_id[n]);
+		}
+		Log(LOG_INFO, "Getting public key in slot(%d) with label(%s) and id(%s)",
+			slot_nr, key_label, tmp);
 	}
 
 	pk = pkcs11_load_key(e, slot_nr, key_id, key_id_len, key_label, NULL, NULL, 0);
 	if (pk == NULL) {
-		fprintf(stderr, "PKCS11_load_public_key returned NULL\n");
+		Log(LOG_ERR,  "PKCS11_load_public_key returned NULL");
 		goto get_pubkey_err_out;
 	}
 
 	rsa = EVP_PKEY_get1_RSA(pk);
 	if (rsa == NULL) {
-		fprintf(stderr, "Couldn't retrieve RSA key form EVP_PKEY\n");
+		Log(LOG_ERR,  "Couldn't retrieve RSA key form EVP_PKEY");
 		goto get_pubkey_err_out;
 	}
 
@@ -2072,7 +2114,7 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
 	/* To store in DER format */
 	data_len = i2d_RSAPublicKey(rsa, NULL); 
 	if ((data = (unsigned char *)malloc(data_len)) == NULL) {
-		fprintf(stderr, "couldn't allocate memory for key\n");
+		Log(LOG_ERR,  "couldn't allocate memory for key");
 		goto get_pubkey_err_out;
 	}
 	pp = data;
@@ -2080,12 +2122,12 @@ int get_pubkey_cmd(ENGINE * e, const char *p)
 	n = fwrite(data, 1, data_len, f);
 
 	if (n != data_len) {
-		fprintf(stderr, "Couldn't write to file \"%s\"\n", key_file);
+		Log(LOG_ERR,  "Couldn't write to file \"%s\"", key_file);
 		goto get_pubkey_err_out;
 	}
 #endif
 	if (!PEM_write_RSA_PUBKEY(f, rsa)) {
-		fprintf(stderr, "Couldn't write to file \"%s\"\n", key_file);
+		Log(LOG_ERR,  "Couldn't write to file \"%s\"", key_file);
 		goto get_pubkey_err_out;
 	}
 
@@ -2114,18 +2156,19 @@ static int parse_key_string
 	char *str, *lasts;
     int rv = -1;
 
-	if (!key_get_str)
+	if (!key_get_str) {
 		return -1;
-
+	}
 	str = strdup(key_get_str);
-	if (str == NULL)
+	if (str == NULL) {
 		return -1;
-
+	}
 	/* Default values */
 	*slot = 0;
 	*label = NULL;
-	if (key_file) *key_file = NULL;
-
+	if (key_file) {
+		*key_file = NULL;
+	}
 	token = strtok_r(str, sep, &lasts);
 
 	while (token) {
@@ -2133,15 +2176,15 @@ static int parse_key_string
 		/* slot identifier */
 		if (!strncmp(token, "slot_", 5)) {
 			/* slot is a decimal number */
-			if (sscanf(token + 5, "%d", slot) != 1) {
-				fprintf(stderr, "slot number not deciphered!\n");
+			if (str_to_dec(token + 5, slot) != 1) {
+				Log(LOG_ERR,  "slot number not deciphered!");
 				goto err;
 			}
 		} else if (!strncmp(token, "id_", 3)) {
 			/* certificate ID */
 			/* id is hexadecimal number */
 			if (!hex_to_bin(token + 3, id, id_len)) {
-				fprintf(stderr, "id not deciphered!\n");
+				Log(LOG_ERR,  "id not deciphered!");
 				goto err;
 			}
 		} else if (!strncmp(token, "label_", 6)) {
@@ -2149,14 +2192,14 @@ static int parse_key_string
 			/*  label is string */
 			*label = strdup(token + 6);
 			if (*label == NULL) {
-				fprintf(stderr, "label not deciphered!\n");
+				Log(LOG_ERR,  "label not deciphered!");
 				goto err;
 			}
 		} else if ((key_file) && (!strncmp(token, "key_", 4))) {
 			/* key file name */
 			*key_file = strdup(token + 4);
 			if (*key_file == NULL) {
-				fprintf(stderr, "key file not deciphered!\n");
+				Log(LOG_ERR,  "key file not deciphered!");
 				goto err;
 			}
 		}
@@ -2164,7 +2207,7 @@ static int parse_key_string
 	} /* end while(token) */
 
 	if ((key_file) && (*key_file == NULL)) {
-		fprintf(stderr, "key file name not present!\n");
+		Log(LOG_ERR,  "key file name not present!");
 		goto err;
 	}