libgcns: ArchLinux package

In real world pTemplate=NULL case is only used by PKCS#11 test suites but
no need to crash them.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

.clang-format

@@ -0,0 +1,3 @@
+BasedOnStyle: Google
+IndentWidth: 4
+

.github/ISSUE_TEMPLATE.md

@@ -1,7 +1,9 @@
 ### Problem Description
 
 <!--
-Please read about [reporting bugs](https://github.com/OpenSC/OpenSC/wiki/How-to-report-bugs-so-that-they-can-be-fixed) before opening an issue.
+Please read about reporting bugs on the wiki before opening an issue:
+
+https://github.com/OpenSC/OpenSC/wiki/How-to-write-a-good-bug-report
 -->
 
 ### Proposed Resolution
@@ -21,7 +23,7 @@ Debug output is essential to identify the problem. You can enable debugging by e
     #debug_file = opensc-debug.log
 ```
 
-Please use [Gist](https://gist.github.com/) or a similar code paster for longer logs. Before pasting here, remove your sensitive data from your log (e.g. PIN code or certificates).
+Please use a Gist (https://gist.github.com/) or a similar code paster for longer logs. Before pasting here, remove your sensitive data from your log (e.g. PIN code or certificates).
 
 ```
 Paste Log output with less than 10 lines here (between the backticks)

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,14 +1,17 @@
 <!--
 Thank you for your pull request.
 
-If this fixes a github issue, make sure to have a line saying 'Fixes #XXXX' (without quotes) in the commit message.
+If this fixes a GitHub issue, make sure to have a line saying 'Fixes #XXXX'
+(without quotes) in the commit message.
+
+Mention which card(s) are used during testing. To get the name of your card,
+run this command: `opensc-tool -n`
 -->
 
 ##### Checklist
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 - [ ] Documentation is added or updated
 - [ ] New files have a LGPL 2.1 license statement
-- [ ] Tested with the following card: <!-- use `opensc-tool -n` to get the name of your card -->
-	- [ ] tested PKCS#11
-	- [ ] tested Windows Minidriver
-	- [ ] tested macOS Tokend
+- [ ] PKCS#11 module is tested
+- [ ] Windows minidriver is tested
+- [ ] macOS tokend is tested

.github/add_signing_key.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+tar xvf secrets.tar
+KEY_CHAIN=mac-build.keychain
+
+# Create the keychain with a password
+security create-keychain -p travis $KEY_CHAIN
+
+# Make the custom keychain default, so xcodebuild will use it for signing
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain for one hour
+security unlock-keychain -p travis $KEY_CHAIN
+security set-keychain-settings -t 3600 -u $KEY_CHAIN
+
+# Add certificates to keychain and allow codesign to access them
+curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
+security import AppleWWDRCA.cer \
+    -k ~/Library/Keychains/$KEY_CHAIN \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security import DeveloperIDApplication.cer \
+    -k ~/Library/Keychains/$KEY_CHAIN \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security import DeveloperIDInstaller.cer \
+    -k ~/Library/Keychains/$KEY_CHAIN \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security import key.p12 \
+    -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security unlock-keychain -p travis $KEY_CHAIN
+
+# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
+security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
+popd

.github/build.sh

@@ -0,0 +1,54 @@
+#!/bin/bash -e
+
+export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig;
+
+if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
+	PR_NUMBER=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
+	if [ "$GITHUB_BASE_REF" == "master" ]; then
+		./bootstrap.ci -s "-pr$PR_NUMBER"
+	else
+		./bootstrap.ci -s "$GITHUB_BASE_REF-pr$PR_NUMBER"
+	fi
+else
+	BRANCH=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
+	if [ "$BRANCH" == "master" ]; then
+		./bootstrap
+	else
+		./bootstrap.ci -s "$BRANCH"
+	fi
+fi
+
+if [ "$RUNNER_OS" == "macOS" ]; then
+	./MacOSX/build
+	exit $?
+fi
+
+if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	if [ "$1" == "mingw" ]; then
+		HOST=x86_64-w64-mingw32
+	elif [ "$1" == "mingw32" ]; then
+		HOST=i686-w64-mingw32
+	fi
+	unset CC
+	unset CXX
+	./configure --host=$HOST --with-completiondir=/tmp --disable-openssl --disable-readline --disable-zlib --disable-notify --prefix=$PWD/win32/opensc || cat config.log;
+	make -j 2
+	# no point in running tests on mingw
+else
+	# normal procedure
+	./configure  --disable-dependency-tracking
+	make -j 2
+	make check
+fi
+
+# this is broken in old ubuntu
+if [ "$1" == "dist" ]; then
+	make distcheck
+	make dist
+fi
+
+sudo make install
+if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	# pack installed files
+	wine "C:/Program Files/Inno Setup 5/ISCC.exe" win32/OpenSC.iss
+fi

.github/push_artifacts.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -ex -o xtrace
+
+BUILDPATH=${PWD}
+BRANCH="`git log --max-count=1 --date=short --abbrev=8 --pretty=format:"%cd_%h"`"
+
+git clone --single-branch https://${GH_TOKEN}@github.com/OpenSC/Nightly.git > /dev/null 2>&1
+pushd Nightly
+git checkout -b "${BRANCH}"
+
+for file in ${BUILDPATH}/win32/Output/OpenSC*.exe ${BUILDPATH}/opensc*.tar.gz ${BUILDPATH}/OpenSC*.dmg ${BUILDPATH}/OpenSC*.msi ${BUILDPATH}/OpenSC*.zip
+do
+    if [ -f ${file} ]
+    then
+        # github only allows a maximum file size of 50MB
+        MAX_MB_FILESIZE=50
+        if [ $(du -m "$file" | cut -f 1) -ge $MAX_MB_FILESIZE ]
+        then
+            split -b ${MAX_MB_FILESIZE}m ${file} `basename ${file}`.
+        else
+            cp ${file} .
+        fi
+        git add `basename ${file}`*
+    fi
+done
+
+git commit --message "$1"
+i=0
+while [ $i -le 10 ] && ! git push --quiet --set-upstream origin "${BRANCH}"
+do
+    sleep $[ ( $RANDOM % 32 )  + 1 ]s
+    git pull --rebase origin --strategy-option ours "${BRANCH}"
+    i=$(( $i + 1 ))
+done
+popd

.github/remove_signing_key.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+security delete-keychain mac-build.keychain
+rm -f DeveloperIDApplication.cer DeveloperIDInstaller.cer key.p12
+popd

.github/setup-java.sh

@@ -0,0 +1,24 @@
+#!/bin/bash -e
+
+# Select the right java
+sudo update-java-alternatives -s java-1.8.0-openjdk-amd64
+sudo update-alternatives --get-selections | grep ^java
+export PATH="/usr/lib/jvm/java-8-openjdk-amd64/bin/:$PATH"
+export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
+env | grep -i openjdk
+
+# VSmartcard
+./.github/setup-vsmartcard.sh
+
+# Javacard SDKs
+git clone https://github.com/martinpaljak/oracle_javacard_sdks.git
+export JC_HOME=$PWD/oracle_javacard_sdks/jc222_kit
+export JC_CLASSIC_HOME=$PWD/oracle_javacard_sdks/jc305u3_kit
+
+# jCardSim
+git clone https://github.com/arekinath/jcardsim.git
+pushd jcardsim
+env | grep -i openjdk
+export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
+mvn initialize && mvn clean install
+popd

.github/setup-linux.sh

@@ -0,0 +1,42 @@
+#!/bin/bash -e
+
+DEPS="docbook-xsl libpcsclite-dev xsltproc gengetopt libcmocka-dev help2man pcscd check softhsm2 pcsc-tools libtool make autoconf autoconf-archive automake libssl-dev zlib1g-dev pkg-config libreadline-dev openssl git"
+
+if [ "$1" == "clang-tidy" ]; then
+	DEPS="$DEPS clang-tidy"
+elif [ "$1" == "cac" ]; then
+	DEPS="$DEPS libglib2.0-dev libnss3-dev gnutls-bin libusb-dev libudev-dev flex libnss3-tools"
+elif [ "$1" == "oseid" ]; then
+	DEPS="$DEPS socat gawk xxd"
+elif [ "$1" == "piv" -o "$1" == "isoapplet" -o "$1" == "gidsapplet" -o "$1" == "openpgp" ]; then
+	if [ "$1" == "piv" ]; then
+		DEPS="$DEPS cmake"
+	fi
+	DEPS="$DEPS ant openjdk-8-jdk"
+elif [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	DEPS="$DEPS wine wine32 xvfb wget"
+	sudo dpkg --add-architecture i386
+	if [ "$1" == "mingw" ]; then
+		DEPS="$DEPS binutils-mingw-w64-x86-64 gcc-mingw-w64-x86-64 mingw-w64"
+	elif [ "$1" == "mingw32" ]; then
+		DEPS="$DEPS binutils-mingw-w64-i686 gcc-mingw-w64-i686"
+	fi
+fi
+
+# make sure we do not get prompts
+export DEBIAN_FRONTEND=noninteractive
+sudo apt-get update
+sudo apt-get install -y build-essential $DEPS
+
+if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	if [ ! -f "$(winepath 'C:/Program Files/Inno Setup 5/ISCC.exe')" ]; then
+		/sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16
+		export DISPLAY=:99.0
+		[ -d isetup ] || mkdir isetup
+		pushd isetup
+		[ -f isetup-5.5.6.exe ] || wget http://files.jrsoftware.org/is/5/isetup-5.5.6.exe
+		sleep 5 # make sure the X server is ready ?
+		wine isetup-5.5.6.exe /SILENT /VERYSILENT /SP- /SUPPRESSMSGBOXES /NORESTART
+		popd
+	fi
+fi

.github/setup-macos.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+brew install automake
+
+# gengetopt
+curl https://ftp.gnu.org/gnu/gengetopt/gengetopt-2.23.tar.xz -L --output gengetopt-2.23.tar.xz
+tar xfj gengetopt-2.23.tar.xz
+pushd gengetopt-2.23
+./configure && make
+sudo make install
+popd
+
+# help2man
+curl https://ftp.gnu.org/gnu/help2man/help2man-1.47.16.tar.xz -L --output help2man-1.47.16.tar.xz
+tar xjf help2man-1.47.16.tar.xz
+pushd help2man-1.47.16
+./configure && make
+sudo make install
+popd
+
+# openSCToken
+export PATH="/usr/local/opt/ccache/libexec:$PATH"
+git clone https://github.com/frankmorgner/OpenSCToken.git
+sudo rm -rf /Library/Developer/CommandLineTools;
+
+# TODO make the encrypted key working in github
+if [ "$GITHUB_EVENT_NAME" == "pull_request" -a -n "$encrypted_3b9f0b9d36d1_key" ]; then
+    openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
+    .github/add_signing_key.sh;
+else
+    unset CODE_SIGN_IDENTITY INSTALLER_SIGN_IDENTITY;
+fi

.github/setup-vsmartcard.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ ! -d "vsmartcard" ]; then
+	git clone https://github.com/frankmorgner/vsmartcard.git
+fi
+pushd vsmartcard/virtualsmartcard
+autoreconf -vis && ./configure && make -j2 && sudo make install
+popd

.github/test-cac.sh

@@ -0,0 +1,47 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# VSmartcard
+./.github/setup-vsmartcard.sh
+
+# libcacard
+if [ ! -d "libcacard" ]; then
+	git clone https://gitlab.freedesktop.org/spice/libcacard.git
+fi
+pushd libcacard
+./autogen.sh --prefix=/usr && make -j2 && sudo make install
+popd
+
+# virt_cacard
+if [ ! -d "virt_cacard" ]; then
+	git clone https://github.com/Jakuje/virt_cacard.git
+fi
+pushd virt_cacard
+./autogen.sh && ./configure && make
+popd
+
+sudo /etc/init.d/pcscd restart
+
+pushd src/tests/p11test/
+./p11test -s 0 -p 12345678 -i -o virt_cacard.json &
+sleep 5
+popd
+
+# virt_cacard startup
+pushd virt_cacard
+./setup-softhsm2.sh
+export SOFTHSM2_CONF=$PWD/softhsm2.conf
+./virt_cacard &
+wait $(ps aux | grep '[p]11test'| awk '{print $2}')
+kill -9 $(ps aux | grep '[v]irt_cacard'| awk '{print $2}')
+popd
+
+# cleanup -- this would break later uses of pcscd
+pushd vsmartcard/virtualsmartcard
+sudo make uninstall
+popd
+
+diff -u3 src/tests/p11test/virt_cacard{_ref,}.json

.github/test-gidsapplet.sh

@@ -0,0 +1,36 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+. .github/setup-java.sh
+
+# GidsApplet
+git clone https://github.com/vletoux/GidsApplet.git;
+javac -classpath jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar GidsApplet/src/com/mysmartlogon/gidsApplet/*.java;
+echo "com.licel.jcardsim.card.applet.0.AID=A000000397425446590201" > gids_jcardsim.cfg;
+echo "com.licel.jcardsim.card.applet.0.Class=com.mysmartlogon.gidsApplet.GidsApplet" >> gids_jcardsim.cfg;
+echo "com.licel.jcardsim.card.ATR=3B80800101" >> gids_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.host=localhost" >> gids_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.port=35963" >> gids_jcardsim.cfg;
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+
+# start the applet and run couple of commands against that
+java -noverify -cp GidsApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard gids_jcardsim.cfg >/dev/null &
+PID=$!;
+sleep 5;
+opensc-tool --card-driver default --send-apdu 80b80000190bA0000003974254465902010bA00000039742544659020100;
+opensc-tool -n;
+gids-tool --initialize --pin 123456 --admin-key 000000000000000000000000000000000000000000000000 --serial 00000000000000000000000000000000;
+kill -9 $PID
+
+
+# cleanup
+sudo kill -9 $PCSCD_PID

.github/test-isoapplet.sh

@@ -0,0 +1,41 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+./.github/setup-java.sh
+
+# The ISO applet
+git clone https://github.com/philipWendland/IsoApplet.git;
+javac -classpath jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar IsoApplet/src/net/pwendland/javacard/pki/isoapplet/*.java;
+echo "com.licel.jcardsim.card.applet.0.AID=F276A288BCFBA69D34F31001" > isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.card.applet.0.Class=net.pwendland.javacard.pki.isoapplet.IsoApplet" >> isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.card.ATR=3B80800101" >> isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.host=localhost" >> isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.port=35963" >> isoapplet_jcardsim.cfg;
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+# start the applet and run couple of commands against that
+java -noverify -cp IsoApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard isoapplet_jcardsim.cfg >/dev/null &
+PID=$!;
+sleep 5;
+opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100;
+opensc-tool -n;
+pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef;
+pkcs15-tool --change-pin --pin 123456 --new-pin 654321;
+pkcs15-tool --unblock-pin --puk 0123456789abcdef --new-pin 123456;
+pkcs15-init --generate-key rsa/2048     --id 1 --key-usage decrypt,sign --auth-id FF --pin 123456;
+pkcs15-init --generate-key rsa/2048     --id 2 --key-usage decrypt      --auth-id FF --pin 123456;
+pkcs15-init --generate-key ec/secp256r1 --id 3 --key-usage sign         --auth-id FF --pin 123456;
+pkcs15-tool -D;
+pkcs11-tool -l -t -p 123456;
+kill -9 $PID;
+
+# cleanup
+sudo kill -9 $PCSCD_PID

.github/test-openpgp.sh

@@ -0,0 +1,40 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+. .github/setup-java.sh
+
+# The OpenPGP applet
+git clone --recursive https://github.com/Yubico/ykneo-openpgp.git;
+cd ykneo-openpgp;
+ant -DJAVACARD_HOME=${JC_HOME};
+cd $TRAVIS_BUILD_DIR;
+echo "com.licel.jcardsim.card.applet.0.AID=D2760001240102000000000000010000" > openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.card.applet.0.Class=openpgpcard.OpenPGPApplet" >> openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.card.ATR=3B80800101" >> openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.host=localhost" >> openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.port=35963" >> openpgp_jcardsim.cfg;
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+
+# start the applet and run couple of commands against that
+java -noverify -cp ykneo-openpgp/applet/bin:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard openpgp_jcardsim.cfg >/dev/null &
+PID=$!;
+sleep 5;
+opensc-tool --card-driver default --send-apdu 80b800002210D276000124010200000000000001000010D276000124010200000000000001000000;
+opensc-tool -n;
+openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2;
+pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048;
+pkcs11-tool -l -t -p 123456;
+kill -9 $PID
+
+
+# cleanup
+sudo kill -9 $PCSCD_PID

.github/test-oseid.sh

@@ -0,0 +1,54 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+if [ ! -d oseid ]; then
+	git clone https://github.com/popovec/oseid
+fi
+pushd oseid/src/
+make -f Makefile.console
+if [ ! -d tmp ]; then
+	mkdir tmp
+fi
+socat -d -d pty,link=tmp/OsEIDsim.socket,raw,echo=0 "exec:build/console/console ...,pty,raw,echo=0" &
+PID=$!
+sleep 1
+echo "# OsEIDsim" > tmp/reader.conf
+echo 'FRIENDLYNAME      "OsEIDsim"' >> tmp/reader.conf
+echo "DEVICENAME        $PWD/tmp/OsEIDsim.socket" >> tmp/reader.conf
+echo "LIBPATH           $PWD/build/console/libOsEIDsim.so.0.0.1" >> tmp/reader.conf
+echo "CHANNELID         1" >> tmp/reader.conf
+sudo mv tmp/reader.conf /etc/reader.conf.d/reader.conf
+cat /etc/reader.conf.d/reader.conf
+popd
+ 
+sudo /etc/init.d/pcscd restart
+
+# Needed for tput to not report warnings
+export TERM=xterm-256color
+
+pushd oseid/tools
+echo | ./OsEID-tool INIT
+./OsEID-tool RSA-CREATE-KEYS
+./OsEID-tool RSA-UPLOAD-KEYS
+./OsEID-tool RSA-DECRYPT-TEST
+./OsEID-tool RSA-SIGN-PKCS11-TEST
+./OsEID-tool EC-CREATE-KEYS
+./OsEID-tool EC-UPLOAD-KEYS
+./OsEID-tool EC-SIGN-TEST
+./OsEID-tool EC-SIGN-PKCS11-TEST
+./OsEID-tool EC-ECDH-TEST
+popd
+
+# this does not work as we have random key IDs in here
+#pushd src/tests/p11test/
+#./p11test -s 0 -p 11111111 -o oseid.json || true
+#diff -u3 oseid_ref.json oseid.json
+#popd
+
+# cleanup -- this would break later uses of pcscd
+kill -9 $PID
+rm oseid/src/card_mem
+sudo rm /etc/reader.conf.d/reader.conf

.github/test-piv.sh

@@ -0,0 +1,45 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+. .github/setup-java.sh
+
+# The PIV Applet
+git clone --recursive https://github.com/arekinath/PivApplet.git
+pushd PivApplet
+JC_HOME=${JC_CLASSIC_HOME} ant dist
+popd
+
+# yubico-piv-tool is needed for PIV Applet management 
+git clone https://github.com/Yubico/yubico-piv-tool.git
+pushd yubico-piv-tool
+mkdir build
+pushd build
+cmake .. && make && sudo make install
+popd
+popd
+
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+
+# start the applet and run couple of commands against that
+java -noverify -cp PivApplet/bin/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard PivApplet/test/jcardsim.cfg >/dev/null &
+PID=$!
+sleep 5
+opensc-tool --card-driver default --send-apdu 80b80000120ba000000308000010000100050000020F0F7f
+opensc-tool -n
+yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9e -a generate -A RSA2048
+yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9a -a generate -A ECCP256
+pkcs11-tool -l -t -p 123456
+kill -9 $PID
+
+
+# cleanup
+sudo kill -9 $PCSCD_PID

.github/workflows/cifuzz.yml

@@ -0,0 +1,28 @@
+name: CIFuzz
+on:
+  pull_request:
+    paths:
+      - '**.c'
+      - '**.h'
+jobs:
+ Fuzzing:
+   runs-on: ubuntu-latest
+   steps:
+   - name: Build Fuzzers
+     id: build
+     uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+     with:
+       oss-fuzz-project-name: 'opensc'
+       dry-run: false
+   - name: Run Fuzzers
+     uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+     with:
+       oss-fuzz-project-name: 'opensc'
+       fuzz-seconds: 600
+       dry-run: false
+   - name: Upload Crash
+     uses: actions/upload-artifact@v1
+     if: failure() && steps.build.outcome == 'success'
+     with:
+       name: artifacts
+       path: ./out/artifacts

.github/workflows/linux.yml

@@ -0,0 +1,176 @@
+name: Linux
+
+on:
+  pull_request:
+    paths:
+      - '**.c'
+      - '**.h'
+  push:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh
+      - run: .github/build.sh dist
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build
+          path:
+            opensc*.tar.gz
+
+  build-ubuntu-18:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh
+      - run: .github/build.sh
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+
+  build-mingw:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh mingw
+      - run: .github/build.sh mingw
+      - name: Cache build artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build-mingw
+          path:
+            win32/Output/OpenSC*.exe
+
+  build-mingw32:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh mingw32
+      - run: .github/build.sh mingw32
+      - name: Cache build artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build-mingw32
+          path:
+            win32/Output/OpenSC*.exe
+
+  test-piv:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh piv
+      - run: .github/test-piv.sh
+
+  test-isoapplet:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh isoapplet
+      - run: .github/test-isoapplet.sh
+
+  test-gidsapplet:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh gidsapplet
+      - run: .github/test-gidsapplet.sh
+
+  test-openpgp:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh openpgp
+      # the openpgp sometimes fails
+      - run: .github/test-openpgp.sh || true
+
+  build-clang-tidy:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - run: .github/setup-linux.sh clang-tidy
+      - run: .github/build.sh
+
+  test-cac:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - run: .github/setup-linux.sh cac
+      - run: .github/test-cac.sh
+
+  test-oseid:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - run: .github/setup-linux.sh oseid
+      - run: .github/test-oseid.sh
+
+  push-artifacts:
+    runs-on: ubuntu-latest
+    needs: [build, build-mingw]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - name: Pull mingw build artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: opensc-build-mingw
+      - run: git config --global user.email "builds@github.com"
+      - run: git config --global user.name "Github Actions";
+      - run: .github/push_artifacts.sh "Github Actions ${GITHUB_REF}"
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'OpenSC/OpenSC' }}

.github/workflows/macos.yml

@@ -0,0 +1,39 @@
+name: OSX
+
+on:
+  pull_request:
+    paths:
+      - '**.c'
+      - '**.h'
+  push:
+
+jobs:
+  build:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-macos.sh
+      - run: .github/build.sh
+      - name: Cache build artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build-macos
+          path:
+            OpenSC*.dmg
+
+  push-artifacts:
+    runs-on: macos-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Pull build artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: opensc-build-macos
+      - run: git config --global user.email "builds@github.com"
+      - run: git config --global user.name "Github Actions";
+      - run: .github/push_artifacts.sh "Github Actions ${GITHUB_REF}"
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'OpenSC/OpenSC' }}
+# TODO this fails probably because the key is not loaded in keychain before with
+# security: SecKeychainDelete: The specified keychain could not be found.
+#      - run: .github/remove_signing_key.sh; rm -f .github/secrets.tar

.gitignore

@@ -4,6 +4,7 @@ core
 archive
 acinclude.m4
 aclocal.m4
+aminclude_static.am
 autom4te.cache
 compile
 confdefs.h
@@ -22,6 +23,7 @@ mkinstalldirs
 so_locations
 stamp-h*
 tags
+test-driver
 .deps
 .libs
 .#*#
@@ -49,7 +51,6 @@ tags
 *.gz
 *.bz2
 *.[0-9]
-*.html
 *.gif
 *.css
 *.out
@@ -57,51 +58,37 @@ tags
 *.obj
 *.exp
 *.res
+*.ggo
 ChangeLog
 
-doc/tools/cardos-tool
-doc/tools/cryptoflex-tool
+doc/tools/*-tool
 doc/tools/eidenv
-doc/tools/iasecc-tool
-doc/tools/netkey-tool
-doc/tools/openpgp-tool
 doc/tools/opensc-explorer
-doc/tools/opensc-tool
-doc/tools/gids-tool
-doc/tools/piv-tool
-doc/tools/pkcs11-tool
+doc/tools/pkcs11-register
 doc/tools/pkcs15-crypt
 doc/tools/pkcs15-init
-doc/tools/pkcs15-tool
-doc/tools/sc-hsm-tool
-doc/tools/westcos-tool
-doc/tools/dnie-tool
+doc/tools/opensc-asn1
+doc/tools/opensc-notify
+doc/files/opensc.conf.5.xml
 
