Ubuntu
coolkey package

Merge lp:~serialorder/ubuntu/precise/coolkey/fixmOldCACAssertError into lp:ubuntu/precise/coolkey

Proposed by Manny Vindiola on 2013-01-15

Status:	Work in progress
Proposed branch:	lp:~serialorder/ubuntu/precise/coolkey/fixmOldCACAssertError
Merge into:	lp:ubuntu/precise/coolkey
Diff against target:	26677 lines (+13805/-12410) 49 files modified .pc/0001-Fix-working-with-empty-certificates-in-not-zero-slot.patch/src/coolkey/slot.cpp (+13/-10) .pc/Handle-pcscd-restarting/src/coolkey/Makefile.am (+82/-0) .pc/Handle-pcscd-restarting/src/coolkey/slot.cpp (+3554/-0) .pc/Handle-pcscd-restarting/src/libckyapplet/cky_card.c (+1198/-0) .pc/applied-patches (+2/-2) .pc/coolkey-cac-1.patch/src/coolkey/object.cpp (+0/-1068) .pc/coolkey-cac-1.patch/src/coolkey/slot.cpp (+0/-3547) .pc/coolkey-cac-rhl5.patch/src/coolkey/slot.cpp (+3357/-0) .pc/coolkey-cac-rhl5.patch/src/coolkey/slot.h (+600/-0) .pc/coolkey-cac-rhl5.patch/src/libckyapplet/cky_applet.c (+1345/-0) .pc/coolkey-cac-rhl5.patch/src/libckyapplet/cky_applet.h (+544/-0) .pc/coolkey-cac-rhl5.patch/src/libckyapplet/cky_base.c (+626/-0) .pc/coolkey-cac-rhl5.patch/src/libckyapplet/cky_base.h (+275/-0) .pc/coolkey-cac-rhl5.patch/src/libckyapplet/cky_factory.c (+633/-0) .pc/coolkey-cac-rhl5.patch/src/libckyapplet/cky_factory.h (+221/-0) .pc/coolkey-cac.patch/src/coolkey/slot.cpp (+0/-3357) .pc/coolkey-cac.patch/src/coolkey/slot.h (+0/-600) .pc/coolkey-cac.patch/src/libckyapplet/cky_applet.c (+0/-1345) .pc/coolkey-cac.patch/src/libckyapplet/cky_applet.h (+0/-544) .pc/coolkey-cac.patch/src/libckyapplet/cky_base.c (+0/-626) .pc/coolkey-cac.patch/src/libckyapplet/cky_base.h (+0/-275) .pc/coolkey-cac.patch/src/libckyapplet/cky_factory.c (+0/-633) .pc/coolkey-cac.patch/src/libckyapplet/cky_factory.h (+0/-221) debian/README.Debian (+11/-2) debian/changelog (+30/-27) debian/compat (+1/-1) debian/control (+4/-5) debian/coolkey.dirs (+0/-1) debian/copyright (+86/-112) debian/libckyapplet1-dev.lintian-overrides (+1/-0) debian/patches/0001-Fix-working-with-empty-certificates-in-not-zero-slot.patch (+1/-6) debian/patches/99-fixmAsserterror.patch (+16/-0) debian/patches/Handle-pcscd-restarting (+75/-0) debian/patches/coolkey-cac-1.patch (+4/-0) debian/patches/coolkey-cac-rhl5.patch (+1032/-0) debian/patches/coolkey-cac.patch (+5/-0) debian/patches/coolkey-cache-dir-move.patch (+7/-0) debian/patches/coolkey-gcc43.patch (+8/-0) debian/patches/coolkey-latest.patch (+8/-0) debian/patches/coolkey-pcsc-lite (+1/-1) debian/patches/coolkey-simple-bugs.patch (+6/-0) debian/patches/coolkey-thread-fix.patch (+13/-0) debian/patches/series (+3/-2) debian/rules (+10/-6) src/coolkey/Makefile.am (+1/-1) src/coolkey/object.cpp (+0/-4) src/coolkey/slot.cpp (+26/-14) src/libckyapplet/cky_applet.h (+1/-0) src/libckyapplet/cky_card.c (+5/-0)
To merge this branch:	bzr merge lp:~serialorder/ubuntu/precise/coolkey/fixmOldCACAssertError
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Marc Deslauriers		Needs Fixing on 2013-01-23
Ubuntu branches	2013-01-15	Pending
Review via email: mp+143333@code.launchpad.net

Description of the change

Fixes an error that caused firefox to crash when a CAC was inserted into the SCR3310.
The error was based on failing to initialize a variable.
I have verified that the package builds and that firefox no longer crashes and the CAC can be used
succesfully within firefox

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2013-01-23:

Thanks for the merge request. Here are some comments:

1- Please file a bug for this issue if you want it to get fixed in stable releases, as an SRU needs to have an associated bug. Please add the bug number to the debian/changelog file.
2- Please rebase this merge request against the dev release (Raring). Once the fix is included in raring, it can be backported to the stable releases (Quantal, Precise)
3- Please add proper tags to the patch header. (See http://dep.debian.net/deps/dep3/)
4- Please add the name of the patch to debian/changelog to make it easier to track in the future.

Thanks!

review: Needs Fixing

Unmerged revisions

13. By Manny Vindiola on 2013-01-15: Fix Firefox crash due to "Assertion `mOldCAC' failed" error
based on patch from www.spinics.net/linux/fedora/coolkey/msg00368.html
12. By Manny Vindiola on 2013-01-15: Fix "Assertion `mOldCAC' failed" error based on patch from
www.spinics.net/linux/fedora/coolkey/msg00368.html
11. By A. Maitland Bottoms <email address hidden> on 2012-04-11: * The coolkey device driver has been updated to follow the new Card
  Compatibility Container (CCC) specification, so that
  Gemalto TOPDLGX4 144K CAC cards are now supported.
* Handle pcscd restarting.
* debian/control: Standards-Version: 3.9.2 -> 3.9.3.
  Dep3 headers updated in debian/patches files;
  Dep5 Machine-readable debian/copyright