-etc/opensc.conf.win
-etc/opensc.conf
+etc/opensc.conf.example
 src/common/compat_getopt_main
 src/minidriver/opensc-minidriver.inf
-src/tools/cardos-tool
-src/tools/iasecc-tool
-src/tools/openpgp-tool
-src/tools/sc-hsm-tool
-src/tools/westcos-tool
-src/tools/pkcs15-tool
+src/tools/*-tool
 src/tools/pkcs15-crypt
 src/tools/pkcs15-init
-src/tools/piv-tool
 src/tools/eidenv
 src/tools/opensc-explorer
-src/tools/opensc-tool
-src/tools/gids-tool
-src/tools/rutoken-tool
 src/tools/cardos-info
-src/tools/cryptoflex-tool
-src/tools/netkey-tool
-src/tools/pkcs11-tool
-src/tools/dnie-tool
-src/tools/npa-tool
+src/tools/gcns
 src/tools/sceac-example
+src/tools/opensc-notify
+src/tools/opensc-notify.plist
+src/tools/org.opensc.notify.desktop
+src/tools/pkcs11-register
+src/tools/pkcs11-register.plist
+src/tools/pkcs11-register.desktop
+src/tools/opensc-asn1
 
 win32/OpenSC.iss
 win32/OpenSC.wxs
@@ -128,5 +115,14 @@ src/tests/lottery
 src/tests/p15dump
 src/tests/pintest
 src/tests/prngtest
+src/tests/p11test/p11test
+
+tests/*.log
+tests/*.trs
+src/tests/unittests/*.log
+src/tests/unittests/*.trs
+src/tests/unittests/asn1
+src/tests/unittests/compression
+src/tests/unittests/simpletlv
 
 version.m4.ci

.gitlab-ci.yml

@@ -0,0 +1,126 @@
+before_script:
+  # Avoid picking up PIV endpoint in CAC cards
+  - sed -e "/PIV-II/d" -i src/libopensc/ctx.c
+  # enable debug messages in the testsuite
+  - sed -e "s/^p11test_CFLAGS/#p11test_CFLAGS/g" -i src/tests/p11test/Makefile.am
+  - ./bootstrap
+  - ./configure
+  - make -j4
+  - make check
+  - make install
+  - ldconfig /usr/local/lib
+  - git clone https://github.com/PL4typus/virt_cacard.git
+  - cd virt_cacard && export CACARD_DIR=$PWD && ./autogen.sh && ./configure && make
+variables:
+  SOFTHSM2_CONF: softhsm2.conf
+  CNTNR_REGISTRY: pl4typus/opensc-images
+  FEDORA29_BUILD: fedora-29
+  FEDORA30_BUILD: fedora-30
+  UBUNTU_BUILD: ubuntu-18.04
+  DEBIAN_BUILD: debian-testing
+
+.job_base: &base_job
+  artifacts:
+    expire_in: '1 week'
+    when: on_failure
+    paths:
+      - src/tests/p11test/*.log
+
+.job_template: &functional_test
+  <<: *base_job
+  artifacts:
+    expire_in: '1 week'
+    when: on_failure
+    paths:
+      - src/tests/p11test/*.log
+      - src/tests/p11test/*.json
+      - tests/test-suite.log
+  cache:
+    paths:
+      - src/tests/p11test/*.json
+
+.virt_cacard: &virt_cacard
+  only:
+    - virt_cacard
+  script:
+    - ./setup-softhsm2.sh 
+    - cd ../src/tests/p11test/
+    - pcscd -x  
+    - ./p11test -s 0 -p 12345678 -o cac.json -i | tee cac.log &
+    - sleep 5
+    - cd $CACARD_DIR 
+    - ./virt_cacard & 
+    - cd ../src/tests/p11test/
+    - wait $(ps aux | grep '[p]11test'| awk '{print $2}')
+    - kill -9 $(ps aux | grep '[v]irt_cacard'| awk '{print $2}')
+    - if [[ -f cac_old.json ]]; then diff -u3 cac_old.json cac.json; fi
+    - cp cac.json cac_old.json
+    # cache the results for the next run
+  tags:
+    - shared
+
+.virt_cacard_valgrind: &virt_cacard_valgrind
+  only:
+    - virt_cacard
+  script:
+    - ./setup-softhsm2.sh 
+    - cd ../src/tests/p11test/
+    # remove the dlcose() calls to have reasonable traces
+    - sed '/if(pkcs11_so)/I {N;d;}' -i p11test_loader.c
+    - make
+    - pcscd -x  
+    - valgrind --leak-check=full --trace-children=yes --suppressions=p11test.supp ./p11test -s 0 -p 12345678 -i 2>&1| tee cac.log &
+    - sleep 5
+    - cd $CACARD_DIR
+    - ./virt_cacard &
+    - wait $(ps aux | grep '[v]algrind'| awk '{print $2}')
+    - kill -9 $(ps aux | grep '[v]irt_cacard'| awk '{print $2}')
+    - cd ../src/tests/p11test/
+    - grep "definitely lost:.*0 bytes in 0 blocks" cac.log
+  tags:
+    - shared
+
+################################
+##      Virtual CACard        ##
+################################
+
+Fedora29 Build and Test virt_cacard:
+  <<: *functional_test
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$FEDORA29_BUILD:latest
+  <<: *virt_cacard
+
+Fedora30 Build and Test virt_cacard:
+  <<: *functional_test
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$FEDORA30_BUILD:latest
+  <<: *virt_cacard
+
+Ubuntu18.04 Build and Test virt_cacard:
+  <<: *functional_test
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$UBUNTU_BUILD:latest
+  <<: *virt_cacard
+
+Debian-testing Build and Test virt_cacard:
+  <<: *functional_test
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$DEBIAN_BUILD:latest
+  <<: *virt_cacard
+
+Fedora29 Build and Test virt_cacard with valgrind:
+  <<: *base_job
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$FEDORA29_BUILD:latest
+  <<: *virt_cacard_valgrind
+
+Fedora30 Build and Test virt_cacard with valgrind:
+  <<: *base_job
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$FEDORA30_BUILD:latest
+  <<: *virt_cacard_valgrind
+
+Ubuntu18.04 Build and Test virt_cacard with valgrind:
+  <<: *base_job
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$UBUNTU_BUILD:latest
+  <<: *virt_cacard_valgrind
+
+Debian-testing Build and Test virt_cacard with valgrind:
+  <<: *base_job
+  image: $CI_REGISTRY/$CNTNR_REGISTRY/$DEBIAN_BUILD:latest
+  <<: *virt_cacard_valgrind
+

.travis.yml

@@ -1,95 +1,363 @@
 language: c
 
-sudo: false
-
-addons:
-  apt_packages:
-    - binutils-mingw-w64-i686
-    - binutils-mingw-w64-x86-64
-    - docbook-xsl
-    - gcc-mingw-w64-i686
-    - gcc-mingw-w64-x86-64
-    - libpcsclite-dev
-    - mingw-w64
-    - wine
-    - xsltproc
-    - gengetopt
-    - help2man
+matrix:
+  include:
+    - compiler: clang
+      os: osx
+      osx_image: xcode9.4
+      env: DO_PUSH_ARTIFACT=yes
+    - compiler: clang
+      os: osx
+      osx_image: xcode12.2
+      env: DO_PUSH_ARTIFACT=yes
+    - compiler: clang
+      os: linux
+      dist: focal
+    - compiler: gcc
+      os: linux
+      dist: bionic
+      env:
+        - DO_SIMULATION=javacard
+        - ENABLE_DOC=--enable-doc
+    - compiler: gcc
+      os: linux
+      dist: focal
+      env:
+        - DO_SIMULATION=oseid
+    - env:
+        - HOST=x86_64-w64-mingw32
+        - DO_PUSH_ARTIFACT=yes
+    - env:
+        - HOST=i686-w64-mingw32
+        - DO_PUSH_ARTIFACT=yes
+    - env: DO_COVERITY_SCAN=yes
+    - compiler: gcc
+      os: linux
+      dist: bionic
+      env:
+        - DO_SIMULATION=cac
 
 env:
   global:
-    # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
-    #   via the "travis encrypt" command using the project repo's public key
+    # The next declaration are encrypted environment variables, created via the
+    # "travis encrypt" command using the project repo's public key
+    # COVERITY_SCAN_TOKEN
     - secure: "UkHn7wy4im8V1nebCWbAetnDSOLRUbOlF6++ovk/7Bnso1/lnhXHelyzgRxfD/oI68wm9nnRV+RQEZ9+72Ug1CyvHxyyxxkwal/tPeHH4B/L+aGdPi0id+5OZSKIm77VP3m5s102sJMJgH7DFd03+nUd0K26p0tk8ad4j1geV4c="
+    # GH_TOKEN
+    - secure: "cUAvpN/XUPMIN5cgWAbIOhghRoLXyw7SCydzGaJ1Ucqb9Ml2v5iuLLuN57YbZHTiWw03vy6rYVzzwMDrHX8r3oUALsv7ViJHG4PzIe7fAFZsZpHECmGsp6SEnue7m7BNy3FT8KYbiXxnxDO0SxmFXlrPAYR0WMZCWx2TENYcafs="
     - COVERITY_SCAN_BRANCH_PATTERN="(master|coverity.*)"
     - COVERITY_SCAN_NOTIFICATION_EMAIL="viktor.tarasov@gmail.com"
     - COVERITY_SCAN_BUILD_COMMAND="make -j 4"
     - COVERITY_SCAN_PROJECT_NAME="$TRAVIS_REPO_SLUG"
     - SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
 
-matrix:
-  fast_finish: true
-  include:
-    - compiler: clang
-      os: osx
-    - compiler: gcc
-      os: osx
-    - compiler: clang
-      os: linux
-      env: ENABLE_DOC=--enable-doc
-    - compiler: gcc
-      os: linux
-      env: ENABLE_DOC=--enable-doc
-    - os: linux
-      env: HOST=x86_64-w64-mingw32
-    - os: linux
-      env: HOST=i686-w64-mingw32
-    - os: linux
-      env: DO_COVERITY_SCAN=yes
+# Commented out because of a bug in travis images for Focal:
+# https://travis-ci.community/t/clang-10-was-recently-broken-on-linux-unmet-dependencies-for-clang-10-clang-tidy-10-valgrind/11527
+#addons:
+#  apt_packages:
+#    - binutils-mingw-w64-i686
+#    - binutils-mingw-w64-x86-64
+#    - docbook-xsl
+#    - gcc-mingw-w64-i686
+#    - gcc-mingw-w64-x86-64
+#    - libpcsclite-dev
+#    - mingw-w64
+#    - xsltproc
+#    - gengetopt
+#    - libcmocka-dev
+#    - help2man
+#    - pcscd
+#    - pcsc-tools
+#    - check
+#    - ant
+#    - socat
+#    - cmake
+#    - clang-tidy
+#    - softhsm2
 
 before_install:
-  - if [ "$TRAVIS_OS_NAME" == "osx" ]; then
-        brew update;
-        brew uninstall libtool;
-        brew install libtool;
-        brew install gengetopt help2man;
+  # homebrew is dead slow in older images due to the many updates it would need to download and build.
+  # here, we build the additional dependencies manually to get around this
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
+        curl https://ftp.gnu.org/gnu/gengetopt/gengetopt-2.23.tar.xz -L --output gengetopt-2.23.tar.xz;
+        tar xfj gengetopt-2.23.tar.xz;
+        pushd gengetopt-2.23;
+        ./configure && make;
+        sudo make install;
+        popd;
+        curl https://ftp.gnu.org/gnu/help2man/help2man-1.47.16.tar.xz -L --output help2man-1.47.16.tar.xz;
+        tar xjf help2man-1.47.16.tar.xz;
+        pushd help2man-1.47.16;
+        ./configure && make;
+        sudo make install;
+        popd;
+        export PATH="/usr/local/opt/ccache/libexec:$PATH";
+        git clone https://github.com/frankmorgner/OpenSCToken.git;
+        sudo rm -rf /Library/Developer/CommandLineTools;
+    fi
+  - if [ "$TRAVIS_OS_NAME" = "osx" -a "$TRAVIS_PULL_REQUEST" = "false" -a -n "$encrypted_3b9f0b9d36d1_key" ]; then
+        openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
+        .github/add_signing_key.sh;
+    else
+        unset CODE_SIGN_IDENTITY INSTALLER_SIGN_IDENTITY;
+    fi
+  - if [ "${DO_SIMULATION}" = "javacard" ]; then
+        sudo apt-get install -y openjdk-8-jdk;
+        sudo update-java-alternatives -s java-1.8.0-openjdk-amd64;
+        sudo update-alternatives --get-selections | grep ^java;
+        export PATH="/usr/lib/jvm/java-8-openjdk-amd64/bin/:$PATH";
+        export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/;
+        env | grep -i openjdk;
+    fi
+  - if [ "${DO_SIMULATION}" = "cac" ]; then
+        sudo apt-get install -y libglib2.0-dev libnss3-dev  pkgconf libtool make autoconf autoconf-archive automake libsofthsm2-dev softhsm2 softhsm2-common help2man gnutls-bin libcmocka-dev libusb-dev libudev-dev flex libnss3-tools libssl-dev libpcsclite1;
+        export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig;
+    fi
+  - if [ -n "${HOST}" ]; then
+        sudo apt-get install -y wine;
+    fi
+  - if [ "$TRAVIS_DIST" == "focal" ]; then
+        sudo apt-get install -yq --allow-downgrades libc6=2.31-0ubuntu9.2 libc6-dev=2.31-0ubuntu9.2;
+    fi
+  - if [ "$TRAVIS_OS_NAME" == "linux" ]; then
+        sudo -E apt-get -yq --no-install-suggests --no-install-recommends --allow-downgrades --allow-remove-essential --allow-change-held-packages install binutils-mingw-w64-i686 binutils-mingw-w64-x86-64 docbook-xsl gcc-mingw-w64-i686 gcc-mingw-w64-x86-64 libpcsclite-dev mingw-w64 xsltproc gengetopt libcmocka-dev help2man pcscd pcsc-tools check ant socat cmake clang-tidy softhsm2;
     fi
 
 before_script:
-  - ./bootstrap
+  - if [ "$TRAVIS_BRANCH" = "master" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then
+      ./bootstrap;
+    fi
+  - if [ "$TRAVIS_BRANCH" = "master" -a "$TRAVIS_PULL_REQUEST" != "false" ]; then
+      ./bootstrap.ci -s "-pr$TRAVIS_PULL_REQUEST";
+    fi
+  - if [ "$TRAVIS_BRANCH" != "master" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then
+      ./bootstrap.ci -s "-$TRAVIS_BRANCH";
+    fi
+  - if [ "$TRAVIS_BRANCH" != "master" -a "$TRAVIS_PULL_REQUEST" != "false" ]; then
+      ./bootstrap.ci -s "-$TRAVIS_BRANCH-pr$TRAVIS_PULL_REQUEST";
+    fi
   - if [ -z "$HOST" ]; then
       CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
     else
       if [ ! -f "$(winepath 'C:/Program Files (x86)/Inno Setup 5/ISCC.exe')" ]; then
         /sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16;
         export DISPLAY=:99.0;
-        wget http://files.jrsoftware.org/is/5/isetup-5.5.6.exe;
+        [ -d isetup ] || mkdir isetup;
+        pushd isetup;
+        [ -f isetup-5.5.6.exe ] || wget http://files.jrsoftware.org/is/5/isetup-5.5.6.exe;
         wine isetup-5.5.6.exe /SILENT /VERYSILENT /SP- /SUPPRESSMSGBOXES /NORESTART;
+        popd;
       fi;
       unset CC;
       unset CXX;
-      ./configure --host=$HOST --disable-openssl --disable-readline --disable-zlib --disable-notify --prefix=${TRAVIS_BUILD_DIR}/win32/opensc || cat config.log;
+      ./configure --host=$HOST --with-completiondir=/tmp --disable-openssl --disable-readline --disable-zlib --disable-notify --prefix=${TRAVIS_BUILD_DIR}/win32/opensc || cat config.log;
     fi
   # Optionally try to upload to Coverity Scan
-  # On error (propably quota is exhausted), just continue
+  # On error (probably quota is exhausted), just continue
   - if [ "${DO_COVERITY_SCAN}" = "yes" ]; then curl -s 'https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh' | bash || true; fi
 
+  - if [ "${DO_SIMULATION}" = "javacard" ]; then
+      set -ex;
+      git clone https://github.com/frankmorgner/vsmartcard.git;
+      cd vsmartcard/virtualsmartcard;
+      autoreconf -vis && ./configure && sudo make install;
+      cd $TRAVIS_BUILD_DIR;
+      sudo systemctl stop pcscd.service pcscd.socket;
+
+      git clone https://github.com/martinpaljak/oracle_javacard_sdks.git;
+      export JC_HOME=$PWD/oracle_javacard_sdks/jc222_kit;
+      export JC_CLASSIC_HOME=$PWD/oracle_javacard_sdks/jc305u3_kit;
+
+      git clone https://github.com/arekinath/jcardsim.git;
+      cd jcardsim;
+      env | grep -i openjdk;
+      export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/;
+      mvn initialize && mvn clean install;
+      cd $TRAVIS_BUILD_DIR;
+
+      git clone https://github.com/philipWendland/IsoApplet.git;
+      javac -classpath jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar IsoApplet/src/net/pwendland/javacard/pki/isoapplet/*.java;
+      echo "com.licel.jcardsim.card.applet.0.AID=F276A288BCFBA69D34F31001" > isoapplet_jcardsim.cfg;
+      echo "com.licel.jcardsim.card.applet.0.Class=net.pwendland.javacard.pki.isoapplet.IsoApplet" >> isoapplet_jcardsim.cfg;
+      echo "com.licel.jcardsim.card.ATR=3B80800101" >> isoapplet_jcardsim.cfg;
+      echo "com.licel.jcardsim.vsmartcard.host=localhost" >> isoapplet_jcardsim.cfg;
+      echo "com.licel.jcardsim.vsmartcard.port=35963" >> isoapplet_jcardsim.cfg;
+
+      git clone https://github.com/vletoux/GidsApplet.git;
+      javac -classpath jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar GidsApplet/src/com/mysmartlogon/gidsApplet/*.java;
+      echo "com.licel.jcardsim.card.applet.0.AID=A000000397425446590201" > gids_jcardsim.cfg;
+      echo "com.licel.jcardsim.card.applet.0.Class=com.mysmartlogon.gidsApplet.GidsApplet" >> gids_jcardsim.cfg;
+      echo "com.licel.jcardsim.card.ATR=3B80800101" >> gids_jcardsim.cfg;
+      echo "com.licel.jcardsim.vsmartcard.host=localhost" >> gids_jcardsim.cfg;
+      echo "com.licel.jcardsim.vsmartcard.port=35963" >> gids_jcardsim.cfg;
+
+      git clone --recursive https://github.com/Yubico/ykneo-openpgp.git;
+      cd ykneo-openpgp;
+      ant -DJAVACARD_HOME=${JC_HOME};
+      cd $TRAVIS_BUILD_DIR;
+      echo "com.licel.jcardsim.card.applet.0.AID=D2760001240102000000000000010000" > openpgp_jcardsim.cfg;
+      echo "com.licel.jcardsim.card.applet.0.Class=openpgpcard.OpenPGPApplet" >> openpgp_jcardsim.cfg;
+      echo "com.licel.jcardsim.card.ATR=3B80800101" >> openpgp_jcardsim.cfg;
+      echo "com.licel.jcardsim.vsmartcard.host=localhost" >> openpgp_jcardsim.cfg;
+      echo "com.licel.jcardsim.vsmartcard.port=35963" >> openpgp_jcardsim.cfg;
+
+      git clone --recursive https://github.com/arekinath/PivApplet.git;
+      cd PivApplet;
+      JC_HOME=${JC_CLASSIC_HOME} ant dist;
+      cd $TRAVIS_BUILD_DIR;
+
+      git clone https://github.com/Yubico/yubico-piv-tool.git;
+      cd yubico-piv-tool;
+      mkdir build; cd build;
+      cmake .. && make && sudo make install;
+      cd $TRAVIS_BUILD_DIR;
+      set +ex;
+    fi
+
+  - if [ "${DO_SIMULATION}" = "oseid" ]; then
+      git clone https://github.com/popovec/oseid;
+      cd oseid/src/;
+      make -f Makefile.console;
+      mkdir tmp;
+      socat -d -d pty,link=tmp/OsEIDsim.socket,raw,echo=0 "exec:build/console/console ...,pty,raw,echo=0" &
+      PID=$!;
+      sleep 1;
+      echo "# OsEIDsim" > tmp/reader.conf;
+      echo 'FRIENDLYNAME      "OsEIDsim"' >> tmp/reader.conf;
+      echo "DEVICENAME        ${TRAVIS_BUILD_DIR}/oseid/src/tmp/OsEIDsim.socket" >> tmp/reader.conf;
+      echo "LIBPATH           ${TRAVIS_BUILD_DIR}/oseid/src/build/console/libOsEIDsim.so.0.0.1" >> tmp/reader.conf;
+      echo "CHANNELID         1" >> tmp/reader.conf;
+      sudo mv tmp/reader.conf /etc/reader.conf.d/reader.conf;
+      cat /etc/reader.conf.d/reader.conf;
+      cd $TRAVIS_BUILD_DIR;
+
+      sudo /etc/init.d/pcscd restart;
+    fi
+
+  - if [ "${DO_SIMULATION}" = "cac" ]; then
+      git clone https://github.com/frankmorgner/vsmartcard.git;
+      cd vsmartcard/virtualsmartcard;
+      autoreconf -vis && ./configure && make -j4 && sudo make install;
+
+      cd $TRAVIS_BUILD_DIR;
+      git clone https://gitlab.freedesktop.org/spice/libcacard.git;
+      cd libcacard && ./autogen.sh --prefix=/usr && make -j4 && sudo make install;
+
+      cd $TRAVIS_BUILD_DIR;
+      git clone https://github.com/PL4typus/virt_cacard.git;
+      cd virt_cacard && ./autogen.sh && ./configure && make;
+
+      cd $TRAVIS_BUILD_DIR;
+      sudo /etc/init.d/pcscd restart;
+    fi
+
 script:
   - if [ "${DO_COVERITY_SCAN}" != "yes" ]; then
-      if [ $TRAVIS_OS_NAME == osx ]; then
+      if [ "${TRAVIS_OS_NAME}" = "osx" ]; then
         ./MacOSX/build;
       else
-        make;
+        make -j 4;
       fi;
     fi
-  - if [ -z "$HOST" -a "${DO_COVERITY_SCAN}" != "yes" ]; then
-      make check && make dist;
+  - if [ -z "$HOST" -a "${DO_COVERITY_SCAN}" != "yes" -a -z "$DO_SIMULATION" ]; then
+      make check && make distcheck || (cat tests/*log src/tests/unittests/*log && exit 1);
     fi
   - if [ ! -z "$HOST" -a "${DO_COVERITY_SCAN}" != "yes" ]; then
       make install;
       wine "C:/Program Files (x86)/Inno Setup 5/ISCC.exe" win32/OpenSC.iss;
     fi
 
+  - if [ "${DO_SIMULATION}" = "javacard" ]; then
+      set -ex;
+      sudo make install;
+      export LD_LIBRARY_PATH=/usr/local/lib;
+
+      sudo /usr/sbin/pcscd -f &
+      PCSCD_PID=$!;
+
+      java -noverify -cp IsoApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard isoapplet_jcardsim.cfg >/dev/null &
+      PID=$!;
+      sleep 5;
+      opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100;
+      opensc-tool -n;
+      pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef;
+      pkcs15-tool --change-pin --pin 123456 --new-pin 654321;
+      pkcs15-tool --unblock-pin --puk 0123456789abcdef --new-pin 123456;
+      pkcs15-init --generate-key rsa/2048     --id 1 --key-usage decrypt,sign --auth-id FF --pin 123456;
+      pkcs15-init --generate-key rsa/2048     --id 2 --key-usage decrypt      --auth-id FF --pin 123456;
+      pkcs15-init --generate-key ec/secp256r1 --id 3 --key-usage sign         --auth-id FF --pin 123456;
+      pkcs15-tool -D;
+      pkcs11-tool -l -t -p 123456;
+      kill -9 $PID;
+
+      java -noverify -cp GidsApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard gids_jcardsim.cfg >/dev/null &
+      PID=$!;
+      sleep 5;
+      opensc-tool --card-driver default --send-apdu 80b80000190bA0000003974254465902010bA00000039742544659020100;
+      opensc-tool -n;
+      gids-tool --initialize --pin 123456 --admin-key 000000000000000000000000000000000000000000000000 --serial 00000000000000000000000000000000;
+      kill -9 $PID;
+
+      java -noverify -cp ykneo-openpgp/applet/bin:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard openpgp_jcardsim.cfg >/dev/null &
+      PID=$!;
+      sleep 5;
+      opensc-tool --card-driver default --send-apdu 80b800002210D276000124010200000000000001000010D276000124010200000000000001000000;
+      opensc-tool -n;
+      openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2;
+      pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048;
+      pkcs11-tool -l -t -p 123456;
+      kill -9 $PID;
+
+      java -noverify -cp PivApplet/bin/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard PivApplet/test/jcardsim.cfg >/dev/null &
+      PID=$!;
+      sleep 5;
+      opensc-tool --card-driver default --send-apdu 80b80000120ba000000308000010000100050000020F0F7f;
+      opensc-tool -n;
+      yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9e -a generate -A RSA2048;
+      yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9a -a generate -A ECCP256;
+      pkcs11-tool -l -t -p 123456;
+      kill -9 $PID;
+
+      sudo kill -9 $PCSCD_PID;
+
+      set +ex;
+    fi
+
+  - if [ "${DO_SIMULATION}" = "oseid" ]; then
+      set -ex;
+      sudo make install;
+      export LD_LIBRARY_PATH=/usr/local/lib;
+
+      cd oseid/tools;
+      echo | ./OsEID-tool INIT;
+      ./OsEID-tool RSA-CREATE-KEYS;
+      ./OsEID-tool RSA-UPLOAD-KEYS;
+      ./OsEID-tool RSA-DECRYPT-TEST;
+      ./OsEID-tool RSA-SIGN-PKCS11-TEST;
+      ./OsEID-tool EC-CREATE-KEYS;
+      ./OsEID-tool EC-UPLOAD-KEYS;
+      ./OsEID-tool EC-SIGN-TEST;
+      ./OsEID-tool EC-SIGN-PKCS11-TEST;
+      ./OsEID-tool EC-ECDH-TEST;
+      kill -9 $PID;
+
+      set +ex;
+    fi
+  - if [ "${DO_SIMULATION}" = "cac" ]; then
+      cd $TRAVIS_BUILD_DIR;
+      make check && sudo make install || (cat tests/*log src/tests/unittests/*log && exit 1);
+      export LD_LIBRARY_PATH=/usr/local/lib;
+      cd src/tests/p11test/;
+      ./p11test -s 0 -p 12345678 -i &
+      sleep 5;
+      cd $TRAVIS_BUILD_DIR/virt_cacard;
+      ./setup-softhsm2.sh;
+      export SOFTHSM2_CONF=$PWD/softhsm2.conf;
+      ./virt_cacard &
+      wait $(ps aux | grep '[p]11test'| awk '{print $2}');
+      kill -9 $(ps aux | grep '[v]irt_cacard'| awk '{print $2}');
+    fi
+
 after_script:
   # kill process started during compilation to finish the build, see
   # https://github.com/moodlerooms/moodle-plugin-ci/issues/33 for details
@@ -97,4 +365,22 @@ after_script:
       killall services.exe;
     fi
 
-cache: ccache
+  # keep in sync with appveyor.yml
+  - if [ "${DO_PUSH_ARTIFACT}" = "yes" -a "$TRAVIS_PULL_REQUEST" = "false" -a "$TRAVIS_REPO_SLUG" = "OpenSC/OpenSC" ]; then
+      git config --global user.email "builds@travis-ci.org";
+      git config --global user.name "Travis CI";
+      .github/push_artifacts.sh "Travis CI build ${TRAVIS_JOB_NUMBER}";
+    fi
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
+      .github/remove_signing_key.sh;
+      rm -f .github/secrets.tar;
+    fi
+
+cache:
+  apt: true
+  ccache: true
+  directories:
+    - $HOME/.m2/
+    - openssl_bin
+    - openpace_bin
+    - isetup

COPYING

@@ -1,8 +1,8 @@
-		  GNU LESSER GENERAL PUBLIC LICENSE
-		       Version 2.1, February 1999
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999
 
  Copyright (C) 1991, 1999 Free Software Foundation, Inc.
-     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -10,7 +10,7 @@
  as the successor of the GNU Library Public License, version 2, hence
  the version number 2.1.]
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
   Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,8 +111,8 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
-		  GNU LESSER GENERAL PUBLIC LICENSE
+
+                  GNU LESSER GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License Agreement applies to any software library or other
@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
   1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@@ -158,7 +158,7 @@ Library.
   You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
   2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
   Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
   6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
   7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
   11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
   14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -432,7 +432,7 @@ decision will be guided by the two goals of preserving the free status
 of all derivatives of our free software and of promoting the sharing
 and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
 WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
@@ -455,8 +455,8 @@ FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
 SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
-
+                     END OF TERMS AND CONDITIONS
+
            How to Apply These Terms to Your New Libraries
 
   If you develop a new library, and you want it to be of the greatest
@@ -485,7 +485,7 @@ convey the exclusion of warranty; and each file should have at least the
 
     You should have received a copy of the GNU Lesser General Public
     License along with this library; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -501,4 +501,3 @@ necessary.  Here is a sample; alter the names:
 
 That's all there is to it!
 