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Manny Vindiola

Ubuntu branches

 === modified file '.pc/0001-Fix-working-with-empty-certificates-in-not-zero-slot.patch/src/coolkey/slot.cpp'
 --- .pc/0001-Fix-working-with-empty-certificates-in-not-zero-slot.patch/src/coolkey/slot.cpp	2011-07-20 13:18:57 +0000
 +++ .pc/0001-Fix-working-with-empty-certificates-in-not-zero-slot.patch/src/coolkey/slot.cpp	2013-01-15 15:55:32 +0000
@@ -589,6 +589,7 @@
      if( ! CKYCardConnection_IsConnected(conn) ) {
          int i = 0;
      //for cranky readers try again a few more times
++	status = CKYSCARDERR;
          while( i++ < 5 && status != CKYSUCCESS )
+         {
              status = CKYCardConnection_Connect(conn, readerName);
@@ -679,7 +680,13 @@
          log->log("CoolKey Select failed 0x%x\n", status);
  	status = getCACAid();
  	if (status != CKYSUCCESS) {
--	    goto loser;
++	    log->log("CAC Select failed 0x%x\n", status);
++	    if (status == CKYSCARDERR) {
++		log->log("CAC Card Failure 0x%x\n",
++				CKYCardConnection_GetLastError(conn));
++		disconnect();
++	    }
++	    return;
+ 	}
  	state |= CAC_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;
  	/* skip the read of the cuid. We really don't need it and,
@@ -690,15 +697,6 @@
  	needLogin = 1;
          mCoolkey = 0;
  	return;
--
--loser:
--        log->log("CAC Select failed 0x%x\n", status);
--	if (status == CKYSCARDERR) {
--	    log->log("CAC Card Failure 0x%x\n",
--			CKYCardConnection_GetLastError(conn));
--	    disconnect();
--	}
--	return;
+     }
      mCoolkey = 1;
      log->log("time connect: Select Applet %d ms\n", OSTimeNow() - time);
@@ -2185,6 +2183,7 @@
+ {
      CKYStatus status;
      CKYISOStatus apduRC;
++    *nextSize = 0;
      if (mOldCAC) {
  	/* get the first 100 bytes of the cert */
@@ -3399,6 +3398,10 @@
          status = CKYApplet_ComputeCrypt(conn, keyNum, CKY_RSA_NO_PAD, direction,
  		input, NULL, output, getNonce(), &result);
+     }
++    /* map the ISO not logged in code to the coolkey one */
++    if (status == CKYISO_CONDITION_NOT_SATISFIED) {
++	status = (CKYStatus) CKYISO_UNAUTHORIZED;
++    }
      if (status != CKYSUCCESS) {
  	if ( status == CKYSCARDERR ) {
  	    handleConnectionError();
 === added directory '.pc/Handle-pcscd-restarting'
 === added directory '.pc/Handle-pcscd-restarting/src'
 === added directory '.pc/Handle-pcscd-restarting/src/coolkey'
 === added file '.pc/Handle-pcscd-restarting/src/coolkey/Makefile.am'
 --- .pc/Handle-pcscd-restarting/src/coolkey/Makefile.am	1970-01-01 00:00:00 +0000
 +++ .pc/Handle-pcscd-restarting/src/coolkey/Makefile.am	2013-01-15 15:55:32 +0000
@@ -0,0 +1,82 @@
++# ***** BEGIN COPYRIGHT BLOCK *****
++# Copyright (C) 2005 Red Hat, Inc.
++# All rights reserved.
++#
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation version
++# 2.1 of the License.
++#
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
++# ***** END COPYRIGHT BLOCK *****
++
++# Process this file with automake to create Makefile.in
++
++SUBDIRS =
++AM_CPP_FLAGS =
++EXTRA_DIST = coolkeypk11.def coolkeypk11.rc
++if IS_WINDOWS
++pkcs11dir = $(libdir)
++else
++pkcs11dir = $(libdir)/pkcs11
++endif
++pkcs11_LTLIBRARIES = libcoolkeypk11.la
++
++libcoolkeypk11_la_SOURCES = \
++	coolkey.cpp \
++	dllmain.cpp \
++	locking.cpp \
++	log.cpp \
++	machdep.cpp \
++	object.cpp \
++	PKCS11Exception.cpp \
++	slot.cpp    \
++	locking.h \
++	log.h \
++	machdep.h \
++	mypkcs11.h \
++	object.h \
++	params.h \
++	PKCS11Exception.h \
++	pkcs11f.h \
++	pkcs11.h \
++	pkcs11n.h \
++	pkcs11t.h \
++	slot.h \
++	$(NULL)
++
++libcoolkeypk11_la_LDFLAGS =  -avoid-version -export-symbols coolkeypk11.sym -no-undefined
++libcoolkeypk11_la_CPPFLAGS = $(CPPFLAGS) -DNSS_HIDE_NONSTANDARD_OBJECTS=1 -I$(top_srcdir)/src/libckyapplet $(PCSC_CFLAGS) $(ZLIB_CFLAGS)
++libcoolkeypk11_la_DEPENDENCIES = coolkeypk11.sym
++libcoolkeypk11_la_LIBADD = @LIBCKYAPPLET@ $(ZLIB_LIBS)
++
++
++#
++# sigh, libtool doesn't maintain Linux and Solaris versioning info in
++# their .def file. So convert a very general, easy to work an any platform
++# coreconf .def file to a simplistic but acceptable libtool .sym file
++#
++coolkeypk11.sym: coolkeypk11.def
++	grep -v ';+' $< | grep -v ';-' | sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' > $@
++
++clean-generic:
++	rm -f coolkeypk11.sym
++
++# remove the static and libtool libraries if necessary
++install-data-hook:
++	rm -f $(DESTDIR)$(pkcs11dir)/libcoolkeypk11.a
++	rm -f $(DESTDIR)$(pkcs11dir)/libcoolkeypk11.la
++if IS_WINDOWS
++	rm -f $(DESTDIR)$(pkcs11dir)/libcoolkeypk11.lib
++	mv $(DESTDIR)$(pkcs11dir)/libcoolkeypk11.dll $(DESTDIR)$(pkcs11dir)/coolkeypk11.dll
++	cp $(ZLIB_LIB)/../zlib1.dll $(DESTDIR)/$(libdir)/zlib1.dll
++endif
++
++
 === added file '.pc/Handle-pcscd-restarting/src/coolkey/slot.cpp'
 --- .pc/Handle-pcscd-restarting/src/coolkey/slot.cpp	1970-01-01 00:00:00 +0000
 +++ .pc/Handle-pcscd-restarting/src/coolkey/slot.cpp	2013-01-15 15:55:32 +0000
@@ -0,0 +1,3554 @@
++/* ***** BEGIN COPYRIGHT BLOCK *****
++ * Copyright (C) 2005 Red Hat, Inc.
++ * All rights reserved.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation version
++ * 2.1 of the License.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
++ * ***** END COPYRIGHT BLOCK *****/
++
++#include <string>
++#include "mypkcs11.h"
++#include <stdio.h>
++#include <assert.h>
++#include "log.h"
++#include "PKCS11Exception.h"
++#include <winscard.h>
++#include "slot.h"
++#include "zlib.h"
++#include "params.h"
++
++#include "machdep.h"
++
++#define MIN(x, y) ((x) < (y) ? (x) : (y))
++
++
++
++#ifdef DEBUG
++#define PRINTF(args) printf args
++#else
++#define PRINTF(args)
++#endif
++// #define DISPLAY_WHOLE_GET_DATA 1
++
++
++// The Cyberflex Access 32k egate ATR
++const CKYByte ATR[] =
++{ 0x3b, 0x75, 0x94, 0x00, 0x00, 0x62, 0x02, 0x02, 0x02, 0x01 };
++const CKYByte ATR1[] =
++{ 0x3b, 0x75, 0x94, 0x00, 0x00, 0x62, 0x02, 0x02, 0x03, 0x01 };
++const CKYByte ATR3[] =
++{ 0x3b, 0x76, 0x94, 0x00, 0x00, 0xff, 0x62, 0x76, 0x01, 0x00, 0x00 };
++/* RSA SecurID */
++const CKYByte ATR2[] =
++{  0x3B, 0x6F, 0x00, 0xFF, 0x52, 0x53, 0x41, 0x53, 0x65, 0x63, 0x75, 0x72,
++   0x49, 0x44, 0x28, 0x52, 0x29, 0x31, 0x30 };
++
++SlotList::SlotList(Log *log_) : log(log_)
++{
++    // initialize things to NULL so we can recover from an exception
++    slots = NULL;
++    numSlots = 0;
++    readerStates = NULL;
++    numReaders = 0;
++    context = NULL;
++    shuttingDown  = FALSE;
++
++    try {
++
++        context = CKYCardContext_Create(SCARD_SCOPE_USER);
++        if( context == NULL) {
++            throw PKCS11Exception(CKR_GENERAL_ERROR,
++                "Failed to create card context\n");
++        }
++	updateSlotList();
++    } catch( PKCS11Exception &) {
++        CKYCardContext_Destroy(context);
++	if (readerStates) {
++	    CKYReader_DestroyArray(readerStates, numReaders);
++	}
++        throw;
++    }
++}
++
++SlotList::~SlotList()
++{
++    if( slots ) {
++        assert( numSlots > 0 );
++        for( unsigned int i=0; i < numSlots; ++i ) {
++            delete slots[i];
++        }
++        delete [] slots;
++        slots = NULL;
++        numSlots = 0;
++    }
++    if (readerStates) {
++	CKYReader_DestroyArray(readerStates, numReaders);
++	readerStates = NULL;
++        numReaders = 0;
++    }
++    if (context) {
++	CKYCardContext_Destroy(context);
++ 	context = NULL;
++    }
++}
++void
++SlotList::shutdown()
++{
++   shuttingDown = TRUE;
++   CKYCardContext_Cancel(context);
++}
++
++void
++SlotList::updateSlotList()
++{
++    Slot **newSlots = NULL;
++    Slot **oldSlots = NULL;
++
++    readerListLock.getLock();
++
++    updateReaderList();
++
++    if (numSlots == numReaders) {
++        readerListLock.releaseLock();
++	return;
++    }
++    assert(numSlots < numReaders);
++    if (numSlots > numReaders) {
++        readerListLock.releaseLock();
++	throw PKCS11Exception(CKR_GENERAL_ERROR,
++			"Reader and slot count inconsistent\n");
++    }
++
++    try {
++	newSlots = new Slot*[numReaders];
++        if (newSlots == NULL )
++	    throw PKCS11Exception(CKR_HOST_MEMORY);
++	memset(newSlots, 0, numReaders*sizeof(Slot*));
++
++        memcpy(newSlots, slots, sizeof(slots[0]) * numSlots);
++
++	for (unsigned int i=numSlots; i < numReaders; i++) {
++	    newSlots[i] = new
++		Slot(CKYReader_GetReaderName(&readerStates[i]), log, context);
++	}
++
++	oldSlots = slots;
++	slots = newSlots;  // update the pointer first
++	numSlots = numReaders; // now update the count
++	if (oldSlots) {    // ok we can free the old value now
++	    delete [] oldSlots;
++	}
++    } catch( PKCS11Exception &) {
++        // Recover by deleting everything that was created.
++        if( newSlots ) {
++            assert(numSlots < numReaders );
++            for( unsigned int i=numSlots; i < numReaders; ++i ) {
++                if( newSlots[i] ) {
++                    delete newSlots[i];
++                }
++            }
++            delete [] newSlots;
++        }
++        readerListLock.releaseLock();
++        throw;
++    }
++    readerListLock.releaseLock();
++
++}
++
++bool
++SlotList::readerExists(const char *readerName, unsigned int *hint)
++{
++    unsigned int start = 0;
++    unsigned int i;
++
++    if (hint && (*hint < numReaders)) {
++	start = *hint;
++    }
++
++    /*
++     * We use 'hint' as a way of deciding where to
++     * start. This way we can handle the normal case where the name list
++     * and the readerState matches one for one with a single string compare.
++     */
++    for (i=start; i < numReaders; i++) {
++	if (strcmp(CKYReader_GetReaderName(&readerStates[i]),readerName) == 0) {
++	    if (hint) {
++		*hint = i+1;
++	    }
++	    return TRUE;
++	}
++    }
++    /* we guessed wrong, check the first part of the reader states */
++    for (i=0; i < start; i++) {
++	if (strcmp(CKYReader_GetReaderName(&readerStates[i]),readerName) == 0) {
++	    if (hint) {
++		*hint = i+1;
++	    }
++	    return TRUE;
++	}
++    }
++    /* OK, we've found a genuinely new reader */
++    return FALSE;
++}
++
++bool
++SlotList::readerNameExistsInList(const char *readerName,CKYReaderNameList *readerNameList)
++{
++    if( !readerName || !readerNameList) {
++        return FALSE;
++    }
++
++    int i = 0;
++    int readerNameCnt = CKYReaderNameList_GetCount(*readerNameList);
++
++    const char *curReaderName = NULL;
++    for(i=0; i < readerNameCnt; i++) {
++        curReaderName = CKYReaderNameList_GetValue(*readerNameList,i);
++
++        if(!strcmp(curReaderName,readerName)) {
++            return TRUE;
++        }
++
++    }
++
++    return FALSE;
++}
++
++/*
++ * you need to hold the ReaderList Lock before you can update the ReaderList
++ */
++#define MAX_READER_DELTA 4
++void
++SlotList::updateReaderList()
++{
++    CKYReaderNameList readerNames = NULL;
++
++    CKYStatus status = CKYCardContext_ListReaders(context, &readerNames);
++    if ( status != CKYSUCCESS ) {
++	throw PKCS11Exception(CKR_GENERAL_ERROR,
++                "Failed to list readers: 0x%x\n",
++				CKYCardContext_GetLastError(context));
++    }
++
++    if (!readerStates) {
++	/* fresh Reader State list, just create it */
++	readerStates = CKYReader_CreateArray(readerNames, (CKYSize *)&numReaders);
++
++	/* if we have no readers, make sure we have at least one to keep things
++	 * happy */
++	if (readerStates == NULL &&
++			 CKYReaderNameList_GetCount(readerNames) == 0) {
++	    readerStates = (SCARD_READERSTATE *)
++				malloc(sizeof(SCARD_READERSTATE));
++	    if (readerStates) {
++		CKYReader_Init(readerStates);
++		status = CKYReader_SetReaderName(readerStates, "E-Gate 0 0");
++		if (status != CKYSUCCESS) {
++ 		    CKYReader_DestroyArray(readerStates, 1);
++		    readerStates = NULL;
++		} else {
++		    numReaders = 1;
++		}
++	    }
++	}
++	CKYReaderNameList_Destroy(readerNames);
++
++	if (readerStates == NULL) {
++	    throw PKCS11Exception(CKR_HOST_MEMORY,
++				"Failed to allocate ReaderStates\n");
++	}
++	return;
++    }
++
++    /* it would be tempting at this point just to see if we have more readers
++     * then specified previously. The problem with this is it is possible that
++     * some readers have been deleted, so the only way to tell if we have
++     * new readers is to see if there are any readers on the list that we
++     * don't recognize.
++     */
++
++    /* first though, let's check to see if any previously removed readers have
++     * come back from the dead. If the ignored bit has been set, we do not need
++     * it any more.
++    */
++
++    const char *curReaderName = NULL;
++    unsigned long knownState = 0;
++    for(int ri = 0 ; ri < numReaders; ri ++)  {
++
++        knownState = CKYReader_GetKnownState(&readerStates[ri]);
++        if( !(knownState & SCARD_STATE_IGNORE))  {
++            continue;
++        }
++
++        curReaderName =  CKYReader_GetReaderName(&readerStates[ri]);
++        if(readerNameExistsInList(curReaderName,&readerNames)) {
++            CKYReader_SetKnownState(&readerStates[ri], knownState & ~SCARD_STATE_IGNORE);
++
++        }
++    }
++
++    const char *newReadersData[MAX_READER_DELTA];
++    const char **newReaders = &newReadersData[0];
++    unsigned int newReaderCount = 0;
++    unsigned int hint = 0;
++
++    try {
++	CKYReaderNameIterator iter;
++
++	for (iter = CKYReaderNameList_GetIterator(readerNames);
++				!CKYReaderNameIterator_End(iter);
++				iter = CKYReaderNameIterator_Next(iter)) {
++	    const char *thisReaderName = CKYReaderNameIterator_GetValue(iter);
++	    if (!readerExists(thisReaderName, &hint)) {
++		if (newReaderCount == MAX_READER_DELTA) {
++		    /* oops, we overflowed our buffer, alloc a new one right
++		     * quick. This code is very unlikely, so it's not fast,
++		     * but it's  meant to keep working, even in this weird
++		     * condition. NOTE: it assumes that we can't have any
++		     * more  new readers than candidate readers we are
++		     * checking */
++		    int maxReaders = CKYReaderNameList_GetCount(readerNames);
++		    assert(maxReaders > MAX_READER_DELTA);
++		    newReaders = new const char *[maxReaders];
++		    if (!newReaders) {
++			throw PKCS11Exception(CKR_HOST_MEMORY,
++			   "Could allocate space for %d new readers\n",
++								maxReaders);
++		    }
++		    memcpy(newReaders, newReadersData,
++				MAX_READER_DELTA*sizeof(newReadersData[0]));
++		}
++		newReaders[newReaderCount++] = thisReaderName;
++	    }
++	}
++	/* OK, we haven't added any new readers, blow out now */
++	if (newReaderCount == 0) {
++	    CKYReaderNameList_Destroy(readerNames);
++	    return;
++	}
++
++	status = CKYReader_AppendArray(&readerStates, numReaders,
++				newReaders, newReaderCount);
++	if (status != CKYSUCCESS) {
++	    throw PKCS11Exception(CKR_GENERAL_ERROR,
++			"Couldn't append %d new reader states\n",
++				newReaderCount);
++	}
++	numReaders += newReaderCount;
++
++	CKYReaderNameList_Destroy(readerNames);
++	/* free newReaders if w were forced to alloc it */
++	if (newReaders != &newReadersData[0]) {
++	    delete [] newReaders;
++	}
++	return;
++
++    } catch( PKCS11Exception &) {
++	CKYReaderNameList_Destroy(readerNames);
++	/* free newReaders if w were forced to alloc it */
++	if (newReaders != &newReadersData[0]) {
++	    delete [] newReaders;
++	}
++
++        throw;
++    }
++}
++
++
++Slot::Slot(const char *readerName_, Log *log_, CKYCardContext* context_)
++    : log(log_), readerName(NULL), personName(NULL), manufacturer(NULL),
++	slotInfoFound(false), context(context_), conn(NULL), state(UNKNOWN),
++	isVersion1Key(false), needLogin(false), fullTokenName(false),
++	mCoolkey(false), mOldCAC(false),
++#ifdef USE_SHMEM
++	shmem(readerName_),
++#endif
++	sessionHandleCounter(1), objectHandleCounter(1)
++{
++
++  tokenFWVersion.major = 0;
++  tokenFWVersion.minor = 0;
++
++
++  try {
++    conn = CKYCardConnection_Create(context);
++    if( conn == 0 ) {
++        throw PKCS11Exception(CKR_GENERAL_ERROR);
++    }
++    hwVersion.major = 255;
++    hwVersion.minor = 255;
++
++    //Initialize login state for both Version 1 keys and older keys
++    reverify = false;
++    nonceValid = false;
++    loggedIn = false;
++    pinCache.invalidate();
++    pinCache.clearPin();
++    //readSlotInfo();
++    manufacturer = strdup("Unknown");
++    if (!manufacturer) {
++	throw PKCS11Exception(CKR_HOST_MEMORY);
++    }
++    readerName = strdup(readerName_);
++    if (!readerName) {
++	throw PKCS11Exception(CKR_HOST_MEMORY);
++    }
++    CKYStatus ret = CKYBuffer_InitFromLen(&nonce, NONCE_SIZE);
++    if (ret != CKYSUCCESS) {
++	throw PKCS11Exception(CKR_HOST_MEMORY);
++    }
++    CKYBuffer_InitEmpty(&cardATR);
++    CKYBuffer_InitEmpty(&mCUID);
++    for (int i=0; i < MAX_CERT_SLOTS; i++) {
++	CKYBuffer_InitEmpty(&cardAID[i]);
++    }
++  } catch(PKCS11Exception &) {
++	if (conn) {
++	    CKYCardConnection_Destroy(conn);
++	}
++	if (manufacturer) {
++	    free(manufacturer);
++	}
++	if (readerName) {
++	    free(readerName);
++	}
++        throw;
++  }
++}
++
++void
++Slot::readSlotInfo(void)
++{
++#ifdef WIN32  /* Mac doesn't have the SCardGetAttrib function */
++    CKYStatus status;
++    CKYBuffer attrBuf;
++
++    CKYBuffer_InitEmpty(&attrBuf);
++    status = CKYCardConnection_GetAttribute(conn,
++			SCARD_ATTR_VENDOR_IFD_VERSION, &attrBuf);
++    if (status == CKYSUCCESS) {
++	const CKYByte *type = CKYBuffer_Data(&attrBuf);
++
++	if (CKYBuffer_Size(&attrBuf) == sizeof(unsigned long)) {
++	    /* buffer data is returned in machine order, not network or
++	     * applet order */
++	    unsigned long version = *(unsigned long *)type;
++	    hwVersion.major = (CK_BYTE) (version >> 24) & 0xff;
++	    hwVersion.minor = (CK_BYTE) (version >> 16) & 0xff;
++	}
++        status = CKYCardConnection_GetAttribute(conn,
++					SCARD_ATTR_VENDOR_NAME, &attrBuf);
++	if (status == CKYSUCCESS) {
++	    free(manufacturer);
++	    /* make sure manufacturer is NULL terminated */
++	    CKYBuffer_AppendChar(&attrBuf,0);
++	    manufacturer = strdup((const char *)CKYBuffer_Data(&attrBuf));
++	    slotInfoFound = true;
++	}
++    } else {
++	PRINTF(("readSlotInfo failed\n"));
++    }
++    CKYBuffer_FreeData(&attrBuf);
++#endif  /* WIN32 */
++}
++
++Slot::~Slot()
++{
++    if (conn) {
++	CKYCardConnection_Destroy(conn);
++    }
++    if (readerName) {
++	free(readerName);
++    }
++    if (personName) {
++	free(personName);
++    }
++    if (manufacturer) {
++	free(manufacturer);
++    }
++    CKYBuffer_FreeData(&nonce);
++    CKYBuffer_FreeData(&cardATR);
++    CKYBuffer_FreeData(&mCUID);
++    for (int i=0; i < MAX_CERT_SLOTS; i++) {
++	CKYBuffer_FreeData(&cardAID[i]);
++    }
++}
++
++template <class C>
++class ArrayFreer {
++  private:
++    C *ptr;
++  public:
++    ArrayFreer(C* cptr) : ptr(cptr) { }
++    ~ArrayFreer() {
++        if( ptr ) {
++            delete [] ptr;
++        }
++    }
++    void release() { ptr = NULL; }
++};
++
++CK_RV
++SlotList::getSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
++         CK_ULONG_PTR pulCount)
++{
++    CK_RV rv = CKR_OK;
++    unsigned int i;
++
++    if( pulCount == NULL ) {
++        throw PKCS11Exception(CKR_ARGUMENTS_BAD);
++    }
++
++    if (pSlotList == NULL) {
++        updateSlotList();
++    }
++
++    //
++    // first, figure out which slots have tokens present
++    //
++    bool * tokenIsPresent = new bool[numSlots];
++    if( tokenIsPresent == NULL ) {
++        throw PKCS11Exception(CKR_HOST_MEMORY);
++    }
++    ArrayFreer<bool> deleteTokIsPres(tokenIsPresent);
++
++    unsigned int numPresent = 0;
++    for( i = 0; i < numSlots; ++i ) {
++        tokenIsPresent[i] = slots[i]->isTokenPresent();
++        numPresent += tokenIsPresent[i];
++    }
++
++    //
++    // now fill in the slot list if it was supplied
++    //
++    if( pSlotList != NULL ) {
++        if( tokenPresent ) {
++            // only slots with tokens present
++            if( *pulCount >= numPresent ) {
++                // we have enough space to copy the slot IDs
++                unsigned int j;
++                for( i=0, j=0; i < numSlots; ++i ) {
++                    if( tokenIsPresent[i] ) {
++                        assert(j < numPresent);
++                        pSlotList[j++] = slotIndexToID(i);
++                    }
++                }
++                assert( j == numPresent );
++            } else {
++                // not enough space
++                rv = CKR_BUFFER_TOO_SMALL;
++            }
++        } else {
++            // all slots, even without tokens present
++            if( *pulCount >= numSlots ) {
++                // we have enough space to copy the slot IDs
++                for( i=0; i < numSlots; ++i ) {
++                    pSlotList[i] = slotIndexToID(i);
++                }
++            } else {
++                // not enough space
++                rv = CKR_BUFFER_TOO_SMALL;
++            }
++        }
++    }
++
++    // set the number of slots
++    if( tokenPresent ) {
++        *pulCount = numPresent;
++    } else {
++        *pulCount = numSlots;
++    }
++
++    return rv;
++}
++
++void
++Slot::connectToToken()
++{
++    CKYStatus status = CKYSCARDERR;
++    OSTime time = OSTimeNow();
++
++    mCoolkey = 0;
++    tokenFWVersion.major = 0;
++    tokenFWVersion.minor = 0;
++
++    // try to connect to the card
++    if( ! CKYCardConnection_IsConnected(conn) ) {
++        int i = 0;
++    //for cranky readers try again a few more times
++	status = CKYSCARDERR;
++        while( i++ < 5 && status != CKYSUCCESS )
++        {
++            status = CKYCardConnection_Connect(conn, readerName);
++            if( status != CKYSUCCESS &&
++                CKYCardConnection_GetLastError(conn) == SCARD_E_PROTO_MISMATCH )
++            {
++                log->log("Unable to connect to token status %d ConnGetGetLastError %x .\n",status,CKYCardConnection_GetLastError(conn));
++
++            }
++            else
++            {
++                break;
++            }
++            OSSleep(100000);
++        }
++
++        if( status != CKYSUCCESS)
++        {
++            state = UNKNOWN;
++            return;
++        }
++    }
++
++    log->log("time connect: Connect Time %d ms\n", OSTimeNow() - time);
++    if (!slotInfoFound) {
++	readSlotInfo();
++    }
++    log->log("time connect: Read Slot %d ms\n", OSTimeNow() - time);
++
++    // Get card state. See if it is present, and if the ATR matches
++    unsigned long cardState;
++    status = CKYCardConnection_GetStatus(conn, &cardState, &cardATR);
++    if( status != CKYSUCCESS ) {
++        disconnect();
++        return;
++    }
++    log->log("time connect: connection status %d ms\n", OSTimeNow() - time);
++    if( cardState & SCARD_PRESENT ) {
++        state = CARD_PRESENT;
++    }
++
++    if (Params::hasParam("noAppletOK"))
++    {
++        state |=  APPLET_SELECTABLE;
++	mCoolkey = 1;
++    }
++
++    /* support CAC card. identify the card based on applets, not the ATRS */
++    state |= ATR_MATCH;
++
++    /* our production cards should "ALWAYS" have an applet, even if it
++     * doesn't exit */
++    if ( CKYBuffer_DataIsEqual(&cardATR, ATR3, sizeof (ATR3)) ) {
++        state |= ATR_MATCH | APPLET_SELECTABLE;
++	mCoolkey = 1;
++
++    }
++
++    Transaction trans;
++    status = trans.begin(conn);
++
++    /* CAC card are cranky after they are first inserted.
++     *  don't continue until we can convince the tranaction to work */
++    for (int count = 0; count < 10 && status == CKYSCARDERR
++       && CKYCardConnection_GetLastError(conn) == SCARD_W_RESET_CARD; count++) {
++	log->log("CAC Card Reset detected retry %d: time %d ms\n", count,
++		OSTimeNow() - time);
++        CKYCardConnection_Disconnect(conn);
++	OSSleep(100000); /* 100 ms */
++        status = CKYCardConnection_Connect(conn, readerName);
++	if (status != CKYSUCCESS) {
++	   continue;
++	}
++	status = trans.begin(conn);
++    }
++
++    /* Can't get a transaction, give up */
++    if (status != CKYSUCCESS) {
++        log->log("Transaction Failed 0x%x\n", status);
++	handleConnectionError();
++    }
++
++    // see if the applet is selectable
++
++    log->log("time connnect: Begin transaction %d ms\n", OSTimeNow() - time);
++    status = CKYApplet_SelectCoolKeyManager(conn, NULL);
++    if (status != CKYSUCCESS) {
++        log->log("CoolKey Select failed 0x%x\n", status);
++	status = getCACAid();
++	if (status != CKYSUCCESS) {
++	    log->log("CAC Select failed 0x%x\n", status);
++	    if (status == CKYSCARDERR) {
++		log->log("CAC Card Failure 0x%x\n",
++				CKYCardConnection_GetLastError(conn));
++		disconnect();
++	    }
++	    return;
++	}
++	state |= CAC_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;
++	/* skip the read of the cuid. We really don't need it and,
++         * the only way to get it from the cac is to reset it.
++         * other apps may be running now, so resetting the cac is a bit
++         * unfriendly */
++	isVersion1Key = 0;
++	needLogin = 1;
++        mCoolkey = 0;
++	return;
++    }
++    mCoolkey = 1;
++    log->log("time connect: Select Applet %d ms\n", OSTimeNow() - time);
++
++    state |= APPLET_SELECTABLE;
++
++    // now see if the applet is personalized
++    CKYAppletRespGetLifeCycleV2 lifeCycleV2;
++    status = CKYApplet_GetLifeCycleV2(conn, &lifeCycleV2, NULL);
++    if (status != CKYSUCCESS) {
++	if (status == CKYSCARDERR) {
++	    disconnect();
++	}
++	return;
++    }
++    log->log("time connect: Get Personalization %d ms\n", OSTimeNow() - time);
++    if (lifeCycleV2.lifeCycle == CKY_APPLICATION_PERSONALIZED )
++    {
++        state |= APPLET_PERSONALIZED;
++    }
++    isVersion1Key = (lifeCycleV2.protocolMajorVersion == 1);
++    needLogin = (lifeCycleV2.pinCount != 0);
++    tokenFWVersion.major = lifeCycleV2.protocolMajorVersion;
++    tokenFWVersion.minor = lifeCycleV2.protocolMinorVersion;
++}
++
++bool
++Slot::cardStateMayHaveChanged()
++{
++    CKYStatus status;
++
++log->log("calling IsConnected\n");
++    if( !CKYCardConnection_IsConnected(conn) ) {
++        return true;
++    }
++log->log("IsConnected returned false\n");
++
++    // If the card has been removed or reset, this call will fail.
++    unsigned long cardState;
++    CKYBuffer aid;
++    CKYBuffer_InitEmpty(&aid);
++    status = CKYCardConnection_GetStatus(conn, &cardState, &aid);
++    CKYBuffer_FreeData(&aid);
++    if( status != CKYSUCCESS ) {
++        disconnect();
++        return true;
++    }
++    return false;
++}
++
++void
++Slot::invalidateLogin(bool hard)
++{
++    if (isVersion1Key) {
++	if (hard) {
++	    reverify = false; /* no need to revalidate in the future,
++	                       * we're clearing the nonce now */
++	    nonceValid = false;
++	    CKYBuffer_Zero(&nonce);
++	    CKYBuffer_Resize(&nonce,8);
++	} else {
++	    reverify = true;
++	}
++    } else {
++	loggedIn = false;
++	if (hard) {
++	    pinCache.invalidate();
++	    pinCache.clearPin();
++	}
++    }
++}
++
++void
++Slot::disconnect()
++{
++    CKYCardConnection_Disconnect(conn);
++    state = UNKNOWN;
++    closeAllSessions();
++    invalidateLogin(false);
++}
++
++CKYStatus
++Slot::getCACAid()
++{
++    CKYBuffer tBuf;
++    CKYBuffer vBuf;
++    CKYSize tlen, vlen;
++    CKYOffset toffset, voffset;
++    int certSlot = 0;
++    int i,length = 0;
++    CKYStatus status;
++
++    CKYBuffer_InitEmpty(&tBuf);
++    CKYBuffer_InitEmpty(&vBuf);
++
++    /* clear out the card AID's */
++    for (i=0; i < MAX_CERT_SLOTS; i++) {
++	CKYBuffer_Resize(&cardAID[i],0);
++    }
++
++    status = CACApplet_SelectCCC(conn,NULL);
++    if (status != CKYSUCCESS) {
++	/* are we an old CAC */
++	status = CACApplet_SelectPKI(conn, &cardAID[0], 0, NULL);
++	if (status != CKYSUCCESS) {
++	   /* no, just fail */
++	   return status;
++	}
++	/* yes, fill in the old applets */
++	mOldCAC = true;
++	for (i=1; i< MAX_CERT_SLOTS; i++) {
++	    CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);
++	}
++	return CKYSUCCESS;
++    }
++    /* definately not an old CAC */
++    mOldCAC = false;
++
++    /* read the TLV */
++    status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);
++    if (status != CKYSUCCESS) {
++	goto done;
++    }
++    status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);
++    if (status != CKYSUCCESS) {
++	goto done;
++    }
++    tlen = CKYBuffer_Size(&tBuf);
++    vlen = CKYBuffer_Size(&vBuf);
++
++    for(toffset = 2, voffset=2;
++	certSlot < MAX_CERT_SLOTS && toffset < tlen && voffset < vlen ;
++		voffset += length) {
++
++	CKYByte tag = CKYBuffer_GetChar(&tBuf, toffset);
++	length = CKYBuffer_GetChar(&tBuf, toffset+1);
++	toffset += 2;
++	if (length == 0xff) {
++	    length = CKYBuffer_GetShortLE(&tBuf, toffset);
++	    toffset +=2;
++	}
++	if (tag != CAC_TAG_CARDURL) {
++	    continue;
++	}
++	/* CARDURL tags must be at least 10 bytes long */
++	if (length < 10) {
++	    continue;
++	}
++	/* check the app type, should be TLV_APP_PKI */
++	if (CKYBuffer_GetChar(&vBuf, voffset+5) != CAC_TLV_APP_PKI) {
++	    continue;
++	}
++	status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf, voffset, 5);
++	if (status != CKYSUCCESS) {
++	    goto done;
++	}
++	status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf,
++								voffset+8, 2);
++	if (status != CKYSUCCESS) {
++	    goto done;
++	}
++	cardEF[certSlot] = CKYBuffer_GetShortLE(&vBuf, voffset+6);
++
++	certSlot++;
++    }
++    status = CKYSUCCESS;
++    if (certSlot == 0) {
++	status = CKYAPDUFAIL; /* probably neeed a beter error code */
++    }
++
++done:
++    CKYBuffer_FreeData(&tBuf);
++    CKYBuffer_FreeData(&vBuf);
++    return status;
++}
++
++void
++Slot::refreshTokenState()
++{
++    if( cardStateMayHaveChanged() ) {
++        log->log("card changed\n");
++	invalidateLogin(true);
++        closeAllSessions();
++	unloadObjects();
++        connectToToken();
++
++        if( state & APPLET_PERSONALIZED ) {
++            try {
++                loadObjects();
++            } catch(PKCS11Exception&) {
++                log->log("refreshTokenState: Failed to load objects.\n");
++                unloadObjects();
++            }
++        } else if (state & APPLET_SELECTABLE) {
++	    initEmpty();
++	}
++
++    }
++}
++
++bool
++Slot::isTokenPresent()
++{
++    refreshTokenState();
++    log->log("isTokenPresent, card state is 0x%x\n", state);
++    return (state & APPLET_SELECTABLE) != 0;
++}
++
++CK_SESSION_HANDLE
++makeSessionHandle(CK_SLOT_ID slotID, SessionHandleSuffix suffix)
++{
++    assert( (slotID & 0x000000ff) == slotID );
++    return (slotID << 24) | suffix;
++}
++
++void
++SlotList::decomposeSessionHandle(CK_SESSION_HANDLE hSession, CK_SLOT_ID& slotID,
++    SessionHandleSuffix& suffix) const
++{
++    slotID = hSession >> 24;
++    suffix = SessionHandleSuffix(hSession);
++    try {
++        validateSlotID(slotID);
++    } catch(PKCS11Exception&) {
++        log->log("Invalid slotID %d pulled from session handle 0x%08x\n",
++            slotID, hSession);
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++}
++
++void
++SlotList::openSession(Session::Type type, CK_SLOT_ID slotID,
++    CK_SESSION_HANDLE_PTR phSession)
++{
++    validateSlotID(slotID);
++
++    SessionHandleSuffix suffix =
++        slots[slotIDToIndex(slotID)]->openSession(type);
++
++    *phSession = makeSessionHandle(slotID, suffix);
++}
++
++void
++SlotList::closeSession(CK_SESSION_HANDLE hSession)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->closeSession(suffix);
++}
++
++
++SessionHandleSuffix
++Slot::openSession(Session::Type type)
++{
++    ensureTokenPresent();
++    return generateNewSession(type);
++}
++
++class SessionHandleSuffixMatch {
++  private:
++    SessionHandleSuffix suffix;
++  public:
++    explicit SessionHandleSuffixMatch(SessionHandleSuffix s) : suffix(s) { }
++    bool operator()(const Session& session) {
++        return session.getHandleSuffix() == suffix;
++    }
++};
++
++bool
++Slot::isValidSession(SessionHandleSuffix handleSuffix) const
++{
++    SessionConstIter iter;
++    iter = findConstSession(handleSuffix);
++    return (iter != sessions.end());
++}
++
++void
++Slot::closeSession(SessionHandleSuffix handleSuffix)
++{
++    refreshTokenState();
++
++    SessionIter iter;
++    iter = findSession(handleSuffix);
++    if( iter == sessions.end() )  {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID,
++            "Invalid session handle suffix 0x%08x passed to closeSession\n",
++                (unsigned long)handleSuffix);
++    } else {
++        log->log("Closed session 0x%08x\n", (unsigned long)handleSuffix);
++        sessions.erase(iter);
++    }
++}
++
++CK_RV
++Slot::getSlotInfo(CK_SLOT_INFO_PTR pSlotInfo)
++{
++    static CK_VERSION firmwareVersion = {0,0};
++
++    if( pSlotInfo == NULL ) {
++        throw PKCS11Exception(CKR_ARGUMENTS_BAD);
++    }
++    pSlotInfo->flags = CKF_REMOVABLE_DEVICE | CKF_HW_SLOT;
++    /*pSlotInfo->flags = CKF_REMOVABLE_DEVICE; */
++    if( isTokenPresent() )
++        pSlotInfo->flags |= CKF_TOKEN_PRESENT;
++    memset(pSlotInfo->slotDescription, ' ', 64);
++    memcpy(pSlotInfo->slotDescription, readerName,
++        MIN(64, strlen(readerName)) );
++    memset(pSlotInfo->manufacturerID, ' ', 32);
++    memcpy(pSlotInfo->manufacturerID, manufacturer,
++        MIN(32, strlen(manufacturer)) );
++    pSlotInfo->hardwareVersion = hwVersion;
++    pSlotInfo->firmwareVersion = firmwareVersion;
++
++    return CKR_OK;
++}
++
++inline unsigned char
++hex(unsigned long digit)
++{
++    return (digit > 9 )? (char)(digit+'a'-10) : (char)(digit+'0');
++}
++
++void
++Slot::makeCUIDString(char *serialNumber, int maxSize,
++						 const unsigned char *cuids)
++{
++    signed int i; // must be signed or for loop won't exit!
++    char *cp;
++
++    memset(serialNumber, ' ', maxSize);
++    // CUID is an 8 digit hex number with leading zeros.
++    // we count down from 8 stripping hex digits. If there is not
++    // enough space, we truncate the top digits
++    unsigned long cuid =
++	((unsigned long) cuids[6]) << 24 |
++	((unsigned long) cuids[7]) << 16 |
++	((unsigned long) cuids[8]) <<  8 |
++		((unsigned long) cuids[9]) ;
++
++    for (i = MIN(maxSize,8)-1, cp= serialNumber; i >= 0;
++						cp++, i--) {
++	unsigned long digit = cuid >> (i*4);
++	// if we truncated the beginning. show that with a '*'
++	*cp = (digit > 0xf) ? '*' : hex(digit);
++	cuid -=  digit << (i*4);
++    }
++}
++
++
++void
++Slot::makeSerialString(char *serialNumber, int maxSize,
++						 const unsigned char *cuid)
++{
++    memset(serialNumber, ' ', maxSize);
++
++    // otherwise we use the eepromSerialNumber as a hex value
++    if (cuid) {
++         makeCUIDString(serialNumber, maxSize, cuid);
++    }
++    return;
++}
++
++void
++Slot::makeLabelString(char *label, int maxSize, const unsigned char *cuid)
++{
++    int personLen;
++    memset(label, ' ', maxSize);
++    if (fullTokenName) {
++	personLen = strlen(personName);
++	memcpy(label, personName, MIN(personLen, maxSize));
++        // UTF8 Truncate fixup! don't drop halfway through a UTF8 character
++	return;
++    }
++
++//
++// Legacy tokens only 'speak' english.
++//
++#define COOLKEY "CoolKey"
++#define POSSESSION " for "
++    if (!personName || personName[0] == '\0' ) {
++	const int coolKeySize = sizeof(COOLKEY) ;
++	memcpy(label, COOLKEY, coolKeySize-1);
++	makeSerialString(&label[coolKeySize], maxSize-coolKeySize, cuid);
++	return;
++    }
++    const int prefixSize = sizeof (COOLKEY POSSESSION )-1;
++    memcpy(label, COOLKEY POSSESSION, prefixSize);
++    personLen = strlen(personName);
++    memcpy(&label[prefixSize], personName,
++				MIN(personLen, maxSize-prefixSize));
++
++}
++
++void
++Slot::makeModelString(char *model, int maxSize, const unsigned char *cuid)
++{
++    char *cp = model;
++    memset(model, ' ', maxSize);
++    assert(maxSize >= 8);
++
++    if (!cuid) {
++	return;
++    }
++
++    *cp++ = hex(cuid[2] >> 4);
++    *cp++ = hex(cuid[2] & 0xf);
++    *cp++ = hex(cuid[3] >> 4);
++    *cp++ = hex(cuid[3] & 0xf);
++    *cp++ = hex(cuid[4] >> 4);
++    *cp++ = hex(cuid[4] & 0xf);
++    *cp++ = hex(cuid[5] >> 4);
++    *cp++ = hex(cuid[5] & 0xf);
++    makeCUIDString(&model[8],maxSize -8, cuid);
++
++    return;
++}
++
++struct _manList {
++     unsigned short type;
++     const char *string;
++};
++
++static const struct _manList  manList[] = {
++        { 0x4090, "Axalto" },
++        { 0x2050, "Oberthur" },
++        { 0x4780, "RSA" }
++};
++
++static int manListSize = sizeof(manList)/sizeof(manList[0]);
++
++void
++Slot::makeManufacturerString(char *man, int maxSize, const unsigned char *cuid)
++{
++    char *cp = man;
++    memset(man, ' ', maxSize);
++
++    if (!cuid) {
++	return;
++    }
++    unsigned short fabricator = ((unsigned short)cuid[0]) << 8 | cuid[1];
++
++    assert(maxSize >=4 );
++
++     /* first give the raw manufacture ID for CUID calculations */
++    *cp++ = hex(cuid[0] >> 4);
++    *cp++ = hex(cuid[0] & 0xf);
++    *cp++ = hex(cuid[1] >> 4);
++    *cp++ = hex(cuid[1] & 0xf);
++    cp++; /* leave a space */
++
++
++    for (int i=0; i < manListSize; i++) {
++	if (fabricator == manList[i].type) {
++	    int len = strlen(manList[i].string);
++	    memcpy(cp,manList[i].string, MIN(len,maxSize-5));
++	    break;
++	}
++    }
++    /* just leave the number bare if we don't recognize it */
++}
++
++CK_RV
++Slot::getTokenInfo(CK_TOKEN_INFO_PTR pTokenInfo)
++{
++    if(pTokenInfo == NULL ) {
++        throw PKCS11Exception(CKR_ARGUMENTS_BAD);
++    }
++    ensureTokenPresent();
++    const unsigned char *cuid = CKYBuffer_Data(&mCUID);
++
++    /// format the token string
++    makeLabelString((char *)pTokenInfo->label, sizeof(pTokenInfo->label),cuid);
++    makeSerialString((char *)pTokenInfo->serialNumber,
++				sizeof(pTokenInfo->serialNumber), cuid);
++    makeModelString((char *)pTokenInfo->model,
++				sizeof(pTokenInfo->model), cuid);
++    makeManufacturerString((char *)pTokenInfo->manufacturerID,
++				sizeof(pTokenInfo->manufacturerID), cuid);
++
++    pTokenInfo->flags = CKF_WRITE_PROTECTED;
++    if (state & APPLET_PERSONALIZED) {
++	pTokenInfo->flags |=  CKF_TOKEN_INITIALIZED;
++	if (needLogin) {
++	    pTokenInfo->flags |= CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED;
++	}
++    }
++    pTokenInfo->ulMaxSessionCount = CK_EFFECTIVELY_INFINITE;
++    pTokenInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION;
++    pTokenInfo->ulMaxRwSessionCount = 0;
++    pTokenInfo->ulMaxPinLen = 32;
++    pTokenInfo->ulMinPinLen = 0;
++    pTokenInfo->ulTotalPublicMemory = publicTotal;
++    pTokenInfo->ulFreePublicMemory = publicFree;
++    pTokenInfo->ulTotalPrivateMemory = CK_EFFECTIVELY_INFINITE;
++    pTokenInfo->ulFreePrivateMemory = privateFree;
++    pTokenInfo->hardwareVersion.major = cuid ? cuid[4] : 0;
++    pTokenInfo->hardwareVersion.minor = cuid ? cuid[5] : 0;
++    pTokenInfo->firmwareVersion = tokenFWVersion;
++
++
++    return CKR_OK;
++}
++
++void
++SlotList::validateSlotID(CK_SLOT_ID slotID) const
++{
++    if( slotID < 1 || slotID > numSlots ) {
++        throw PKCS11Exception(CKR_SLOT_ID_INVALID);
++    }
++}
++
++#define PKCS11_WAIT_LATENCY 500 /* 500 msec or 1/2 sec */
++#define PKCS11_CARD_ERROR_LATENCY 300
++void
++SlotList::waitForSlotEvent(CK_FLAGS flag, CK_SLOT_ID_PTR slotp, CK_VOID_PTR res)
++{
++    unsigned long timeout = (flag ==CKF_DONT_BLOCK) ? 0 : PKCS11_WAIT_LATENCY;
++    unsigned int i;
++    bool found = FALSE;
++    CKYStatus status;
++    SCARD_READERSTATE *myReaderStates = NULL;
++    unsigned int myNumReaders = 0;
++#ifndef notdef
++    do {
++	readerListLock.getLock();
++	try {
++	    updateReaderList();
++	} catch(PKCS11Exception&) {
++	    readerListLock.releaseLock();
++	    if (myReaderStates) {
++		delete [] myReaderStates;
++	    }
++	    throw;
++	}
++
++	if (myNumReaders != numReaders) {
++	    if (myReaderStates) {
++		delete [] myReaderStates;
++	    }
++	    myReaderStates = new SCARD_READERSTATE [numReaders];
++	}