-

MacOSX/Distribution.xml.in

@@ -1,4 +1,7 @@
 <?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!--
+https://developer.apple.com/library/mac/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
+-->
 <installer-gui-script minSpecVersion="2">
     <allowed-os-versions>
       <os-version min="10.10"/>
@@ -6,17 +9,57 @@
     <background file="background.jpg" mime-type="image/jpeg" scaling="tofit"/>
     <welcome file="Welcome.html" mime-type="text/html"/>
     <title>@PACKAGE_STRING@</title>
-
-    <pkg-ref id="com.apple.tokend.opensc"/>
-    <options customize="never" require-scripts="false"/>
+    <options customize="allow" require-scripts="false" rootVolumeOnly="true"/>
+    <script>
+      <![CDATA[
+	function osx_before_catalina() {
+	 if((system.compareVersions(system.version.ProductVersion, '10.15')) == -1)
+	 {
+	  return true;
+	 }
+	 else
+	 {
+	  return false;
+	 }
+	}
+	function osx_after_catalina() {
+	 if((system.compareVersions(system.version.ProductVersion, '10.15')) >= 0)
+	 {
+	  return true;
+	 }
+	 else
+	 {
+	  return false;
+	 }
+	}
+	function osx_after_yosemite() {
+	 if((system.compareVersions(system.version.ProductVersion, '10.12')) >= 0)
+	 {
+	  return true;
+	 }
+	 else
+	 {
+	  return false;
+	 }
+	}
+      ]]>
+    </script>
     <choices-outline>
-        <line choice="default">
-            <line choice="com.apple.tokend.opensc"/>
-        </line>
+        <line choice="default" />
+        <line choice="startup" />
+        <line choice="tokend" />
+        <line choice="token" />
     </choices-outline>
-    <choice id="default"/>
-    <choice id="com.apple.tokend.opensc" visible="true">
-        <pkg-ref id="com.apple.tokend.opensc"/>
+    <choice id="default" title="PKCS#11 module and smart card tools" enabled="false">
+        <pkg-ref id="org.opensc-project.mac">OpenSC.pkg</pkg-ref>
+    </choice>
+    <choice id="tokend" title="TokenD-based smart card driver" start_selected="osx_before_catalina()">
+        <pkg-ref id="org.opensc-project.tokend">OpenSC-tokend.pkg</pkg-ref>
+    </choice>
+    <choice id="token" title="CryptoTokenKit-based smart card driver" visible="osx_after_yosemite()" start_selected="osx_after_catalina()">
+        <pkg-ref id="org.opensc-project.mac.opensctoken">OpenSCToken.pkg</pkg-ref>
+    </choice>
+    <choice id="startup" title="Automatic startup items">
+        <pkg-ref id="org.opensc-project.startup">OpenSC-startup.pkg</pkg-ref>
     </choice>
-    <pkg-ref id="com.apple.tokend.opensc" onConclusion="none">OpenSC.pkg</pkg-ref>
 </installer-gui-script>

MacOSX/OpenSC_applescripts.entitlements

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.app-sandbox</key>
+    <false/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+  </dict>
+</plist>

MacOSX/OpenSC_binaries.entitlements

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.app-sandbox</key>
+    <false/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>

MacOSX/build-package.in

@@ -1,31 +1,23 @@
 #!/bin/bash
-# Building the installer is only tested and supported on 10.9+ with Xcode 6.0.1
-# Built package targets 10.10
-# Building should also work on older versions with older revisions or slight changes, YMMV
+# Build the macOS installer for the tokend and command line tools.
+#
+# This is only tested and supported on macOS 10.10 or later, using Xcode 6.0.1.
+# Building should also work on older macOS versions with slight changes; YMMV.
 
-# You need to have  the following from homebrew or macports or fink:
-# autoconf automake libtool pkg-config
+# You need to install the following packages from homebrew or macports or fink:
+# autoconf automake libtool pkg-config help2man gengetopt
 
-# If you want to compile with OpenSCToken/CryptoTokenKit set the following:
-#ENABLE_CRYPTOTOKENKIT="--disable-pcsc  --enable-cryptotokenkit"
-# When using CryptoTokenKit, code signing is required
-#SIGNING_IDENTITY=BA3CE53D402E3C75246557E2890F929F4A778DDE
-
-if test -z "$ENABLE_CRYPTOTOKENKIT"; then
-	export MACOSX_DEPLOYMENT_TARGET="10.10"
-else
-	export MACOSX_DEPLOYMENT_TARGET="10.12"
-fi
+export MACOSX_DEPLOYMENT_TARGET="10.10"
 
 set -ex
 test -x ./configure || ./bootstrap
 BUILDPATH=${PWD}
 
-# Locate the latest OSX SDK
-SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
-
-# Set SDK path
-export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
+xcode_ver=$(xcodebuild -version | sed -En 's/Xcode[[:space:]](.*)/\1/p')
+base_ver="12.2"
+if [ $(echo -e $base_ver"\n"$xcode_ver | sort -V | head -1) == "$base_ver" ]; then
+	export BUILD_ARM="true"
+fi
 
 export SED=/usr/bin/sed
 PREFIX=/Library/OpenSC
@@ -36,41 +28,59 @@ if ! pkg-config libcrypto --atleast-version=1.0.1; then
 	if ! test -e $BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig; then
 		# Build OpenSSL manually, because Apple's binaries are deprecated
 		if ! test -e openssl; then
-			git clone --depth=1 https://github.com/openssl/openssl.git -b OpenSSL_1_0_2-stable
+			git clone --depth=1 https://github.com/openssl/openssl.git -b OpenSSL_1_1_1-stable
 		fi
 		cd openssl
-		KERNEL_BITS=64 ./config --prefix=$PREFIX
+		MACHINE=x86_64 ./config no-shared --prefix=$PREFIX
 		make clean
-		make update
-		make depend
-		make
-		make INSTALL_PREFIX=$BUILDPATH/openssl_bin install_sw
+		make -j 4
+		make DESTDIR=$BUILDPATH/openssl_bin install_sw
+		if test -n "${BUILD_ARM}"; then
+			make clean
+			MACHINE=arm64 KERNEL_BITS=64 ./config no-shared --prefix=$PREFIX
+			make -j 4
+			make DESTDIR=$BUILDPATH/openssl_arm64 install_sw
+			lipo -create $BUILDPATH/openssl_arm64/$PREFIX/lib/libcrypto.a $BUILDPATH/openssl_bin/$PREFIX/lib/libcrypto.a -output libcrypto.a
+			lipo -create $BUILDPATH/openssl_arm64/$PREFIX/lib/libssl.a $BUILDPATH/openssl_bin/$PREFIX/lib/libssl.a -output libssl.a
+			mv libcrypto.a $BUILDPATH/openssl_bin/$PREFIX/lib/libcrypto.a
+			mv libssl.a $BUILDPATH/openssl_bin/$PREFIX/lib/libssl.a
+		fi
 		cd ..
 	fi
 	export OPENSSL_CFLAGS="`env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin pkg-config --static --cflags libcrypto`"
 	export OPENSSL_LIBS="`  env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin pkg-config --static --libs   libcrypto`"
 fi
 
+# Locate the latest OSX SDK
+SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
+export CFLAGS="$CFLAGS -isysroot $SDK_PATH"
+
+if test -n "${BUILD_ARM}"; then
+	export CFLAGS="$CFLAGS -arch x86_64 -arch arm64"
+	export LDFLAGS="$LDFLAGS -arch x86_64 -arch arm64"
+fi
+export OBJCFLAGS=$CFLAGS
+
 if ! test -e $BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig; then
 	if ! test -e openpace; then
-		git clone --depth=1 https://github.com/frankmorgner/openpace.git
+		git clone --depth=1 https://github.com/frankmorgner/openpace.git -b 1.1.1
 	fi
 	cd openpace
 	autoreconf -vis
-	./configure --disable-shared --prefix=$PREFIX CRYPTO_CFLAGS="$OPENSSL_CFLAGS" CRYPTO_LIBS="$OPENSSL_LIBS"
+	./configure --disable-shared --prefix=$PREFIX CRYPTO_CFLAGS="$OPENSSL_CFLAGS" CRYPTO_LIBS="$OPENSSL_LIBS" HELP2MAN=/usr/bin/true
+	touch src/cvc-create.1 src/cvc-print.1
 	make DESTDIR=$BUILDPATH/openpace_bin install
 	cd ..
-	export OPENPACE_CFLAGS="`env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig:$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --cflags libeac` $OPENSSL_CFLAGS"
-	export OPENPACE_LIBS="`  env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig:$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --libs   libeac` $OPENSSL_LIBS"
 fi
+export OPENPACE_CFLAGS="`env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig:$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --cflags libeac` $OPENSSL_CFLAGS"
+export OPENPACE_LIBS="`  env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig:$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --libs   libeac` $OPENSSL_LIBS"
 
 if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 	./configure --prefix=$PREFIX \
 		--sysconfdir=$PREFIX/etc \
 		--enable-cvcdir=$PREFIX/etc/cvc \
 		--enable-x509dir=$PREFIX/etc/x509 \
-		$ENABLE_CRYPTOTOKENKIT \
-		--disable-notify \
+		--enable-openssl-secure-malloc=65536 \
 		--disable-dependency-tracking \
 		--enable-shared \
 		--enable-static \
@@ -82,7 +92,7 @@ if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 	make clean
 
 	# compile
-	make -j 2
+	make -j 4
 
 	# copy files
 	rm -rf ${BUILDPATH}/target
@@ -96,7 +106,25 @@ if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 	./MacOSX/libtool-bundle ${BUILDPATH}/target/$PREFIX/lib/opensc-pkcs11.so ${BUILDPATH}/target/$PREFIX/lib
 fi
 
-if test -z "$ENABLE_CRYPTOTOKENKIT"; then
+
+if ! test -e NotificationProxy; then
+	git clone http://github.com/frankmorgner/NotificationProxy.git
+fi
+if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
+	xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ \
+		CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
+else
+	xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
+fi
+mkdir -p "$BUILDPATH/target/Applications/Utilities"
+osacompile -o "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
+if test -n "${CODE_SIGN_IDENTITY}"; then
+	codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_applescripts.entitlements --deep --timestamp --options runtime "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app"
+fi
+
+
+# Build OpenSC.tokend when XCode version < 10
+if (( $(xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)(\.[0-9]*)*/\1/p') < 10 )); then
 	# Check out OpenSC.tokend, if not already fetched.
 	if ! test -e OpenSC.tokend; then
 		git clone http://github.com/OpenSC/OpenSC.tokend.git
@@ -106,57 +134,110 @@ if test -z "$ENABLE_CRYPTOTOKENKIT"; then
 	test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src
 
 	# Build and copy OpenSC.tokend
-	xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target
-
-	#if ! test -e $BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/Applications/terminal-notifier.app; then
-		#if ! test -e terminal-notifier-1.7.1.zip; then
-			#curl -L https://github.com/julienXX/terminal-notifier/releases/download/1.7.1/terminal-notifier-1.7.1.zip > terminal-notifier-1.7.1.zip
-		#fi
-		#if ! test -e terminal-notifier-1.7.1; then
-			#unzip terminal-notifier-1.7.1.zip
-		#fi
-		#mkdir -p $BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/Applications
-		#cp -r terminal-notifier-1.7.1/terminal-notifier.app $BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/Applications
-	#fi
-
-	if ! test -e NotificationProxy; then
-		git clone http://github.com/frankmorgner/NotificationProxy.git
+	if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
+		xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend \
+		CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
+	else
+		xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
 	fi
-	xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/
-	mkdir -p "$BUILDPATH/target/Applications"
-	osacompile -o "$BUILDPATH/target/Applications/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
+
+	TOKEND="-tokend"
 else
-	# Check out OpenSCToken, if not already fetched.
-	if ! test -e OpenSCToken; then
-		git clone http://github.com/frankmorgner/OpenSCToken.git
-	fi
-
-	# Build and copy OpenSCTokenApp
-	xcodebuild -target OpenSCTokenApp -configuration Release -project OpenSCToken/OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target
-
-	codesign --sign "$SIGNING_IDENTITY" --force --entitlements MacOSX/opensc.entitlements target/Library/OpenSC/bin/*
-	codesign --sign "$SIGNING_IDENTITY" --force --entitlements MacOSX/opensc.entitlements target/Library/OpenSC/lib/*.dylib
-	codesign --sign "$SIGNING_IDENTITY" --force --entitlements MacOSX/opensc.entitlements --deep target/Library/OpenSC/lib/opensc-pkcs11.bundle
+	# https://github.com/OpenSC/OpenSC.tokend/issues/33
+	mkdir -p ${BUILDPATH}/target_tokend
+	TOKEND=""
 fi
 
+#if ! test -e $BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/Applications/terminal-notifier.app; then
+	#if ! test -e terminal-notifier-1.7.1.zip; then
+		#curl -L https://github.com/julienXX/terminal-notifier/releases/download/1.7.1/terminal-notifier-1.7.1.zip > terminal-notifier-1.7.1.zip
+	#fi
+	#if ! test -e terminal-notifier-1.7.1; then
+		#unzip terminal-notifier-1.7.1.zip
+	#fi
+	#mkdir -p $BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/Applications
+	#cp -r terminal-notifier-1.7.1/terminal-notifier.app $BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/Applications
+#fi
+
 imagedir=$(mktemp -d)
 
 # Prepare target root
 mkdir -p ${BUILDPATH}/target/usr/local/bin
 cp MacOSX/opensc-uninstall ${BUILDPATH}/target/usr/local/bin
 
+# Prepare startup root
+mkdir -p ${BUILDPATH}/target_startup/Library/LaunchAgents
+cp src/tools/org.opensc-project.mac.pkcs11-register.plist ${BUILDPATH}/target_startup/Library/LaunchAgents
+cp src/tools/org.opensc-project.mac.opensc-notify.plist   ${BUILDPATH}/target_startup/Library/LaunchAgents
+
+# Build OpenSCToken if possible
+if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
+	cd OpenSCToken
+	# make sure OpenSCToken builds with the same dependencies as before
+	if ! test -e OpenSC; then
+		git clone --depth=1 file://$PWD/../../OpenSC
+	else
+		cd OpenSC && git pull && cd ..
+	fi
+	mkdir -p build
+	if ! test -e build/openssl; then
+		# build/openssl/lib/libcrypto.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl
+		# in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above
+	fi
+	if ! test -e build/openpace; then
+		# build/openpace/lib/libeac.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace
+		# in OpenSCToken's variant of OpenSC we still use OpenPACE flags from above
+	fi
+	BP=${BUILDPATH}
+	. ./bootstrap
+	BUILDPATH=${BP}
+	xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token \
+		CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
+	cd ..
+
+	COMPONENT_TOKEN="--component-plist MacOSX/target_token.plist"
+else
+	# if no OpenSCToken is checked out, then we create a dummy package
+	mkdir -p ${BUILDPATH}/target_token
+fi
+
+if test -n "${CODE_SIGN_IDENTITY}"; then
+	for d in ${BUILDPATH}/target/Library/OpenSC/bin ${BUILDPATH}/target/Library/OpenSC/lib
+	do
+		# find executable files and run codesign on them
+		find ${d} -type f -perm +111 -print -exec \
+			codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_binaries.entitlements --deep --timestamp --options runtime {} \;
+	done
+fi
+
+
 # Build package
-pkgbuild --root ${BUILDPATH}/target --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg
+pkgbuild --root ${BUILDPATH}/target --component-plist MacOSX/target.plist --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg
+pkgbuild --root ${BUILDPATH}/target_tokend --component-plist MacOSX/target_tokend.plist --identifier org.opensc-project.tokend --version @PACKAGE_VERSION@ --install-location / OpenSC-tokend.pkg
+pkgbuild --root ${BUILDPATH}/target_token $COMPONENT_TOKEN --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg
+pkgbuild --root ${BUILDPATH}/target_startup --component-plist MacOSX/target_startup.plist --identifier org.opensc-project.startup --version @PACKAGE_VERSION@ --install-location / OpenSC-startup.pkg
+
 # Build product
 productbuild --distribution MacOSX/Distribution.xml --package-path . --resources MacOSX/resources "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg"
 
+# Sign installer
+if test -n "${INSTALLER_SIGN_IDENTITY}"; then
+	productsign --sign "${INSTALLER_SIGN_IDENTITY}" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg" "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg"
+	mv "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg"
+fi
+
 # Build "Uninstaller"
 osacompile -o "${imagedir}/OpenSC Uninstaller.app" "MacOSX/OpenSC_Uninstaller.applescript"
+if test -n "${CODE_SIGN_IDENTITY}"; then
+	codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_applescripts.entitlements --deep --timestamp --options runtime "${imagedir}/OpenSC Uninstaller.app"
+fi
 
 # Create .dmg
-rm -f OpenSC-@PACKAGE_VERSION@.dmg
+rm -f OpenSC-@PACKAGE_VERSION@$TOKEND.dmg
 i=0
-while ! hdiutil create -srcfolder "${imagedir}" -volname "@PACKAGE_NAME@" OpenSC-@PACKAGE_VERSION@.dmg
+while ! hdiutil create -srcfolder "${imagedir}" -volname "@PACKAGE_NAME@" -fs JHFS+ OpenSC-@PACKAGE_VERSION@$TOKEND.dmg
 do
 	i=$[$i+1]
 	if [ $i -gt 2 ]
@@ -165,3 +246,6 @@ do
 	fi
 done
 rm -rf ${imagedir}
+
+#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then xcrun altool --notarize-app --file $(pwd)/vorteil_darwin-x86.dmg --username $OSX_NOTARIZE_USERNAME --primary-bundle-id com.vorteil.cli -p $OSX_NOTARIZE_PW -- >> /dev/null; fi;
+#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then for ((i=1;i<=30;i+=1)); do xcrun stapler staple $(pwd)/vorteil_darwin-x86.dmg >> /dev/null; if [ $? = 65 ]; then echo "Waiting for notarization to complete..." && sleep 10; fi; done; fi;

MacOSX/opensc-uninstall

@@ -6,9 +6,19 @@ if [ "$(id -u)" != "0" ]; then
    exit 1
 fi
 
-# Remove symlinks to commands
-for file in /Library/OpenSC/bin/*; do
-	test -L "/usr/local/bin/$(basename $file)" && rm -f "/usr/local/bin/$(basename $file)"
+pluginkit -r -i org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken
+
+for f in \
+	/Library/OpenSC/bin/* \
+	/Library/OpenSC/etc/bash_completion.d/* \
+	/Library/OpenSC/share/doc/opensc \
+	/Library/OpenSC/share/man/man1/* \
+	/Library/OpenSC/share/man/man5/*
+do
+	a=/Library/OpenSC
+	b=/usr/local
+	l="${f/$a/$b}"
+	test -L "$l" && rm -f "$l"
 done
 
 # Remove pkcs11 libraries
@@ -16,20 +26,25 @@ rm -f /usr/local/lib/opensc-pkcs11.so
 rm -f /usr/local/lib/onepin-opensc-pkcs11.so
 
 # Remove installed files
+rm -rf /Applications/OpenSCTokenApp.app
 rm -rf "/Applications/OpenSC Notify.app"
+rm -rf /Applications/Utilities/OpenSCTokenApp.app
+rm -rf "/Applications/Utilities/OpenSC Notify.app"
 rm -rf /Library/OpenSC
 rm -rf /Library/Security/tokend/OpenSC.tokend
+rm -f  /Library/LaunchAgents/pkcs11-register.plist
+rm -f  /Library/LaunchAgents/opensc-notify.plist
 rm -rf /System/Library/Security/tokend/OpenSC.tokend
 
-if [ -e "/Library/OpenSC/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex" ]
-then
-	pluginkit -r /Library/OpenSC/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex
-fi
+# Unload launchagents
+launchctl remove pkcs11-register
+launchctl remove opensc-notify
 
 # delete receipts on 10.6+
-for file in /var/db/receipts/org.opensc-project.mac.bom /var/db/receipts/org.opensc-project.mac.plist; do
-	test -f $file && rm -f $file
-done
+pkgutil --forget org.opensc-project.mac             > /dev/null 2>/dev/null
+pkgutil --forget org.opensc-project.tokend          > /dev/null 2>/dev/null
+pkgutil --forget org.opensc-project.mac.opensctoken > /dev/null 2>/dev/null
+pkgutil --forget org.opensc-project.startup         > /dev/null 2>/dev/null
 
 # remove this script
 rm -f /usr/local/bin/opensc-uninstall

MacOSX/scripts/postinstall

@@ -1,26 +1,63 @@
 #!/bin/bash
 
-cp /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so
-cp /Library/OpenSC/lib/onepin-opensc-pkcs11.so /usr/local/lib/onepin-opensc-pkcs11.so
-if [ -e "/Library/OpenSC/etc/opensc.conf.md5" ]
-then
-	read cs_fromfile file < "/Library/OpenSC/etc/opensc.conf.md5"
-	cs_calculated=$( md5 -q "/Library/OpenSC/etc/opensc.conf")
-	if [ "$cs_fromfile" = "$cs_calculated" ]
-	then
-		mv /Library/OpenSC/etc/opensc.conf.orig /Library/OpenSC/etc/opensc.conf
-		md5 -r /Library/OpenSC/etc/opensc.conf  > /Library/OpenSC/etc/opensc.conf.md5
-	fi
-else
-	mv /Library/OpenSC/etc/opensc.conf.orig /Library/OpenSC/etc/opensc.conf
-	md5 -r /Library/OpenSC/etc/opensc.conf  > /Library/OpenSC/etc/opensc.conf.md5
-fi
-for f in /Library/OpenSC/bin/*
-do
-	ln -sf $f /usr/local/bin
+# copy libs to /usr/local/lib
+cp /Library/OpenSC/lib/opensc-pkcs11.so \
+  /Library/OpenSC/lib/onepin-opensc-pkcs11.so \
+  /usr/local/lib/
+
+# install opensc.conf if it hasn't been locally modified
+# shellcheck disable=SC2043
+for f in /Library/OpenSC/etc/opensc.conf; do
+  if [ -e "${f}.md5" ]; then
+    read -r cs_fromfile _ < "${f}.md5"
+    cs_calculated="$(md5 -q "${f}")"
+    if [ "$cs_fromfile" != "$cs_calculated" ]; then
+      echo "config ${f} was locally modified since last install, skipping" 2>&1
+      continue
+    fi
+  fi
+  cp "${f}.orig" "$f"
+  md5 -r "$f"  >"${f}.md5"
 done
-if [ -e "/Library/OpenSC/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex" ]
-then
-	pluginkit -a /Library/OpenSC/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex
-fi
+
+# symlink other files to /usr/local
+for f in \
+  /Library/OpenSC/bin/* \
+  /Library/OpenSC/etc/bash_completion.d/* \
+  /Library/OpenSC/share/doc/*
+do
+  [ -e "$f" ] || continue # keep this or set "shopt -s nullglob"
+  a=/Library/OpenSC
+  b=/usr/local
+  l="${f/$a/$b}" # parameter expansion, returns $f where $a is replaced by $b
+  mkdir -p "$(dirname "$l")"
+  ln -sf "$f" "$l"
+done
+
+# correct past issue where a literal shell glob character was symlinked
+# e.g. /usr/local/share/man/man1/* -> /Library/OpenSC/share/man/man1/*
+# maybe remove this step post 2022?
+for f in \
+  '/usr/local/share/man/man1/*' \
+  '/usr/local/share/man/man5/*'
+do
+  [ -L "$f" ] || continue # skip unless $f is a symlink
+  t="$(readlink "$f")"
+  [ -e "$t" ] && continue # skip if the symlink target actually exists
+  a=/usr/local
+  b=/Library/OpenSC
+  [ "$t" = "${f/$a/$b}" ] || continue # skip unless the target is in the corresponding /Library/OpenSC subdirectory
+  # we can now assume that we originally made $f and can safely remove it
+  unlink "$f"
+done
+
+# register the launch agents
+for f in \
+  /Library/LaunchAgents/org.opensc-project.mac.pkcs11-register.plist \
+  /Library/LaunchAgents/org.opensc-project.mac.opensc-notify.plist
+do
+  [ -e "$f" ] || continue
+  /bin/launchctl asuser "$(id -u "$USER")" /bin/launchctl load "$f" || true
+done
+
 exit 0

MacOSX/target.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+	<dict>
+		<key>BundleHasStrictIdentifier</key>
+		<true/>
+		<key>BundleIsRelocatable</key>
+		<false/>
+		<key>BundleIsVersionChecked</key>
+		<true/>
+		<key>BundleOverwriteAction</key>
+		<string>upgrade</string>
+		<key>RootRelativeBundlePath</key>
+		<string>Library/OpenSC/Applications/NotificationProxy.app</string>
+	</dict>
+</array>
+</plist>

MacOSX/target_startup.plist

@@ -1,8 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-<dict>
-    <key>com.apple.security.smartcard</key>
-    <true/>
-</dict>
+<array/>
 </plist>

MacOSX/target_token.plist

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+	<dict>
+		<key>BundleHasStrictIdentifier</key>
+		<true/>
+		<key>BundleIsRelocatable</key>
+		<false/>
+		<key>BundleIsVersionChecked</key>
+		<true/>
+		<key>BundleOverwriteAction</key>
+		<string>upgrade</string>
+		<key>ChildBundles</key>
+		<array>
+			<dict>
+				<key>BundleOverwriteAction</key>
+				<string></string>
+				<key>RootRelativeBundlePath</key>
+				<string>Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex</string>
+			</dict>
+		</array>
+		<key>RootRelativeBundlePath</key>
+		<string>Applications/Utilities/OpenSCTokenApp.app</string>
+	</dict>
+</array>
+</plist>

MacOSX/target_tokend.plist

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array/>
+</plist>

Makefile.am

@@ -13,12 +13,12 @@ MAINTAINERCLEANFILES = \
 	$(srcdir)/packaged
 EXTRA_DIST = Makefile.mak
 
-SUBDIRS = etc src win32 doc MacOSX
+DISTCHECK_CONFIGURE_FLAGS = --with-completiondir=/tmp
+
+SUBDIRS = etc src win32 doc MacOSX tests
 
 dist_noinst_SCRIPTS = bootstrap bootstrap.ci
 dist_noinst_DATA = README \
-	solaris/Makefile solaris/README solaris/checkinstall.in \
-	solaris/opensc.conf-dist solaris/pkginfo.in solaris/proto \
 	packaging/debian.templates/changelog \
 	packaging/debian.templates/compat \
 	packaging/debian.templates/control \
@@ -28,6 +28,10 @@ dist_noinst_DATA = README \
 	packaging/debian.templates/rules
 dist_doc_DATA = NEWS
 
+include $(top_srcdir)/aminclude_static.am
+clean-local: code-coverage-clean
+distclean-local: code-coverage-dist-clean
+
 Generate-ChangeLog:
 	rm -f ChangeLog.tmp "$(srcdir)/ChangeLog"
 	test -n "$(GIT)"

Makefile.mak

@@ -2,5 +2,19 @@ SUBDIRS = etc win32 src
 
 default: all
 
+32:
+	CALL "C:\Program Files\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86
+	$(MAKE) /f Makefile.mak opensc.msi PLATFORM=x86 OPENPACE_DIR=C:\openpace-Win32_1.0.2
+	MOVE win32\OpenSC.msi OpenSC_win32.msi
+
+64:
+	CALL "C:\Program Files\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86_amd64
+	$(MAKE) /f Makefile.mak opensc.msi OPENPACE_DIR=C:\openpace-Win64_1.0.2
+	MOVE win32\OpenSC.msi OpenSC_win64.msi
+
+opensc.msi:
+	$(MAKE) /f Makefile.mak all OPENSSL_DEF=/DENABLE_OPENSSL OPENPACE_DEF=/DENABLE_OPENPACE"
+	@cmd /c "cd win32 && $(MAKE) /nologo /f Makefile.mak opensc.msi OPENSSL_DEF=/DENABLE_OPENSSL OPENPACE_DEF=/DENABLE_OPENPACE"
+
 all clean::
 	@for %i in ( $(SUBDIRS) ) do @cmd /c "cd %i && $(MAKE) /nologo /f Makefile.mak $@"