++	memcpy(myReaderStates, readerStates,
++				sizeof(SCARD_READERSTATE)*numReaders);
++	myNumReaders = numReaders;
++	readerListLock.releaseLock();
++	status = CKYCardContext_WaitForStatusChange(context,
++				 myReaderStates, myNumReaders, timeout);
++	if (status == CKYSUCCESS) {
++	    for (i=0; i < myNumReaders; i++) {
++		SCARD_READERSTATE *rsp = &myReaderStates[i];
++	        unsigned long eventState = CKYReader_GetEventState(rsp);
++		if (eventState & SCARD_STATE_CHANGED) {
++		    readerListLock.getLock();
++		    CKYReader_SetKnownState(&readerStates[i], eventState & ~SCARD_STATE_CHANGED);
++		    readerListLock.releaseLock();
++		    *slotp = slotIndexToID(i);
++		    found = TRUE;
++		    break;
++		}
++	    }
++	}
++
++        if (found || (flag == CKF_DONT_BLOCK) || shuttingDown) {
++            break;
++        }
++
++        #ifndef WIN32
++        if (status != CKYSUCCESS) {
++
++            if ( (CKYCardContext_GetLastError(context) ==
++                                        SCARD_E_READER_UNAVAILABLE) ||
++                (CKYCardContext_GetLastError(context) == SCARD_E_TIMEOUT))
++            {
++                OSSleep(timeout*PKCS11_CARD_ERROR_LATENCY);
++            }
++
++
++        }
++        #endif
++    } while ((status == CKYSUCCESS) ||
++       (CKYCardContext_GetLastError(context) == SCARD_E_TIMEOUT) ||
++        ( CKYCardContext_GetLastError(context) == SCARD_E_READER_UNAVAILABLE));
++#else
++    do {
++	OSSleep(100);
++    } while ((flag != CKF_DONT_BLOCK) && !shuttingDown);
++#endif
++
++    if (myReaderStates) {
++	delete [] myReaderStates;
++    }
++
++    if (!found) {
++	throw PKCS11Exception(CKR_NO_EVENT);
++    }
++    return;
++}
++
++void
++Slot::handleConnectionError()
++{
++    long error = CKYCardConnection_GetLastError(conn);
++
++    log->log("Connection Error = 0x%x\n", error);
++
++    // Force a reconnect after a token operation fails. The most
++    // common reason for it to fail is that it has been removed, but
++    // it doesn't hurt to do it in other cases either (such as a reset).
++    disconnect();
++
++    // Convert the PCSC error to a PKCS #11 error, and throw the exception.
++    CK_RV ckrv;
++    switch( error ) {
++      case SCARD_E_NO_SMARTCARD:
++      case SCARD_W_RESET_CARD:
++      case SCARD_W_REMOVED_CARD:
++        ckrv = CKR_DEVICE_REMOVED;
++        break;
++      default:
++        ckrv = CKR_DEVICE_ERROR;
++        break;
++    }
++    throw PKCS11Exception(ckrv);
++}
++
++list<ListObjectInfo>
++Slot::getObjectList()
++{
++    list<ListObjectInfo> objInfoList;
++
++    while(true) {
++	CKYISOStatus result;
++        ListObjectInfo info;
++        CKYByte seq = objInfoList.size() == 0  ? CKY_LIST_RESET : CKY_LIST_NEXT;
++	CKYStatus status=CKYApplet_ListObjects(conn, seq,  &info.obj, &result);
++	if (status != CKYSUCCESS) {
++	    // we failed because of a connection error
++	    if (status == CKYSCARDERR) {
++		handleConnectionError();
++	    }
++	    // we failed simply because we hit the end of the list
++	    // (in which case we are done)
++	    if ((result == CKYISO_SUCCESS)  || (result == CKYISO_SEQUENCE_END)) {
++		break;
++	    }
++	    // we failed fror some other reason...
++  	    throw PKCS11Exception(CKR_DEVICE_ERROR);
++	}
++
++        log->log("===Object\n");
++        log->log("===id: 0x%04x\n", info.obj.objectID);
++        log->log("===size: %d\n", info.obj.objectSize);
++        log->log("===acl: 0x%02x,0x%02x,0x%02x\n", info.obj.readACL,
++				info.obj.writeACL, info.obj.deleteACL);
++        log->log("\n");
++
++        objInfoList.push_back(info);
++    }
++
++    return objInfoList;
++}
++
++// Should already have a transaction
++void
++Slot::selectApplet()
++{
++    CKYStatus status;
++    status = CKYApplet_SelectCoolKeyManager(conn, NULL);
++    if ( status == CKYSCARDERR ) handleConnectionError();
++    if ( status != CKYSUCCESS) {
++        // could not select applet: this just means it's not there
++        disconnect();
++        throw PKCS11Exception(CKR_DEVICE_REMOVED);
++    }
++}
++
++void
++Slot::selectCACApplet(CKYByte instance)
++{
++    CKYStatus status;
++    CKYBuffer *aid = &cardAID[instance];
++
++    if (CKYBuffer_Size(aid) == 0) {
++        disconnect();
++        throw PKCS11Exception(CKR_DEVICE_REMOVED);
++	return;
++    }
++
++    status = CKYApplet_SelectFile(conn, aid, NULL);
++    if ( status == CKYSCARDERR ) handleConnectionError();
++    if ( status != CKYSUCCESS) {
++        // could not select applet: this just means it's not there
++        disconnect();
++        throw PKCS11Exception(CKR_DEVICE_REMOVED);
++    }
++    if (mOldCAC) {
++	return;
++    }
++    status = CACApplet_SelectFile(conn, cardEF[instance], NULL);
++    if ( status == CKYSCARDERR ) handleConnectionError();
++    if ( status != CKYSUCCESS) {
++        disconnect();
++        throw PKCS11Exception(CKR_DEVICE_REMOVED);
++    }
++}
++// assume we are already in a transaction
++void
++Slot::readMuscleObject(CKYBuffer *data, unsigned long objectID,
++							unsigned int objSize)
++{
++    CKYStatus status;
++
++    status = CKYApplet_ReadObjectFull(conn, objectID, 0, objSize,
++		getNonce(), data, NULL);
++    if (status == CKYSCARDERR) {
++        handleConnectionError();
++    }
++    if (status != CKYSUCCESS) {
++        throw PKCS11Exception(CKR_DEVICE_ERROR);
++    }
++    return;
++}
++
++
++class DERCertObjIDMatch {
++  private:
++    unsigned short certnum;
++    const Slot      &slot;
++  public:
++    DERCertObjIDMatch(unsigned short cn, const Slot &s) :
++		certnum(cn), slot(s) { }
++
++    bool operator()(const ListObjectInfo& info) {
++        return  (slot.getObjectClass(info.obj.objectID) == 'C')
++		&& ( slot.getObjectIndex(info.obj.objectID) == certnum );
++    }
++};
++
++class ObjectHandleMatch {
++  private:
++    CK_OBJECT_HANDLE handle;
++  public:
++    ObjectHandleMatch(CK_OBJECT_HANDLE handle_) : handle(handle_) { }
++    bool operator()(const PKCS11Object& obj) {
++        return obj.getHandle() == handle;
++    }
++};
++
++class KeyNumMatch {
++  private:
++    CKYByte keyNum;
++    const Slot &slot;
++  public:
++    KeyNumMatch(CKYByte keyNum_, const Slot &s) : keyNum(keyNum_), slot(s) { }
++    bool operator() (const PKCS11Object& obj) {
++        unsigned long objID = obj.getMuscleObjID();
++        return (slot.getObjectClass(objID) == 'k')
++               && (slot.getObjectIndex(objID) == keyNum);
++    }
++};
++
++class ObjectCertCKAIDMatch {
++  private:
++    CKYByte cka_id;
++  public:
++    ObjectCertCKAIDMatch(CKYByte cka_id_) : cka_id(cka_id_) {}
++    bool operator()(const PKCS11Object& obj) {
++	const CKYBuffer *id;
++        const CKYBuffer *objClass;
++	CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
++	objClass = obj.getAttribute(CKA_CLASS);
++        if (objClass == NULL || !CKYBuffer_DataIsEqual(objClass,
++				(CKYByte *)&certClass, sizeof(certClass))) {
++	    return false;
++        }
++ 	id = obj.getAttribute(CKA_ID);
++        return (id != NULL && CKYBuffer_DataIsEqual(id,&cka_id, 1))
++						 ? true : false;
++    }
++};
++
++CK_OBJECT_HANDLE
++Slot::generateUnusedObjectHandle()
++{
++    CK_OBJECT_HANDLE handle;
++    ObjectConstIter iter;
++    do {
++        handle = ++objectHandleCounter;
++        iter = find_if(tokenObjects.begin(), tokenObjects.end(),
++            ObjectHandleMatch(handle));
++    } while( handle == CK_INVALID_HANDLE || iter != tokenObjects.end() );
++    return handle;
++}
++
++void
++Slot::addKeyObject(list<PKCS11Object>& objectList, const ListObjectInfo& info,
++    CK_OBJECT_HANDLE handle, bool isCombined)
++{
++    ObjectConstIter iter;
++    Key keyObj(info.obj.objectID, &info.data, handle);
++    CK_OBJECT_CLASS objClass = keyObj.getClass();
++    const CKYBuffer *id;
++
++
++    if (isCombined &&
++	   ((objClass == CKO_PUBLIC_KEY) || (objClass == CKO_PRIVATE_KEY))) {
++	id = keyObj.getAttribute(CKA_ID);
++	if ((!id) || (CKYBuffer_Size(id) != 1)) {
++	    throw PKCS11Exception(CKR_DEVICE_ERROR,
++			"Missing or invalid CKA_ID value");
++	}
++	iter = find_if(objectList.begin(), objectList.end(),
++			ObjectCertCKAIDMatch(CKYBuffer_GetChar(id,0)));
++	if ( iter == objectList.end() ) {
++            // We failed to find a cert with a matching CKA_ID. This
++            // can happen if the cert is not present on the token, or
++            // the der encoded cert stored on the token was corrupted.
++	    throw PKCS11Exception(CKR_DEVICE_ERROR,
++			"Failed to find cert with matching CKA_ID value");
++	}
++	keyObj.completeKey(*iter);
++    }
++    objectList.push_back(keyObj);
++
++}
++
++void
++Slot::addObject(list<PKCS11Object>& objectList, const ListObjectInfo& info,
++    CK_OBJECT_HANDLE handle)
++{
++    objectList.push_back(PKCS11Object(info.obj.objectID, &info.data, handle));
++}
++
++void
++Slot::addCertObject(list<PKCS11Object>& objectList,
++    const ListObjectInfo& certAttrs,
++    const CKYBuffer *derCert, CK_OBJECT_HANDLE handle)
++{
++    Cert certObj(certAttrs.obj.objectID,
++				&certAttrs.data, handle, derCert);
++    if (personName == NULL) {
++	personName = strdup(certObj.getLabel());
++	fullTokenName = false;
++    }
++
++    objectList.push_back(certObj);
++}
++void
++Slot::unloadObjects()
++{
++    tokenObjects.clear();
++    free(personName);
++    personName = NULL;
++    fullTokenName = false;
++}
++
++#ifdef USE_SHMEM
++
++// The shared memory segment is used to cache the raw token objects from
++// the card so mupltiple instances do not need to read all the data in
++// by themselves. It also allows us to recover data from a token on
++// reinsertion if that token is inserted into the same 'slot' as it was
++// originally.
++//
++// There is one memory segment for each slot.
++//
++// The process that creates the shared memory segment will initialize the
++// valid byte to '0'. Otherwise the Memory Segment must be accessed while
++// in a transaction for the connection to a reader that the memory segment
++// represents is held.
++//
++// If the memory segment is not valid, does not match the CUID of the
++// current token, or does not match the current data version, the current
++// process will read the object data out of the card  and into shared memory.
++// Since access to the shared memory is protected by the interprocess
++// transaction lock on the reader, data consistancy is
++// maintained.
++//
++// shared memory is layed out as follows:
++//
++// Header:
++//  1 short  (version) shared mem layout version number (currrent 1,0)
++//  1 short  (header size) size in bytes of the shared memory header
++//  1 byte   (valid)  segment is valid or not (valid =1; not valid =0 )
++//  1 byte   (reserved) (set to zero)
++//  10 bytes (CUID)  Unique card identifier.
++//  1 short  (reserved) (set to zero)
++//  1 short  (data version) version number of the embeded data
++//  1 short  (header offset) offset to the card's data header.
++//  1 short  (data offset) offset to the uncompressed card data.
++//  1 long   (header size) size in bytes of the card's data header.
++//  1 long   (data size) size in bytes of the uncompressed data.
++//  .
++//  .
++// DataHeader:
++//  n bytes  DataHeader.
++//  .
++//  .
++// Data:
++//  n bytes   Data.
++//
++// All data in the shared memory header is stored in machine order, packing,
++//  and size. Data in the DataHeader and Data sections are stored in applet
++//  byte order.
++//
++// Shared memory segments are fixed size (equal to the object memory size of
++// the token).
++//
++
++struct SlotSegmentHeader {
++    unsigned short version;
++    unsigned short headerSize;
++    unsigned char  valid;
++    unsigned char  reserved;
++    unsigned char  cuid[10];
++    unsigned short reserved2;
++    unsigned short dataVersion;
++    unsigned short dataHeaderOffset;
++    unsigned short dataOffset;
++    unsigned long  dataHeaderSize;
++    unsigned long  dataSize;
++    unsigned long  cert2Offset;
++    unsigned long  cert2Size;
++};
++
++#define MAX_OBJECT_STORE_SIZE 15000
++//
++// previous development versions used a segment prefix of
++// "coolkeypk11s"
++//
++#define SEGMENT_PREFIX "coolkeypk11s"
++#define CAC_FAKE_CUID "CAC Certs"
++SlotMemSegment::SlotMemSegment(const char *readerName):
++	segmentAddr(NULL),  segmentSize(0), segment(NULL)
++{
++   bool needInit;
++   char *segName;
++
++   segName = new char[strlen(readerName)+sizeof(SEGMENT_PREFIX)+1];
++   if (!segName) {
++	// just run without shared memory
++	return;
++    }
++    sprintf(segName,SEGMENT_PREFIX"%s",readerName);
++    segment = SHMem::initSegment(segName, MAX_OBJECT_STORE_SIZE, needInit);
++    delete [] segName;
++    if (!segment) {
++	// just run without shared memory
++	return;
++    }
++    segmentAddr = segment->getSHMemAddr();
++    assert(segmentAddr);
++    // paranoia, shouldn't happen..
++    if (!segmentAddr) {
++	delete segment;
++	segment = NULL;
++	return;
++    }
++
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    if (needInit) {
++	segmentHeader->valid = 0;
++    }
++    segmentSize = segment->getSHMemSize();
++}
++
++SlotMemSegment::~SlotMemSegment()
++{
++    if (segment) {
++	delete segment;
++    }
++}
++
++bool
++SlotMemSegment::CUIDIsEqual(const CKYBuffer *cuid) const
++{
++    if (!segment) {
++	return false;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++
++    return
++     CKYBuffer_DataIsEqual(cuid, (CKYByte *)segmentHeader->cuid,
++	sizeof(segmentHeader->cuid)) ? true : false;
++}
++
++void
++SlotMemSegment::setCUID(const CKYBuffer *cuid)
++{
++    if (!segment) {
++	return;
++    }
++
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++
++    if (CKYBuffer_Size(cuid) != sizeof(segmentHeader->cuid)) {
++	// should throw and exception?
++	return;
++    }
++    memcpy (segmentHeader->cuid, CKYBuffer_Data(cuid),
++					sizeof(segmentHeader->cuid));
++}
++
++const unsigned char *
++SlotMemSegment::getCUID() const
++{
++    if (!segment) {
++	return NULL;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    return segmentHeader->cuid;
++}
++
++unsigned short
++SlotMemSegment::getVersion() const
++{
++    if (!segment) {
++	return 0;
++    }
++
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    return segmentHeader->version;
++}
++
++unsigned short
++SlotMemSegment::getDataVersion() const
++{
++    if (!segment) {
++	return 0;
++    }
++
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    return segmentHeader->dataVersion;
++}
++
++void
++SlotMemSegment::setVersion(unsigned short version)
++{
++    if (!segment) {
++	return;
++    }
++
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    segmentHeader->version = version;
++}
++
++
++void
++SlotMemSegment::setDataVersion(unsigned short version)
++{
++    if (!segment) {
++	return;
++    }
++
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    segmentHeader->dataVersion = version;
++}
++
++bool
++SlotMemSegment::isValid() const
++{
++    if (!segment) {
++	return false;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    return segmentHeader->valid == 1;
++}
++
++void
++SlotMemSegment::readHeader(CKYBuffer *dataHeader) const
++{
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    int size = segmentHeader->dataHeaderSize;
++    CKYByte *data = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];
++    CKYBuffer_Replace(dataHeader, 0, data, size);
++}
++
++void
++SlotMemSegment::readData(CKYBuffer *objData) const
++{
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    int size = segmentHeader->dataSize;
++    CKYByte *data = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];
++    CKYBuffer_Replace(objData, 0, data, size);
++}
++
++
++void
++SlotMemSegment::writeHeader(const CKYBuffer *dataHeader)
++{
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    int size = CKYBuffer_Size(dataHeader);
++    segmentHeader->headerSize = sizeof *segmentHeader;
++    segmentHeader->dataHeaderSize = size;
++    segmentHeader->dataHeaderOffset = sizeof *segmentHeader;
++    segmentHeader->dataOffset = segmentHeader->dataHeaderOffset + size;
++    CKYByte *data = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];
++    memcpy(data, CKYBuffer_Data(dataHeader), size);
++}
++
++void
++SlotMemSegment::writeData(const CKYBuffer *objData)
++{
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    int size = CKYBuffer_Size(objData);
++    segmentHeader->dataSize = size;
++    CKYByte *data = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];
++    memcpy(data, CKYBuffer_Data(objData), size);
++}
++
++void
++SlotMemSegment::readCACCert(CKYBuffer *objData, CKYByte instance) const
++{
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    int size;
++    CKYByte *data;
++
++    switch (instance) {
++    case 0:
++	data  = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];
++	size = segmentHeader->dataHeaderSize;
++	break;
++    case 1:
++	data  = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];
++	size = segmentHeader->dataSize;
++	break;
++    case 2:
++	data  = (CKYByte *) &segmentAddr[segmentHeader->cert2Offset];
++	size = segmentHeader->cert2Size;
++	break;
++    default:
++	CKYBuffer_Resize(objData, 0);
++	return;
++    }
++    CKYBuffer_Replace(objData, 0, data, size);
++}
++
++
++void
++SlotMemSegment::writeCACCert(const CKYBuffer *data, CKYByte instance)
++{
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    int size = CKYBuffer_Size(data);
++    CKYByte *shmData;
++    switch (instance) {
++    case 0:
++	segmentHeader->headerSize = sizeof *segmentHeader;
++	segmentHeader->dataHeaderOffset = sizeof *segmentHeader;
++	segmentHeader->dataHeaderSize = size;
++	segmentHeader->dataOffset = segmentHeader->dataHeaderOffset + size;
++	segmentHeader->dataSize = 0;
++	segmentHeader->cert2Offset = segmentHeader->dataOffset;
++	segmentHeader->cert2Size = 0;
++	shmData = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];
++	break;
++    case 1:
++	segmentHeader->dataSize = size;
++	segmentHeader->cert2Offset = segmentHeader->dataOffset + size;
++	segmentHeader->cert2Size = 0;
++	shmData = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];
++	break;
++    case 2:
++	segmentHeader->cert2Size = size;
++	shmData = (CKYByte *) &segmentAddr[segmentHeader->cert2Offset];
++	break;
++    default:
++	return;
++    }
++    memcpy(shmData, CKYBuffer_Data(data), size);
++}
++
++void
++SlotMemSegment::clearValid(CKYByte instance)
++{
++
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    switch (instance) {
++    case 0:
++	segmentHeader->headerSize = 0;
++	segmentHeader->dataHeaderSize = 0;
++	/* fall through */
++    case 1:
++	segmentHeader->dataSize = 0;
++    }
++    segmentHeader->valid = 0;
++}
++
++void
++SlotMemSegment::setValid()
++{
++    if (!segment) {
++	return;
++    }
++    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
++    segmentHeader->valid = 1;
++}
++
++#endif
++
++void
++Slot::initEmpty(void)
++{
++    // check the shared memory area first
++    // shared memory is protected by our transaction call on the card
++    //
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    if( status != CKYSUCCESS ) {
++        handleConnectionError();
++    }
++
++    loadReaderObject();
++    readCUID();
++}
++
++void
++Slot::readCUID(void)
++{
++    // check the shared memory area first
++    // shared memory is protected by our transaction call on the card
++    //
++    CKYStatus status;
++    if (state & CAC_CARD) {
++	status = CACApplet_SelectCardManager(conn, NULL);
++    } else {
++	status = CKYApplet_SelectCardManager(conn, NULL);
++    }
++    CKYBuffer_Resize(&mCUID, 0);
++    if (status == CKYSCARDERR) {
++	handleConnectionError();
++    }
++    status = CKYApplet_GetCUID(conn, &mCUID, NULL);
++    if (status == CKYSCARDERR) {
++	handleConnectionError();
++    }
++}
++
++list<ListObjectInfo>
++Slot::fetchSeparateObjects()
++{
++    int i;
++
++    list<ListObjectInfo> objInfoList;
++    std::list<ListObjectInfo>::iterator iter;
++
++    OSTime time = OSTimeNow();
++    readCUID();
++    selectApplet();
++    log->log(
++     "time fetch separate: getting  cuid & applet select (again) %d ms\n",
++							 OSTimeNow() - time);
++
++#ifdef USE_SHMEM
++    shmem.clearValid(0);
++#endif
++
++    //
++    // get the list of objects on the muscle token
++    //
++    objInfoList = getObjectList();
++
++
++    log->log("time fetch separate:  getObjectList %d ms\n",OSTimeNow() - time);
++    //
++    // get the content of each object
++    //
++    for (i=0, iter = objInfoList.begin(); iter != objInfoList.end();
++								++iter, i++) {
++	// check the ACL to make sure this will succeed.
++	unsigned short readPerm = iter->obj.readACL;
++
++	log->log("Object has read perm 0x%04x\n", readPerm);
++	if ( (!isVersion1Key && ((readPerm & 0x2) == readPerm)) ||
++ 				(isVersion1Key && ((readPerm & 0x1))) ) {
++	    readMuscleObject(&iter->data, iter->obj.objectID,
++						iter->obj.objectSize);
++	    log->log("Object:\n");
++	    log->dump(&iter->data);
++	}
++    }
++    log->log("time fetch separate: readObjects %dms\n", OSTimeNow() - time);
++    return objInfoList;
++}
++
++list<ListObjectInfo>
++Slot::fetchCombinedObjects(const CKYBuffer *header)
++{
++    CKYBuffer objBuffer;
++    CKYStatus status;
++
++    list<ListObjectInfo> objInfoList;
++    CKYBuffer_InitEmpty(&objBuffer);
++    unsigned short compressedOffset = CKYBuffer_GetShort(
++					header, OBJ_COMP_OFFSET_OFFSET);
++    unsigned short compressedSize = CKYBuffer_GetShort(
++					header, OBJ_COMP_SIZE_OFFSET);
++    OSTime time = OSTimeNow();
++
++#ifdef USE_SHMEM
++
++    // check the shared memory area first
++    // shared memory is protected by our transaction call on the card
++    //
++    CKYBuffer_Resize(&mCUID,0);
++    CKYBuffer_AppendBuffer(&mCUID, header, OBJ_CUID_OFFSET, OBJ_CUID_SIZE);
++    unsigned short dataVersion = CKYBuffer_GetShort(
++					header, OBJ_OBJECT_VERSION_OFFSET);
++
++    if (shmem.isValid() &&  shmem.CUIDIsEqual(&mCUID) &&
++			shmem.getDataVersion() == dataVersion) {
++	shmem.readData(&objBuffer);
++    } else {
++	shmem.clearValid(0);
++	shmem.setCUID(&mCUID);
++	shmem.setVersion(SHMEM_VERSION);
++	shmem.setDataVersion(dataVersion);
++	CKYBuffer dataHeader;
++	CKYBuffer_InitFromBuffer(&dataHeader, header, 0,
++					(CKYSize) compressedOffset);
++
++	shmem.writeHeader(&dataHeader);
++	CKYBuffer_FreeData(&dataHeader);
++	log->log("time fetch combined: play with shared memory %d ms\n",
++		 OSTimeNow() - time);
++#endif
++	CKYBuffer_Reserve(&objBuffer, compressedSize);
++	CKYSize headerSize = CKYBuffer_Size(header);
++	CKYSize headerBytes = headerSize - compressedOffset;
++
++
++	CKYBuffer_AppendBuffer(&objBuffer,header,compressedOffset,headerBytes);
++	log->log("time fetch combined: "
++		"headerbytes = %d compressedOffset = %d compressedSize = %d\n",
++				headerBytes, compressedOffset, compressedSize);
++	status = CKYApplet_ReadObjectFull(conn, COMBINED_ID,
++		headerSize, compressedSize - headerBytes, getNonce(),
++						&objBuffer, NULL);
++	log->log("time fetch combined: read status = %d objectBuffSize = %d\n",
++			 status, CKYBuffer_Size(&objBuffer));
++	if (status == CKYSCARDERR) {
++	    CKYBuffer_FreeData(&objBuffer);
++	    handleConnectionError();
++	}
++	log->log("time fetch combined: "
++		"Read Object Data %d  ms (object size = %d bytes)\n",
++		 OSTimeNow() - time, compressedSize);
++	if (CKYBuffer_GetShort(header, OBJ_COMP_TYPE_OFFSET) == COMP_ZLIB) {
++	    CKYBuffer compBuffer;
++	    CKYSize guessFinalSize = CKYBuffer_Size(&objBuffer);
++	    CKYSize objSize = 0;
++	    int zret = Z_MEM_ERROR;
++
++	    CKYBuffer_InitFromCopy(&compBuffer,&objBuffer);
++	    do {
++		guessFinalSize *= 2;
++		status = CKYBuffer_Resize(&objBuffer, guessFinalSize);
++		if (status != CKYSUCCESS) {
++		    break;
++		}
++		objSize = guessFinalSize;
++		zret = uncompress((Bytef *)CKYBuffer_Data(&objBuffer),&objSize,
++			CKYBuffer_Data(&compBuffer), CKYBuffer_Size(&compBuffer));
++	    } while (zret == Z_BUF_ERROR);
++	    log->log("time fetch combined: "
++		"uncompress objects %d  ms (object size = %d bytes)\n",
++		 OSTimeNow() - time, objSize);
++
++	    CKYBuffer_FreeData(&compBuffer);
++	    if (zret != Z_OK) {
++		CKYBuffer_FreeData(&objBuffer);
++		throw PKCS11Exception(CKR_DEVICE_ERROR,
++				"Corrupted compressed object Data");
++	    }
++	    CKYBuffer_Resize(&objBuffer,objSize);
++ 	}
++
++	// uncompress...
++#ifdef USE_SHMEM
++	shmem.writeData(&objBuffer);
++	shmem.setDataVersion(dataVersion);
++	shmem.setValid();
++    }
++#endif
++
++     //
++     // now pull apart the objects
++     //
++    unsigned short offset =
++		CKYBuffer_GetShort(&objBuffer, OBJ_OBJECT_OFFSET_OFFSET);
++    unsigned short objectCount = CKYBuffer_GetShort(
++					&objBuffer, OBJ_OBJECT_COUNT_OFFSET);
++    int tokenNameSize = CKYBuffer_GetChar(&objBuffer,OBJ_TOKENNAME_SIZE_OFFSET);
++    int i;
++    CKYSize size = CKYBuffer_Size(&objBuffer);
++
++    if (offset < tokenNameSize+OBJ_TOKENNAME_OFFSET) {
++	CKYBuffer_FreeData(&objBuffer);
++	throw PKCS11Exception(CKR_DEVICE_ERROR,
++			"Tokenname/object Data overlap");
++    }
++    if (personName) {
++	free(personName);
++    }
++    personName = (char *)malloc(tokenNameSize+1);
++    memcpy(personName,CKYBuffer_Data(&objBuffer)+OBJ_TOKENNAME_OFFSET,
++								tokenNameSize);
++    personName[tokenNameSize] = 0;
++    fullTokenName = true;
++
++    for (i=0; i < objectCount && offset < size; i++) {
++	ListObjectInfo info;
++	unsigned long objectID = CKYBuffer_GetLong(&objBuffer, offset);
++	unsigned long attrsCount= CKYBuffer_GetShort(&objBuffer, offset+8);
++	unsigned long start = offset;
++	unsigned int j;
++
++	info.obj.objectID = objectID;
++	offset +=10;
++
++	/* get the length of the attribute block */
++	for (j=0; j < attrsCount; j++) {
++	    CKYByte attributeDataType=CKYBuffer_GetChar(&objBuffer, offset +4);
++
++	    offset += 5;
++
++	    switch (attributeDataType) {
++	    case DATATYPE_STRING:
++                offset += CKYBuffer_GetShort(&objBuffer, offset) + 2;
++                break;
++            case DATATYPE_BOOL_FALSE:
++	    case DATATYPE_BOOL_TRUE:
++                break;
++	    case DATATYPE_INTEGER:
++                offset += 4;
++                break;
++            }
++	}
++	if (offset > size) {
++	    CKYBuffer_FreeData(&objBuffer);
++	    throw PKCS11Exception(CKR_DEVICE_ERROR,
++			"Inconsistent combined object data");
++	}
++	CKYSize objSize = offset - start;
++	CKYBuffer_Reserve(&info.data, objSize +1);
++	// tell the object parsing code that this is a new, compact type
++	CKYBuffer_AppendChar(&info.data,1);
++	// copy the object
++	CKYBuffer_AppendBuffer(&info.data, &objBuffer, start, objSize);
++        objInfoList.push_back(info);
++    }
++    CKYBuffer_FreeData(&objBuffer);
++    log->log("fetch combined: format objects %d ms\n", OSTimeNow() - time);
++    return objInfoList;
++}
++
++CKYStatus
++Slot::readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize,
++			      bool throwException)
++{
++    CKYStatus status;
++    CKYISOStatus apduRC;
++    *nextSize = 0;
++
++    if (mOldCAC) {
++	/* get the first 100 bytes of the cert */
++	status = CACApplet_GetCertificateFirst(conn, cert, nextSize, &apduRC);
++	if (throwException && (status != CKYSUCCESS)) {
++	    handleConnectionError();
++	}
++
++        if(throwException && CKYBuffer_Size(cert) == 0) {
++            handleConnectionError();
++        }
++	return status;
++    }
++
++    CKYBuffer tBuf;
++    CKYBuffer vBuf;
++    CKYSize tlen, vlen;
++    CKYOffset toffset, voffset;
++    int length = 0;
++
++    CKYBuffer_InitEmpty(&tBuf);
++    CKYBuffer_InitEmpty(&vBuf);
++    CKYBuffer_Resize(cert, 0);
++
++    /* handle the new CAC card read */
++    /* read the TLV */
++    status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);
++    if (status != CKYSUCCESS) {
++	goto done;
++    }
++    status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);
++    if (status != CKYSUCCESS) {
++	goto done;
++    }
++    tlen = CKYBuffer_Size(&tBuf);
++    vlen = CKYBuffer_Size(&vBuf);
++
++    /* look for the Cert out of the TLV */
++    for(toffset = 2, voffset=2; toffset < tlen && voffset < vlen ;
++		voffset += length) {
++
++	CKYByte tag = CKYBuffer_GetChar(&tBuf, toffset);
++	length = CKYBuffer_GetChar(&tBuf, toffset+1);
++	toffset += 2;
++	if (length == 0xff) {
++	    length = CKYBuffer_GetShortLE(&tBuf, toffset);
++	    toffset +=2;
++	}
++	if (tag != CAC_TAG_CERTIFICATE) {
++	    continue;
++	}
++	CKYBuffer_AppendBuffer(cert, &vBuf, voffset, length);
++	break;
++    }
++    status = CKYSUCCESS;
++
++done:
++    CKYBuffer_FreeData(&tBuf);
++    CKYBuffer_FreeData(&vBuf);
++    return status;
++}
++
++/*
++ * only necessary for old CAC cards. New CAC cards have to read the
++ * whole cert in anyway above....
++ */
++CKYStatus
++Slot::readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize)
++{
++    CKYISOStatus apduRC;
++    assert(mOldCAC);
++    return CACApplet_GetCertificateAppend(conn, cert, nextSize, &apduRC);
++}
++
++void
++Slot::loadCACCert(CKYByte instance)
++{
++    CKYStatus status = CKYSUCCESS;
++    CKYBuffer cert;
++    CKYBuffer rawCert;
++    CKYBuffer shmCert;
++    CKYSize  nextSize;
++
++    OSTime time = OSTimeNow();
++
++    CKYBuffer_InitEmpty(&cert);
++    CKYBuffer_InitEmpty(&rawCert);
++    CKYBuffer_InitEmpty(&shmCert);
++
++    //
++    // not all CAC cards have all the PKI instances
++    // catch the applet selection errors if they don't
++    //
++    try {
++        selectCACApplet(instance);
++    } catch(PKCS11Exception& e) {
++	// all CAC's must have instance '0', throw the error it
++	// they don't.
++	if (instance == 0) throw e;
++	// If the CAC doesn't have instance '2', and we were updating
++	// the shared memory, set it to valid now.
++	if ((instance == 2) && !shmem.isValid()) {
++	    shmem.setValid();
++	}
++	return;
++    }
++
++    log->log("CAC Cert %d: select CAC applet:  %d ms\n",
++						 instance, OSTimeNow() - time);
++
++    if (instance == 0) {
++	readCACCertificateFirst(&rawCert, &nextSize, true);
++	log->log("CAC Cert %d: fetch CAC Cert:  %d ms\n",
++						instance, OSTimeNow() - time);
++    }
++
++    unsigned short dataVersion = 1;
++    CKYBool needRead = 1;
++
++    /* see if it matches the shared memory */
++    if (shmem.isValid() &&  shmem.getDataVersion() == dataVersion) {
++	shmem.readCACCert(&shmCert, instance);
++	CKYSize certSize = CKYBuffer_Size(&rawCert);
++	CKYSize shmCertSize = CKYBuffer_Size(&shmCert);
++	const CKYByte *shmData = CKYBuffer_Data(&shmCert);
++
++	if (instance != 0) {
++	    needRead = 0;
++	}
++
++	if (shmCertSize >= certSize) {
++	    if (memcmp(shmData, CKYBuffer_Data(&rawCert), certSize) == 0) {
++		/* yes it does, no need to read the rest of the cert, use
++		 * the cache */
++		CKYBuffer_Replace(&rawCert, 0, shmData, shmCertSize);
++		needRead = 0;
++	    }
++	}
++	if (!needRead && (shmCertSize == 0)) {
++	    /* no cert of this type, just return */
++	    return;
++	}
++    }
++    CKYBuffer_FreeData(&shmCert);
++
++    if (needRead) {
++	/* it doesn't, read the new cert and update the cache */
++	if (instance == 0) {
++	    shmem.clearValid(0);
++	    shmem.setVersion(SHMEM_VERSION);
++	    shmem.setDataVersion(dataVersion);
++	} else {
++	    status = readCACCertificateFirst(&rawCert, &nextSize, false);
++
++	    if (status != CKYSUCCESS) {
++		/* CAC only requires the Certificate in pki '0' */
++		/* if pki '1' or '2' are empty, treat it as a non-fatal error*/
++		if (instance == 2) {
++		    /* we've attempted to read all the certs, shared memory
++		     * is now valid */
++		    shmem.setValid();
++		}
++		return;
++	    }
++	}
++
++	if (nextSize) {
++	    status = readCACCertificateAppend(&rawCert, nextSize);
++	}
++	log->log("CAC Cert %d: Fetch rest :  %d ms\n",
++						instance, OSTimeNow() - time);
++	if (status != CKYSUCCESS) {
++	    handleConnectionError();
++	}
++	shmem.writeCACCert(&rawCert, instance);
++	if (instance == 2) {
++	    shmem.setValid();
++	}
++    }
++
++
++    log->log("CAC Cert %d: Cert has been read:  %d ms\n",
++						instance, OSTimeNow() - time);
++    if (!mOldCAC || CKYBuffer_GetChar(&rawCert,0) == 1) {
++	CKYSize guessFinalSize = CKYBuffer_Size(&rawCert);
++	CKYSize certSize = 0;
++	CKYOffset offset = mOldCAC ? 1 : 0;
++	int zret = Z_MEM_ERROR;
++
++	do {
++	    guessFinalSize *= 2;
++	    status = CKYBuffer_Resize(&cert, guessFinalSize);
++	    if (status != CKYSUCCESS) {
++		    break;
++	    }
++	    certSize = guessFinalSize;
++	    zret = uncompress((Bytef *)CKYBuffer_Data(&cert),&certSize,
++			CKYBuffer_Data(&rawCert)+offset,
++			CKYBuffer_Size(&rawCert)-offset);
++	} while (zret == Z_BUF_ERROR);
++
++	if (zret != Z_OK) {
++	    CKYBuffer_FreeData(&rawCert);
++	    CKYBuffer_FreeData(&cert);
++	    throw PKCS11Exception(CKR_DEVICE_ERROR,
++				"Corrupted compressed CAC Cert");
++	}
++	CKYBuffer_Resize(&cert,certSize);
++    } else {
++	CKYBuffer_InitFromBuffer(&cert,&rawCert,1,CKYBuffer_Size(&rawCert)-1);
++    }
++    CKYBuffer_FreeData(&rawCert);
++    log->log("CAC Cert %d: Cert has been uncompressed:  %d ms\n",
++						instance, OSTimeNow() - time);
++
++    CACCert certObj(instance, &cert);
++    CACPrivKey privKey(instance, certObj);
++    CACPubKey pubKey(instance, certObj);
++    tokenObjects.push_back(privKey);
++    tokenObjects.push_back(pubKey);
++    tokenObjects.push_back(certObj);
++
++    if (personName == NULL) {
++	const char *name = certObj.getName();
++	if (name) {
++            personName = strdup(name);
++            fullTokenName = true;
++	}
++    }
++}
++
++void
++Slot::loadObjects()
++{
++    // throw away all token objects!
++
++    Transaction trans;
++    CKYBuffer header;
++    CKYBuffer_InitEmpty(&header);
++    CKYStatus status = trans.begin(conn);
++    if( status != CKYSUCCESS ) {
++        handleConnectionError();
++    }
++    OSTime time = OSTimeNow();
++
++
++    list<ListObjectInfo> objInfoList;
++    std::list<ListObjectInfo>::iterator iter;
++
++    if (state & CAC_CARD) {
++	loadCACCert(0);
++	loadCACCert(1);
++	loadCACCert(2);
++	status = trans.end();
++	loadReaderObject();
++	return;
++    }
++
++    selectApplet();
++    log->log("time load object: Select Applet (again) %d ms\n",
++						OSTimeNow() - time);
++
++
++    status = CKYApplet_ReadObjectFull(conn, COMBINED_ID, 0,
++			CKY_MAX_READ_CHUNK_SIZE, getNonce(), &header, NULL);
++    log->log("time load object: ReadCombined Header %d ms\n",
++						OSTimeNow() - time);
++    if (status == CKYSCARDERR) {
++        CKYBuffer_FreeData(&header);
++        handleConnectionError();
++    }
++    bool isCombined = (status == CKYSUCCESS) ? true : false;
++    try {
++	objInfoList = isCombined ? fetchCombinedObjects(&header)
++						: fetchSeparateObjects();
++    } catch(PKCS11Exception& e) {
++	CKYBuffer_FreeData(&header);
++	throw(e);
++    }
++    log->log("time load object: Fetch %d ms\n", OSTimeNow() - time);
++    CKYBuffer_FreeData(&header);
++    status = trans.end();
++
++    //
++    // load up the keys, certs and others.
++    //
++    for( iter = objInfoList.begin(); iter != objInfoList.end(); ++iter ) {
++	CKYByte type = getObjectClass(iter->obj.objectID);
++        if( type == 'k' ) {
++	    CK_OBJECT_HANDLE handle = generateUnusedObjectHandle();
++            addKeyObject(tokenObjects, *iter, handle, isCombined);
++        } else if( type == 'c' ) {
++            // cert attribute object. find the DER encoding
++            unsigned short certnum = getObjectIndex(iter->obj.objectID);
++            if( certnum > 9 ) {
++                //invalid object id
++                throw PKCS11Exception(CKR_DEVICE_ERROR,
++                    "Invalid object id %08x",iter->obj.objectID);
++            }
++            std::list<ListObjectInfo>::iterator derCert;
++	    /*
++	     * Old tokens stored certs separately from the attributes
++	     */
++	    if (!isCombined) {
++        	derCert = find_if(objInfoList.begin(), objInfoList.end(),
++                    DERCertObjIDMatch(certnum, *this));
++        	if( derCert == objInfoList.end() ) {
++                    throw PKCS11Exception(CKR_DEVICE_ERROR,
++			"No DER cert object for cert %d\n", certnum);
++		}
++            }
++	    CK_OBJECT_HANDLE handle = generateUnusedObjectHandle();
++            addCertObject(tokenObjects, *iter,
++			isCombined ? NULL : &derCert->data, handle);
++        } else if ( type == 'C' ) {
++	    // This is a DER Cert object (as opposed to a cert attribute
++	    // object, 'c' above).  skip it.
++        } else if (type == 'd') {
++	    CK_OBJECT_HANDLE handle = generateUnusedObjectHandle();
++	    addObject(tokenObjects, *iter, handle);
++	} else {
++            log->log("Ignoring unknown object %08x\n",iter->obj.objectID);
++        }
++    }
++    log->log("time load objects: Process %d ms\n", OSTimeNow() - time);
++
++    loadReaderObject();
++}
++
++void
++Slot::loadReaderObject(void)
++{
++    // now generate an Moz "reader" object.
++    CK_OBJECT_HANDLE handle = generateUnusedObjectHandle();
++    Reader rdr(READER_ID, handle, readerName, &cardATR, mCoolkey);
++    tokenObjects.push_back(rdr);
++}
++
++void
++Slot::closeAllSessions()
++{
++    sessions.clear();
++    log->log("cleared all sessions\n");
++}
++
++SessionHandleSuffix
++Slot::generateNewSession(Session::Type type)
++{
++    SessionHandleSuffix suffix;
++    SessionIter iter;
++
++    do {
++        suffix = (++sessionHandleCounter) & 0x00ffffff;
++        iter = findSession(suffix);
++    } while( iter != sessions.end() );
++
++    sessions.push_back(Session(suffix, type));
++
++    return suffix;
++}
++
++void
++SlotList::getSessionInfo(CK_SESSION_HANDLE hSession,
++    CK_SESSION_INFO_PTR pInfo)
++{
++
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->getSessionInfo(suffix, pInfo);
++
++    pInfo->slotID = slotID;
++}
++
++void
++Slot::ensureTokenPresent()
++{
++    if( ! isTokenPresent() ) {
++        throw PKCS11Exception(CKR_DEVICE_REMOVED);
++    }
++}
++
++SessionIter
++Slot::findSession(SessionHandleSuffix suffix)
++{
++    return find_if(sessions.begin(), sessions.end(),
++        SessionHandleSuffixMatch(suffix));
++}
++
++SessionConstIter
++Slot::findConstSession(SessionHandleSuffix suffix) const
++{
++    return find_if(sessions.begin(), sessions.end(),
++        SessionHandleSuffixMatch(suffix));
++}
++
++void
++Slot::getSessionInfo(SessionHandleSuffix handleSuffix,
++    CK_SESSION_INFO_PTR pInfo)
++{
++    refreshTokenState();
++
++    SessionIter iter = findSession(handleSuffix);
++    if( iter == sessions.end() ) {
++            throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID,
++                "Unknown session handle suffix 0x%08x passed to "
++                    "getSessionInfo\n", (unsigned long) handleSuffix);
++    } else {
++        if( iter->getType() == Session::RO ) {
++            pInfo->state = isLoggedIn() ?
++                CKS_RO_USER_FUNCTIONS : CKS_RO_PUBLIC_SESSION;
++            pInfo->flags = CKF_SERIAL_SESSION;
++        } else {
++            pInfo->state = isLoggedIn() ?
++                CKS_RW_USER_FUNCTIONS : CKS_RW_PUBLIC_SESSION;
++            pInfo->flags = CKF_RW_SESSION | CKF_SERIAL_SESSION;
++        }
++        pInfo->ulDeviceError = CKYCardConnection_GetLastError(conn);
++    }
++}
++
++void
++SlotList::login(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin,
++    CK_ULONG ulPinLen)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->login(suffix, pPin, ulPinLen);
++}
++
++void
++Slot::testNonce()
++{
++    reverify = false;
++    if (!nonceValid) {
++	return;
++    }
++#ifdef notdef
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    try {
++        if ( status != CKYSUCCESS ) handleConnectionError();
++
++         selectApplet();
++    } catch (PKCS11Exception &) {
++	invalidateLogin(true);
++	return;
++    }
++
++    CKYBuffer data;
++    CKYBuffer_InitEmpty(&data);
++
++    status = CKYApplet_ReadObject(conn, 0xffffffff, 0, 1, &nonce, &data, NULL);