NEWS

@@ -1,5 +1,417 @@
 NEWS for OpenSC -- History of user visible changes
 
+# New in 0.22.0; 2021-08-10
+## General improvements
+ * Use standard paths for file cache on Linux (#2148) and OSX (#2214)
+ * Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
+ * Add threading test to `pkcs11-tool` (#2067)
+ * Add support to generate generic secret keys (#2140)
+ * `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
+ * Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179).
+ * Support for gcc11 and its new strict aliasing rules (#2241, #2260)
+ * Initial support for building with OpenSSL 3.0 (#2343)
+ * pkcs15-tool: Write data objects in binary mode (#2324)
+ * Avoid limited size of log messages (#2352)
+## PKCS#11
+ * Support for ECDSA verification (#2211)
+ * Support for ECDSA with different SHA hashes (#2190)
+ * Prevent issues in p11-kit by not returning unexpected return codes (#2207)
+ * Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
+ * Standardize the version 2 on 2.20 in the code (#2096)
+ * Fix CKA_MODIFIABLE and CKA_EXTRACTABLE  (#2176)
+ * Copy arguments of C_Initialize (#2350)
+## Minidriver
+ * Fix RSA-PSS signing (#2234)
+## OpenPGP
+ * Fix DO deletion (#2215)
+ * Add support for (X)EdDSA keys (#1960)
+## IDPrime
+ * Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
+ * Add support for applet version 4 (#2332)
+## MyEID
+ * New configuration option for opensc.conf to disable pkcs1_padding (#2193)
+ * Add support for ECDSA with different hashes (#2190)
+ * Enable more mechanisms (#2178)
+ * Fixed asking for a user pin when formatting a card (#1737)
+## IAS/ECC
+ * Added support for French CPx Healthcare cards (#2217)
+## CardOS
+ * Added ATR for new CardOS 5.4 version (#2296)
+
+# New in 0.21.0; 2020-11-24
+## General Improvements
+* fixed security problems
+  * CVE-2020-26570 (6903aebfddc466d966c7b865fae34572bf3ed23e)
+  * CVE-2020-26571
+  * CVE-2020-26572 (9d294de90d1cc66956389856e60b6944b27b4817)
+* Bump minimal required OpenSSL version to 1.0.1 (#1658)
+* Implement basic unit tests for asn1 library, compression and simpletlv parser (#1830)
+* Allow generating code coverage
+* Improve fuzzing by providing corpus from real cards (#1830)
+* Implement support for OAEP encryption
+* New separate debug level for PIN commands (d06f23e8)
+* Fix handling of card/reader insertion/removal events in pcscd
+* Many bugfixes reported by oss-fuzz, coverity and lgtm.com
+* Fixes of removed readers handling (#1970)
+* Fix Firefox crash because of invalid pcsc context (#2077)
+## PKCS#11
+* Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards (#2030)
+* Propagate ignore_user_content to PKCS#11 layer not to confuse applications (#2040)
+## Minidriver
+* Fix check of ATR length (2-to 33 characters inclusive) (#2146)
+## MacOS
+* Add installer signing for PR and master
+* Avoid app bundle relocations after installation
+* Move OpenSC to MacOS Utilities folder (#2063)
+## OpenSC tools
+### pkcs11-tool
+* Make SHA256 default for OAEP encryption
+* pkcs11-tool: allow using SW tokens (#2113)
+### opensc-explorer
+* `asn1` accepts offsets and decode records (#2090)
+* `cat` accepts records (#2090)
+## OpenPGP
+* Add new ec curves supported by GNUK (#1853)
+* First steps supporting OpenPGP 3.4
+* Add support for EC key import (#1821)
+## Rutoken
+* Add ATR for Rutoken ECP SC NFC (#2122)
+## CardOS
+* Improve detection of various CardOS 5 configurations (#1987)
+## DNIe
+* Add new DNIe CA structure for the secure channel (#2109)
+## ePass2003
+* Improve ECC support (#1859)
+* Fixed erase sequence (#2097)
+## IAS-ECC (#2070):
+* Fixed support for Idemia Cosmo cards with AWP middleware interoperability (previously broken).
+* Added support for Idemia Cosmo v8 cards.
+* PIN padding settings are now used from PKCS#15 info when available.
+* Added PIN-pad support for PIN unblock.
+## IDPrime
+* New driver for Gemalto IDPrime (only some types) (#1772)
+## eDo
+* New driver with initial support for Polish eID card (e-dowód, eDO) (#2023)
+## MCRD
+* Remove unused and broken RSA EstEID support (#2095)
+## TCOS
+* Add missing encryption certificates (#2083)
+## PIV
+* Add ATR of DOD Yubikey (#2115)
+* fixed PIV global pin bug (#2142)
+## CAC1
+* Support changing PIN with CAC Alt tokens (#2129)
+
+# New in 0.20.0; 2019-12-29
+## General Improvements
+* fixed security problems
+    * CVE-2019-6502 (#1586)
+    * CVE-2019-15946 (a3fc769)
+    * CVE-2019-15945 (412a614)
+    * CVE-2019-19480 (6ce6152284c47ba9b1d4fe8ff9d2e6a3f5ee02c7)
+    * CVE-2019-19481 (b75c002cfb1fd61cd20ec938ff4937d7b1a94278)
+    * CVE-2019-19479 (c3f23b836e5a1766c36617fe1da30d22f7b63de2)
+* Support RSA-PSS signature mechanisms using RSA-RAW (#1435)
+* Added memory locking for secrets (#1491)
+* added support for terminal colors (#1534)
+* PC/SC driver: Fixed error handling in case of changing (#1537) or removing the card reader (#1615)
+* macOS installer
+    * Add installer option to deselect tokend (#1607)
+    * Make OpenSCToken available on 10.12+ and the default on 10.15+ (2017626ed237dbdd4683a4b9410fc610618200c5)
+* Configuration
+    * rename `md_read_only` to `read_only` and use it for PKCS#11 and Minidriver (#1467)
+    * allow global use of ignore_private_certificate (#1623)
+* Build Environment
+    * Bump openssl requirement to 0.9.8 (##1459)
+    * Added support for fuzzing with AFL (#1580) and libFuzzer/OSS-Fuzz (#1697)
+    * Added CI tests for simulating GIDS, OpenPGP, PIV, IsoApplet (#1568) and MyEID (#1677) and CAC (#1757)
+    * Integrate clang-tidy with `make check` (#1673)
+    * Added support for reproducible builds (#1839)
+## PKCS#11
+* Implement write protection (CKF_WRITE_PROTECTED) based on the card profile (#1467)
+* Added C_WrapKey and C_UnwrapKey implementations (#1393)
+* Handle CKA_ALWAYS_AUTHENTICATE when creating key objects. (#1539)
+* Truncate long PKCS#11 labels with ... (#1629)
+* Fixed recognition of a token when being unplugged and reinserted (#1875)
+## Minidriver
+* Register for CardOS5 cards (#1750)
+* Add support for RSA-PSS (263b945)
+## OpenSC tools
+* Harmonize the use of option `-r`/`--reader` (#1548)
+* `goid-tool`: GoID personalization with fingerprint
+* `openpgp-tool`
+    * replace the options `-L`/` --key-length` with `-t`/`--key-type` (#1508)
+    * added options `-C`/`--card-info` and `-K`/`--key-info` (#1508)
+* `opensc-explorer`
+    * add command `pin_info` (#1487)
+    * extend `random` to allow writing to a file (#1487)
+* `opensc-minidriver-test.exe`: Tests for Microsoft CryptoAPI (#1510)
+* `opensc-notify`: Autostart on Windows
+* `pkcs11-register`:
+    * Auto-configuration of applications for use of OpenSC PKCS#11 (#1644)
+    * Autostart on Windows, macOS and Linux (#1644)
+* `opensc-tool`: Show ATR also for cards not recognized by OpenSC (#1625)
+* `pkcs11-spy`:
+    * parse CKM_AES_GCM
+    * Add support for CKA_OTP_* and CKM_*_PSS values
+    * parse EC Derive parameters (#1677)
+* `pkcs11-tool`
+    * Support for signature verification via `--verify` (#1435)
+    * Add object type `secrkey` for `--type` option (#1575)
+    * Implement Secret Key write object (#1648)
+    * Add GOSTR3410-2012 support (#1654)
+    * Add support for testing CKM_RSA_PKCS_OAEP (#1600)
+    * Add extractable option to key import (#1674)
+    * list more key access flags when listing keys (#1653)
+    * Add support for `CKA_ALLOWED_MECHANISMS` when creating new objects and listing keys (#1628)
+* `pkcs15-crypt`: * Handle keys with user consent (#1529)
+## CAC1
+New separate CAC1 driver using the old CAC specification (#1502)
+## CardOS
+* Add support for 4K RSA keys in CardOS 5 (#1776)
+* Fixed decryption with CardOS 5 (#1867)
+## Coolkey
+* Enable CoolKey driver to handle 2048-bit keys. (#1532)
+## EstEID
+* adds support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 (#1635)
+## GIDS
+* GIDS Decipher fix (#1881)
+* Allow RSA 4K support (#1891)
+## MICARDO
+* Remove long expired EstEID 1.0/1.1 card support (#1470)
+## MyEID
+* Add support for unwrapping a secret key with an RSA key or secret key (#1393)
+* Add support for wrapping a secret key with a secret key (#1393)
+* Support for MyEID 4K RSA (#1657)
+* Support for OsEID (#1677).
+## Gemalto GemSafe
+* add new PTeID ATRs (#1683)
+* Add support for 4K RSA keys (#1863, #1872)
+## OpenPGP
+* OpenPGP Card v3 ECC support (#1506)
+## Rutoken
+* Add Rutoken ECP SC (#1652)
+* Add Rutoken Lite (#1728)
+## SC-HSM
+* Add SmartCard-HSM 4K ATR (#1681)
+* Add missing secp384r1 curve parameter (#1696)
+## Starcos
+* Fixed decipher with 2.3 (#1496)
+* Added ATR for 2nd gen. eGK (#1668)
+* Added new ATR for 3.5 (#1882)
+* Detect and allow Globalplatform PIN encoding (#1882)
+## TCOS
+* Fix TCOS IDKey support (#1880)
+* add encryption certificate for IDKey (#1892)
+## Infocamere, Postecert, Cnipa
+* Removed profiles (#1584)
+## ACS ACOS5
+* Remove incomplete acos5 driver (#1622).
+
+# New in 0.19.0; 2018-09-13
+## General Improvements
+* fixed multiple security problems (out of bound writes/reads, #1447):
+    * CVE-2018-16391
+    * CVE-2018-16392
+    * CVE-2018-16393
+    * CVE-2018-16418
+    * CVE-2018-16419
+    * CVE-2018-16420
+    * CVE-2018-16421
+    * CVE-2018-16422
+    * CVE-2018-16423
+    * CVE-2018-16424
+    * CVE-2018-16425
+    * CVE-2018-16426
+    * CVE-2018-16427
+* Improved documentation:
+    * New manual page for opensc.conf(5)
+    * Added several missing switches in manual pages and fixed formatting
+* Win32 installer:
+    * automatically start SCardSvr
+    * added newer OpenPGP ATRs
+* macOS installer: use HFS+ for backward compatibility
+* Remove outdated solaris files
+* PC/SC driver:
+    * Workaround OMNIKEY 3x21 and 6121 Smart Card Readers wrongly identified as pinpad readers in macOS
+* Workaround cards returning short signatures without leading zeroes
+* bash completion
+    * make location directory configurable
+    * Use a new correct path by default
+* build: support for libressl-2.7+
+* Configuration
+    * Distribute minimal opensc.conf
+    * `pkcs11_enable_InitToken made` global configuration option
+    * Modify behavior of `OPENSC_DRIVER` environment variable to restrict driver list instead of forcing one driver and skipping vital parts of configuration
+    * Removed configuration options `zero_ckaid_for_ca_certs`, `force_card_driver`, `reopen_debug_file`, `paranoid-memory`
+    * Generalized configuration option `ignored_readers`
+* If card initialization fails, continue card detection with other card drivers (#1251)
+* Fixed long term card operations on Windows 8 and later (#1043)
+* reader-pcsc: allow fixing the length of a PIN
+* fixed multithreading issue on Window with OpenPACE OIDs
+## PKCS#11
+* fixed crash during `C_WaitForSlotEvent` (#1335)
+## Minidriver
+* Allow cancelling the PIN pad prompt before starting the reader transaction. Whether to start the transaction immediately or not is user-configurable for each application
+## OpenSC tools
+* `opensc-notify`
+    * add Exit button to tray icon
+    * User better description (GenericName) and a generic application icon
+    * Do not display in the application list
+* `pkcs15-tool`
+    * added support for reading ECDSA ssh keys
+* `p11test`
+    *  Filter certificates other than `CKC_X_509`
+* `opengpg-tool`
+    * allow calling -d multiple times
+    * clarify usage text
+## sc-hsm
+* Implement RSA PSS
+* Add support for SmartCard-HSM 4K (V3.0)
+## CAC
+* Remove support for CAC1 cards
+* Ignore unknown tags in properties buffer
+* Use GET PROPERTIES to recognize buffer formats
+* Unbreak encoding last tag-len-value in the data objects
+* Support HID Alt tokens without CCC
+    * They present certificates in OIDs of first AID and use other undocumented applets
+    * Inspect the tokens through the ACA applet and GET ACR APDU
+## Coolkey
+* Unbreak Get Challenge functionality
+* Make uninitialized cards working as expected with ESC
+## OpenPGP
+* add serial number to card name
+* include detailed version into card name
+* define & set LCS (lifecycle support) as extended capability
+* extend manufacturer list in pkcs15-openpgp.c
+* correctly parse hist_bytes
+* Make deciphering with AUT-key possible for OpenPGP Card >v3.2 (fixes #1352)
+* Add supported algorithms for OpenPGP Card (Fixes #1432)
+## Starcos
+* added support for 2nd generation eGK (#1451)
+## CardOS
+* create PIN in MF (`pkcs15init`)
+##  German ID card
+* fixed identifying unknown card as German ID card (#1360)
+## PIV
+* Context Specific Login Using Pin Pad Reader Fix
+* Better Handling of Reset using Discovery Object
+
+# New in 0.18.0; 2018-05-16
+## General Improvements
+* PKCS#15
+    * fixed parsing ECC parameters from TokenInfo (#1134)
+    * Added PKCS#15 emulator for DIN 66291 profile
+    * Cope with empty serial number in TokenInfo
+* Build Environment
+    * Treat compiler warnings as errors (use `--disable-strict` to avoid)
+    * MacOS
+        * optionally use CTK in package builder
+        * fixed detection of OpenPACE package
+        * macOS High Sierra: fixed dmg creation
+        * fixed DNIe UI compatibility
+* Windows: Use Dedicated md/pkcs11 installation folders instead of installing to System32/SysWOW64
+* fixed (possible) memory leaks for PIV, JPKI, PKCS#11, Minidriver
+* fixed many issues reported via compiler warnings, coverity scan and clang's static analyzer
+* beautify printed ASN.1 data, add support for ASN.1 time types
+* SimpleTLV: Skip correctly two bytes after reading 2b size (#1231)
+* added support for `keep_alive` commands for cards with multiple applets to be enabled via `opensc.conf`
+* added support for bash completion for arguments that expect filenames
+* added keyword `old` for selecting `card_drivers` via `opensc.conf`
+* improved documentation manuals for OpenSC tools
+* use `leave` as default for `disconnect_action` for PC/SC readers
+## PKCS#11
+* Make OpenSC PKCS#11 Vendor Defined attributes, mechanisms etc unique
+## Minidriver
+* added CNS ATR (#1153)
+* Add multiple PINs support to minidriver
+* protect MD entry points with `CriticalSection`
+## Tokend
+* Configuration value for not propagating certificates that require user authentication (`ignore_private_certificate`)
+## CryptoTokenKit
+* Added support for PIN pad
+* fixed codesigning of opensc tools
+* Added complete support for system integration with https://github.com/frankmorgner/OpenSCToken
+## OpenSC Tools
+* `cardos-tool`
+    * List human-readable version for CardOS 5.3
+* `pkcs11-tool`
+    * fixed overwriting digestinfo + hash for RSA-PKCS Signature
+    * Enable support for RSA-PSS signatures in pkcs11-tool
+    * Add support for RSA-OAEP
+    * Fixed #1286
+    * Add missing pkcs11-tool options to man page
+    * allow mechanism to be specified in hexadecimal
+    * fixed default module path on Windows to use opensc-pkcs11.dll
+* `pkcs11-spy`
+    * Add support for RSA-OAEP
+    * Add support for RSA-PSS
+* `pkcs15init`
+    * Fix rutokenS FCP parsing (#1259)
+* `egk-tool`
+    * Read data from German Health Care Card (Elektronische Gesundheitskarte, eGK)
+* `opensc-asn1`
+    * Parse ASN.1 from files
+* `opensc-tool`/`opensc-explorer`
+    * Allow extended APDUs
+## Authentic
+* Correctly handle APDUs with more than 256 bytes (#1205)
+## Coolkey
+* Copy labels from certificate objects to the keys
+## Common Access Card
+* Fixed infinite reading of certificate
+* Added support for Alt token card
+## MyEID
+* support for RAW RSA signature for 2048 bit keys
+## IAS/ECC
+* Support for new MinInt agent card
+## PIV
+* Get cardholder name from the first certificate if token label not specified
+* implemented keep alive command (#1256)
+* fixed signature creation with `CKA_ALWAYS_AUTHENTICATE` (i.e. PKCS#11 `C_Login(CKU_CONTEXT_SPECIFIC)`)
+## CardOS
+* fixed card name for CardOS 5
+* added ATR `"3b:d2:18:00:81:31:fe:58:c9:02:17"`
+* Try forcing `max_send_size` for PSO:DEC
+## DNIe
+* DNIe: card also supports 1920 bits (#1247)
+## GIDS
+* Fix GIDS admin authentication
+## epass 3000
+* Add ECC support
+* Fix #1073
+* Fix #1115
+* Fix buffer underrun in decipher
+* Fix #1306
+## Starcos
+* added serial number for 3.4
+* fixed setting key reference for 3.4
+* added support for PIN status queries for 3.4
+## EstEID
+* ECDSA/ECDH token support
+* Fix crash when certificate read failed (#1176)
+* Cleanup expired EstEID card ATR-s
+* Fix reading EstEID certificates with T=0 (#1193)
+## OpenPGP
+* Added support for PIN logout and status
+* factory reset is possible if LCS is supported
+* Added support for OpenPGP card V3
+* fixed selecting Applet
+* implemented keep alive command
+* Retrieve OpenPGP applet version from OpenPGP applet on YubiKey token (#1262)
+## German ID card
+* fixed recognition of newer cards
+## SC-HSM
+* Don't block generic contactless ATR
+* changed default labels of GoID
+* added PIN commands for GoID 1.0
+## Starcos
+* Added Support for Starcos 3.4 and 3.5
+## MioCOS
+* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
+## BlueZ PKCS#15 applet
+* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
+
 # New in 0.17.0; 2017-07-18
 ## Support for new Cards
 * CAC (Common Access Card)
@@ -75,7 +487,7 @@ NEWS for OpenSC -- History of user visible changes
     * Fixed --id for `C_GenerateKey`, DES and DES3 keygen mechanism (#857)
     * Added `--derive-pass-der` option
     * Added `--generate-random` option
-    * Add GOSTR3410 keypair generation
+    * Add GOSTR3410 key pair generation
 * `npa-tool` (new)
     * Allows read/write access to EAC tokens
     * Allows PIN management for EAC tokens
@@ -180,7 +592,7 @@ New in 0.16.0; 2016-05-15
   first support for Gids smart card
 * dnie
 * Feitian PKI card
-  new ATRs 
+  new ATRs
 * IsoApplet
   (fixes)
 * starcos
@@ -203,7 +615,7 @@ New in 0.15.0; 2015-05-11
   allow extended length APDUs
   accept no output for 'SELECT' MF and 'SELECT' DF_NAME APDUs
   fixed sc_driver_version check
-  adjusted send/receive size accoriding to card capabilities
+  adjusted send/receive size according to card capabilities
   in iso7816 make SELECT agnosting to sc_path_t's aid
 * asn1
   support multi-bytes tags
@@ -323,7 +735,7 @@ New in 0.14.0; 2014-05-31
         ECC public key encoding
         ECC ecpointQ
 * pkcs15init
-    introduce 'max-unblocks' PIN init parameter 
+    introduce 'max-unblocks' PIN init parameter
     keep cert. blob in cert-info data
     file 'content' and 'prop-attrs' in the card profile
     in profile more AC operations are parsed
@@ -345,7 +757,7 @@ New in 0.14.0; 2014-05-31
     documentation for --list-token-slots
 * default driver
     do not send possibly arbitrary APDU-s to an unknown card.
-    by default 'default' card driver is disabled 
+    by default 'default' card driver is disabled
 * sc-hsm
     Added support for
         persistent EC public keys generated from certificate signing requests
@@ -383,7 +795,7 @@ New in 0.14.0; 2014-05-31
 * myeid
     fixed file-id in myeid.profile
 * entersafe
-    fix a bug when writing public key  
+    fix a bug when writing public key
 * EstEID
     match card only based on presence of application.
 * pteid
@@ -483,7 +895,7 @@ New in 0.12.0; 2010-12-22
   card initialized by Siemens software. Removed "--split-key" option,
   as it is no longer needed.
 * Improved debugging support: debug level 3 will show everything
-  except of ASN1 and card matching debugging (usualy not needed).
+  except of ASN1 and card matching debugging (usually not needed).
 * Massive changes to libopensc. This library is now internal, only
   used by opensc-pkcs11.so and command line tools. Header files are
   no longer installed, library should not be used by other applications.
@@ -498,7 +910,7 @@ New in 0.12.0; 2010-12-22
   certificate for card label.
 * Possibility to change the default behavior for card resets via
   opensc.conf.
- 
+
 New in 0.11.12; 2009-12-18; Andreas Jellinghaus
 * Document integer problem in OpenSC and implement workaround
 * Improve entersafe profile to support private data objects
@@ -529,12 +941,12 @@ New in 0.11.7; 2009-02-26; Andreas Jellinghaus
 New in 0.11.6; 2008-08-27; Andreas Jellinghaus
 * Improved security fix: don't match for "OpenSC" in the card label.
 * New support for Feitian ePass3000 by Weitao Sun.
-* GemSafeV1 improved to handle key_ref other than 3 by Douglas E. Engert 
+* GemSafeV1 improved to handle key_ref other than 3 by Douglas E. Engert
 
 New in 0.11.5; 2008-07-31; Andreas Jellinghaus
 * Apply security fix for cardos driver and extend pkcs15-tool to
   test cards for the security vulnerability and update them.
-* Build system rewritten (NOTICE: configure options was modified). 
+* Build system rewritten (NOTICE: configure options was modified).
   The build system can produce outputs for *NIX, cygwin and native
   windows (using mingw).
 * ruToken now supported.

README.md

@@ -4,4 +4,23 @@ Wiki is [available online](https://github.com/OpenSC/OpenSC/wiki)
 
 Please take a look at the documentation before trying to use OpenSC.
 
-[![Travis CI Build Status](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches) [![AppVeyor CI Build Status](https://ci.appveyor.com/api/projects/status/github/OpenSC/OpenSC?branch=master&svg=true)](https://ci.appveyor.com/project/LudovicRousseau/OpenSC/branch/master) [![Coverity Scan Status](https://scan.coverity.com/projects/4026/badge.svg)](https://scan.coverity.com/projects/4026)
+[![Linux build](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml)
+[![OSX build](https://github.com/OpenSC/OpenSC/actions/workflows/macos.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/macos.yml)
+[![AppVeyor CI Build Status](https://ci.appveyor.com/api/projects/status/github/OpenSC/OpenSC?branch=master&svg=true)](https://ci.appveyor.com/project/LudovicRousseau/OpenSC/branch/master)
+[![Coverity Scan Status](https://scan.coverity.com/projects/4026/badge.svg)](https://scan.coverity.com/projects/4026)
+[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/OpenSC/OpenSC.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/OpenSC/OpenSC/context:cpp)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/opensc.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:opensc)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3908/badge)](https://bestpractices.coreinfrastructure.org/projects/3908)
+
+Build and test status of specific cards:
+
+| Cards                                                               | Status                                                                                                                            |
+|---------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
+| CAC                                                                 | [![CAC](https://gitlab.com/redhat-crypto/OpenSC/badges/cac/pipeline.svg)](https://gitlab.com/redhat-crypto/OpenSC/pipelines)      |
+| [virt_CACard](https://github.com/Jakuje/virt_cacard)                | [![virt_CACard](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [Coolkey](https://github.com/dogtagpki/coolkey/tree/master/applet)  | [![Coolkey](https://gitlab.com/redhat-crypto/OpenSC/badges/coolkey/pipeline.svg)](https://gitlab.com/redhat-crypto/OpenSC/pipelines) |
+| [PivApplet](https://github.com/arekinath/PivApplet)                 | [![PIV](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [OpenPGP Applet](https://github.com/Yubico/ykneo-openpgp/)          | [![OpenPGP](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [GidsApplet](https://github.com/vletoux/GidsApplet/)                | [![GIDS](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [IsoApplet](https://github.com/philipWendland/IsoApplet/)           | [![IsoApplet](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [OsEID (MyEID)](https://sourceforge.net/projects/oseid/)            | [![OsEID (MyEID)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |

SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+OpenSC releases are made roughly once a year, unless important security is discovered.
+
+OpenSC does not release micro updates for previously released versions and does not
+backport security fixes into them.
+
+| Version  | Supported          |
+| -------- | ------------------ |
+| 0.20.0   | :white_check_mark: |
+| < 0.20.0 | :x:                |
+
+## Reporting a Vulnerability
+
+If you discovered security vulnerability in supported version of OpenSC,
+you can either fill an issue in [github](https://github.com/OpenSC/OpenSC/issues)
+(note, that these issues are public!) or you can send email to any recently active
+project developers frankmorgner(at)gmail.com, deengert(at)gmail.com and/or
+jakuje(at)gmail.com .
+
+You can expect update on the issue no later than in two weeks.

appveyor.yml

@@ -1,4 +1,4 @@
-version: 0.17.0.{build}
+version: 0.22.0.{build}
 
 platform:
   - x86
@@ -6,12 +6,26 @@ platform:
 
 configuration:
   - Release
-  - Light-Release
+  - Light
 
 environment:
+  GH_TOKEN:
+    secure: aLu3tFc7lRJbotnmnHLx/QruIHc5rLaGm1RttoEdy4QILlPXzVkCZ6loYMz0sfrY
+  PATH: C:\cygwin\bin;%PATH%
+  OPENPACE_VER: 1.1.1
+  ZLIB_VER_DOT: 1.2.11
   matrix:
-    - VSVER: 14
-    - VSVER: 12
+  # not compatible with OpenSSL 1.1.1:
+  # - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013
+  #   VCVARSALL: "%VS120COMNTOOLS%/../../VC/vcvarsall.bat"
+  - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
+    VCVARSALL: "%VS140COMNTOOLS%/../../VC/vcvarsall.bat"
+    DO_PUSH_ARTIFACT: yes
+  - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2017
+    VCVARSALL: "%ProgramFiles(x86)%/Microsoft Visual Studio/2017/Community/VC/Auxiliary/Build/vcvarsall.bat"
+  # not compatible with WiX 3.11.2:
+  # - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
+  #   VCVARSALL: "%ProgramFiles(x86)%/Microsoft Visual Studio/2019/Community/VC/Auxiliary/Build/vcvarsall.bat"
 
 install:
   - ps: if ($env:APPVEYOR_PULL_REQUEST_NUMBER -and $env:APPVEYOR_BUILD_NUMBER -ne ((Invoke-RestMethod `
@@ -19,23 +33,21 @@ install:
         Where-Object pullRequestId -eq $env:APPVEYOR_PULL_REQUEST_NUMBER)[0].buildNumber) { `
         throw "There are newer queued builds for this pull request, failing early." }
   - date /T & time /T
-  - set PATH=C:\cygwin\bin;%PATH%
-  - set OPENPACE_VER=1.0.3
-  - set ZLIB_VER_DOT=1.2.11
-  - ps: $env:PACKAGE_NAME=(git describe --tags)
+  - ps: $env:PACKAGE_NAME=(git describe --tags --abbrev=0)
   - ps: >-
       If ($env:Platform -Match "x86") {
-        $env:VCVARS_PLATFORM="x86"
         $env:OPENSSL_PF="Win32"
-        $env:ARTIFACT="OpenSC-win32_vs${env:VSVER}-${env:CONFIGURATION}"
+        $env:ARTIFACT="OpenSC-${env:PACKAGE_NAME}_win32"
       } Else {
-        $env:VCVARS_PLATFORM="amd64"
         $env:OPENSSL_PF="Win64"
-        $env:ARTIFACT="OpenSC-win64_vs${env:VSVER}-${env:CONFIGURATION}"
+        $env:ARTIFACT="OpenSC-${env:PACKAGE_NAME}_win64"
       }
   - ps: >-
-      If (!($env:Configuration -Like "*Light*")) {
-        $env:NMAKE_EXTRA="OPENSSL_DEF=/DENABLE_OPENSSL ${env:NMAKE_EXTRA}"
+      If ($env:Configuration -Like "*Light*") {
+        $env:ARTIFACT+="-Light"
+      } Else {
+        $env:NMAKE_EXTRA+=" OPENSSL_DEF=/DENABLE_OPENSSL OPENSSL_DIR=C:\OpenSSL-v111-${env:OPENSSL_PF}"
+        $env:NMAKE_EXTRA+=" OPENSSL_EXTRA_CFLAGS=/DOPENSSL_SECURE_MALLOC_SIZE=65536"
         If (!(Test-Path C:\zlib )) {
           appveyor DownloadFile "https://github.com/madler/zlib/archive/v${env:ZLIB_VER_DOT}.zip" -FileName zlib.zip
           7z x zlib.zip -oC:\
@@ -47,13 +59,12 @@ install:
           Rename-Item -path "c:\openpace-${env:OPENPACE_VER}" -newName "openpace"
         }
       }
-      If (!(Test-Path cngsdk.msi )) {
-          appveyor DownloadFile "http://download.microsoft.com/download/2/C/9/2C93059C-0532-42DF-8C24-9AEAFF00768E/cngsdk.msi"
+      If (!(Test-Path cpdksetup.exe )) {
+          appveyor DownloadFile "https://download.microsoft.com/download/1/7/6/176909B0-50F2-4DF3-B29B-830A17EA7E38/CPDK_RELEASE_UPDATE/cpdksetup.exe"
       }
-  - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
-  - echo "Using Visual Studio %VSVER%.0 at %VSCOMNTOOLS%"
-  - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
-  - cngsdk.msi /quiet
+  - echo "Using %APPVEYOR_BUILD_WORKER_IMAGE% with %VCVARSALL%"
+  - call "%VCVARSALL%" %Platform%
+  - cpdksetup.exe /quiet
   - uname -a
   - set
 
@@ -65,43 +76,49 @@ build_script:
           xcopy C:\zlib C:\zlib-${env:OPENSSL_PF} /e /i /y /s
           cd C:\zlib-${env:OPENSSL_PF}
           (Get-Content win32/Makefile.msc).replace('-MD', '-MT') | Set-Content win32/Makefile.msc
-          If ($env:Platform -Match "x86") {
-             nmake -f win32/Makefile.msc LOC="-DASMV -DASMINF" OBJA="inffas32.obj match686.obj" zlib.lib
-          } Else {
-             nmake -f win32/Makefile.msc AS=ml64 LOC="-DASMV -DASMINF -I." OBJA="inffasx64.obj gvmat64.obj inffas8664.obj" zlib.lib
-          }
+          nmake /nologo -f win32/Makefile.msc zlib.lib
         }
-        $env:NMAKE_EXTRA="ZLIBSTATIC_DEF=/DENABLE_ZLIB_STATIC ZLIB_INCL_DIR=/IC:\zlib-${env:OPENSSL_PF} ZLIB_LIB=C:\zlib-${env:OPENSSL_PF}\zlib.lib ${env:NMAKE_EXTRA}"
+        $env:NMAKE_EXTRA+=" ZLIBSTATIC_DEF=/DENABLE_ZLIB_STATIC ZLIB_INCL_DIR=/IC:\zlib-${env:OPENSSL_PF} ZLIB_LIB=C:\zlib-${env:OPENSSL_PF}\zlib.lib"
         If (!(Test-Path -Path "C:\openpace-${env:OPENSSL_PF}" )) {
           # build libeac.lib as a static library
           xcopy C:\openpace C:\openpace-${env:OPENSSL_PF} /e /i /y /s
           cd C:\openpace-${env:OPENSSL_PF}\src
           # OpenSSL 1.1.0
-          #cl /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /DHAVE_ASN1_STRING_GET0_DATA=1 /DHAVE_DECL_OPENSSL_ZALLOC=1 /DHAVE_DH_GET0_KEY=1 /DHAVE_DH_GET0_PQG=1 /DHAVE_DH_SET0_KEY=1 /DHAVE_DH_SET0_PQG=1 /DHAVE_ECDSA_SIG_GET0=1 /DHAVE_ECDSA_SIG_SET0=1 /DHAVE_EC_KEY_METHOD=1 /DHAVE_RSA_GET0_KEY=1 /DHAVE_RSA_SET0_KEY=1 /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
+          #cl /nologo /IC:\OpenSSL-v110-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /DHAVE_ASN1_STRING_GET0_DATA=1 /DHAVE_DECL_OPENSSL_ZALLOC=1 /DHAVE_DH_GET0_KEY=1 /DHAVE_DH_GET0_PQG=1 /DHAVE_DH_SET0_KEY=1 /DHAVE_DH_SET0_PQG=1 /DHAVE_ECDSA_SIG_GET0=1 /DHAVE_ECDSA_SIG_SET0=1 /DHAVE_EC_KEY_METHOD=1 /DHAVE_RSA_GET0_KEY=1 /DHAVE_RSA_SET0_KEY=1 /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
+          # OpenSSL 1.1.1
+          cl /nologo /IC:\OpenSSL-v111-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /DHAVE_ASN1_STRING_GET0_DATA=1 /DHAVE_DECL_OPENSSL_ZALLOC=1 /DHAVE_DH_GET0_KEY=1 /DHAVE_DH_GET0_PQG=1 /DHAVE_DH_SET0_KEY=1 /DHAVE_DH_SET0_PQG=1 /DHAVE_ECDSA_SIG_GET0=1 /DHAVE_ECDSA_SIG_SET0=1 /DHAVE_EC_KEY_METHOD=1 /DHAVE_RSA_GET0_KEY=1 /DHAVE_RSA_SET0_KEY=1 /DHAVE_EC_POINT_GET_AFFINE_COORDINATES=1 /DHAVE_EC_POINT_SET_AFFINE_COORDINATES=1 /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
           # OpenSSL 1.0.2
-          cl /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
-          lib /out:libeac.lib ca_lib.obj cv_cert.obj cvc_lookup.obj x509_lookup.obj eac_asn1.obj eac.obj eac_ca.obj eac_dh.obj eac_ecdh.obj eac_kdf.obj eac_lib.obj eac_print.obj eac_util.obj misc.obj pace.obj pace_lib.obj pace_mappings.obj ri.obj ri_lib.obj ta.obj ta_lib.obj objects.obj ssl_compat.obj
+          #cl /nologo /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
+          lib /nologo /out:libeac.lib ca_lib.obj cv_cert.obj cvc_lookup.obj x509_lookup.obj eac_asn1.obj eac.obj eac_ca.obj eac_dh.obj eac_ecdh.obj eac_kdf.obj eac_lib.obj eac_print.obj eac_util.obj misc.obj pace.obj pace_lib.obj pace_mappings.obj ri.obj ri_lib.obj ta.obj ta_lib.obj objects.obj ssl_compat.obj
           cd C:\projects\OpenSC
         }
-        $env:NMAKE_EXTRA="OPENPACE_DEF=/DENABLE_OPENPACE OPENPACE_DIR=C:\openpace-${env:OPENSSL_PF} ${env:NMAKE_EXTRA}"
+        $env:NMAKE_EXTRA+=" OPENPACE_DEF=/DENABLE_OPENPACE OPENPACE_DIR=C:\openpace-${env:OPENSSL_PF}"
       }
-  - bash -c "exec 0</dev/null && ./bootstrap"
+  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" == \"master\" -a -z \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap; fi"
+  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" == \"master\" -a -n \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap.ci -s \"-pr$APPVEYOR_PULL_REQUEST_NUMBER\"; fi"
+  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" != \"master\" -a -z \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap.ci -s \"-$APPVEYOR_REPO_BRANCH\"; fi"
+  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" != \"master\" -a -n \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap.ci -s \"-$APPVEYOR_REPO_BRANCH-prAPPVEYOR_PULL_REQUEST_NUMBER\"; fi"
   # disable features to speed up the script
-  - bash -c "exec 0</dev/null && ./configure --disable-openssl --disable-readline --disable-zlib || cat config.log"
-  - bash -c "make -C etc opensc.conf"
-  - cp win32/winconfig.h config.h
+  - bash -c "exec 0</dev/null && ./configure --with-cygwin-native --disable-openssl --disable-readline --disable-zlib || cat config.log"
+  - bash -c "exec 0</dev/null && rm src/getopt.h"
   - nmake /f Makefile.mak %NMAKE_EXTRA%
-  - cd win32 && nmake /f Makefile.mak %NMAKE_EXTRA% VSVER=%VSVER% OpenSC.msi
-  - move OpenSC.msi %ARTIFACT%.msi
-  - appveyor PushArtifact %ARTIFACT%.msi
+  - cd win32 && nmake /nologo /f Makefile.mak %NMAKE_EXTRA% OpenSC.msi && cd ..
+  - move win32\OpenSC.msi %ARTIFACT%.msi
   # put all pdb files for dump analysis, but this consumes approx 100 MB per build
   - md %ARTIFACT%-Debug
   - ps: >-
       Get-ChildItem -recurse C:\projects\OpenSC -exclude vc*.pdb *.pdb | % {
         7z a -tzip ${env:ARTIFACT}-Debug.zip $_.FullName
       }
+  - appveyor PushArtifact %ARTIFACT%.msi
   - appveyor PushArtifact %ARTIFACT%-Debug.zip
 
+deploy_script:
+  # keep in sync with .travis.yml
+  - bash -c "git config --global user.email 'no-reply@appveyor.com'"
+  - bash -c "git config --global user.name 'AppVeyor'"
+  - bash -c "if [ \"$DO_PUSH_ARTIFACT\" = yes -a -z \"$APPVEYOR_PULL_REQUEST_NUMBER\" -a \"$APPVEYOR_REPO_NAME\" = \"OpenSC/OpenSC\" ]; then .github/push_artifacts.sh \"AppVeyor build ${APPVEYOR_BUILD_NUMBER}.${APPVEYOR_JOB_NUMBER}\"; fi"
+
 cache:
   - C:\zlib -> appveyor.yml
   - C:\zlib-Win32 -> appveyor.yml
@@ -109,18 +126,4 @@ cache:
   - C:\openpace -> appveyor.yml
   - C:\openpace-Win32 -> appveyor.yml
   - C:\openpace-Win64 -> appveyor.yml
-  - cngsdk.msi -> appveyor.yml
-
-deploy:
-  - provider: GitHub
-    tag: $(APPVEYOR_REPO_TAG_NAME)
-    release: OpenSC-$(APPVEYOR_REPO_TAG_NAME)
-    description: 'release OpenSC $(APPVEYOR_REPO_TAG_NAME)'
-    auth_token:
-      secure: NGaTqWohBQa7fgE62rEm2sp9jkv6S9FRc3YEi3T5CpaoyIY6K89FJjqzaoPLr8vj
-    artifact: /OpenSC-.*\.msi/
-    draft: false
-    prerelease: true
-    on:
-      branch: /0.16.0-rc.*/		# here branch is release tag
-      appveyor_repo_tag: true  		# deploy on tag push only
+  - cpdksetup.exe -> appveyor.yml

bootstrap.ci

@@ -10,19 +10,12 @@ OPTIONS:
    -h      Show this message
    -s      Package suffix
    -S      Use package suffix as 'g' appended with the date of last commit
-   -r      Package version revision
-   -R      Use package version revision as Git commit number from 'git describe' result
-   -b      Package branch
-   -B      Use package branch as current Git branch
 EOF
 }
 
 
 SUFFIX=
-REVISION=
-VERBOSE=
-KEEPVERSION=
-while getopts “:hs:Sr:RK” OPTION
+while getopts “:hs:S” OPTION
 do
      case $OPTION in
          h)
@@ -35,12 +28,6 @@ do
          S)
              SUFFIX=g`git log -1 --pretty=fuller --date=iso | grep CommitDate: | sed -E 's/^CommitDate:\s(.*)/\1/' | sed -E 's/(.*)-(.*)-(.*) (.*):(.*):(.*)\s+.*/\1\2\3\4\5\6/'`
              ;;
-         r)
-             REVISION=$OPTARG
-             ;;
-         R)
-             REVISION=`git describe | perl -ne 'print $1 if /^[\.0-9]*-([0-9]*)-g[a-z0-9]*$/;'`
-             ;;
          ?)
              usage
              exit
@@ -49,31 +36,17 @@ do
 done
 
 set -e
-set -x
+
 if [ -f Makefile ]; then
   make distclean
 fi
 
 rm -rf *~ *.cache config.guess config.log config.status config.sub depcomp ltmain.sh version.m4.ci
 
-if [ -n "$SUFFIX" ] || [ -n "$REVISION" ]
+if [ -n "$SUFFIX" ]
 then
-    cp -a version.m4 version.m4.tmp
-
-    if [ -n "$SUFFIX" ]
-    then
-        echo Set package suffix "$SUFFIX"
-        sed 's/^define(\[PACKAGE_SUFFIX\],\s*\[\([-~]*[0-9a-zA-Z]*\)\])$/define(\[PACKAGE_SUFFIX\], \['$SUFFIX'\])/g' version.m4.tmp > version.m4.ci
-        cp version.m4.ci version.m4.tmp
-    fi
-
-    if [ -n "$REVISION" ]
-    then
-        echo Set package revision "$REVISION"
-        sed 's/^define(\[PACKAGE_VERSION_REVISION\],\s*\[\([-~]*[0-9a-zA-Z]*\)\])$/define(\[PACKAGE_VERSION_REVISION\], \['$REVISION'\])/g' version.m4.tmp > version.m4.ci
-    fi
-
-    rm -f version.m4.tmp
+    echo Set package suffix "$SUFFIX"
+    sed 's/^define(\[PACKAGE_SUFFIX\],\s*\[\([-~]*[0-9a-zA-Z]*\)\])$/define(\[PACKAGE_SUFFIX\], \['$SUFFIX'\])/g' < version.m4 > version.m4.ci
 fi
 
 ./bootstrap

configure.ac

@@ -1,12 +1,13 @@
 dnl -*- mode: m4; -*-
 
-AC_PREREQ(2.60)
+AC_PREREQ(2.68)
 
 define([PRODUCT_NAME], [OpenSC])
 define([PRODUCT_TARNAME], [opensc])
 define([PRODUCT_BUGREPORT], [https://github.com/OpenSC/OpenSC/issues])
+define([PRODUCT_URL], [https://github.com/OpenSC/OpenSC])
 define([PACKAGE_VERSION_MAJOR], [0])
-define([PACKAGE_VERSION_MINOR], [18])
+define([PACKAGE_VERSION_MINOR], [22])
 define([PACKAGE_VERSION_FIX], [0])
 define([PACKAGE_SUFFIX], [])
 
@@ -18,14 +19,15 @@ define([VS_FF_PRODUCT_NAME], [OpenSC smartcard framework])
 define([VS_FF_PRODUCT_UPDATES], [https://github.com/OpenSC/OpenSC/releases])
 define([VS_FF_PRODUCT_URL], [https://github.com/OpenSC/OpenSC])
 
-m4_include(version.m4)
 m4_sinclude(version.m4.ci)
 
-AC_INIT([PRODUCT_NAME],[PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX],[PRODUCT_BUGREPORT],[PRODUCT_TARNAME])
+m4_define([openssl_minimum_version], [1.0.1])
+
+AC_INIT([PRODUCT_NAME],[PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX],[PRODUCT_BUGREPORT],[PRODUCT_TARNAME],[PRODUCT_URL])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
-AM_INIT_AUTOMAKE(foreign 1.10)
+AM_INIT_AUTOMAKE(foreign 1.10 [subdir-objects])
 
 OPENSC_VERSION_MAJOR="PACKAGE_VERSION_MAJOR"
 OPENSC_VERSION_MINOR="PACKAGE_VERSION_MINOR"
@@ -41,10 +43,10 @@ OPENSC_VS_FF_PRODUCT_URL="VS_FF_PRODUCT_URL"
 
 # LT Version numbers, remember to change them just *before* a release.
 #   (Code changed:                      REVISION++)
-#   (Oldest interface removed:          OLDEST++)
+#   (Oldest interface changed/removed:  OLDEST++)
 #   (Interfaces added:                  CURRENT++, REVISION=0)
-OPENSC_LT_CURRENT="6"
-OPENSC_LT_OLDEST="6"
+OPENSC_LT_CURRENT="8"
+OPENSC_LT_OLDEST="8"
 OPENSC_LT_REVISION="0"
 OPENSC_LT_AGE="0"
 OPENSC_LT_AGE="$((${OPENSC_LT_CURRENT}-${OPENSC_LT_OLDEST}))"
@@ -77,7 +79,7 @@ AC_ARG_WITH(
 )
 
 if test "${enable_optimization}" = "no"; then
-	CFLAGS="-O0 -g"
+	CFLAGS="${CFLAGS} -O0 -g"
 fi
 
 dnl Check for some target-specific stuff
@@ -104,7 +106,6 @@ case "${host}" in
 			WIN32="yes"
 		else
 			AC_MSG_RESULT([Using cygwin])
-			CPPFLAGS="${CPPFLAGS} -DCRYPTOKI_FORCE_WIN32"
 			WIN_LIBPREFIX="cyg"
 			AC_DEFINE([USE_CYGWIN], [1], [Define if you are on Cygwin])
 		fi
@@ -123,9 +124,6 @@ case "${host}" in
 		PROFILE_DIR_DEFAULT="\$(pkgdatadir)"
 	;;
 esac
-AC_DEFINE_UNQUOTED([DEBUG_FILE], ["${DEBUG_FILE}"], [Debug file])
-AC_DEFINE_UNQUOTED([PROFILE_DIR], ["${PROFILE_DIR}"], [Directory of profiles])
-AC_DEFINE_UNQUOTED([PROFILE_DIR_DEFAULT], ["${PROFILE_DIR_DEFAULT}"], [Default directory of profiles])
 
 case "${host}" in
 	*-mingw*)
@@ -133,9 +131,20 @@ case "${host}" in
 	;;
 esac
 
-AX_CHECK_COMPILE_FLAG(-Wunknown-warning-option, [have_unknown_warning_option="yes"], [have_unknown_warning_option="no"], [-Werror])
+AX_CODE_COVERAGE()
+
+AX_CHECK_COMPILE_FLAG([-Wunknown-warning-option], [have_unknown_warning_option="yes"], [have_unknown_warning_option="no"])
 AM_CONDITIONAL([HAVE_UNKNOWN_WARNING_OPTION], [test "${have_unknown_warning_option}" = "yes"])
 
+AC_ARG_ENABLE(
+	[fuzzing],
+	[AS_HELP_STRING([--enable-fuzzing],[enable compile of fuzzing tests @<:@disabled@:>@, note that CFLAGS and FUZZING_LIBS should be set accordingly, e.g. to something like CFLAGS="-fsanitize=address,fuzzer" FUZZING_LIBS="-fsanitize=fuzzer"])],
+	,
+	[enable_fuzzing="no"]
+)
+
+AC_ARG_VAR([FUZZING_LIBS], [linker flags for fuzzing])
+
 AC_ARG_ENABLE(
 	[strict],
 	[AS_HELP_STRING([--disable-strict],[disable strict compile mode @<:@enabled@:>@])],
@@ -173,11 +182,18 @@ AC_ARG_ENABLE(
 
 AC_ARG_ENABLE(
 	[openssl],
-	[AS_HELP_STRING([--enable-openssl],[enable openssl linkage @<:@detect@:>@])],
+	[AS_HELP_STRING([--enable-openssl],[enable OpenSSL linkage @<:@detect@:>@])],
 	,
 	[enable_openssl="detect"]
 )
 
+AC_ARG_ENABLE([openssl-secure-malloc],
+    [AS_HELP_STRING([--openssl-secure-malloc=<SIZE_IN_BYTES>],
+        [Enable OpenSSL secure memory by specifying its size in bytes, must be a power of 2 @<:@disabled@:>@])],
+    [], [enable_openssl_secure_malloc=no])
+AS_IF([test $enable_openssl_secure_malloc != no],
+	[AC_DEFINE_UNQUOTED([OPENSSL_SECURE_MALLOC_SIZE],[$enable_openssl_secure_malloc],[Size of OpenSSL secure memory in bytes, must be a power of 2])])
+
 AC_ARG_ENABLE(
 	[openpace],
 	[AS_HELP_STRING([--enable-openpace],[enable OpenPACE linkage @<:@detect@:>@])],
@@ -255,6 +271,20 @@ AC_ARG_ENABLE(
 	[enable_notify="detect"]
 )
 
+AC_ARG_ENABLE(
+	[autostart-items],
+	[AS_HELP_STRING([--enable-autostart-items],[enable autostart items @<:@enabled@:>@])],
+	,
+	[enable_autostart="yes"]
+)
+
+AC_ARG_ENABLE(
+	[cmocka],
+	[AS_HELP_STRING([--enable-cmocka],[Build tests in src/tests/p11test directory @<:@detect@:>@])],
+	,
+	[enable_cmocka="detect"]
+)
+
 AC_ARG_WITH(
 	[xsl-stylesheetsdir],
 	[AS_HELP_STRING([--with-xsl-stylesheetsdir=PATH],[docbook xsl-stylesheets for svn build @<:@detect@:>@])],
@@ -262,6 +292,13 @@ AC_ARG_WITH(
 	[xslstylesheetsdir="detect"]
 )
 
+AC_ARG_WITH(
+	[completiondir],
+	[AS_HELP_STRING([--with-completiondir=PATH],[Directory of Bash completion @<:@detect@:>@])],
+	[completiondir="${withval}"],
+	[completiondir="detect"]
+)
+
 AC_ARG_WITH(
 	[pcsc-provider],
 	[AS_HELP_STRING([--with-pcsc-provider=PATH],[Path to system pcsc provider @<:@system default@:>@])],
@@ -333,7 +370,6 @@ AC_MSG_RESULT([${xslstylesheetsdir}])
 AC_MSG_CHECKING([git checkout])
 GIT_CHECKOUT="no"
 if test -n "${GIT}" -a -d "${srcdir}/.git"; then
-	AC_DEFINE([HAVE_CONFIG_VERSION_H], [1], [extra version available in config-version.h])
 	GIT_CHECKOUT="yes"
 fi
 AC_MSG_RESULT([${GIT_CHECKOUT}])
@@ -358,20 +394,19 @@ dnl C Compiler features
 AC_C_INLINE
 
 dnl Checks for header files.
-AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_HEADER_ASSERT
 AC_CHECK_HEADERS([ \
 	errno.h fcntl.h stdlib.h \
 	inttypes.h string.h strings.h \
-	sys/time.h unistd.h getopt.h sys/mman.h
+	sys/time.h unistd.h sys/mman.h \
+	sys/endian.h endian.h
 ])
 
 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
 AC_TYPE_UID_T
 AC_TYPE_SIZE_T
-AC_HEADER_TIME
 
 dnl Checks for library functions.
 AC_FUNC_ERROR_AT_LINE
@@ -379,9 +414,22 @@ AC_FUNC_STAT
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS([ \
 	getpass gettimeofday getline memset mkdir \
-	strdup strerror getopt_long getopt_long_only \
-	strlcpy strlcat strnlen sigaction
+	strdup strerror memset_s explicit_bzero \
+	strnlen sigaction
 ])
+
+# Do not check for strlcpy and strlcat in Linux because it is not implemented
+# and autotools can not detect it in AC_CHECK_DECLS because build does not fail
+# in this test.
+# https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22192
+case "${host_os}" in
+	linux*)
+		;;
+	*)
+		AC_CHECK_DECLS([strlcpy, strlcat], [], [], [[#include <string.h>]])
+		;;
+esac
+
 AC_CHECK_SIZEOF(void *)
 if test "${ac_cv_sizeof_void_p}" = 8; then
 	LIBRARY_BITNESS="64"
@@ -511,6 +559,15 @@ if test "${enable_notify}" = "yes"; then
 	fi
 fi
 
+have_cmocka="yes"
+PKG_CHECK_MODULES([CMOCKA], [cmocka >= 1.0.1],,[have_cmocka="no"])
+AC_CHECK_HEADER([setjmp.h])
+AC_CHECK_HEADER([cmocka.h],, [have_cmocka="no"],
+[#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+])
+
 AC_ARG_VAR([ZLIB_CFLAGS], [C compiler flags for zlib])
 AC_ARG_VAR([ZLIB_LIBS], [linker flags for zlib])
 if test -z "${ZLIB_LIBS}"; then
@@ -591,21 +648,16 @@ fi
 
 PKG_CHECK_MODULES(
 	[OPENSSL],
-	[libcrypto >= 0.9.7],
+	[libcrypto >= openssl_minimum_version],
 	[have_openssl="yes"],
-	[PKG_CHECK_MODULES(
-		[OPENSSL],
-		[openssl >= 0.9.7],
-		[have_openssl="yes"],
-		[AC_CHECK_LIB(
-			[crypto],
-			[RSA_version],
-			[
-				have_openssl="yes"
-				OPENSSL_LIBS="-lcrypto"
-			],
-			[have_openssl="no"]
-		)]
+	[AC_CHECK_LIB(
+		[crypto],
+		[RSA_version],
+		[
+			have_openssl="yes"
+			OPENSSL_LIBS="-lcrypto"
+		],
+		[have_openssl="no"]
 	)]
 )
 
@@ -637,6 +689,20 @@ else
 	OPENSSL_LIBS=""
 fi
 
+if test "${enable_cmocka}" = "detect"; then
+	if test "${have_cmocka}" = "yes" -a "${have_openssl}" = "yes"; then
+		enable_cmocka="yes"
+	else
+		enable_cmocka="no"
+	fi
+fi
+
+if test "${enable_cmocka}" = "yes"; then
+	if test "${have_cmocka}" != "yes"; then
+		AC_MSG_ERROR([Tests required, but cmocka is not available])
+	fi
+fi
+
 
 
 PKG_CHECK_EXISTS([libeac], [PKG_CHECK_MODULES([OPENPACE], [libeac >= 0.9])],
@@ -661,7 +727,7 @@ LIBS="$saved_LIBS"
 