++    trans.end();
++    CKYBuffer_FreeData(&data);
++    if( status != CKYSUCCESS )  {
++	invalidateLogin(true);
++	return;
++    }
++#else
++    invalidateLogin(true);
++#endif
++}
++
++bool
++Slot::isLoggedIn()
++{
++    if (isVersion1Key) {
++	if (reverify) {
++	    testNonce();
++	}
++	return nonceValid;
++    }
++    return loggedIn;
++}
++
++void
++Slot::login(SessionHandleSuffix handleSuffix, CK_UTF8CHAR_PTR pPin,
++    CK_ULONG ulPinLen)
++{
++    refreshTokenState();
++
++    if( ! isValidSession(handleSuffix) ) {
++        log->log("Invalid session handle suffix 0x%08x passed to "
++            "Slot::login\n", (unsigned long) handleSuffix);
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++
++    if (!isVersion1Key) {
++	pinCache.set((const char *)pPin, ulPinLen);
++    } else if (nonceValid) {
++	throw PKCS11Exception(CKR_USER_ALREADY_LOGGED_IN);
++    }
++
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    if(status != CKYSUCCESS ) handleConnectionError();
++
++    if (state & CAC_CARD) {
++	selectCACApplet(0);
++    } else {
++	selectApplet();
++    }
++
++    if (isVersion1Key) {
++	attemptLogin((const char *)pPin);
++    } else if (state & CAC_CARD) {
++	attemptCACLogin();
++    } else {
++	oldAttemptLogin();
++    }
++}
++
++void
++Slot::attemptCACLogin()
++{
++    loggedIn = false;
++    pinCache.invalidate();
++
++    CKYStatus status;
++    CKYISOStatus result;
++
++    status = CACApplet_VerifyPIN(conn,
++		(const char *)CKYBuffer_Data(pinCache.get()), &result);
++    if( status == CKYSCARDERR ) {
++	handleConnectionError();
++    }
++    switch( result ) {
++      case CKYISO_SUCCESS:
++        break;
++      case 0x6981:
++        throw PKCS11Exception(CKR_PIN_LOCKED);
++      default:
++	if ((result & 0xff00) == 0x6300) {
++            throw PKCS11Exception(CKR_PIN_INCORRECT);
++	}
++        throw PKCS11Exception(CKR_DEVICE_ERROR, "Applet returned 0x%04x",
++								result);
++    }
++
++    pinCache.validate();
++    loggedIn = true;
++}
++
++void
++Slot::oldAttemptLogin()
++{
++    loggedIn = false;
++    pinCache.invalidate();
++
++    CKYStatus status;
++    CKYISOStatus result;
++    status = CKYApplet_VerifyPinV0(conn, CKY_OLD_USER_PIN_NUM,
++		(const char *)CKYBuffer_Data(pinCache.get()), &result);
++    if( status == CKYSCARDERR ) {
++	handleConnectionError();
++    }
++    switch( result ) {
++      case CKYISO_SUCCESS:
++        break;
++      case CKYISO_AUTH_FAILED:
++        throw PKCS11Exception(CKR_PIN_INCORRECT);
++      case CKYISO_IDENTITY_BLOCKED:
++        throw PKCS11Exception(CKR_PIN_LOCKED);
++      default:
++        throw PKCS11Exception(CKR_DEVICE_ERROR, "Applet returned 0x%04x",
++								result);
++    }
++
++    pinCache.validate();
++    loggedIn = true;
++}
++
++// should already be in a transaction, and applet selected
++void
++Slot::attemptLogin(const char *pin)
++{
++    CKYStatus status;
++    CKYISOStatus result;
++    status = CKYApplet_VerifyPIN(conn, CKY_USER_PIN_NUM, pin, &nonce, &result);
++    if( status == CKYSCARDERR ) {
++	handleConnectionError();
++    }
++
++    switch( result ) {
++      case CKYISO_SUCCESS:
++        break;
++      case CKYISO_AUTH_FAILED:
++        throw PKCS11Exception(CKR_PIN_INCORRECT);
++      case CKYISO_IDENTITY_BLOCKED:
++        throw PKCS11Exception(CKR_PIN_LOCKED);
++      default:
++        throw PKCS11Exception(CKR_DEVICE_ERROR,
++            "Applet returned 0x%04x", result);
++    }
++    nonceValid = true;
++
++}
++
++void
++SlotList::logout(CK_SESSION_HANDLE hSession)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->logout(suffix);
++}
++
++//
++// The old "logout All" from pre-version 1 CoolKeys.
++//
++void
++Slot::oldLogout()
++{
++    invalidateLogin(true);
++
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    if( status != CKYSUCCESS) handleConnectionError();
++
++    selectApplet();
++
++    status = CKYApplet_LogoutAllV0(conn, NULL);
++    if (status != CKYSUCCESS) {
++	if (status == CKYSCARDERR) {
++	    handleConnectionError();
++	}
++	throw PKCS11Exception(CKR_DEVICE_ERROR);
++    }
++}
++
++//
++//
++void
++Slot::CACLogout()
++{
++    /* use get properties which has the side effect of logging out */
++    invalidateLogin(true);
++}
++
++void
++Slot::logout(SessionHandleSuffix suffix)
++{
++    refreshTokenState();
++
++    if( !isValidSession(suffix) ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++
++    if (state & CAC_CARD) {
++	CACLogout();
++	return;
++    }
++
++    if (!isVersion1Key) {
++	oldLogout();
++	return;
++    }
++
++    if (!nonceValid) {
++	throw PKCS11Exception(CKR_USER_NOT_LOGGED_IN);
++    }
++
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    if( status != CKYSUCCESS) handleConnectionError();
++
++    status = CKYApplet_Logout(conn, CKY_USER_PIN_NUM, getNonce(), NULL);
++    invalidateLogin(true);
++    if (status != CKYSUCCESS) {
++	if (status == CKYSCARDERR) {
++	    handleConnectionError();
++	}
++	throw PKCS11Exception(CKR_DEVICE_ERROR);
++    }
++
++}
++
++void
++SlotList::findObjectsInit(CK_SESSION_HANDLE hSession,
++        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->findObjectsInit(suffix, pTemplate, ulCount);
++}
++
++void
++Slot::findObjectsInit(SessionHandleSuffix suffix, CK_ATTRIBUTE_PTR pTemplate,
++    CK_ULONG ulCount)
++{
++    refreshTokenState();
++
++    SessionIter session = findSession(suffix);
++    if( session == sessions.end() ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++
++    session->foundObjects.clear();
++
++    ObjectConstIter iter;
++    for( iter = tokenObjects.begin(); iter != tokenObjects.end(); ++iter) {
++        if( iter->matchesTemplate(pTemplate, ulCount) ) {
++            log->log("C_FindObjectsInit found matching object 0x%08x\n",
++                iter->getHandle());
++            session->foundObjects.push_back(iter->getHandle());
++        }
++    }
++
++    session->curFoundObject = session->foundObjects.begin();
++}
++
++void
++SlotList::findObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
++        CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->findObjects(suffix, phObject,
++        ulMaxObjectCount, pulObjectCount);
++}
++
++void
++Slot::findObjects(SessionHandleSuffix suffix, CK_OBJECT_HANDLE_PTR phObject,
++        CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount)
++{
++    refreshTokenState();
++
++    SessionIter session = findSession(suffix);
++    if( session == sessions.end() ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++
++    unsigned int objectsReturned = 0;
++    while( objectsReturned < ulMaxObjectCount &&
++        session->curFoundObject != session->foundObjects.end() )
++    {
++        phObject[objectsReturned++] = *(session->curFoundObject++);
++    }
++
++    *pulObjectCount = objectsReturned;
++}
++
++void
++SlotList::getAttributeValue(CK_SESSION_HANDLE hSession,
++    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
++    const
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->getAttributeValue(suffix, hObject,
++        pTemplate, ulCount);
++}
++
++void
++Slot::getAttributeValue(SessionHandleSuffix suffix,
++    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
++{
++    refreshTokenState();
++
++    if( ! isValidSession(suffix) ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++
++    ObjectConstIter iter = find_if(tokenObjects.begin(), tokenObjects.end(),
++        ObjectHandleMatch(hObject));
++
++    if( iter == tokenObjects.end() ) {
++        throw PKCS11Exception(CKR_OBJECT_HANDLE_INVALID);
++    }
++
++    iter->getAttributeValue(pTemplate, ulCount, log);
++}
++
++void
++SlotList::signInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
++        CK_OBJECT_HANDLE hKey)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->signInit(suffix, pMechanism, hKey);
++}
++
++void
++SlotList::decryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
++        CK_OBJECT_HANDLE hKey)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->decryptInit(suffix, pMechanism, hKey);
++}
++
++void
++SlotList::sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
++        CK_ULONG_PTR pulSignatureLen)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->sign(suffix, pData, ulDataLen,
++        pSignature, pulSignatureLen);
++}
++
++void
++SlotList::decrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen, CK_BYTE_PTR pDecryptedData,
++        CK_ULONG_PTR pulDecryptedDataLen)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->decrypt(suffix, pData, ulDataLen,
++        pDecryptedData, pulDecryptedDataLen);
++}
++
++void
++SlotList::seedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->seedRandom(suffix, pData, ulDataLen);
++}
++
++void
++SlotList::generateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen)
++{
++    CK_SLOT_ID slotID;
++    SessionHandleSuffix suffix;
++
++    decomposeSessionHandle(hSession, slotID, suffix);
++
++    slots[slotIDToIndex(slotID)]->generateRandom(suffix, pData, ulDataLen);
++}
++
++void
++Slot::ensureValidSession(SessionHandleSuffix suffix)
++{
++    if( ! isValidSession(suffix) ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++}
++
++//
++// Looks up an object and pulls the key number from the Muscle Object ID.
++// Keys in Muscle have IDs of the form 'kn  ', where 'n' is the key number
++// from 0-9.
++//
++CKYByte
++Slot::objectHandleToKeyNum(CK_OBJECT_HANDLE hKey)
++{
++    ObjectConstIter iter = find_if(tokenObjects.begin(), tokenObjects.end(),
++        ObjectHandleMatch(hKey));
++
++    if( iter == tokenObjects.end() ) {
++        // no such object
++        throw PKCS11Exception(CKR_KEY_HANDLE_INVALID);
++    }
++
++    if( getObjectClass(iter->getMuscleObjID()) != 'k' ) {
++        throw PKCS11Exception(CKR_KEY_HANDLE_INVALID);
++    }
++    unsigned short keyNum = getObjectIndex(iter->getMuscleObjID());
++    if( keyNum > 9 ) {
++        throw PKCS11Exception(CKR_KEY_HANDLE_INVALID);
++    }
++    return keyNum & 0xFF;
++}
++
++void
++Slot::signInit(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism,
++        CK_OBJECT_HANDLE hKey)
++{
++    refreshTokenState();
++    SessionIter session = findSession(suffix);
++    if( session == sessions.end() ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++    session->signatureState.initialize(objectHandleToKeyNum(hKey));
++}
++
++void
++Slot::decryptInit(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism,
++        CK_OBJECT_HANDLE hKey)
++{
++    refreshTokenState();
++    SessionIter session = findSession(suffix);
++    if( session == sessions.end() ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++    session->decryptionState.initialize(objectHandleToKeyNum(hKey));
++}
++
++/**
++ * Padding algorithm defined in RSA's PKCS #1.
++ * to: pre-allocated buffer to receive the padded data
++ * toLen: the length of the buffer. This should be the same as the size
++ *      of the RSA modulus.  (toLen - 3) > fromLen.
++ * from: data to be padded.
++ * fromLen: size of data to be padded. fromLen < (toLen-3).
++ * Returns: nonzero for success, zero for failure.
++ */
++static void
++padRSAType1(const CKYBuffer *raw, CKYBuffer *padded)
++{
++    int i = 0;
++    unsigned int padLen = CKYBuffer_Size(padded) - 3 - CKYBuffer_Size(raw);
++
++    /* First byte: 00 */
++    CKYBuffer_SetChar(padded, i++, 0x00);
++
++    /* Second Byte: Block Type == 01 */
++    CKYBuffer_SetChar(padded, i++, 0x01);
++
++    /* Padding String, each byte is 0xFF for block type 01 */
++    CKYBuffer_SetChars(padded, i, 0xFF, padLen);
++    i += padLen;
++
++    /* Separator byte: 00 */
++    CKYBuffer_SetChar(padded, i++, 0x00);
++
++    /* Finally, the data */
++    CKYBuffer_Replace(padded, i, CKYBuffer_Data(raw), CKYBuffer_Size(raw));
++}
++
++static void
++stripRSAPadding(CKYBuffer *stripped, const CKYBuffer *padded)
++{
++    unsigned int size = CKYBuffer_Size(padded);
++    if( size < 2 ) {
++        throw PKCS11Exception(CKR_ENCRYPTED_DATA_INVALID);
++    }
++    if( CKYBuffer_GetChar(padded,0) != 0 ) {
++        throw PKCS11Exception(CKR_ENCRYPTED_DATA_INVALID);
++    }
++
++    unsigned int dataStart = 3;
++
++    CKYByte blockType = CKYBuffer_GetChar(padded, 1);
++    // There are three block types in PKCS #1 padding: 00, 01, and 02.
++    switch(blockType) {
++      case 0x00:
++        // The padding string is all zeroes. The first nonzero byte
++        // is the beginning of the data.
++        for( ; dataStart < size; ++dataStart ) {
++            if( CKYBuffer_GetChar(padded,dataStart) != 0 ) {
++                break;
++            }
++        }
++        if( dataStart == size ) {
++            throw PKCS11Exception(CKR_ENCRYPTED_DATA_INVALID);
++        }
++        break;
++      case 0x01:
++        // The padding string is all 0xFF, followed by a 0x00 separator byte,
++        // and then the data.
++        for( ; dataStart < size; ++dataStart ) {
++            if( CKYBuffer_GetChar(padded,dataStart) == 0xff ) {
++                // padding, continue;
++            } else if( CKYBuffer_GetChar(padded,dataStart) == 0x00 ) {
++                // end of padding
++                break;
++            } else {
++                // invalid character
++                throw PKCS11Exception(CKR_ENCRYPTED_DATA_INVALID);
++            }
++        }
++        if( dataStart == size  ) {
++            // we never found the separator byte
++            throw PKCS11Exception(CKR_ENCRYPTED_DATA_INVALID);
++        }
++        dataStart++; // data starts after separator byte
++        break;
++      case 0x02:
++        // padding is non-zero. First non-zero byte is the separator,
++        // and then the data.
++        for( ; dataStart < size; ++dataStart) {
++            if( CKYBuffer_GetChar(padded,dataStart) == 0x00 ) {
++                break;
++            }
++        }
++        if( dataStart == size ) {
++            // we never found the separator byte
++            throw PKCS11Exception(CKR_ENCRYPTED_DATA_INVALID);
++        }
++        dataStart++; // data starts after separator byte
++        break;
++      default:
++        throw PKCS11Exception(CKR_ENCRYPTED_DATA_INVALID,
++            "Unknown PKCS#1 block type %x", blockType);
++    }
++
++    CKYStatus status = CKYBuffer_Replace(stripped, 0,
++		CKYBuffer_Data(padded)+dataStart, size-dataStart);
++    if (status != CKYSUCCESS) {
++	throw PKCS11Exception(CKR_HOST_MEMORY);
++    }
++}
++
++class RSASignatureParams : public CryptParams {
++  public:
++    RSASignatureParams(unsigned int keysize) : CryptParams(keysize) { }
++
++    CKYByte getDirection() const { return CKY_DIR_ENCRYPT; }
++
++    CryptOpState& getOpState(Session& session) const {
++        return session.signatureState;
++    }
++
++    void padInput(CKYBuffer *paddedInput, const CKYBuffer *unpaddedInput) const {
++        // RSA_NO_PAD requires RSA PKCS #1 Type 1 padding
++  	CKYStatus status = CKYBuffer_Resize(paddedInput,getKeySize()/8);
++	if (status != CKYSUCCESS) {
++	    throw PKCS11Exception(CKR_HOST_MEMORY);
++	}
++        padRSAType1(unpaddedInput, paddedInput);
++        return;
++    }
++
++    void
++    unpadOutput(CKYBuffer *unpaddedOutput, const CKYBuffer *paddedOutput) const {
++        // no need to unpad ciphertext
++	CKYBuffer_Replace(unpaddedOutput, 0, CKYBuffer_Data(paddedOutput),
++					CKYBuffer_Size(paddedOutput));
++
++    }
++};
++
++class RSADecryptParams: public CryptParams {
++  public:
++    RSADecryptParams(unsigned int keysize) : CryptParams(keysize) { }
++
++    CKYByte getDirection() const { return CKY_DIR_DECRYPT; }
++
++    CryptOpState& getOpState(Session& session) const {
++        return session.decryptionState;
++    }
++
++    void padInput(CKYBuffer *paddedInput, const CKYBuffer *unpaddedInput) const {
++        // no need to unpad ciphertext
++	CKYBuffer_Replace(paddedInput, 0, CKYBuffer_Data(unpaddedInput),
++					CKYBuffer_Size(unpaddedInput));
++    }
++
++    void
++    unpadOutput(CKYBuffer *unpaddedOutput, const CKYBuffer *paddedOutput) const {
++        // strip off PKCS #1 padding
++        stripRSAPadding( unpaddedOutput, paddedOutput );
++	return;
++    }
++};
++
++void
++Slot::sign(SessionHandleSuffix suffix, CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
++        CK_ULONG_PTR pulSignatureLen)
++{
++    RSASignatureParams params(CryptParams::DEFAULT_KEY_SIZE);
++    cryptRSA(suffix, pData, ulDataLen, pSignature, pulSignatureLen,
++        params);
++}
++
++void
++Slot::decrypt(SessionHandleSuffix suffix, CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen, CK_BYTE_PTR pDecryptedData,
++        CK_ULONG_PTR pulDecryptedDataLen)
++{
++    RSADecryptParams params(CryptParams::DEFAULT_KEY_SIZE);
++    cryptRSA(suffix, pData, ulDataLen, pDecryptedData, pulDecryptedDataLen,
++        params);
++}
++
++void
++Slot::cryptRSA(SessionHandleSuffix suffix, CK_BYTE_PTR pInput,
++        CK_ULONG ulInputLen, CK_BYTE_PTR pOutput,
++        CK_ULONG_PTR pulOutputLen, CryptParams& params)
++{
++    refreshTokenState();
++    SessionIter session = findSession(suffix);
++    if( session == sessions.end() ) {
++        throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
++    }
++    // version 1 keys may not need login. We catch the error
++    // on the operation. The token will not allow us to sign with
++    // a protected key unless we are logged in.
++    // can be removed when version 0 support is depricated.
++    if (!isVersion1Key && ! isLoggedIn() ) {
++        throw PKCS11Exception(CKR_USER_NOT_LOGGED_IN);
++    }
++    CryptOpState& opState = params.getOpState(*session);
++    CKYBuffer *result = &opState.result;
++    CKYByte keyNum = opState.keyNum;
++
++    unsigned int keySize = getKeySize(keyNum);
++
++    if(keySize != CryptParams::DEFAULT_KEY_SIZE)
++        params.setKeySize(keySize);
++
++    if( CKYBuffer_Size(result) == 0 ) {
++        // we haven't already peformed the decryption, so do it now.
++        if( pInput == NULL || ulInputLen == 0) {
++            throw PKCS11Exception(CKR_DATA_LEN_RANGE);
++        }
++	// OK, this is gross. We should get our own C++ like buffer
++        // management at this point. This code has nothing to do with
++	// the applet, it shouldn't be using applet specific buffers.
++        CKYBuffer input;
++        CKYBuffer inputPad;
++        CKYBuffer output;
++        CKYBuffer_InitEmpty(&output);
++        CKYBuffer_InitEmpty(&inputPad);
++	CKYStatus status = CKYBuffer_InitFromData(&input, pInput, ulInputLen);
++ 	if (status != CKYSUCCESS) {
++	    throw PKCS11Exception(CKR_HOST_MEMORY);
++  	}
++	try {
++	    params.padInput(&inputPad, &input);
++            performRSAOp(&output, &inputPad, keyNum, params.getDirection());
++	    params.unpadOutput(result, &output);
++	    CKYBuffer_FreeData(&input);
++	    CKYBuffer_FreeData(&inputPad);
++	    CKYBuffer_FreeData(&output);
++	} catch(PKCS11Exception& e) {
++	    CKYBuffer_FreeData(&input);
++	    CKYBuffer_FreeData(&inputPad);
++	    CKYBuffer_FreeData(&output);
++	    throw(e);
++	}
++    }
++
++    if( pulOutputLen == NULL ) {
++        throw PKCS11Exception(CKR_DATA_INVALID,
++            "output length is NULL");
++    }
++
++    if( pOutput != NULL ) {
++        if( *pulOutputLen < CKYBuffer_Size(result) ) {
++            *pulOutputLen = CKYBuffer_Size(result);
++            throw PKCS11Exception(CKR_BUFFER_TOO_SMALL);
++        }
++        memcpy(pOutput, CKYBuffer_Data(result), CKYBuffer_Size(result));
++    }
++    *pulOutputLen = CKYBuffer_Size(result);
++}
++
++const CKYBuffer *
++Slot::getNonce()
++{
++    if (!isVersion1Key) {
++	return NULL;
++    }
++    return &nonce;
++}
++
++void
++Slot::performRSAOp(CKYBuffer *output, const CKYBuffer *input,
++					CKYByte keyNum, CKYByte direction)
++{
++    //
++    // establish a transaction
++    //
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    if( status != CKYSUCCESS ) handleConnectionError();
++
++    //
++    // select the applet
++    //