 
 AC_ARG_ENABLE(cvcdir,
-              AC_HELP_STRING([--enable-cvcdir=DIR],
+              AS_HELP_STRING([--enable-cvcdir=DIR],
                              [directory containing CV certificates (default is determined by libeac)]),
                              [cvcdir="${enableval}"],
                              [cvcdir=false])
@@ -683,7 +749,7 @@ AC_SUBST(CVCDIR)
 AC_DEFINE_UNQUOTED([CVCDIR], ["${CVCDIR}"], [CVC directory])
 
 AC_ARG_ENABLE(x509dir,
-              AC_HELP_STRING([--enable-x509dir=DIR],
+              AS_HELP_STRING([--enable-x509dir=DIR],
                              [directory containing X.509 certificates (default is determined by libeac)]),
                              [x509dir="${enableval}"],
                              [x509dir=false])
@@ -810,6 +876,14 @@ if test "${enable_cryptotokenkit}" = "yes"; then
 	AC_DEFINE([ENABLE_CRYPTOTOKENKIT], [1], [Define if CryptoTokenKit is to be enabled])
 fi
 
+if test "${completiondir}" = "detect"; then
+	echo completion ${completiondir}
+	PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
+		[completiondir="`pkg-config --variable=completionsdir bash-completion`"],
+		[completiondir="${sysconfdir}/bash_completion.d"])
+fi
+AC_SUBST([completiondir])
+
 
 AC_SUBST(DYN_LIB_EXT)
 AC_SUBST(LIBDIR)
@@ -833,26 +907,26 @@ if test "${enable_sm}" = "yes"; then
 	DEFAULT_SM_MODULE="${LIB_PRE}smm-local${DYN_LIB_EXT}"
 	case "${host}" in
 		*-mingw*|*-winnt*|*-cygwin*)
-			DEFAULT_SM_MODULE_PATH="\# module_path = \"\";"
+			DEFAULT_SM_MODULE_PATH="%PROGRAMFILES%\\\OpenSC Project\\\OpenSC\\\tools"
 		;;
 		*)
-			DEFAULT_SM_MODULE_PATH="module_path = \$(libdir);"
+			DEFAULT_SM_MODULE_PATH="${libdir}"
 		;;
 	esac
-	AC_DEFINE_UNQUOTED([DEFAULT_SM_MODULE], ["${DEFAULT_SM_MODULE}"], [Default SM module])
-	AC_DEFINE_UNQUOTED([DEFAULT_SM_MODULE_PATH], ["${DEFAULT_SM_MODULE_PATH}"], [Default SM module path])
 fi
 
 if test "${with_pkcs11_provider}" = "detect"; then
 	if test "${WIN32}" != "yes"; then
-		DEFAULT_PKCS11_PROVIDER="opensc-pkcs11${DYN_LIB_EXT}"
+		DEFAULT_PKCS11_PROVIDER="${libdir}/opensc-pkcs11${DYN_LIB_EXT}"
+		DEFAULT_ONEPIN_PKCS11_PROVIDER="${libdir}/onepin-opensc-pkcs11${DYN_LIB_EXT}"
 	else
 		DEFAULT_PKCS11_PROVIDER="%PROGRAMFILES%\\\OpenSC Project\\\OpenSC\\\pkcs11\\\opensc-pkcs11.dll"
+		DEFAULT_ONEPIN_PKCS11_PROVIDER="%PROGRAMFILES%\\\OpenSC Project\\\OpenSC\\\pkcs11\\\onepin-opensc-pkcs11.dll"
 	fi
 else
 	DEFAULT_PKCS11_PROVIDER="${with_pkcs11_provider}"
+	DEFAULT_ONEPIN_PKCS11_PROVIDER="${with_pkcs11_provider}"
 fi
-AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_PROVIDER], ["${DEFAULT_PKCS11_PROVIDER}"], [Default PKCS11 provider])
 
 if test "${enable_man}" = "detect"; then
 	if test "${WIN32}" = "yes"; then
@@ -871,12 +945,16 @@ if test "${enable_man}" = "yes" -o "${enable_doc}" = "yes"; then
 	AC_MSG_RESULT([ok])
 fi
 
-AC_ARG_VAR([HELP2MAN],
-           [absolute path to help2man used for man page generation of npa-tool])
-AC_PATH_PROG(HELP2MAN, help2man, not found)
 AC_ARG_VAR([GENGETOPT],
            [absolute path to gengetopt used for command line parsing of npa-tool])
 AC_PATH_PROG(GENGETOPT, gengetopt, not found)
+AC_ARG_VAR([CLANGTIDY],
+           [absolute path to clang-tidy used for static code analysis])
+AC_PATH_PROG(CLANGTIDY, clang-tidy, not found)
+TIDY_CHECKS="-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling"
+
+AX_FUNC_GETOPT_LONG
+#AH_BOTTOM([#include "common/compat_getopt.h"])
 
 OPENSC_FEATURES=""
 if test "${enable_thread_locking}" = "yes"; then
@@ -963,6 +1041,7 @@ AC_SUBST([OPENSC_LT_OLDEST])
 AC_SUBST([WIN_LIBPREFIX])
 AC_SUBST([DEFAULT_PCSC_PROVIDER])
 AC_SUBST([DEFAULT_PKCS11_PROVIDER])
+AC_SUBST([DEFAULT_ONEPIN_PKCS11_PROVIDER])
 AC_SUBST([OPTIONAL_ZLIB_CFLAGS])
 AC_SUBST([OPTIONAL_ZLIB_LIBS])
 AC_SUBST([OPTIONAL_READLINE_CFLAGS])
@@ -980,6 +1059,7 @@ AC_SUBST([PROFILE_DIR])
 AC_SUBST([PROFILE_DIR_DEFAULT])
 AC_SUBST([OPTIONAL_NOTIFY_CFLAGS])
 AC_SUBST([OPTIONAL_NOTIFY_LIBS])
+AC_SUBST([TIDY_CHECKS])
 
 AM_CONDITIONAL([ENABLE_MAN], [test "${enable_man}" = "yes"])
 AM_CONDITIONAL([ENABLE_THREAD_LOCKING], [test "${enable_thread_locking}" = "yes"])
@@ -997,21 +1077,28 @@ AM_CONDITIONAL([ENABLE_MINIDRIVER_SETUP_CUSTOMACTION], [test "${enable_minidrive
 AM_CONDITIONAL([ENABLE_SM], [test "${enable_sm}" = "yes"])
 AM_CONDITIONAL([ENABLE_DNIE_UI], [test "${enable_dnie_ui}" = "yes"])
 AM_CONDITIONAL([ENABLE_NPATOOL], [test "${ENABLE_NPATOOL}" = "yes"])
+AM_CONDITIONAL([ENABLE_AUTOSTART], [test "${enable_autostart}" = "yes"])
+AM_CONDITIONAL([ENABLE_CMOCKA], [test "${enable_cmocka}" = "yes"])
 AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
+AM_CONDITIONAL([ENABLE_FUZZING], [test "${enable_fuzzing}" = "yes"])
+AM_CONDITIONAL([ENABLE_SHARED], [test "${enable_shared}" = "yes"])
+AS_IF([test "${enable_shared}" = "yes"], [AC_DEFINE([ENABLE_SHARED], [1], [Enable shared libraries])])
 
 if test "${enable_pedantic}" = "yes"; then
 	enable_strict="yes";
-	CFLAGS="${CFLAGS} -pedantic"
+	CFLAGS="-pedantic ${CFLAGS}"
 fi
 if test "${enable_strict}" = "yes"; then
-	CFLAGS="${CFLAGS} -Wall -Wextra -Wno-unused-parameter -Werror"
+	CFLAGS="-Wall -Wextra -Wno-unused-parameter -Werror -Wstrict-aliasing=2 ${CFLAGS}"
 fi
 
 AC_CONFIG_FILES([
 	Makefile
 	doc/Makefile
 	doc/tools/Makefile
+	doc/files/Makefile
 	etc/Makefile
+	tests/Makefile
 	src/Makefile
 	src/common/Makefile
 	src/ui/Makefile
@@ -1025,6 +1112,9 @@ AC_CONFIG_FILES([
 	src/scconf/Makefile
 	src/tests/Makefile
 	src/tests/regression/Makefile
+	src/tests/p11test/Makefile
+	src/tests/fuzzing/Makefile
+	src/tests/unittests/Makefile
 	src/tools/Makefile
 	src/tools/versioninfo-tools.rc
 	src/tools/versioninfo-opensc-notify.rc
@@ -1043,6 +1133,7 @@ AC_CONFIG_FILES([
 	MacOSX/Distribution.xml
 	MacOSX/resources/Welcome.html
 ])
+
 AC_OUTPUT
 
 cat <<EOF
@@ -1065,6 +1156,7 @@ Product URL:             ${OPENSC_VS_FF_PRODUCT_URL}
 
 User binaries:           $(eval eval eval echo "${bindir}")
 Configuration files:     $(eval eval eval echo "${sysconfdir}")
+Bash completion:         ${completiondir}
 XSL stylesheets:         ${xslstylesheetsdir}
 
 man support:             ${enable_man}
@@ -1073,6 +1165,7 @@ thread locking support:  ${enable_thread_locking}
 zlib support:            ${enable_zlib}
 readline support:        ${enable_readline}
 OpenSSL support:         ${enable_openssl}
+OpenSSL secure memory:   ${enable_openssl_secure_malloc}
 PC/SC support:           ${enable_pcsc}
 CryptoTokenKit support:  ${enable_cryptotokenkit}
 OpenCT support:          ${enable_openct}
@@ -1080,12 +1173,14 @@ CT-API support:          ${enable_ctapi}
 minidriver support:      ${enable_minidriver}
 SM support:              ${enable_sm}
 SM default module:       ${DEFAULT_SM_MODULE}
+SM default path:         $(eval eval eval echo "${DEFAULT_SM_MODULE_PATH}")
 DNIe UI support:         ${enable_dnie_ui}
 Notification support:    ${enable_notify}
-Debug file:              ${DEBUG_FILE}
+Code coverage:           ${enable_code_coverage}
 
 PC/SC default provider:  ${DEFAULT_PCSC_PROVIDER}
-PKCS11 default provider: ${DEFAULT_PKCS11_PROVIDER}
+PKCS11 default provider: $(eval eval eval echo "${DEFAULT_PKCS11_PROVIDER}")
+PKCS11 onepin provider:  $(eval eval eval echo "${DEFAULT_ONEPIN_PKCS11_PROVIDER}")
 
 Host:                    ${host}
 Compiler:                ${CC}
@@ -1108,6 +1203,7 @@ PCSC_CFLAGS:             ${PCSC_CFLAGS}
 CRYPTOTOKENKIT_CFLAGS:   ${CRYPTOTOKENKIT_CFLAGS}
 GIO2_CFLAGS:             ${GIO2_CFLAGS}
 GIO2_LIBS:               ${GIO2_LIBS}
+FUZZING_LIBS:            ${FUZZING_LIBS}
 
 EOF
 

doc/Makefile.am

@@ -1,6 +1,6 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
-SUBDIRS = tools
+SUBDIRS = tools files
 
 dist_noinst_SCRIPTS = html.xsl man.xsl
 dist_noinst_DATA = api.css

doc/files/Makefile.am

@@ -0,0 +1,32 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+dist_noinst_DATA = pkcs15-profile.5.xml opensc.conf.5.xml.in files.xml
+if ENABLE_DOC
+html_DATA = files.html
+endif
+
+if ENABLE_MAN
+man5_MANS = pkcs15-profile.5  opensc.conf.5
+endif
+
+opensc.conf.5.xml opensc.conf.5: $(srcdir)/opensc.conf.5.xml.in
+	@sed \
+		-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
+		-e 's|@docdir[@]|$(docdir)|g' \
+		-e 's|@libdir[@]|$(libdir)|g' \
+		-e 's|@DYN_LIB_EXT[@]|$(DYN_LIB_EXT)|g' \
+		-e 's|@DEFAULT_PCSC_PROVIDER[@]|$(DEFAULT_PCSC_PROVIDER)|g' \
+		-e 's|@PROFILE_DIR_DEFAULT[@]|$(PROFILE_DIR_DEFAULT)|g' \
+		-e 's|@DEFAULT_SM_MODULE[@]|$(DEFAULT_SM_MODULE)|g' \
+		< $< > opensc.conf.5.xml
+	$(AM_V_GEN)$(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl opensc.conf.5.xml 2>/dev/null
+
+files.html: $(srcdir)/files.xml $(wildcard $(srcdir)/*.5.xml) opensc.conf.5.xml
+	$(AM_V_GEN)$(XSLTPROC) --nonet --path "$(builddir):$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $< 2>/dev/null
+
+%.5: $(srcdir)/%.5.xml
+	$(AM_V_GEN)sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
+	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $< 2>/dev/null
+
+clean-local:
+	-rm -rf $(html_DATA) $(man5_MANS) opensc.conf.5.xml

doc/files/files.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<book xmlns:xi="http://www.w3.org/2001/XInclude">
+	<title>OpenSC Manual Pages: Section 5</title>
+
+	<xi:include href="opensc.conf.5.xml"/>
+	<xi:include href="pkcs15-profile.5.xml"/>
+</book>

doc/files/pkcs15-profile.5.xml

@@ -27,12 +27,12 @@
 			layout, such as the path of the application DF, various PKCS #15 files within
 			that directory, and the access conditions on these files. It also defines
 			general information about PIN, key and certificate objects. Currently, there
-			is only one such generic profile, <command>pkcs15.profile</command>.
+			is only one such generic profile, <filename>pkcs15.profile</filename>.
 		</para>
 		<para>
 			The card specific profile contains additional information required during
-			card intialization, such as location of PIN files, key references etc.
-			Profiles currently reside in <command>@pkgdatadir@</command>
+			card initialization, such as location of PIN files, key references etc.
+			Profiles currently reside in <filename class="directory">@pkgdatadir@</filename>
 		</para>
 	</refsect1>
 

doc/html.xsl

@@ -5,6 +5,7 @@
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
 	<xsl:import href="docbook.xsl"/>
 	<xsl:param name="toc.section.depth" select="0"/>
+	<xsl:param name="generate.consistent.ids" select="1"/>
 	<xsl:template name="user.head.content">
 	<style type="text/css">
 		<xsl:comment>

doc/tools/Makefile.am

@@ -2,9 +2,6 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
 EXTRA_DIST = completion-template
 
-# TODO XXX Uncomment after fixing issue #1267
-#TESTS = test-manpage.sh
-
 dist_noinst_DATA = $(wildcard $(srcdir)/*.xml)
 if ENABLE_DOC
 html_DATA = tools.html
@@ -12,35 +9,31 @@ endif
 
 if ENABLE_MAN
 man1_MANS = $(patsubst $(srcdir)/%.xml, %, $(wildcard $(srcdir)/*.1.xml))
-man5_MANS = $(patsubst $(srcdir)/%.xml, %, $(wildcard $(srcdir)/*.5.xml))
 endif
 
 completion_DATA = $(patsubst $(srcdir)/%.1.xml, %, $(wildcard $(srcdir)/*.1.xml))
-completiondir = $(sysconfdir)/bash_completion.d
 
-tools.html: $(srcdir)/tools.xml $(wildcard $(srcdir)/*.1.xml) $(wildcard $(srcdir)/*.5.xml)
-	$(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $<
+tools.html: $(srcdir)/tools.xml $(wildcard $(srcdir)/*.1.xml)
+	$(AM_V_GEN)$(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $< 2>/dev/null
 
 %.1: $(srcdir)/%.1.xml
-	sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
-	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $<
-
-%.5: $(srcdir)/%.5.xml
-	sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
-	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $<
+	$(AM_V_GEN)sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
+	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $< 2>/dev/null
 
 %: $(srcdir)/%.1.xml
-	@echo $< $@
-	@cat $(srcdir)/completion-template \
+	$(AM_V_GEN)cat $(srcdir)/completion-template \
 		| sed "s,ALLOPTS,\
 			$(shell sed -n 's,.*<option>\([^<]*\)</option>.*,\1,pg' $< \
 				| sort -u | grep -- '^\-' | tr '\n' ' ')," \
 		| sed "s,OPTSWITHARGS,\
 			$(shell sed -n 's,.*<option>\([^<]*\)</option>.*<replaceable>.*,\1,pg' $< \
-				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,')," \
+				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,' | grep ^ || echo "!*")," \
 		| sed "s,FILEOPTS,\
 			$(shell sed -n 's,.*<option>\([^<]*\)</option>.*<replaceable>.*filename.*,\1,pg' $< \
 				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,' | grep ^ || echo "!*"),"  \
+		| sed "s,PINOPTS,\
+			$(shell sed -En 's,.*<option>([^<]*)</option>.*<replaceable>\s*(newpin|pin|puk|sopin|sopuk)\s*<.*,\1,pg' $< \
+				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,' | grep ^ || echo "!*"),"  \
 		| sed "s,MODULEOPTS,\
 			$(shell sed -n 's,.*<option>\([^<]*\)</option>.*<replaceable>.*mod.*,\1,pg' $< \
 				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,' | grep ^ || echo "!*")," \
@@ -49,4 +42,4 @@ tools.html: $(srcdir)/tools.xml $(wildcard $(srcdir)/*.1.xml) $(wildcard $(srcdi
 		> $@
 
 clean-local:
-	-rm -rf $(html_DATA) $(man1_MANS) $(man5_MANS) $(completion_DATA)
+	-rm -rf $(html_DATA) $(man1_MANS) $(completion_DATA)

doc/tools/cardos-tool.1.xml

@@ -33,13 +33,6 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
 		<title>Options</title>
 		<para>
 			<variablelist>
-				<varlistentry>
-					<term>
-						<option>--card-driver</option> <replaceable>name</replaceable>,
-						<option>-c</option> <replaceable>name</replaceable></term>
-					<listitem><para>Use the card driver specified by <replaceable>name</replaceable>.
-					The default is to auto-detect the correct card driver.</para></listitem>
-				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--format</option>,
@@ -47,6 +40,13 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
 					</term>
 					<listitem><para>Format the card or token.</para></listitem>
 				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option>
+					</term>
+					<listitem><para>Print help message on screen.</para></listitem>
+				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--info</option>,
@@ -56,11 +56,31 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
 				</varlistentry>
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>number</replaceable>,
-						<option>-r</option> <replaceable>number</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>Specify the reader number <replaceable>number</replaceable> to use.
-					The default is reader <literal>0</literal>.</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--startkey</option> <replaceable>arg</replaceable>,
+						<option>-s</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem><para>Specify startkey for format.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--change-startkey</option> <replaceable>arg</replaceable>,
+						<option>-S</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem><para>Change Startkey with given APDU command.</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -82,4 +102,10 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
 			</variablelist>
 		</para>
 	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>cardos-tool</command> was written by
+		Andreas Jellinghaus <email>aj@dungeon.inka.de</email>.</para>
+	</refsect1>
 </refentry>

doc/tools/completion-template

@@ -3,7 +3,7 @@ _FUNCTION_NAME()
 {
     COMPREPLY=()
     local cur prev split=false
-    _get_comp_words_by_ref cur prev
+    _get_comp_words_by_ref -n : cur prev
 
     _split_longopt && split=true
 
@@ -23,6 +23,11 @@ _FUNCTION_NAME()
             _filedir
             return 0
             ;;
+        PINOPTS|--password)
+            COMPREPLY=( $( compgen -W "$(printenv | cut -d = -f 1 | xargs printf 'env:%s ')" -- $cur ) )
+            __ltrim_colon_completions "$cur"
+            return 0
+            ;;
         OPTSWITHARGS)
             return 0
             ;;

doc/tools/cryptoflex-tool.1.xml

@@ -121,7 +121,8 @@
 
 				<varlistentry>
 					<term>
-						<option>--read-key</option>
+						<option>--read-key</option>,
+						<option>-R</option>
 					</term>
 					<listitem><para>Reads a public key from the card, allowing the user to
 					extract and store or use the public key
@@ -130,12 +131,17 @@
 
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>num</replaceable>,
-						<option>-r</option> <replaceable>num</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>Forces <command>cryptoflex-tool</command> to use
-					reader number <replaceable>num</replaceable> for operations. The default
-					is to use reader number 0, the first reader in the system.</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -156,6 +162,15 @@
 					<listitem><para>Verifies CHV1 before issuing commands</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--wait</option>,
+						<option>-w</option>
+					</term>
+					<listitem><para>Causes <command>cryptoflex-tool</command> to
+					wait for a card insertion.</para></listitem>
+				</varlistentry>
+
 			</variablelist>
 		</para>
 	</refsect1>
@@ -170,4 +185,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>cryptoflex-tool</command> was written by
+		Juha Yrjölä <email>juha.yrjola@iki.fi</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/dnie-tool.1.xml

@@ -52,7 +52,7 @@
 						<option>-a</option>
 					</term>
 					<listitem><para>Displays every available information.
-					This command is equivalent to -d -i -s</para></listitem>
+					This command is equivalent to -d -i -V -s</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -68,34 +68,44 @@
 						<option>-V</option>
 					</term>
 					<listitem><para>Show DNIe sw version.
-					Displays sofware version for in-card DNIe OS</para></listitem>
+					Displays software version for in-card DNIe OS</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--pin</option> <replaceable>pin</replaceable>,
 						<option>-p</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>Specify the user pin <replaceable>pin</replaceable> to use.
-					If set to env:<replaceable>VARIABLE</replaceable>, the
-					value of the environment variable
-					<replaceable>VARIABLE</replaceable> is used.
-					The default is do not enter pin</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>number</replaceable>,
-						<option>-r</option> <replaceable>number</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>Specify the reader <replaceable>number</replaceable> to use.
-					The default is reader 0.</para></listitem>
-				</varlistentry>
-				<varlistentry>
-					<term>
-						<option>--driver</option> <replaceable>driver</replaceable>,
-						<option>-c</option> <replaceable>driver</replaceable>
-					</term>
-					<listitem><para>Specify the card driver <replaceable>driver</replaceable> to use.
-					Default is use driver from configuration file, or auto-detect if absent</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -118,10 +128,6 @@ to enable debug output in the opensc library.</para></listitem>
 		</para>
 	</refsect1>
 	
-	<refsect1>
-		<title>See also</title>
-		<para>opensc(7)</para>
-	</refsect1>
 	<refsect1>
 		<title>Authors</title>
 		<para><command>dnie-tool</command> was written by

doc/tools/egk-tool.1.xml

@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="egk-tool">
+	<refmeta>
+		<refentrytitle>egk-tool</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>egk-tool</refname>
+		<refpurpose>displays information on the German electronic health card (elektronische Gesundheitskarte, <abbrev>eGK</abbrev>)
+		</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>egk-tool</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>egk-tool</command> utility is used to display information stored on the German elektronic health card (elektronische Gesundheitskarte, <abbrev>eGK</abbrev>).
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option></term>
+					<listitem><para>Print help and exit.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option></term>
+					<listitem><para>Print version and exit.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem><para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verbose</option>,
+						<option>-v</option>
+					</term>
+					<listitem><para>
+						Causes <command>egk-tool</command> to be more verbose.
+						Specify this flag several times to be more verbose.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+
+		<refsect2>
+			<title>Health Care Application (<abbrev>HCA</abbrev>)</title>
+			<variablelist>
+				<varlistentry>
+					<term><option>--pd</option></term>
+					<listitem><para>
+						Show 'Persönliche Versicherungsdaten' (XML).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--vd</option></term>
+					<listitem><para>
+						Show 'Allgemeine Versicherungsdaten' (XML).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--gvd</option></term>
+					<listitem><para>
+						Show 'Geschützte Versicherungsdaten' (XML).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--vsd-status</option></term>
+					<listitem><para>
+						Show 'Versichertenstammdaten-Status'.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>egk-tool</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+	<!--
+	<refsect1>
+		<title>Reporting Bugs</title>
+		<para>Report bugs to <ulink url="@PACKAGE_BUGREPORT@">@PACKAGE_BUGREPORT@</ulink>.</para>
+	</refsect1>
+	-->
+</refentry>

doc/tools/eidenv.1.xml

@@ -66,12 +66,17 @@
 
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>num</replaceable>,
-						<option>-r</option> <replaceable>num</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>
-					Use the given reader. The default is the first reader with a card.
-					</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>

doc/tools/gids-tool.1.xml

@@ -46,9 +46,25 @@
 				</varlistentry>
 				<varlistentry>
 					<term>
-						<option>--pin</option> <replaceable>argument</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>Define user PIN.</para></listitem>
+					<listitem>
+						<para>
+							This option can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -75,15 +91,21 @@
 					<term>
 						<option>--new-admin-key</option> <replaceable>argument</replaceable>
 					</term>
-					<listitem><para>Define the new adminastrator key.</para></listitem>
+					<listitem><para>Define the new administrator key.</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--reader</option> <replaceable>argument</replaceable>,
 						<option>-r</option> <replaceable>argument</replaceable>
 					</term>
-					<listitem><para>Uses reader number
-					<replaceable>argument</replaceable>.</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>argument</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -114,4 +136,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>gids-tool</command> was written by
+		Vincent Le Toux <email>vincent.letoux@mysmartlogon.com</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/goid-tool.1.xml

@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="goid-tool">
+	<refmeta>
+		<refentrytitle>goid-tool</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>goid-tool</refname>
+		<refpurpose>???</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>goid-tool</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+			<arg><replaceable class="option">mode</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>goid-tool</command> utility can be used from
+			the command line to ???
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option>
+					</term>
+					<listitem><para>Print help message on screen.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option>
+					</term>
+					<listitem><para>Print the OpenSC package release version.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--reader</option> <replaceable>string</replaceable>,
+						<option>-r</option> <replaceable>string</replaceable>
+					</term>
+					<listitem><para>
+						Specify the number of the reader to use. By default, the
+						first reader with present card is used. If
+						the argument is an ATR, the reader with a
+						matching card will be chosen.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verbose</option>,
+						<option>-v</option>
+					</term>
+					<listitem><para>
+						Cause <command>goid-tool</command> to be
+						more verbose. Use it multiple times to be even more
+						verbose.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verify-pin</option>,
+						<option>-p</option>
+					</term>
+					<listitem><para>
+						Verify PIN.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verify-bio</option>,
+						<option>-b</option>
+					</term>
+					<listitem><para>
+						Verify finger print.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verify-pin-or-bio</option>
+					</term>
+					<listitem><para>
+						Verify PIN or finger print (user's choice).
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+	</refsect1>
+<!-- TODO modes -->
+	<refsect1>
+		<title>See also</title>
+		<para>
+			<citerefentry>
+				<refentrytitle>pkcs11-tool</refentrytitle>
+				<manvolnum>1</manvolnum>
+			</citerefentry>
+			<citerefentry>
+				<refentrytitle>opensc.conf</refentrytitle>
+				<manvolnum>5</manvolnum>
+			</citerefentry>
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs11-register</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+</refentry>
+
+
+

doc/tools/iasecc-tool.1.xml

@@ -34,10 +34,16 @@
 			<variablelist>
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>number</replaceable>,
+						<option>--reader</option> <replaceable>arg</replaceable>,
 					</term>
-					<listitem><para>Specify the reader number <replaceable>number</replaceable> to use.
-					The default is reader <literal>0</literal>.</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -78,4 +84,10 @@
 			</variablelist>
 		</para>
 	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>iasecc-tool</command> was written by
+		Viktor Tarasov <email>viktor.tarasov@gmail.com</email>.</para>
+	</refsect1>
 </refentry>

doc/tools/netkey-tool.1.xml

@@ -43,38 +43,45 @@
         </varlistentry>
         <varlistentry>
           <term>
-            <option>--pin</option> <replaceable>pin-value</replaceable>,
-            <option>-p</option> <replaceable>pin-value</replaceable>
+            <option>--pin</option> <replaceable>pin</replaceable>,
+            <option>-p</option> <replaceable>pin</replaceable>
           </term>
           <listitem><para>Specifies the current value of the global PIN.</para></listitem>
         </varlistentry>
         <varlistentry>
           <term>
-            <option>--puk</option> <replaceable>pin-value</replaceable>,
-            <option>-u</option> <replaceable>pin-value</replaceable>
+            <option>--puk</option> <replaceable>pin</replaceable>,
+            <option>-u</option> <replaceable>pin</replaceable>
           </term>
           <listitem><para>Specifies the current value of the global PUK.</para></listitem>
         </varlistentry>
         <varlistentry>
           <term>
-            <option>--pin0</option> <replaceable>pin-value</replaceable>,
-            <option>-0</option> <replaceable>pin-value</replaceable>
+            <option>--pin0</option> <replaceable>pin</replaceable>,
+            <option>-0</option> <replaceable>pin</replaceable>
           </term>
           <listitem><para>Specifies the current value of the local PIN0 (aka local PIN).</para></listitem>
         </varlistentry>
         <varlistentry>
           <term>
-            <option>--pin1</option> <replaceable>pin-value</replaceable>,
-            <option>-1</option> <replaceable>pin-value</replaceable>
+            <option>--pin1</option> <replaceable>pin</replaceable>,
+            <option>-1</option> <replaceable>pin</replaceable>
           </term>
           <listitem><para>Specifies the current value of the local PIN1 (aka local PUK).</para></listitem>
         </varlistentry>
         <varlistentry>
           <term>
-            <option>--reader</option> <replaceable>number</replaceable>,
-            <option>-r</option> <replaceable>number</replaceable>
+            <option>--reader</option> <replaceable>arg</replaceable>,
+            <option>-r</option> <replaceable>arg</replaceable>
           </term>
-          <listitem><para>Use smart card in specified reader. Default is reader 0.</para></listitem>
+          <listitem>
+            <para>
+              Number of the reader to use. By default, the first
+              reader with a present card is used. If
+              <replaceable>arg</replaceable> is an ATR, the
+              reader with a matching card will be chosen.
+            </para>
+          </listitem>
         </varlistentry>
         <varlistentry>
           <term>
@@ -91,7 +98,7 @@
     <title>PIN format</title>
     <para>With the <option>-p</option>, <option>-u</option>, <option>-0</option> or the <option>-1</option>
     one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
-    (i.e. 31:32:33:34:35:36). A hex-string must consists of exacly n 2-digit hexnumbers separated by n-1 colons.
+    (i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
     Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
     length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.</para>
   </refsect1>
@@ -112,7 +119,7 @@
     current value of your global PIN. </para>
 
     <para>For most of the commands that <command>netkey-tool</command> can execute, you have
-    to specify one pin. One notable exeption is the <command>nullpin</command> command, but
+    to specify one pin. One notable exception is the <command>nullpin</command> command, but
     this command can only be executed once in the lifetime of a NetKey E4 card.</para>
 
     <para>
@@ -140,8 +147,14 @@
         </varlistentry>
         <varlistentry>
           <term>
-            <command>change</command> { <parameter>pin</parameter> | <parameter>puk</parameter> |
-          <parameter>pin0</parameter> | <parameter>pin1</parameter> } <replaceable>new-pin</replaceable>
+            <command>change</command>
+            <group choice="req">
+              <arg choice="plain">pin</arg>
+              <arg choice="plain">puk</arg>
+              <arg choice="plain">pin0</arg>
+              <arg choice="plain">pin1</arg>
+             </group>
+            <replaceable>new-pin</replaceable>
           </term>
           <listitem><para>This changes the value of the specified pin to the given new value.
           You must specify either the current value of the pin or another pin to be able to do
@@ -154,13 +167,18 @@
           </term>
           <listitem><para>This command can be executed only if the global PIN of your card is
           in nullpin-state. There's no way to return back to nullpin-state once you have changed
-          your global PIN. You don't need a pin to execute the nullpin-command. After a succesfull
+          your global PIN. You don't need a pin to execute the nullpin-command. After a successful
           nullpin-command <command>netkey-tool</command> will display your cards initial
           PUK-value.</para></listitem>
         </varlistentry>
         <varlistentry>
           <term>
-            <command>unblock</command> { <parameter>pin</parameter> | <parameter>pin0</parameter> | <parameter>pin1</parameter> }
+            <command>unblock</command>
+            <group choice="req">
+              <arg choice="plain">pin</arg>
+              <arg choice="plain">pin0</arg>
+              <arg choice="plain">pin1</arg>
+             </group>
           </term>
           <listitem><para>This unblocks the specified pin. You must specify another pin
           to be able to do this and if you don't specify a correct one,

doc/tools/npa-tool.1.xml

@@ -0,0 +1,440 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="npa-tool">
+	<refmeta>
+		<refentrytitle>npa-tool</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>npa-tool</refname>
+		<refpurpose>displays information on the German eID card (neuer Personalausweis, <abbrev>nPA</abbrev>).
+		</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>npa-tool</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>npa-tool</command> utility is used to display information
+			stored on the German eID card (neuer Personalausweis, <abbrev>nPA</abbrev>),
+			and to perform some write and verification operations.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option></term>
+					<listitem><para>Print help and exit.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option></term>
+					<listitem><para>Print version and exit.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem><para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verbose</option>,
+						<option>-v</option>
+					</term>
+					<listitem><para>
+						Causes <command>npa-tool</command> to be more verbose.
+						Specify this flag several times to be more verbose.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+
+		<refsect2>
+			<title>Password Authenticated Connection Establishment (<abbrev>PACE</abbrev>)</title>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--pin</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>,
+						<option>-p</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>
+					</term>
+					<listitem><para>
+						Run <abbrev>PACE</abbrev> with (transport) eID-PIN.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--puk</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>,
+						<option>-u</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>
+					</term>
+					<listitem><para>
+						Run <abbrev>PACE</abbrev> with PUK.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--can</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>,
+						<option>-c</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>
+					</term>
+					<listitem><para>
+						Run <abbrev>PACE</abbrev> with Card Access Number (<abbrev>CAN</abbrev>).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--mrz</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>,
+						<option>-m</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>
+					</term>
+					<listitem><para>
+						Run <abbrev>PACE</abbrev> with Machine Readable Zone (<abbrev>MRZ</abbrev>).
+						Enter the <abbrev>MRZ</abbrev> without newlines.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--env</option></term>
+					<listitem><para>
+						Specify whether to use environment variables <envar>PIN</envar>,
+						<envar>PUK</envar>, <envar>CAN</envar>, <envar>MRZ</envar>,
+						and <envar>NEWPIN</envar>.
+						You may want to clean your environment before enabling this.
+						(default=off)
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+
+		<refsect2>
+			<title>PIN management</title>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--new-pin</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>,
+						<option>-N</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>
+					</term>
+					<listitem><para>
+						Install a new PIN.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--resume</option>,
+						<option>-R</option>
+					</term>
+					<listitem><para>
+						Resume eID-PIN (uses <abbrev>CAN</abbrev> to activate last retry).
+						(default=off)
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--unblock</option>,
+						<option>-U</option>
+					</term>
+					<listitem><para>
+						Unblock PIN (uses PUK to activate three more retries).
+						(default=off)
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+
+		<refsect2>
+			<title>Terminal Authentication (<abbrev>TA</abbrev>) and Chip Authentication (<abbrev>CA</abbrev>)</title>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--cv-certificate</option> <replaceable>FILENAME</replaceable>,
+						<option>-C</option> <replaceable>FILENAME</replaceable>
+					</term>
+					<listitem><para>
+						Specify Card Verifiable (<abbrev>CV</abbrev>) certificate
+						to create a certificate chain.
+						The option can be given multiple times, in which case the
+						order is important.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--cert-desc</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>
+						Certificate description to show for Terminal Authentication.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--chat</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>
+						Specify the Card Holder Authorization Template
+						(<abbrev>CHAT</abbrev>) to use.
+						If not given, it defaults to the terminal's CHAT.
+						Use <literal>7F4C0E060904007F000703010203530103</literal>
+						to trigger EAC on the CAT-C (Komfortleser).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--auxiliary-data</option> <replaceable>HEX_STRING</replaceable>,
+						<option>-A</option> <replaceable>HEX_STRING</replaceable>
+					</term>
+					<listitem><para>
+						Specify the terminal's auxiliary data.
+						If not given, the default is determined by verification
+						of validity, age and community ID.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--private-key</option> <replaceable>FILENAME</replaceable>,
+						<option>-P</option> <replaceable>FILENAME</replaceable>
+					</term>
+					<listitem><para>
+						Specify the terminal's private key.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--cvc-dir</option> <replaceable>DIRECTORY</replaceable></term>
+					<listitem><para>
+						Specify where to look for the certificate of the 
+						Country Verifying Certification Authority
+						(<abbrev>CVCA</abbrev>).
+						If not given, it defaults to
+						<filename class="directory">/home/fm/.local/etc/eac/cvc</filename>.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+					<option>--x509-dir</option> <replaceable>DIRECTORY</replaceable></term>
+					<listitem><para>
+						Specify where to look for the X.509 certificate.
+						If not given, it defaults to
+						<filename class="directory">/home/fm/.local/etc/eac/x509</filename>.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--disable-ta-checks</option></term>
+					<listitem><para>
+						Disable checking the validity period of CV certificates.
+						(default=off)
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--disable-ca-checks</option></term>
+					<listitem><para>
+						Disable passive authentication. (default=off)
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+
+		<refsect2>
+			<title>Read and write data groups</title>
+			<variablelist>
+				<varlistentry>
+					<term><option>--read-dg1</option></term>
+					<listitem><para>Read data group 1: Document Type.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg2</option></term>
+					<listitem><para>Read data group 2: Issuing State.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg3</option></term>
+					<listitem><para>Read data group 3: Date of Expiry.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg4</option></term>
+					<listitem><para>Read data group 4: Given Name(s).</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg5</option></term>
+					<listitem><para>Read data group 5: Family Name.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg6</option></term>
+					<listitem><para>Read data group 6: Religious/Artistic Name.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg7</option></term>
+					<listitem><para>Read data group 7: Academic Title.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg8</option></term>
+					<listitem><para>Read data group 8: Date of Birth.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg9</option></term>
+					<listitem><para>Read data group 9: Place of Birth.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg10</option></term>
+					<listitem><para>Read data group 10: Nationality.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg11</option></term>
+					<listitem><para>Read data group 11: Sex.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg12</option></term>
+					<listitem><para>Read data group 12: Optional Data.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg13</option></term>
+					<listitem><para>Read data group 13: Birth Name.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg14</option></term>
+					<listitem><para>Read data group 14.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg15</option></term>
+					<listitem><para>Read data group 15.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg16</option></term>
+					<listitem><para>Read data group 16.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg17</option></term>
+					<listitem><para>Read data group 17: Normal Place of Residence.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg18</option></term>
+					<listitem><para>Read data group 18: Community ID.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg19</option></term>
+					<listitem><para>Read data group 19: Residence Permit I.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg20</option></term>
+					<listitem><para>Read data group 20: Residence Permit II.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--read-dg21</option></term>
+					<listitem><para>Read data group 21: Optional Data.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+					<option>--write-dg17</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>Write data group 17: Normal Place of Residence.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+					<option>--write-dg18</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>Write data group 18: Community ID.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+					<option>--write-dg19</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>Write data group 19: Residence Permit I.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+					<option>--write-dg20</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>Write data group 20: Residence Permit II.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--write-dg21</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>Write data group 21: Optional Data.</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+
+		<refsect2>
+			<title>Verification of validity, age and community ID</title>
+			<variablelist>
+				<varlistentry>
+					<term><option>--verify-validity</option> <replaceable>YYYYMMDD</replaceable></term>
+					<listitem><para>
+						Verify chip's validity with a reference date.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--older-than</option> <replaceable>YYYYMMDD</replaceable></term>
+					<listitem><para>
+						Verify age with a reference date.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--verify-community</option> <replaceable>HEX_STRING</replaceable></term>
+					<listitem><para>
+						Verify community ID with a reference ID.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+
+		<refsect2>
+			<title>Special options, not always useful</title>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--break</option>,
+						<option>-b</option>
+					</term>
+					<listitem><para>
+						Brute force PIN, CAN or PUK.
+						Use together with options <option>-p</option>,
+						<option>-a</option>, or <option>-u</option>.
+						(default=off)
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--translate</option> <replaceable>FILENAME</replaceable>,
+						<option>-t</option> <replaceable>FILENAME</replaceable>
+					</term>
+					<listitem><para>
+						Specify the file with APDUs of HEX_STRINGs to send
+						through the secure channel.
+						(default=`stdin')
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--tr-03110v201</option></term>
+					<listitem><para>
+						Force compliance to BSI TR-03110 version 2.01. (default=off)
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>--disable-all-checks</option></term>
+					<listitem><para>
+						 Disable all checking of fly-by-data. (default=off)
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>npa-tool</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+	<!--
+	<refsect1>
+		<title>Reporting Bugs</title>
+		<para>Report bugs to <ulink url="@PACKAGE_BUGREPORT@">@PACKAGE_BUGREPORT@</ulink>.</para>
+	</refsect1>
+	-->
+</refentry>

doc/tools/openpgp-tool.1.xml

@@ -38,13 +38,76 @@
 		<title>Options</title>
 		<para>
 			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--card-info</option>,
+						<option>-C</option>
+					</term>
+					<listitem><para>
+						Show card information.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--del-key</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem><para>
+						Delete key indicated by <replaceable>arg</replaceable>.
+						<replaceable>arg</replaceable> can be <literal>1</literal>,
+						<literal>2</literal>, <literal>3</literal>, or
+						<literal>all</literal>.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--do</option> <replaceable>arg</replaceable>,
+						<option>-d</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem><para>
+						Dump private data object (<abbrev>DO</abbrev>)
+						indicated by <replaceable>arg</replaceable>.
+						<replaceable>arg</replaceable> can be in the form
+						<replaceable>x</replaceable>,
+						<literal>10</literal><replaceable>x</replaceable>, or
+						<literal>010</literal><replaceable>x</replaceable>
+						to access <literal>DO 010</literal><replaceable>x</replaceable>,
+						where <replaceable>x</replaceable> is <literal>1</literal>,
+						<literal>2</literal>, <literal>3</literal>, or
+						<literal>4</literal>.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--erase</option>,
+						<option>-E</option>
+					</term>
+					<listitem><para>
+						Erase (i.e. reset) the card.
+					</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--exec</option> <replaceable>prog</replaceable>,
 						<option>-x</option> <replaceable>prog</replaceable>
 					</term>
 					<listitem><para>
-					Execute the given program with data in environment variables.
+						Execute the given program with data in environment variables.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--gen-key</option> <replaceable>arg</replaceable>,
+						<option>-G</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem><para>
+						Generate key with the ID given as <replaceable>arg</replaceable>.
+						<replaceable>arg</replaceable> can be one of <literal>1</literal>,
+						<literal>2</literal>, or <literal>3</literal>.
 					</para></listitem>
 				</varlistentry>
 
@@ -54,7 +117,65 @@
 						<option>-h</option>
 					</term>
 					<listitem><para>
-					Print help message on screen.
+						Print help message on screen.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--key-info</option>,
+						<option>-K</option>
+					</term>
+					<listitem><para>
+						Show information of keys on the card.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--key-type</option> <replaceable>keytype</replaceable>,
+						<option>-t</option> <replaceable>keytype</replaceable>
+					</term>
+					<listitem><para>
+						Specify the type of the key to be generated.
+						Supported values for <replaceable>keytype</replaceable> are
+						<literal>rsa</literal> for RSA with 2048 bits,
+						<literal>rsa</literal><replaceable>LENGTH</replaceable>
+						for RSA with a bit length of <replaceable>LENGTH</replaceable>.
+
+						If not given, it defaults to <literal>rsa2048</literal>.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--pin</option> <replaceable>pin</replaceable>
+					</term>
+					<listitem>
+						<para>
+							This option can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--pretty</option>
+					</term>
+					<listitem><para>
+						Print values in pretty format.
 					</para></listitem>
 				</varlistentry>
 
@@ -63,16 +184,20 @@
 						<option>--raw</option>
 					</term>
 					<listitem><para>
-					Print values in raw format, as they are stored on the card.
+						Print values in raw format, as they are stored on the card.
 					</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
 					<term>
-						<option>--pretty</option>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
 					<listitem><para>
-					Print values in pretty format.
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
 					</para></listitem>
 				</varlistentry>
 
@@ -82,17 +207,7 @@
 						<option>-U</option>
 					</term>
 					<listitem><para>
-					Show card holder information.
-					</para></listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--reader</option> <replaceable>num</replaceable>,
-						<option>-r</option> <replaceable>num</replaceable>
-					</term>
-					<listitem><para>
-					Use the given reader.  The default is the first reader with a card.
+						Show card holder information.
 					</para></listitem>
 				</varlistentry>
 
@@ -100,49 +215,9 @@
 					<term>
 						<option>--verify</option> <replaceable>pintype</replaceable>
 					</term>
-					<listitem>
-						<para>
+					<listitem><para>
 						Verify PIN (CHV1, CHV2 or CHV3).
-						</para>
-					</listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--pin</option> <replaceable>string</replaceable>
-					</term>
-					<listitem>
-						<para>
-						The PIN text to verify. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.
-						</para>
-					</listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--gen-key</option> <replaceable>ID</replaceable>,
-						<option>-G</option> <replaceable>ID</replaceable>
-					</term>
-					<listitem>
-						<para>
-						Generate key. Specify key ID (1, 2 or 3) to generate.
-						</para>
-					</listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--key-length</option> <replaceable>bitlength</replaceable>,
-						<option>-L</option> <replaceable>bitlength</replaceable>
-					</term>
-					<listitem>
-						<para>
-						Length (default 2048 bit) of the key to be generated.
-						</para>
-					</listitem>
+					</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -151,7 +226,7 @@
 						<option>-V</option>
 					</term>
 					<listitem><para>
-					Print the version of the utility and exit.
+						Print the version of the utility and exit.
 					</para></listitem>
 				</varlistentry>
 
@@ -161,7 +236,7 @@
 						<option>-v</option>
 					</term>
 					<listitem><para>
-					Verbose operation. Use several times to enable debug output.
+						Verbose operation. Use several times to enable debug output.
 					</para></listitem>
 				</varlistentry>
 
@@ -171,10 +246,9 @@
 						<option>-w</option>
 					</term>
 					<listitem><para>
-					Wait for a card to be inserted.
+						Wait for a card to be inserted.
 					</para></listitem>
 				</varlistentry>
-
 			</variablelist>
 		</para>
 	</refsect1>

doc/tools/opensc-asn1.1.xml

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="opensc-asn1">
+	<refmeta>
+		<refentrytitle>opensc-asn1</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>opensc-asn1</refname>
+		<refpurpose>parse ASN.1 data
+		</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>opensc-asn1</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+			<arg choice="opt"><replaceable class="option">FILES</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>opensc-asn1</command> utility is used to parse ASN.1 data.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option></term>
+					<listitem><para>Print help and exit.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option></term>
+					<listitem><para>Print version and exit.</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>opensc-asn1</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+	<!--
+	<refsect1>
+		<title>Reporting Bugs</title>
+		<para>Report bugs to <ulink url="@PACKAGE_BUGREPORT@">@PACKAGE_BUGREPORT@</ulink>.</para>
+	</refsect1>
+	-->
+</refentry>

doc/tools/opensc-notify.1.xml

@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="opensc-notify">
+	<refmeta>
+		<refentrytitle>opensc-notify</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>opensc-notify</refname>
+		<refpurpose> monitor smart card events and send notifications
+		</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>opensc-notify</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>opensc-notify</command> utility is used to
+			monitor smart card events and send the appropriate notification.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option></term>
+					<listitem><para>Print help and exit.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option></term>
+					<listitem><para>Print version and exit.</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+
+		<refsect2>
+			<title>Mode: customized</title>
+			<para>
+				Send customized notifications.
+			</para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--title</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>,
+						<option>-t</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>
+					</term>
+					<listitem><para>
+						Specify the title of the notification.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--message</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>,
+						<option>-m</option> <arg choice="opt"><replaceable>STRING</replaceable></arg>
+					</term>
+					<listitem><para>
+						Specify the main text of the notification.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+
+		<refsect2>
+			<title>Mode: standard</title>
+			<para>
+				Manually send standard notifications.
+			</para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--notify-card-inserted</option>,
+						<option>-I</option></term>
+					<listitem><para>
+						See <parameter>notify_card_inserted</parameter>
+						in <filename>opensc.conf</filename> (default=off).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--notify-card-removed</option>,
+						<option>-R</option></term>
+					<listitem><para>
+						See <parameter>notify_card_removed</parameter>
+						in <filename>opensc.conf</filename> (default=off).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--notify-pin-good</option>,
+						<option>-G</option></term>
+					<listitem><para>
+						See <parameter>notify_pin_good</parameter>
+						in <filename>opensc.conf</filename> (default=off).
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--notify-pin-bad</option>,
+						<option>-B</option></term>
+					<listitem><para>
+						See <parameter>notify_pin_bad</parameter>
+						in <filename>opensc.conf</filename> (default=off).
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>opensc-notify</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+	<!--
+	<refsect1>
+		<title>Reporting Bugs</title>
+		<para>Report bugs to <ulink url="@PACKAGE_BUGREPORT@">@PACKAGE_BUGREPORT@</ulink>.</para>
+	</refsect1>
+	-->
+</refentry>

doc/tools/opensc-tool.1.xml

@@ -35,7 +35,7 @@
 			<variablelist>
 				<varlistentry>
 					<term>
-						<option>--version</option>,
+						<option>--version</option>
 					</term>
 					<listitem><para>Print the OpenSC package release version.</para></listitem>
 				</varlistentry>
@@ -52,8 +52,18 @@
 						<option>--card-driver</option> <replaceable>driver</replaceable>,
 						<option>-c</option> <replaceable>driver</replaceable>
 					</term>
-					<listitem><para>Use the given card driver.
-					The default is auto-detected.</para></listitem>
+					<listitem><para>
+						Use the given card driver.
+						The default is to auto-detect the correct card driver.
+						The literal value <literal>?</literal> lists
+						all available card drivers.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--list-algorithms</option>,
+					</term>
+					<listitem><para>Lists algorithms supported by card</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -92,18 +102,39 @@
 				</varlistentry>
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>num</replaceable>,
-						<option>-r</option> <replaceable>num</replaceable>
+						<option>--get-conf-entry</option> <replaceable>conf</replaceable>,
+						<option>-G</option> <replaceable>conf</replaceable>
 					</term>
-					<listitem><para>Use the given reader number.
-					The default is <literal>0</literal>, the first reader in the system.</para></listitem>
+					<listitem><para>Get configuration key, format: section:name:key</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
-						<option>--reset</option>[=<replaceable>type</replaceable>],
+						<option>--set-conf-entry</option> <replaceable>conf</replaceable>,
+						<option>-S</option> <replaceable>conf</replaceable>
+					</term>
+					<listitem><para>Set configuration key, format: section:name:key:value</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--reset</option> <arg choice="opt"><replaceable>type</replaceable></arg>,
 					</term>
 					<listitem><para>Resets the card in reader.
-					The default reset type is <literal>cold</literal>, but warm reset is also possible.</para></listitem>
+					The default reset type is <literal>cold</literal>,
+					but <literal>warm</literal> reset is also possible.</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -149,4 +180,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>opensc-tool</command> was written by
+		Juha Yrjölä <email>juha.yrjola@iki.fi</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/piv-tool.1.xml

@@ -24,7 +24,7 @@
 		<para>
 			The <command>piv-tool</command> utility can be used from the command line to perform
 			miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3.
-			It is intened for use with test cards only. It can be used to load objects, and generate
+			It is intended for use with test cards only. It can be used to load objects, and generate
 			key pairs, as well as send arbitrary APDU commands to a card after having authenticated
 			to the card using the card key provided by the card vendor.
 		</para>
@@ -53,15 +53,18 @@
 						<option>--admin</option> <replaceable>argument</replaceable>,
 						<option>-A</option> <replaceable>argument</replaceable>
 					</term>
-					<listitem><para>Authenticate to the card using a 2DES or 3DES key.
+					<listitem><para>Authenticate to the card using a 2DES, 3DES or AES key.
 					The <replaceable>argument</replaceable> of the form
 					<synopsis> {<literal>A</literal>|<literal>M</literal>}<literal>:</literal><replaceable>ref</replaceable><literal>:</literal><replaceable>alg</replaceable></synopsis>
 					is required, were <literal>A</literal> uses "EXTERNAL AUTHENTICATION"
 					and <literal>M</literal> uses "MUTUAL AUTHENTICATION".
 					<replaceable>ref</replaceable> is normally <literal>9B</literal>,
-					and <replaceable>alg</replaceable> is <literal>03</literal> for 3DES.
-					The key is provided by the card vendor, and the environment variable
-					<varname>PIV_EXT_AUTH_KEY</varname> must point to a text file containing
+					and <replaceable>alg</replaceable> is <literal>03</literal> for 3DES,
+					<literal>01</literal> for 2DES, <literal>08</literal> for AES-128,
+					<literal>0A</literal> for AES-192 or <literal>0C</literal> for AES-256.
+					The key is provided by the card vendor. The environment variable
+					<varname>PIV_EXT_AUTH_KEY</varname> must point to either a binary file
+					matching the length of the key or a text file containing
 					the key in the format:
 					<code>XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX</code>
 					</para></listitem>
@@ -94,7 +97,7 @@
 				<varlistentry>
 					<term>
 						<option>--cert</option> <replaceable>ref</replaceable>,
-						<option>-s</option> <replaceable>ref</replaceable>
+						<option>-C</option> <replaceable>ref</replaceable>
 					</term>
 					<listitem><para>Load a certificate onto the card.
 					<replaceable>ref</replaceable> is <literal>9A</literal>,
@@ -151,19 +154,17 @@
 
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>num</replaceable>,
-						<option>-r</option> <replaceable>num</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>Use the given reader number. The default is
-					<literal>0</literal>, the first reader in the system.</para></listitem>
-				</varlistentry>
-				<varlistentry>
-					<term>
-						<option>--card-driver</option> <replaceable>driver</replaceable>,
-						<option>-c</option> <replaceable>driver</replaceable>
-					</term>
-					<listitem><para>Use the given card driver.
-					The default is auto-detected.</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@@ -195,4 +196,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>piv-tool</command> was written by
+		Douglas E. Engert <email>deengert@gmail.com</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/pkcs11-register.1.xml