++    if (state & CAC_CARD) {
++	selectCACApplet(keyNum);
++    } else {
++	selectApplet();
++    }
++
++    CKYISOStatus result;
++    int loginAttempted = 0;
++retry:
++    if (state & CAC_CARD) {
++        status = CACApplet_SignDecrypt(conn, input, output, &result);
++    } else {
++        status = CKYApplet_ComputeCrypt(conn, keyNum, CKY_RSA_NO_PAD, direction,
++		input, NULL, output, getNonce(), &result);
++    }
++    /* map the ISO not logged in code to the coolkey one */
++    if (status == CKYISO_CONDITION_NOT_SATISFIED) {
++	status = (CKYStatus) CKYISO_UNAUTHORIZED;
++    }
++    if (status != CKYSUCCESS) {
++	if ( status == CKYSCARDERR ) {
++	    handleConnectionError();
++	}
++        if (result == CKYISO_DATA_INVALID) {
++            throw PKCS11Exception(CKR_DATA_INVALID);
++	}
++	// version0 keys could be logged out in the middle by someone else,
++	// reauthenticate... This code can go away when we depricate.
++        // version0 applets.
++	if (!isVersion1Key && !loginAttempted  &&
++					(result == CKYISO_UNAUTHORIZED)) {
++	    // try to reauthenticate
++	    try {
++		oldAttemptLogin();
++	    } catch(PKCS11Exception& ) {
++		// attemptLogin can throw things like CKR_PIN_INCORRECT
++		// that don't make sense from a crypto operation. This is
++		// a result of pin caching. We will reformat any login
++		// exception to a CKR_DEVICE_ERROR.
++		throw PKCS11Exception(CKR_DEVICE_ERROR);
++	    }
++	    loginAttempted = true;
++	    goto retry; // easier to understand than a while loop in this case.
++	}
++ 	throw PKCS11Exception( result == CKYISO_UNAUTHORIZED ?
++		 CKR_USER_NOT_LOGGED_IN : CKR_DEVICE_ERROR);
++    }
++}
++
++void
++Slot::seedRandom(SessionHandleSuffix suffix, CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen)
++{
++    if (state & CAC_CARD) {
++	/* should throw unsupported */
++	throw PKCS11Exception(CKR_DEVICE_ERROR);
++    }
++
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    if( status != CKYSUCCESS ) handleConnectionError();
++
++    CKYBuffer random;
++    CKYBuffer seed;
++    CKYOffset offset = 0;
++    CKYISOStatus result;
++    int i;
++
++    CKYBuffer_InitEmpty(&random);
++    CKYBuffer_InitFromData(&seed, pData, ulDataLen);
++
++
++    while (ulDataLen) {
++	CKYByte len = (CKYByte) MIN(ulDataLen, 0xff);
++
++	status = CKYApplet_GetRandom(conn, &random, len, &result);
++	if (status != CKYSUCCESS) break;
++
++	for (i=0; i < len ; i++) {
++	    CKYBuffer_SetChar(&random, i,
++			CKYBuffer_GetChar(&random,i) ^
++			CKYBuffer_GetChar(&seed,i+offset));
++	}
++	status = CKYApplet_SeedRandom(conn, &random, &result);
++	if (status != CKYSUCCESS) break;
++
++	ulDataLen -= (unsigned char)len;
++	offset += (unsigned char)len;
++    }
++
++    CKYBuffer_FreeData(&random);
++    CKYBuffer_FreeData(&seed);
++
++    if (status != CKYSUCCESS) {
++	if ( status == CKYSCARDERR ) {
++	    handleConnectionError();
++	}
++	throw PKCS11Exception(CKR_DEVICE_ERROR);
++    }
++}
++
++void
++Slot::generateRandom(SessionHandleSuffix suffix, const CK_BYTE_PTR pData,
++        CK_ULONG ulDataLen)
++{
++    if (state & CAC_CARD) {
++	/* should throw unsupported */
++	throw PKCS11Exception(CKR_DEVICE_ERROR);
++    }
++
++    Transaction trans;
++    CKYStatus status = trans.begin(conn);
++    if( status != CKYSUCCESS ) handleConnectionError();
++
++    CKYBuffer random;
++    CKYBuffer_InitEmpty(&random);
++
++    CKYISOStatus result;
++
++    while (ulDataLen) {
++	CKYByte len = (CKYByte) MIN(ulDataLen, 0xff);
++
++	status = CKYApplet_GetRandomAppend(conn, &random, len, &result);
++	if (status != CKYSUCCESS) break;
++
++	ulDataLen -= (unsigned char)len;
++    }
++    CKYBuffer_FreeData(&random);
++
++    if (status != CKYSUCCESS) {
++	if ( status == CKYSCARDERR ) {
++	    handleConnectionError();
++	}
++	throw PKCS11Exception(CKR_DEVICE_ERROR);
++    }
++}
++
++#define MAX_NUM_KEYS 8
++unsigned int
++Slot::getKeySize(CKYByte keyNum)
++{
++    unsigned int keySize = CryptParams::DEFAULT_KEY_SIZE;
++    int modSize = 0;
++
++    if(keyNum >= MAX_NUM_KEYS) {
++        return keySize;
++    }
++
++    ObjectConstIter iter;
++    iter = find_if(tokenObjects.begin(), tokenObjects.end(),
++        KeyNumMatch(keyNum,*this));
++
++    if( iter == tokenObjects.end() ) {
++        return keySize;
++    }
++
++    CKYBuffer const *modulus = iter->getAttribute(CKA_MODULUS);
++
++    if(modulus) {
++        modSize = CKYBuffer_Size(modulus);
++        if(CKYBuffer_GetChar(modulus,0) == 0x0) {
++            modSize--;
++        }
++        if(modSize > 0)
++            keySize = modSize * 8;
++    }
++
++    return keySize;
++}
 === added directory '.pc/Handle-pcscd-restarting/src/libckyapplet'
 === added file '.pc/Handle-pcscd-restarting/src/libckyapplet/cky_card.c'
 --- .pc/Handle-pcscd-restarting/src/libckyapplet/cky_card.c	1970-01-01 00:00:00 +0000
 +++ .pc/Handle-pcscd-restarting/src/libckyapplet/cky_card.c	2013-01-15 15:55:32 +0000
@@ -0,0 +1,1198 @@
++/* ***** BEGIN COPYRIGHT BLOCK *****
++ * Copyright (C) 2005 Red Hat, Inc.
++ * All rights reserved.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation version
++ * 2.1 of the License.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
++ * ***** END COPYRIGHT BLOCK ***** */
++
++#include <winscard.h>
++#include <stdlib.h>
++#include <string.h>
++#include "cky_basei.h" /* friend class */
++#include "cky_base.h"
++#include "cky_card.h"
++#include "dynlink.h"
++
++#ifndef WINAPI
++#define WINAPI
++#endif
++
++#ifndef SCARD_E_NO_READERS_AVAILABLE
++#define SCARD_E_NO_READERS_AVAILABLE ((unsigned long)0x8010002EL)
++#endif
++
++#define NEW(type,count) (type *)malloc((count)*sizeof(type))
++
++/*
++ * protect against scard API not being installed.
++ */
++
++typedef long (WINAPI * SCardEstablishContextFn) (
++    unsigned long dwScope,
++    const void * pvReserved1,
++    const void * pvReserved2,
++    LPSCARDCONTEXT phContext);
++
++typedef long (WINAPI * SCardReleaseContextFn) (
++    SCARDCONTEXT hContext);
++
++typedef long (WINAPI * SCardBeginTransactionFn) (
++    long hCard);
++
++typedef long (WINAPI * SCardEndTransactionFn) (
++    long hCard,
++    unsigned long dwDisposition);
++
++typedef long (WINAPI * SCardConnectFn) (
++    SCARDCONTEXT hContext,
++    const char *szReader,
++    unsigned long dwShareMode,
++    unsigned long dwPreferredProtocols,
++    long *phCard,
++    unsigned long *pdwActiveProtocol);
++
++typedef long (WINAPI * SCardDisconnectFn) (
++    long hCard,
++    unsigned long dwDisposition);
++
++typedef long (WINAPI * SCardTransmitFn) (
++    long hCard,
++    LPCSCARD_IO_REQUEST pioSendPci,
++    const unsigned char *pbSendBuffer,
++    unsigned long cbSendLength,
++    LPSCARD_IO_REQUEST pioRecvPci,
++    unsigned char *pbRecvBuffer,
++    unsigned long *pcbRecvLength);
++
++typedef long (WINAPI * SCardReconnectFn) (
++    long hCard,
++    unsigned long dwShareMode,
++    unsigned long dwPreferredProtocols,
++    unsigned long dwInitialization,
++    unsigned long *pdwActiveProtocol);
++
++typedef long (WINAPI * SCardListReadersFn) (
++    SCARDCONTEXT hContext,
++    const char *mszGroups,
++    char *mszReaders,
++    unsigned long *pcchReaders);
++
++typedef long (WINAPI * SCardStatusFn) (
++    long hCard,
++    char *mszReaderNames,
++    unsigned long *pcchReaderLen,
++    unsigned long *pdwState,
++    unsigned long *pdwProtocol,
++    unsigned char *pbAtr,
++    unsigned long *pcbAtrLen);
++
++typedef long (WINAPI * SCardGetAttribFn) (
++    long hCard,
++    unsigned long dwAttId,
++    char *pbAttr,
++    unsigned long *pchAttrLen);
++
++typedef long (WINAPI * SCardGetStatusChangeFn) (
++    SCARDCONTEXT hContext,
++    unsigned long dwTimeout,
++    SCARD_READERSTATE *rgReaderStates,
++    unsigned long cReaders);
++
++typedef long (WINAPI * SCardCancelFn) (
++    SCARDCONTEXT hContext);
++
++typedef struct _SCard {
++    SCardEstablishContextFn SCardEstablishContext;
++    SCardReleaseContextFn SCardReleaseContext;
++    SCardBeginTransactionFn SCardBeginTransaction;
++    SCardEndTransactionFn SCardEndTransaction;
++    SCardConnectFn SCardConnect;
++    SCardDisconnectFn SCardDisconnect;
++    SCardTransmitFn SCardTransmit;
++    SCardReconnectFn SCardReconnect;
++    SCardListReadersFn SCardListReaders;
++    SCardStatusFn SCardStatus;
++    SCardGetAttribFn SCardGetAttrib;
++    SCardGetStatusChangeFn SCardGetStatusChange;
++    SCardCancelFn SCardCancel;
++    SCARD_IO_REQUEST *SCARD_PCI_T0_;
++    SCARD_IO_REQUEST *SCARD_PCI_T1_;
++} SCard;
++
++#define GET_ADDRESS(library, scard, name) \
++    status= ckyShLibrary_getAddress(library,  \
++			(void**) &scard->name, MAKE_DLL_SYMBOL(name)); \
++    if (status != CKYSUCCESS) { \
++        goto fail; \
++    }
++
++#ifdef WIN32
++#define SCARD_LIB_NAME "winscard.dll"
++#else
++#ifdef MAC
++#define SCARD_LIB_NAME "PCSC.Framework/PCSC"
++#else
++#ifdef LINUX
++#define SCARD_LIB_NAME "libpcsclite.so"
++#else
++#ifndef SCARD_LIB_NAME
++#error "define wincard library for this platform"
++#endif
++#endif
++#endif
++#endif
++
++static SCard *
++ckySCard_Init(void)
++{
++    ckyShLibrary library;
++    CKYStatus status;
++    SCard *scard = NEW(SCard, 1);
++
++    if (!scard) {
++	return NULL;
++    }
++
++    library = ckyShLibrary_open(SCARD_LIB_NAME);
++    if (!library) {
++	goto fail;
++    }
++
++    GET_ADDRESS(library, scard, SCardEstablishContext);
++    GET_ADDRESS(library, scard, SCardReleaseContext);
++    GET_ADDRESS(library, scard, SCardBeginTransaction);
++    GET_ADDRESS(library, scard, SCardEndTransaction);
++    /* expands to SCardConnectA on Windows */
++    GET_ADDRESS(library, scard, SCardConnect);
++    GET_ADDRESS(library, scard, SCardDisconnect);
++    GET_ADDRESS(library, scard, SCardTransmit);
++    GET_ADDRESS(library, scard, SCardReconnect);
++    /* expands to SCardListReadersA on Windows  */
++    GET_ADDRESS(library, scard, SCardListReaders);
++    /* expands to SCardStatusA on Windows */
++    GET_ADDRESS(library, scard, SCardStatus);
++#ifdef WIN32
++    GET_ADDRESS(library, scard, SCardGetAttrib);
++#endif
++    /* SCardGetStatusChangeA */
++    GET_ADDRESS(library, scard, SCardGetStatusChange);
++    GET_ADDRESS(library, scard, SCardCancel);
++
++    status = ckyShLibrary_getAddress( library,
++	(void**) &scard->SCARD_PCI_T0_, MAKE_DLL_SYMBOL(g_rgSCardT0Pci));
++    if( status != CKYSUCCESS ) {
++        goto fail;
++    }
++
++    status = ckyShLibrary_getAddress( library,
++        (void**) &scard->SCARD_PCI_T1_, MAKE_DLL_SYMBOL(g_rgSCardT1Pci));
++    if( status != CKYSUCCESS ) {
++        goto fail;
++    }
++    return scard;
++
++fail:
++    if (library) {
++	ckyShLibrary_close(library);
++    }
++    free(scard);
++    return NULL;
++}
++/*
++ * Implement CKYReaderNameLists and CKYCardConnectionLists
++ */
++/* make the list code happy */
++static void
++CKYReaderName_Destroy(char *data) {
++    free(data);
++}
++
++#include "cky_list.i"   /* implemnentation of the lists define by cky_list.h */
++CKYLIST_IMPLEMENT(CKYReaderName, char *)
++CKYLIST_IMPLEMENT(CKYCardConnection, CKYCardConnection *)
++
++
++/*
++ * CKReader objects represent Readers attached to the system.
++ * The objects themselves are really SCard SCARD_READERSTATE objects.
++ * These objects are used in 2 ways:
++ *   1) the application creates static SCARD_READERSTATE's and use
++ * CKYReader_Init() to initialize the structure. In this case
++ * the application can call any of the reader 'methods' (functions
++ * starting with CKReader) on these objects. When finished the
++ * application is responsible for calling CKYReader_FreeData() to free
++ * any data held by the reader object.
++ *   2) Acquire an array of readers with CKYReader_CreateArray(). In this
++ * case the application can call any method on any particular array member
++ * In the end the Application is responsible for calling
++ * CKYReader_DestroyArray() to free the entire array.
++ */
++
++void
++CKYReader_Init(SCARD_READERSTATE *reader)
++{
++    reader->szReader = NULL;
++    reader->pvUserData = 0;
++    reader->cbAtr = 0;
++    reader->dwCurrentState = SCARD_STATE_UNAWARE;
++}
++
++void
++CKYReader_FreeData(SCARD_READERSTATE *reader)
++{
++    if (reader->szReader) {
++	free((void *)reader->szReader);
++    }
++    CKYReader_Init(reader);
++}
++
++CKYStatus
++CKYReader_SetReaderName(SCARD_READERSTATE *reader, const char *name)
++{
++    free((void *)reader->szReader);
++    reader->szReader = strdup(name);
++    return (reader->szReader)? CKYSUCCESS: CKYNOMEM;
++}
++
++const char *
++CKYReader_GetReaderName(const SCARD_READERSTATE *reader)
++{
++    return reader->szReader;
++}
++
++/* see openSC or PCSC for the semantics of Known State and Event States */
++CKYStatus
++CKYReader_SetKnownState(SCARD_READERSTATE *reader, unsigned long state)
++{
++    reader->dwCurrentState = state;
++    return CKYSUCCESS;
++}
++
++unsigned long
++CKYReader_GetKnownState(const SCARD_READERSTATE *reader)
++{
++    return reader->dwCurrentState;
++}
++
++unsigned long
++CKYReader_GetEventState(const SCARD_READERSTATE *reader)
++{
++    return reader->dwEventState;
++}
++
++/* Caller must have init'ed the buffer before calling
++ * any data in the existing buffer is overwritten */
++CKYStatus
++CKYReader_GetATR(const SCARD_READERSTATE *reader, CKYBuffer *buf)
++{
++    CKYStatus ret;
++
++    ret = CKYBuffer_Resize(buf, reader->cbAtr);
++    if (ret != CKYSUCCESS) {
++	return ret;
++    }
++    return CKYBuffer_Replace(buf, 0, reader->rgbAtr, reader->cbAtr);
++}
++
++SCARD_READERSTATE *
++CKYReader_CreateArray(const CKYReaderNameList readerNames,
++					unsigned long *returnReaderCount)
++{
++    unsigned long i,j;
++    unsigned long readerCount;
++    SCARD_READERSTATE *readers;
++    CKYStatus ret;
++
++    readerCount=CKYReaderNameList_GetCount(readerNames);
++    if (readerCount == 0) {
++	return NULL;
++    }
++    readers = NEW(SCARD_READERSTATE, readerCount);
++    if (readers == NULL) {
++	return NULL;
++    }
++
++    for (i=0; i < readerCount; i++) {
++	CKYReader_Init(&readers[i]);
++	ret = CKYReader_SetReaderName(&readers[i],
++			CKYReaderNameList_GetValue(readerNames,i));
++	if (ret != CKYSUCCESS) {
++	    break;
++	}
++    }
++    if (ret != CKYSUCCESS) {
++	for (j=0; j < i;  j++) {
++	    CKYReader_FreeData(&readers[j]);
++	}
++	free(readers);
++	return NULL;
++    }
++    if (returnReaderCount) {
++ 	*returnReaderCount=readerCount;
++    }
++
++    return readers;
++}
++
++/*
++ * add more reader states to an existing reader state array.
++ * The existing reader will have a new pointer, which will be updated only
++ * after the new one is complete, and before the old one is freed. The 'add'
++ * array is not modified or freed.
++ */
++CKYStatus
++CKYReader_AppendArray(SCARD_READERSTATE **array, unsigned long arraySize,
++	 const char **readerNames, unsigned long numReaderNames)
++{
++    unsigned long i,j;
++    SCARD_READERSTATE *readers;
++    SCARD_READERSTATE *old;
++    CKYStatus ret = CKYSUCCESS;
++
++    readers = NEW(SCARD_READERSTATE, arraySize+numReaderNames);
++    if (readers == NULL) {
++	return CKYNOMEM;
++    }
++    /* copy the original readers, inheriting all the pointer memory */
++    memcpy(readers, *array, arraySize*sizeof(SCARD_READERSTATE));
++
++    /* initialize and add the new reader states. */
++    for (i=0; i < numReaderNames; i++) {
++	CKYReader_Init(&readers[i+arraySize]);
++	ret = CKYReader_SetReaderName(&readers[i+arraySize],readerNames[i]);
++	if (ret != CKYSUCCESS) {
++	    break;
++	}
++    }
++
++    /* we failed, only free the new reader states, ownership of the new
++     * ones will revert back to the original */
++    if (ret != CKYSUCCESS) {
++	for (j=0; j < i;  j++) {
++	    CKYReader_FreeData(&readers[j+arraySize]);
++	}
++	free(readers);
++	return ret;
++    }
++
++    /* Now we swap the readers states */
++    old = *array;
++    *array = readers;
++    /* it's now safe to free the old one */
++    free(old);
++
++    return CKYSUCCESS;
++}
++
++void
++CKYReader_DestroyArray(SCARD_READERSTATE *reader, unsigned long readerCount)
++{
++    unsigned long i;
++
++    for (i=0; i < readerCount; i++) {
++	CKYReader_FreeData(&reader[i]);
++    }
++    free(reader);
++}
++
++/*
++ * CKYCardContexts are wrapped access to the SCard Context, which is
++ * part of the openSC/ Microsoft PCSC interface. Applications will
++ * typically open one context to get access to the SCard Subsystem.
++ *
++ * To protect ourselves from systems without the SCard library installed,
++ * the SCard calls are looked up from the library and called through
++ * a function pointer.
++ */
++struct _CKYCardContext {
++    SCARDCONTEXT  context;
++    SCard         *scard;
++    unsigned long scope;
++    unsigned long lastError;
++};
++
++
++static CKYStatus
++ckyCardContext_init(CKYCardContext *ctx)
++{
++    static SCard *scard;
++
++    ctx->lastError = 0;
++    ctx->context = 0;
++    if (!scard) {
++	scard = ckySCard_Init();
++	if (!scard) {
++	   return CKYNOSCARD;
++	}
++    }
++    ctx->scard = scard;
++    return CKYSUCCESS;
++}
++
++static CKYStatus
++ckyCardContext_release(CKYCardContext *ctx)
++{
++    unsigned long rv = ctx->scard->SCardReleaseContext(ctx->context);
++    ctx->context = 0;
++    if (rv != SCARD_S_SUCCESS) {
++	ctx->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++static CKYStatus
++ckyCardContext_establish(CKYCardContext *ctx, unsigned long scope)
++{
++    unsigned long rv;
++
++    if (ctx->context) {
++	ckyCardContext_release(ctx);
++    }
++    rv = ctx->scard->SCardEstablishContext(scope, NULL, NULL, &ctx->context);
++    if (rv != SCARD_S_SUCCESS) {
++	ctx->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++CKYCardContext *
++CKYCardContext_Create(unsigned long scope)
++{
++    CKYCardContext *ctx;
++    CKYStatus ret;
++
++    ctx = NEW(CKYCardContext, 1);
++    if (ctx == NULL) {
++	return NULL;
++    }
++    ret = ckyCardContext_init(ctx);
++    if (ret != CKYSUCCESS) {
++	CKYCardContext_Destroy(ctx);
++	return NULL;
++    }
++    ctx->scope = scope;
++    ret = ckyCardContext_establish(ctx, scope);
++#ifdef MAC
++/* Apple won't establish a connnection if pcscd is not running. Because of
++ * the way securityd controls pcscd, this may not necessarily be an error
++ * condition. Detect this case and continue. We'll establish the connection
++ * later..
++ */
++    if (ctx->lastError == SCARD_F_INTERNAL_ERROR) {
++	ctx->context = 0; /* make sure it's not established */
++	return ctx;
++    }
++#endif
++    if (ret != CKYSUCCESS) {
++	CKYCardContext_Destroy(ctx);
++	return NULL;
++    }
++    return ctx;
++}
++
++CKYStatus
++CKYCardContext_Destroy(CKYCardContext *ctx)
++{
++    CKYStatus ret = CKYSUCCESS;
++    if (ctx == NULL) {
++	return CKYSUCCESS;
++    }
++    if (ctx->context) {
++	ret = ckyCardContext_release(ctx);
++    }
++    free(ctx);
++    return ret;
++}
++
++SCARDCONTEXT
++CKYCardContext_GetContext(const CKYCardContext *ctx)
++{
++    return ctx->context;
++}
++
++CKYStatus
++CKYCardContext_ListReaders(CKYCardContext *ctx, CKYReaderNameList *readerNames)
++{
++    unsigned long readerLen;
++    unsigned long rv;
++    char * readerStr = NULL;
++    char *cur;
++    char ** readerList;
++    int count,i;
++
++
++    /* return NULL in the case nothing is found, or there is an error */
++    *readerNames = NULL;
++
++    /* if we aren't established yet, do so now */
++    if (!ctx->context) {
++	CKYStatus ret = ckyCardContext_establish(ctx, ctx->scope);
++ 	if (ret != CKYSUCCESS) {
++
++#ifdef MAC
++	    if (ctx->lastError == SCARD_F_INTERNAL_ERROR) {
++		/* Still can't establish, just treat it as 'zero' readers */
++		return CKYSUCCESS;
++	    }
++#endif
++	    return ret;
++	}
++    }
++
++    /* get the initial length */
++    readerLen = 0;
++    rv = ctx->scard->SCardListReaders(ctx->context, NULL /*groups*/,
++							NULL, &readerLen);
++    /* handle the other errors from SCardListReaders */
++    if (rv == SCARD_E_NO_READERS_AVAILABLE) {
++	/* not really an error: there are no readers */
++	return CKYSUCCESS;
++    }
++
++    if( rv != SCARD_S_SUCCESS ) {
++	ctx->lastError = rv;
++        return CKYSCARDERR;
++    }
++
++    /* if no readers, return OK and a NULL list */
++    if (readerLen == 0) {
++	return CKYSUCCESS;
++    }
++
++    /*
++     * Keep trying to read in the buffer, allowing that the required buffer
++     * length may change between calls to SCardListReaders.
++     */
++    do {
++	if (readerLen < 1 || readerLen > CKY_OUTRAGEOUS_MALLOC_SIZE) {
++	    return CKYNOMEM;
++	}
++	readerStr = NEW(char,readerLen);
++	if (readerStr == NULL) {
++	    return CKYNOMEM;
++	}
++
++        rv = ctx->scard->SCardListReaders(ctx->context, NULL /*groups*/,
++                readerStr, &readerLen);
++
++	/* we've found it, pop out with readerStr allocated */
++	if (rv == SCARD_S_SUCCESS) {
++            break;
++	}
++
++	/* Nope, free the reader we allocated */
++	free(readerStr);
++	readerStr = NULL;
++
++    } while( rv == SCARD_E_INSUFFICIENT_BUFFER );
++
++    /* handle the other errors from SCardListReaders */
++    if (rv == SCARD_E_NO_READERS_AVAILABLE) {
++	/* not really an error: there are no readers */
++	ctx->lastError = SCARD_E_NO_READERS_AVAILABLE;
++	return CKYSUCCESS;
++    }
++    if (rv != SCARD_S_SUCCESS) {
++	/* stash the error and fail */
++	ctx->lastError = rv;
++	return CKYSCARDERR;
++    }
++
++    /*
++     * Windows returns the list of readers as a series of null terminated
++     * strings, terminated with an additional NULL. For example, if there
++     * are three readers name "Reader 1", "Reader 2", "Reader 3", the returned
++     * readerStr would look like: "Reader 1\0Reader 2\0Reader N\0\0".
++     *
++     * We need to return a list of ReaderNames. This is currently a pointer
++     * to an array of string pointers, terminated by a NULL.
++     *
++     * +--------------+
++     * | Reader 1 ptr |   -> "Reader 1"
++     * +--------------+
++     * | Reader 2 ptr |   -> "Reader 2"
++     * +--------------+
++     * | Reader N ptr |   -> "Reader N"
++     * +--------------+
++     * |     NULL     |
++     * +--------------+
++     *
++     * NOTE: This code explicitly knows the underlying format for
++     *  CKYReaderNameLists defined in cky_list.i. If cky_list.i is changes,
++     *  this code will need to be changed as well.
++     */
++    /* find the count of readers */
++    for (cur = readerStr, count = 0; *cur; cur += strlen(cur)+1, count++ )
++	/* Empty */ ;
++    readerList = NEW(char *,count+1);
++    if (readerList == NULL) {
++	goto fail;
++    }
++
++    /* now copy the readers into the array */
++    for (i=0, cur=readerStr; i < count ; cur+=strlen(cur) +1, i++) {
++	readerList[i] = strdup(cur);
++	if (readerList[i] == NULL) {
++	    goto fail;
++	}
++    }
++    readerList[count] = NULL;
++    free(readerStr);;
++    *readerNames = (CKYReaderNameList) readerList;
++    return CKYSUCCESS;
++
++fail:
++    if (readerStr) {
++	free(readerStr);
++    }
++    if (readerList) {
++	CKYReaderNameList_Destroy((CKYReaderNameList) readerList);
++    }
++    return CKYNOMEM;
++}
++
++/*
++ * The original C++ API had to very similiar functions that returned
++ * either reader names or connections based on ATR. This is a single
++ * function that can return both. The exported interface calls this
++ * one with one of the lists set to NULL.
++ *
++ * NOTE: this function "knows" the underlying format for lists and
++ * hand builds the related lists.
++ */
++CKYStatus
++ckyCardContext_findReadersByATR(CKYCardContext *ctx,
++				CKYReaderNameList *returnReaders,
++				CKYCardConnectionList *returnConn,
++				const CKYBuffer *targetATR)
++{
++    CKYReaderNameList readerNames;
++    CKYBuffer ATR;
++    CKYCardConnection **connList = NULL;
++    CKYCardConnection **connPtr  = NULL;
++    char **readerList = NULL;
++    char **readerPtr = NULL;
++    int readerCount, i;
++    CKYStatus ret;
++
++    CKYBuffer_InitEmpty(&ATR);
++
++    /* if we aren't established yet, do so now */
++    if (!ctx->context) {
++	ret = ckyCardContext_establish(ctx, ctx->scope);
++ 	if (ret != CKYSUCCESS) {
++	    return ret;
++	}
++    }
++
++    /* initialize our returned values to empty */
++    if (returnReaders) {
++	*returnReaders = NULL;
++    }
++    if (returnConn) {
++	*returnConn = NULL;
++    }
++
++    ret = CKYCardContext_ListReaders(ctx, &readerNames);
++    if (ret != CKYSUCCESS) {
++	return ret;
++    }
++
++    readerCount = CKYReaderNameList_GetCount(readerNames);
++
++    /* none found, return success */
++    if (readerCount == 0) {
++	CKYReaderNameList_Destroy(readerNames);
++	return CKYSUCCESS;
++    }
++
++    /* now initialize our name and connection lists */
++    if (returnConn) {
++	connList = NEW(CKYCardConnection *, readerCount);
++	connPtr = connList;
++	if (connList == NULL) {
++	    goto fail;
++	}
++    }
++    if (returnReaders) {
++	readerList = NEW(char *, readerCount);
++	readerPtr = readerList;
++	if (readerList == NULL) {
++	    goto fail;
++	}
++    }
++
++    ret = CKYBuffer_Resize(&ATR, CKY_MAX_ATR_LEN);
++    if (ret != CKYSUCCESS) {
++	goto fail;
++    }
++
++    /* now walk the reader list trying to get connections */
++    for (i=0; i < readerCount ; i++) {
++	CKYCardConnection * conn = CKYCardConnection_Create(ctx);
++	unsigned long state;
++	const char *thisReader = CKYReaderNameList_GetValue(readerNames, i);
++
++
++	if (!conn) {
++	    goto loop;
++	}
++	ret = CKYCardConnection_Connect(conn, thisReader);
++	if (ret != CKYSUCCESS) {
++	    goto loop;
++	}
++	ret = CKYCardConnection_GetStatus(conn, &state, &ATR);
++	if (ret != CKYSUCCESS) {
++	    goto loop;
++	}
++	if (CKYBuffer_IsEqual(targetATR, &ATR)) {
++	    if (connPtr) {
++		*connPtr++ = conn; /* adopt */
++		conn = NULL;
++	    }
++	    if (readerPtr) {
++		*readerPtr++ = strdup(thisReader);
++	    }
++	}
++
++loop:
++	/* must happen each time through the loop */
++	if (conn) {
++	    CKYCardConnection_Destroy(conn);
++	}
++    }
++
++    /* done with the reader names now */
++    CKYReaderNameList_Destroy(readerNames);
++    /* and the ATR buffer */
++    CKYBuffer_FreeData(&ATR);
++
++    /* terminate out lists and return them */
++    if (readerPtr) {
++	*readerPtr = NULL;
++	*returnReaders = (CKYReaderNameList) readerList;
++    }
++    if (connPtr) {
++	*connPtr = NULL;
++	*returnConn = (CKYCardConnectionList) connList;
++    }
++    return CKYSUCCESS;
++
++fail:
++    if (readerNames) {
++	CKYReaderNameList_Destroy(readerNames);
++    }
++    if (connList) {
++	free(connList);
++    }
++    if (readerList) {
++	free(readerList);
++    }
++    CKYBuffer_FreeData(&ATR);
++    return CKYNOMEM;
++}
++
++CKYStatus
++CKYCardContext_FindCardsByATR(CKYCardContext *ctx,
++		CKYCardConnectionList *cardList, const CKYBuffer *targetATR)
++{
++  return ckyCardContext_findReadersByATR(ctx, NULL, cardList, targetATR);
++}
++
++CKYStatus
++CKYCardContext_FindReadersByATR(CKYCardContext *ctx,
++		CKYReaderNameList *readerNames, const CKYBuffer *targetATR)
++{
++  return ckyCardContext_findReadersByATR(ctx, readerNames, NULL, targetATR);
++}
++
++CKYCardConnection *
++CKYCardContext_CreateConnection(CKYCardContext *ctx)
++{
++    return CKYCardConnection_Create(ctx);
++}
++
++CKYStatus
++CKYCardContext_WaitForStatusChange(CKYCardContext *ctx,
++    		SCARD_READERSTATE *readers, unsigned long readerCount,
++							unsigned long timeout)
++{
++    unsigned long rv;
++
++    /* if we aren't established yet, do so now */
++    if (!ctx->context) {
++	CKYStatus ret = ckyCardContext_establish(ctx, ctx->scope);
++ 	if (ret != CKYSUCCESS) {
++	    return ret;
++	}
++    }
++    rv = ctx->scard->SCardGetStatusChange(ctx->context, timeout,
++							readers, readerCount);
++    if (rv != SCARD_S_SUCCESS) {
++	ctx->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardContext_Cancel(CKYCardContext *ctx)
++{
++    unsigned long rv;
++
++    /* if we aren't established yet, we can't be in change status then */
++    if (!ctx->context) {
++	return CKYSUCCESS;
++    }
++    rv = ctx->scard->SCardCancel(ctx->context);
++
++    if (rv != SCARD_S_SUCCESS) {
++	ctx->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++unsigned long
++CKYCardContext_GetLastError(const CKYCardContext *ctx)
++{
++    return ctx->lastError;
++}
++
++/*
++ * Connections represent the connection to the actual smart cards.
++ * Applications usually has  one of these for each card inserted in
++ * the system. Connections are where we can get information about
++ * each card, as well as transmit commands (APDU's) to the card.
++ */
++/* In the originaly C++ library, lastError was set to the last return
++ * code from any SCARD call. In this C version of the library, lastError
++ * is the last non-successful SCARD call. lastError will be set
++ * if the function returns CKYSCARDERR.
++ */
++struct _CKYCardConnection {
++    const CKYCardContext *ctx;
++    SCard            *scard;     /* cache a copy from the context */
++    SCARDHANDLE      cardHandle;
++    unsigned long    lastError;
++    CKYBool           inTransaction;
++    unsigned long    protocol;
++};
++
++static void
++ckyCardConnection_init(CKYCardConnection *conn, const CKYCardContext *ctx)
++{
++    conn->ctx = ctx;
++    conn->scard = ctx->scard;
++    conn->cardHandle = 0;
++    conn->lastError = 0;
++    conn->inTransaction = 0;
++    conn->protocol = SCARD_PROTOCOL_T0;
++}
++
++CKYCardConnection *
++CKYCardConnection_Create(const CKYCardContext *ctx)
++{
++    CKYCardConnection *conn;
++
++    /* don't even try if we don't have a Card Context */
++    if (ctx == NULL) {
++	return NULL;
++    }
++
++    conn = NEW(CKYCardConnection, 1);
++    if (conn == NULL) {
++	return NULL;
++    }
++    ckyCardConnection_init(conn, ctx);
++    return conn;
++}
++
++
++CKYStatus
++CKYCardConnection_Destroy(CKYCardConnection *conn)
++{
++    if (conn == NULL) {
++	return CKYSUCCESS;
++    }
++    if (conn->inTransaction) {
++	CKYCardConnection_EndTransaction(conn);
++    }
++    CKYCardConnection_Disconnect(conn);
++    free(conn);
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardConnection_Connect(CKYCardConnection *conn, const char *readerName)
++{
++    CKYStatus ret;
++    unsigned long rv;
++
++    ret = CKYCardConnection_Disconnect(conn);
++    if (ret != CKYSUCCESS) {
++	return ret;
++    }
++    rv = conn->scard->SCardConnect( conn->ctx->context, readerName,
++	SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &conn->cardHandle, &conn->protocol);
++    if (rv != SCARD_S_SUCCESS) {
++	conn->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardConnection_Disconnect(CKYCardConnection *conn)
++{
++    unsigned long rv;
++    if (conn->cardHandle == 0) {
++	return CKYSUCCESS;
++    }
++    rv = conn->scard->SCardDisconnect( conn->cardHandle, SCARD_LEAVE_CARD);
++    conn->cardHandle = 0;
++    if (rv != SCARD_S_SUCCESS) {
++	conn->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++CKYBool
++CKYCardConnection_IsConnected(const CKYCardConnection *conn)
++{
++    return (conn->cardHandle != 0);
++}
++
++CKYStatus
++ckyCardConnection_reconnectRaw(CKYCardConnection *conn, unsigned long init)
++{
++    unsigned long rv;
++    unsigned long protocol;
++
++    rv = conn->scard->SCardReconnect(conn->cardHandle,
++	SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1 , init, &protocol);
++    if (rv != SCARD_S_SUCCESS) {
++	conn->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardConnection_Reconnect(CKYCardConnection *conn)
++{
++    return ckyCardConnection_reconnectRaw(conn, SCARD_LEAVE_CARD);
++}
++
++CKYStatus CKYCardConnection_Reset(CKYCardConnection *conn)
++{
++    return ckyCardConnection_reconnectRaw(conn, SCARD_RESET_CARD);
++}
++
++CKYStatus
++CKYCardConnection_BeginTransaction(CKYCardConnection *conn)
++{
++    unsigned long rv;
++    rv = conn->scard->SCardBeginTransaction(conn->cardHandle);
++    if (rv != SCARD_S_SUCCESS) {
++	conn->lastError = rv;
++ 	return CKYSCARDERR;
++    }
++    conn->inTransaction = 1;
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardConnection_EndTransaction(CKYCardConnection *conn)
++{
++    unsigned long rv;
++    if (!conn->inTransaction) {
++	return CKYSUCCESS; /* C++ library returns success in this case, but
++		           * it may be better to return an error ? */
++    }
++    rv = conn->scard->SCardEndTransaction(conn->cardHandle, SCARD_LEAVE_CARD);
++    conn->inTransaction = 0;
++    if (rv != SCARD_S_SUCCESS) {
++	conn->lastError = rv;
++ 	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardConnection_TransmitAPDU(CKYCardConnection *conn, CKYAPDU *apdu,
++							CKYBuffer *response)
++{
++    CKYStatus ret;
++    unsigned long rv;
++
++    ret = CKYBuffer_Resize(response, CKYAPDU_MAX_LEN);
++    if (ret != CKYSUCCESS) {
++	return ret;
++    }
++
++    if( conn->protocol == SCARD_PROTOCOL_T0 ) {
++        rv = conn->scard->SCardTransmit(conn->cardHandle,
++            conn->scard->SCARD_PCI_T0_,
++	    CKYBuffer_Data(&apdu->apduBuf), CKYBuffer_Size(&apdu->apduBuf),
++	    NULL, response->data, &response->len);
++    }  else  {
++        rv = conn->scard->SCardTransmit(conn->cardHandle,
++            conn->scard->SCARD_PCI_T1_,
++            CKYBuffer_Data(&apdu->apduBuf), CKYBuffer_Size(&apdu->apduBuf),
++            NULL, response->data, &response->len);
++    }
++
++    if (rv != SCARD_S_SUCCESS) {
++	conn->lastError =rv;
++	return CKYSCARDERR;
++    }
++
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardConnection_ExchangeAPDU(CKYCardConnection *conn, CKYAPDU *apdu,
++							CKYBuffer *response)
++{
++    CKYStatus ret;
++
++    ret = CKYCardConnection_TransmitAPDU(conn, apdu, response);
++    if (ret != CKYSUCCESS) {
++	return ret;
++    }
++
++    if (CKYBuffer_Size(response) == 2 && CKYBuffer_GetChar(response,0) == 0x61) {
++	/* get the response */
++	CKYAPDU getResponseAPDU;
++
++	CKYAPDU_Init(&getResponseAPDU);
++	CKYAPDU_SetCLA(&getResponseAPDU, 0x00);
++	CKYAPDU_SetINS(&getResponseAPDU, 0xc0);
++	CKYAPDU_SetP1(&getResponseAPDU, 0x00);
++	CKYAPDU_SetP2(&getResponseAPDU, 0x00);
++	CKYAPDU_SetReceiveLen(&getResponseAPDU, CKYBuffer_GetChar(response,1));
++	ret = CKYCardConnection_TransmitAPDU(conn, &getResponseAPDU, response);
++	CKYAPDU_FreeData(&getResponseAPDU);
++    }
++    return ret;
++}
++
++CKYStatus
++CKYCardConnection_GetStatus(CKYCardConnection *conn,
++				unsigned long *state, CKYBuffer *ATR)
++{
++    unsigned long readerLen = 0;
++    unsigned long protocol;
++    unsigned long rv;
++    CKYSize atrLen;
++    char *readerStr;
++    CKYStatus ret;
++
++
++    /*
++     * Get initial length. We have to do all this because the Muscle
++     * implementation of PCSC requires us to supply a non-NULL argument
++     * for readerName before it will tell us the ATR, which is all we really
++     * care about.
++     */
++    rv = conn->scard->SCardStatus(conn->cardHandle,
++	    NULL /*readerName*/, &readerLen, state, &protocol, NULL, &atrLen);
++    if ( rv != SCARD_S_SUCCESS ) {
++	conn->lastError = rv;
++        return CKYSCARDERR;
++    }
++
++    do {
++	if (readerLen < 1 || readerLen > CKY_OUTRAGEOUS_MALLOC_SIZE) {
++	    return CKYNOMEM;
++	}
++	/* Mac & Linux return '0' or ATR length, just use the max value */
++	if (atrLen == 0) {
++	    atrLen = CKY_MAX_ATR_LEN;
++	}
++	if (atrLen < 1 || atrLen > CKY_OUTRAGEOUS_MALLOC_SIZE) {
++	    return CKYNOMEM;
++	}
++	ret = CKYBuffer_Resize(ATR, atrLen);
++	if (ret != CKYSUCCESS) {
++	    return ret;
++	}
++	readerStr = NEW(char, readerLen);
++	if (readerStr == NULL) {
++	    return CKYNOMEM;
++	}
++
++	rv = conn->scard->SCardStatus(conn->cardHandle, readerStr, &readerLen,
++                state, &protocol, ATR->data, &atrLen);
++	ATR->len = atrLen;
++	free(readerStr);
++    } while (rv == SCARD_E_INSUFFICIENT_BUFFER);
++
++    if (rv != SCARD_S_SUCCESS) {
++	conn->lastError = rv;
++	return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++}
++
++CKYStatus
++CKYCardConnection_GetAttribute(CKYCardConnection *conn,
++				unsigned long attrID, CKYBuffer *attrBuf)
++{
++#ifdef WIN32
++    unsigned long len = 0;
++    unsigned long rv;
++
++    /*
++     * Get initial length. We have to do all this because the Muscle
++     * implementation of PCSC requires us to supply a non-NULL argument
++     * for readerName before it will tell us the ATR, which is all we really
++     * care about.
++     */
++    rv = conn->scard->SCardGetAttrib(conn->cardHandle, attrID, NULL, &len);
++    if ( rv != SCARD_S_SUCCESS ) {
++	conn->lastError = rv;
++        return CKYSCARDERR;
++    }
++    CKYBuffer_Resize(attrBuf, len);
++
++    rv = conn->scard->SCardGetAttrib(conn->cardHandle, attrID,
++						attrBuf->data, &attrBuf->len);
++    if( rv != SCARD_S_SUCCESS ) {
++	conn->lastError = rv;
++        return CKYSCARDERR;
++    }
++    return CKYSUCCESS;
++#else
++    conn->lastError = -1;
++    return CKYSCARDERR;
++#endif
++}
++
++const CKYCardContext *
++CKYCardConnection_GetContext(const CKYCardConnection *conn)
++{
++    return conn->ctx;
++}
++
++unsigned long
++CKYCardConnection_GetLastError(const CKYCardConnection *conn)
++{
++    return conn->lastError;
++}
 === modified file '.pc/applied-patches'
 --- .pc/applied-patches	2011-12-14 11:44:21 +0000
 +++ .pc/applied-patches	2013-01-15 15:55:32 +0000
@@ -5,6 +5,6 @@
  coolkey-latest.patch
  coolkey-simple-bugs.patch
  coolkey-thread-fix.patch
--coolkey-cac.patch
--coolkey-cac-1.patch
++coolkey-cac-rhl5.patch
 -Fix-working-with-empty-certificates-in-not-zero-slot.patch
++Handle-pcscd-restarting
 === removed directory '.pc/coolkey-cac-1.patch'
 === removed directory '.pc/coolkey-cac-1.patch/src'
 === removed directory '.pc/coolkey-cac-1.patch/src/coolkey'
 === removed file '.pc/coolkey-cac-1.patch/src/coolkey/object.cpp'
 --- .pc/coolkey-cac-1.patch/src/coolkey/object.cpp	2010-12-22 19:12:07 +0000
 +++ .pc/coolkey-cac-1.patch/src/coolkey/object.cpp	1970-01-01 00:00:00 +0000
@@ -1,1068 +0,0 @@
--/* ***** BEGIN COPYRIGHT BLOCK *****
-- * Copyright (C) 2005 Red Hat, Inc.
-- * All rights reserved.
-- *
-- * This library is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU Lesser General Public
-- * License as published by the Free Software Foundation version
-- * 2.1 of the License.
-- *
-- * This library is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-- * Lesser General Public License for more details.
-- *
-- * You should have received a copy of the GNU Lesser General Public
-- * License along with this library; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-- * ***** END COPYRIGHT BLOCK *****/
--
--#include "mypkcs11.h"
--#include "PKCS11Exception.h"
--#include "object.h"
--#include <algorithm>
--#include <string.h>
--
--using std::find_if;
--
--
--bool AttributeMatch::operator()(const PKCS11Attribute& cmp)
--{
--    return (attr->type == cmp.getType()) &&
--	CKYBuffer_DataIsEqual(cmp.getValue(),
--			(const CKYByte *)attr->pValue, attr->ulValueLen);
--}
--
--class AttributeTypeMatch
--{
--  private:
--    CK_ATTRIBUTE_TYPE type;
--  public:
--    AttributeTypeMatch(CK_ATTRIBUTE_TYPE type_) : type(type_) { }
--    bool operator()(const PKCS11Attribute& cmp) {
--        return cmp.getType() == type;
--    }
--};
--
--PKCS11Object::PKCS11Object(unsigned long muscleObjID_,CK_OBJECT_HANDLE handle_)
--    : muscleObjID(muscleObjID_), handle(handle_), label(NULL), name(NULL)
--{
--    CKYBuffer_InitEmpty(&pubKey);
--}
--
--PKCS11Object::PKCS11Object(unsigned long muscleObjID_, const CKYBuffer *data,
--    CK_OBJECT_HANDLE handle_) :  muscleObjID(muscleObjID_), handle(handle_),
--			label(NULL), name(NULL)
--{
--    CKYBuffer_InitEmpty(&pubKey);
--
--    CKYByte type = CKYBuffer_GetChar(data,0);
--    // verify object ID is what we think it is
--    if( CKYBuffer_GetLong(data,1) != muscleObjID  ) {
--        throw PKCS11Exception(CKR_DEVICE_ERROR,
--            "PKCS #11 actual object id does not match stated id");
--    }
--    if (type == 0) {

Ubuntucoolkey package