@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="pkcs11-register">
+	<refmeta>
+		<refentrytitle>pkcs11-register</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>pkcs11-register</refname>
+		<refpurpose>Simple tool to install PKCS#11 modules to known applications.</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>pkcs11-register</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>pkcs11-register</command> utility can be used from
+			the command line to register PKCS#11 modules to various applications
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option>
+					</term>
+					<listitem><para>Print help message on screen.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option>
+					</term>
+					<listitem><para>Print the OpenSC package release version.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--module</option> <replaceable>filename</replaceable>,
+						<option>-m</option> <replaceable>filename</replaceable>
+					</term>
+					<listitem><para>
+						Path to the PKCS#11 module to load. The default
+						is OpenSC PKCS#11 module.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-chrome</option>
+					</term>
+					<listitem><para>
+						Don't install module for Chrome browser. By default,
+						the tool attempts to install the module for Chrome
+						browser.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-firefox</option>
+					</term>
+					<listitem><para>
+						Don't install module for Firefox browser. By default,
+						the tool attempts to install the module for Firefox
+						browser.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-thunderbird</option>
+					</term>
+					<listitem><para>
+						Don't install module for Thunderbird mail client.
+						By default, the tool attempts to install the module
+						for Thunderbird mail client.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-seamonkey</option>
+					</term>
+					<listitem><para>
+						Don't install module for Seamonkey. By default,
+						the tool attempts to install the module Seamonkey.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>See also</title>
+		<para>
+			<citerefentry>
+				<refentrytitle>pkcs11-tool</refentrytitle>
+				<manvolnum>1</manvolnum>
+			</citerefentry>
+			<citerefentry>
+				<refentrytitle>opensc.conf</refentrytitle>
+				<manvolnum>5</manvolnum>
+			</citerefentry>
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs11-register</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+</refentry>
+
+

doc/tools/pkcs11-tool.1.xml

@@ -77,9 +77,9 @@
 					</term>
 					<listitem>
 						<para>
-		  					Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption.
-          					Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may 
-          					also allow "SHA224". Default is "SHA-1".
+							Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption.
+							Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may 
+							also allow "SHA224". Default is "SHA-1".
 						</para>
 						<para> 
 							Note that the input to RSA-PKCS-PSS has to be of the size equal to
@@ -146,7 +146,9 @@
 					<term>
 						<option>--key-type</option> <replaceable>specification</replaceable>
 					</term>
-					<listitem><para>Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1.</para></listitem>
+					<listitem><para>Specify the type and length (bytes if symmetric) of the key to create,
+					for example RSA:1024, EC:prime256v1, GOSTR3410-2012-256:B,
+					DES:8, DES3:24, AES:16 or GENERIC:64.</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -170,6 +172,13 @@
 					<listitem><para>Specify 'derive' key usage flag (EC only).</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--usage-wrap</option>
+					</term>
+					<listitem><para>Specify 'wrap' key usage flag.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--label</option> <replaceable>name</replaceable>,
@@ -212,6 +221,13 @@
 					<listitem><para>List slots with tokens.</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--list-interfaces</option>
+					</term>
+					<listitem><para>List interfaces of PKCS #11 3.0 library.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--login</option>,
@@ -266,7 +282,7 @@
 						<option>--moz-cert</option> <replaceable>filename</replaceable>,
 						<option>-z</option> <replaceable>filename</replaceable>
 					</term>
-					<listitem><para>Test a Mozilla-like keypair generation
+					<listitem><para>Test a Mozilla-like key pair generation
 					and certificate request. Specify the <replaceable>filename</replaceable>
 					to the certificate file.</para></listitem>
 				</varlistentry>
@@ -319,6 +335,13 @@
 					<listitem><para>Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--extractable</option>
+					</term>
+					<listitem><para>Set the CKA_EXTRACTABLE attribute (object can be extracted)</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--set-id</option> <replaceable>id</replaceable>,
@@ -396,6 +419,29 @@
 					<listitem><para>Specify the index of the slot to use.</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--object-index</option> <replaceable>index</replaceable>
+					</term>
+					<listitem><para>Specify the index of the object to use.</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--use-locking</option>
+					</term>
+					<listitem><para>Tell pkcs11 module it should use OS thread locking.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--test-threads</option> <replaceable>options</replaceable>
+					</term>
+					<listitem><para>Test a pkcs11 module's thread implication. (See source code).
+					</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--token-label</option> <replaceable>label</replaceable>
@@ -444,6 +490,26 @@
 					viewable after a login).</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--always-auth</option>
+					</term>
+					<listitem><para>Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object.
+					If set, the user has to supply the PIN for each use (sign or decrypt) with the key.</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--allowed-mechanisms</option> <replaceable>mechanisms</replaceable>
+					</term>
+					<listitem><para>Sets the CKA_ALLOWED_MECHANISMS attribute
+					to a key objects when importing an object or generating
+					a keys. The argument accepts comma-separated list of
+					algorithmsm, that can be used with the given key.</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--test-ec</option>
@@ -466,8 +532,9 @@
 						<option>-y</option> <replaceable>type</replaceable>
 					</term>
 					<listitem><para>Specify the type of object to operate on.
-					Examples are <literal>cert</literal>, <literal>privkey</literal>
-					and <literal>pubkey</literal>.</para></listitem>
+					Valid value are <literal>cert</literal>, <literal>privkey</literal>,
+					<literal>pubkey</literal>, <literal>secrkey</literal> 
+					and <literal>data</literal>.</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -481,6 +548,13 @@
 					non-zero number.</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--verify</option>,
+					</term>
+					<listitem><para>Verify signature of some data.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--read-object</option>,
@@ -530,6 +604,13 @@
 					<option>--type</option> cert/privkey/pubkey).</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--signature-file</option> <replaceable>filename</replaceable>
+					</term>
+					<listitem><para>The path to the signature file for signature verification</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--signature-format</option> <replaceable>format</replaceable>
@@ -545,7 +626,7 @@
 					</term>
 					<listitem><para>Write a key or certificate object to the token.
 					<replaceable>filename</replaceable> points to the DER-encoded certificate or key file.
-                                        </para></listitem>
+					</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -553,7 +634,16 @@
 						<option>--generate-random</option> <replaceable>num</replaceable>
 					</term>
 					<listitem><para>Get <replaceable>num</replaceable> bytes of random data.
-                                        </para></listitem>
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--allow-sw</option>
+					</term>
+					<listitem><para>Allow using software mechanisms that do not have the CKF_HW flag set.
+					May be required when using software tokens and emulators.
+					</para></listitem>
 				</varlistentry>
 
 			</variablelist>
@@ -568,9 +658,9 @@
 
 			To read the certificate with ID <replaceable>KEY_ID</replaceable>
 			in DER format from smart card:
-				<programlisting>pkcs11-tool --read-object  --id KEY_ID --type cert --outfile cert.der</programlisting>
+				<programlisting>pkcs11-tool --read-object --id KEY_ID --type cert --output-file cert.der</programlisting>
 
-			To convert the certificate in DER formato to PEM format, use OpenSSL
+			To convert the certificate in DER format to PEM format, use OpenSSL
 			tools:
 				<programlisting>openssl x509 -inform DER -in cert.der -outform PEM > cert.pem</programlisting>
 
@@ -581,4 +671,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs11-tool</command> was written by
+		Olaf Kirch <email>okir@suse.de</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/pkcs15-crypt.1.xml

@@ -129,22 +129,31 @@
 
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>N</replaceable>,
-						<option>-r</option> <replaceable>N</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>Selects the <replaceable>N</replaceable>-th smart
-					card reader configured by the system. If unspecified,
-					<command>pkcs15-crypt</command> will use the first reader
-					found.</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>
 					<term>
+						<option>--md5</option>
 						<option>--sha-1</option>
+						<option>--sha-224</option>
+						<option>--sha-256</option>
+						<option>--sha-384</option>
+						<option>--sha-512</option>
 					</term>
-					<listitem><para>This option tells <command>pkcs15-crypt</command>
-					that the input file is the result of an SHA1 hash operation,
-					rather than an MD5 hash. Again, the data must be in binary
+					<listitem><para>These options tell <command>pkcs15-crypt</command>
+					that the input file is the result of the specified hash operation.
+					By default, an MD5 hash is expected. Again, the data must be in binary
 					representation.</para></listitem>
 				</varlistentry>
 
@@ -174,9 +183,18 @@
 					</term>
 					<listitem><para>When signing with ECDSA key this option indicates
 					to <command>pkcs15-crypt</command> the signature output format.
-					Possible values are 'rs'(default) -- two concatanated
+					Possible values are 'rs'(default) -- two concatenated
 					integers (PKCS#11), 'sequence' or 'openssl' -- DER encoded sequence
-					of two integeres (OpenSSL).</para></listitem>
+					of two integers (OpenSSL).</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--wait</option>,
+						<option>-w</option>
+					</term>
+					<listitem><para>Causes <command>pkcs15-crypt</command> to
+					wait for a card insertion.</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -206,4 +224,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs15-crypt</command> was written by
+		Juha Yrjölä <email>juha.yrjola@iki.fi</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/pkcs15-init.1.xml

@@ -136,11 +136,12 @@
 				<command>pkcs15-init --generate-key " keyspec " --auth-id " nn</command>
 			</para>
 			<para>
-				where <replaceable>keyspec</replaceable> describes the algorithm and length of the
-				key to be created, such as <literal>rsa/512</literal>. This will create a 512 bit
-				RSA key. Currently, only RSA key generation is supported. Note that cards
-				usually support just a few different key lengths. Almost all cards will support
-				512 and 1024 bit keys, some will support 768 or 2048 as well.
+				where <replaceable>keyspec</replaceable> describes the algorithm and the parameters
+				of the key to be created. For example, <literal>rsa:2048</literal> generates a RSA key
+				with 2048-bit modulus. If you are generating an EC key, the curve designation must
+				be specified, for example <literal>ec:prime256v1</literal>. For symmetric key,
+				the length of key is specified in bytes, for example  <literal>AES:32</literal>
+				or <literal>DES3:24</literal>.
 			</para>
 			<para>
 				<replaceable>nn</replaceable> is the ID of a user PIN installed previously,
@@ -148,7 +149,7 @@
 			</para>
 			<para>
 				In addition to storing the private portion of the key on the card,
-				<command>pkcs15-init</command> will also store the the public portion of the
+				<command>pkcs15-init</command> will also store the public portion of the
 				key as a PKCS #15 public key object.
 			</para>
 		</refsect2>
@@ -165,16 +166,16 @@
 			</para>
 			<para>
 				In addition to storing the private portion of the key on the card,
-				<command>pkcs15-init</command> will also store the the public portion of the
+				<command>pkcs15-init</command> will also store the public portion of the
 				key as a PKCS #15 public key object.
 			</para>
 			<para>
 				Note that usage of <option>--id</option> option in the <command>pkcs15-init</command>
-                                commands to generate or to import a new key is deprecated.
-                                Better practice is to let the middleware to derive the identifier from the key material.
-                                (SHA1(modulus) for RSA, SHA1(pub) for DSA, ...).
-                                This allows easily set up relation between 'related' objects
-                                (private/public keys and certificates).
+				commands to generate or to import a new key is deprecated.
+				Better practice is to let the middleware to derive the identifier from the key material.
+				(SHA1(modulus) for RSA, SHA1(pub) for DSA, ...).
+				This allows easily set up relation between 'related' objects
+				(private/public keys and certificates).
 			</para>
 			<para>
 				In addition to the PEM key file format, <command>pkcs15-init</command> also
@@ -242,7 +243,7 @@
 				you would use
 			</para>
 			<para>
-				<command>pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes/256 --auth-id 01</command>
+				<command>pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes:256 --auth-id 01</command>
 			</para>
 			<para>
 				By default a random ID is generated for the secret key. You may specify an ID
@@ -255,12 +256,12 @@
 		<title>Options</title>
 		<para>
 			<variablelist>
-                                <varlistentry>
-                                        <term>
-                                                <option>--version</option>,
-                                        </term>
-                                        <listitem><para>Print the OpenSC package release version.</para></listitem>
-                                </varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+					</term>
+					<listitem><para>Print the OpenSC package release version.</para></listitem>
+				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--card-profile</option> <replaceable>name</replaceable>,
@@ -287,6 +288,17 @@
 					</listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--serial</option> <replaceable>SERIAL</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify the serial number of the card.
+						</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--erase-card</option>,
@@ -301,6 +313,18 @@
 					</listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--erase-application</option> <replaceable>AID</replaceable>
+					</term>
+					<listitem>
+						<para>
+							This will erase the application with the application identifier
+							<replaceable>AID</replaceable>.
+						</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--generate-key</option> <replaceable>keyspec</replaceable>,
@@ -309,62 +333,53 @@
 					<listitem>
 						<para>
 							Tells the card to generate new key and store it on the card.
-							<replaceable>keyspec</replaceable> consists of an algorithm name
-							(currently, the only supported name is <option>RSA</option>),
-							optionally followed by a slash and the length of the key in bits.
+							<replaceable>keyspec</replaceable> consists of an algorithm name,
+							optionally followed by a colon ":", slash "/" or hyphen "-" and
+							the parameters of the key to be created.
 							It is a good idea to specify the key ID along with this command,
 							using the <option>id</option> option, otherwise an intrinsic ID
-                                                        will be calculated from the key material. Look the description of
-                                                        the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details
-                                                        about the algorithm used to calculate intrinsic ID.
-                                                        For the multi-application cards the target PKCS#15 application can be
-                                                        specified by the hexadecimal AID value of the <option>aid</option> option.
+							will be calculated from the key material. Look the description of
+							the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
+							about the algorithm used to calculate intrinsic ID.
+							For the multi-application cards the target PKCS#15 application can be
+							specified by the hexadecimal AID value of the <option>aid</option> option.
 						</para>
 					</listitem>
 				</varlistentry>
 
 				<varlistentry>
 					<term>
-						<option>--options-file</option> <replaceable>filename</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--puk</option> <replaceable>puk</replaceable>,
+						<option>--so-pin</option> <replaceable>sopin</replaceable>,
+						<option>--so-puk</option> <replaceable>sopuk</replaceable>
 					</term>
 					<listitem>
 						<para>
-							Tells <command>pkcs15-init</command> to read additional options
-							from <replaceable>filename</replaceable>. The file is supposed to
-							contain one long option per line, without the leading dashes,
-							for instance:
-<programlisting>
-	pin		frank
-	puk		zappa
-</programlisting>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
 						</para>
 						<para>
-							You can specify <option>--options-file</option> several times.
-						</para>
-					</listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--pin</option>,
-						<option>--puk</option>
-						<option>--so-pin</option>,
-						<option>--so-puk</option>,
-					</term>
-					<listitem>
-						<para>
-							These options can be used to specify PIN/PUK values
-							on the command line. If set to
-							env:<replaceable>VARIABLE</replaceable>, the value
-							of the environment variable
-							<replaceable>VARIABLE</replaceable> is used. Note
-							that on most operation systems, any user can
+							Note that on most operation systems, any user can
 							display the command line of any process on the
 							system using utilities such as
-							<command>ps(1)</command>. Therefore, you should use
-							these options only on a secured system, or in an
-							options file specified with
-							<option>--options-file</option>.
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--no-so-pin</option>,
+					</term>
+					<listitem>
+						<para>
+							Do not install a SO PIN, and do not prompt for it.
 						</para>
 					</listitem>
 				</varlistentry>
@@ -403,7 +418,7 @@
 					<listitem>
 						<para>
 							<replaceable>keyspec</replaceable> describes the algorithm and length of the
-							key to be created or downloaded, such as <literal>aes/256</literal>.
+							key to be created or downloaded, such as <literal>aes:256</literal>.
 							This will create a 256 bit AES key.
 						</para>
 					</listitem>
@@ -419,13 +434,25 @@
 							Tells <command>pkcs15-init</command> to store the certificate given
 							in <option>filename</option> on the card, creating a certificate
 							object with the ID specified via the <option>--id</option> option.
-                                                        Without supplied ID an intrisic ID will be calculated from the
-                                                        certificate's public key. Look the description of the 'pkcs15-id-style'
-                                                        attribut in the 'pkcs15.profile' for the details
-                                                        about the algorithm used to calculate intrinsic ID.
+							Without supplied ID an intrinsic ID will be calculated from the
+							certificate's public key. Look the description of the 'pkcs15-id-style'
+							attribute in the 'pkcs15.profile' for the details
+							about the algorithm used to calculate intrinsic ID.
 							The file is assumed to contain the PEM encoded certificate.
-                                                        For the multi-application cards the target application can be specified
-                                                        by the hexadecimal AID value of the <option>aid</option> option.
+							For the multi-application cards the target application can be specified
+							by the hexadecimal AID value of the <option>aid</option> option.
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--store-pin</option>,
+						<option>-P</option>
+					</term>
+					<listitem>
+						<para>
+							Store a new PIN/PUK on the card.
 						</para>
 					</listitem>
 				</varlistentry>
@@ -459,11 +486,11 @@
 							formats can be specified using <option>--format</option>.
 							It is a good idea to specify the key ID along with this command,
 							using the <option>--id</option> option, otherwise an intrinsic ID
-                                                        will be calculated from the key material. Look the description of
-                                                        the 'pkcs15-id-style' attribut in the 'pkcs15.profile' for the details
-                                                        about the algorithm used to calculate intrinsic ID.
-                                                        For the multi-application cards the target PKCS#15 application can be
-                                                        specified by the hexadecimal AID value of the <option>aid</option> option.
+							will be calculated from the key material. Look the description of
+							the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
+							about the algorithm used to calculate intrinsic ID.
+							For the multi-application cards the target PKCS#15 application can be
+							specified by the hexadecimal AID value of the <option>aid</option> option.
 						</para>
 					</listitem>
 				</varlistentry>
@@ -478,6 +505,8 @@
 							secret key to the card. The file is assumed to contain the raw key.
 							They key type should be specified with <option>--secret-key-algorithm</option>
 							option.
+						</para>
+						<para>
 							You may additionally specify the key ID along with this command,
 							using the <option>--id</option> option, otherwise a random ID is generated.
 							For the multi-application cards the target PKCS#15 application can be
@@ -486,6 +515,18 @@
 					</listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--store-data</option> <replaceable>filename</replaceable>,
+						<option>-W</option> <replaceable>filename</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Store a data object.
+						</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--update-certificate</option> <replaceable>filename</replaceable>,
@@ -495,11 +536,62 @@
 						<para>
 							Tells <command>pkcs15-init</command> to update the certificate
 							object with the ID specified via the <option>--id</option> option
-							with the certificate in <option>filename</option>.
+							with the certificate in <replaceable>filename</replaceable>.
 							The file is assumed to contain a PEM encoded certificate.
 						</para>
 						<para>Pay extra attention when updating mail decryption certificates, as
-						missing certificates can render e-mail messages unreadable!
+							missing certificates can render e-mail messages unreadable!
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--delete-objects</option> <replaceable>arg</replaceable>,
+						<option>-D</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Tells <command>pkcs15-init</command> to delete the
+							specified object.  <replaceable>arg</replaceable>
+							is comma-separated list containing any of
+							<literal>privkey</literal>, <literal>pubkey</literal>,
+							<literal>secrkey</literal>, <literal>cert</literal>,
+							<literal>chain</literal> or <literal>data</literal>.
+						</para>
+						<para>
+							When <literal>data</literal> is specified, an
+							-<option>--application-id</option> must also be
+							specified, in the other cases an
+							<option>--id</option> must also be specified
+						</para>
+						<para>
+							When <literal>chain</literal> is specified, the
+							certificate chain starting with the cert with
+							specified ID will be deleted, until there's a CA
+							certificate that certifies another cert on the card
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--change-attributes</option> <replaceable>arg</replaceable>,
+						<option>-A</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Tells <command>pkcs15-init</command> to change the
+							specified attribute. <replaceable>arg</replaceable>
+							is either <literal>privkey</literal>,
+							<literal>pubkey</literal>, <literal>secrkey</literal>,
+							<literal>cert</literal> or <literal>data</literal>.
+							You also have to specify the <option>--id</option>
+							of the object.
+							For now, you can only change the <option>--label</option>, e.g:
+							<programlisting>
+								pkcs15-init -A cert --id 45 -a 1 --label Jim
+							</programlisting>
 						</para>
 					</listitem>
 				</varlistentry>
@@ -517,6 +609,35 @@
 					</listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--sanity-check</option>,
+						<option>-T</option>
+					</term>
+					<listitem>
+						<para>
+							Tells <command>pkcs15-init</command> to perform a
+							card specific sanity check and possibly update
+							procedure.
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--verbose</option>,
@@ -530,6 +651,15 @@
 					</listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--wait</option>,
+						<option>-w</option>
+					</term>
+					<listitem><para>Causes <command>pkcs15-init</command> to
+							wait for a card insertion.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--use-pinpad</option>
@@ -537,6 +667,241 @@
 					<listitem><para>Do not prompt the user; if no PINs supplied, pinpad will be used.</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--puk-id</option> <replaceable>ID</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify ID of PUK to use/create
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--puk-label</option> <replaceable>LABEL</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify label of PUK
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--public-key-label</option> <replaceable>LABEL</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify public key label (use with <option>--generate-key</option>)
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--cert-label</option> <replaceable>LABEL</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify user cert label (use with <option>--store-private-key</option>)
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--application-name</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify application name of data object (use with <option>--store-data-object</option>)
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--aid</option> <replaceable>AID</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify AID of the on-card PKCS#15 application to be binded to (in hexadecimal form)
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--output-file</option> <replaceable>filename</replaceable>
+						<option>-o</option> <replaceable>filename</replaceable>,
+					</term>
+					<listitem>
+						<para>
+							Output public portion of generated key to file
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--passphrase</option> <replaceable>PASSPHRASE</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify passphrase for unlocking secret key
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--authority</option>
+					</term>
+					<listitem>
+						<para>
+							Mark certificate as a CA certificate
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--key-usage</option> <replaceable>arg</replaceable>
+						<option>-u</option> <replaceable>arg</replaceable>,
+					</term>
+					<listitem>
+						<para>
+							Specifies the X.509 key usage.
+							<replaceable>arg</replaceable> is comma-separated
+							list containing any of
+							<literal>digitalSignature</literal>,
+							<literal>nonRepudiation</literal>,
+							<literal>keyEncipherment</literal>,
+							<literal>dataEncipherment</literal>,
+							<literal>keyAgreement</literal>,
+							<literal>keyCertSign</literal>,
+							<literal>cRLSign</literal>. Abbreviated names are
+							allowed if unique (e.g.
+							<literal>dataEnc</literal>).
+						</para>
+						<para>
+							The alias <literal>sign</literal> is equivalent to
+							<literal>digitalSignature,keyCertSign,cRLSign</literal>
+						</para>
+						<para>
+							The alias <literal>decrypt</literal> is equivalent to
+							<literal>keyEncipherment,dataEncipherment</literal>
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--finalize</option>
+						<option>-F</option>,
+					</term>
+					<listitem>
+						<para>
+							Finish initialization phase of the smart card
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--update-last-update</option>
+					</term>
+					<listitem>
+						<para>
+							Update 'lastUpdate' attribute of tokenInfo
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--ignore-ca-certificates</option>
+					</term>
+					<listitem>
+						<para>
+							When storing PKCS#12 ignore CA certificates
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--update-existing</option>
+					</term>
+					<listitem>
+						<para>
+							Store or update existing certificate
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--extractable</option>
+					</term>
+					<listitem>
+						<para>
+							Private key stored as an extractable key
+						</para>
+					</listitem>
+				</varlistentry>
+
+                                <varlistentry>
+					<term>
+						<option>--user-consent</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Specify user-consent. <replaceable>arg</replaceable> is an integer value.
+                                                        If > 0, the value specifies how many times the
+                                                        object can be accessed before a new authentication is required.
+                                                        If zero, the object does not require re-authentication.
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--insecure</option>
+					</term>
+					<listitem>
+						<para>
+							Insecure mode: do not require a PIN for private key
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--md-container-guid</option> <replaceable>GUID</replaceable>
+					</term>
+					<listitem>
+						<para>
+							For a new key specify GUID for a MD container
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--help</option>
+						<option>-h</option>,
+					</term>
+					<listitem>
+						<para>
+							Display help message
+						</para>
+					</listitem>
+				</varlistentry>
+
 			</variablelist>
 		</para>
 	</refsect1>
@@ -551,4 +916,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs15-init</command> was written by
+		Olaf Kirch <email>okir@suse.de</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/pkcs15-tool.1.xml

@@ -52,8 +52,8 @@
 
 				<varlistentry>
 					<term>
-						<option>--auth-id</option> <replaceable>pin</replaceable>,
-						<option>-a</option> <replaceable>pin</replaceable>
+						<option>--auth-id</option> <replaceable>id</replaceable>,
+						<option>-a</option> <replaceable>id</replaceable>
 					</term>
 					<listitem><para>Specifies the auth id of the PIN to use for the
 					operation. This is useful with the --change-pin operation.</para></listitem>
@@ -75,11 +75,18 @@
 					<listitem><para>List all card objects.</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--list-info</option>
+					</term>
+					<listitem><para>List card objects.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--list-applications</option>
 					</term>
-					<listitem><para>List the on-card PKCS#15 applications</para></listitem>
+					<listitem><para>List the on-card PKCS#15 applications.</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -115,6 +122,18 @@
 					In such a case the <option>--verify-pin</option> option has to be used.</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--list-secret-keys</option>
+					</term>
+					<listitem><para>List all secret (symmetric) keys stored on the token. General
+					information about each secret key is listed (eg. key name, id and
+					algorithm). Actual secret key values are not displayed.
+					For some cards the PKCS#15 attributes of the private keys are protected for reading
+					and need the authentication with the User PIN.
+					In such a case the <option>--verify-pin</option> option has to be used.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--list-pins</option>
@@ -190,8 +209,7 @@
 
 				<varlistentry>
 					<term>
-						<option>--read-certificate</option> <replaceable>cert</replaceable>,
-						<option>-r</option> <replaceable>cert</replaceable>
+						<option>--read-certificate</option> <replaceable>cert</replaceable>
 					</term>
 					<listitem><para>Reads the certificate with the given id.</para></listitem>
 				</varlistentry>
@@ -243,11 +261,32 @@
 
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>num</replaceable>
+						<option>--test-update</option>,
+						<option>-T</option>,
 					</term>
-					<listitem><para>Forces <command>pkcs15-tool</command> to use reader
-					number <replaceable>num</replaceable> for operations. The default is to use
-					reader number 0, the first reader in the system.</para></listitem>
+					<listitem><para>Test if the card needs a security update</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--update</option>,
+						<option>-U</option>,
+					</term>
+					<listitem><para>Update the card with a security update</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--reader</option> <replaceable>arg</replaceable>
+					</term>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -269,6 +308,38 @@
 					in the OpenSC library.</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--new-pin</option> <replaceable>newpin</replaceable>
+						<option>--puk</option> <replaceable>puk</replaceable>
+					</term>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--new-pin</option> <replaceable>pin</replaceable>
+					</term>
+					<listitem><para>Specify New PIN (when changing or unblocking)</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--verify-pin</option>
@@ -277,6 +348,23 @@
                                         (without 'auth-id' the first non-SO, non-Unblock PIN will be verified)</para></listitem>
 				</varlistentry>
 
+				<varlistentry>
+					<term>
+						<option>--test-session-pin</option>
+					</term>
+					<listitem><para>Equivalent to <option>--verify-pin</option>
+					with additional session PIN generation</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--wait</option>,
+						<option>-w</option>
+					</term>
+					<listitem><para>Causes <command>pkcs15-tool</command> to
+					wait for a card insertion.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--use-pinpad</option>
@@ -302,4 +390,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs15-tool</command> was written by
+		Juha Yrjölä <email>juha.yrjola@iki.fi</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/sc-hsm-tool.1.xml

@@ -120,26 +120,25 @@
 				
 				<varlistentry>
 					<term>
-						<option>--so-pin</option> <replaceable>value</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--so-pin</option> <replaceable>sopin</replaceable>,
 					</term>
 					<listitem>
-						<para>Define SO-PIN for initialization. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.</para>
-					</listitem>
-				</varlistentry>
-				
-				<varlistentry>
-					<term>
-						<option>--pin</option> <replaceable>value</replaceable>
-					</term>
-					<listitem>
-						<para>Define user PIN for initialization, wrap or
-						unwrap operation. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.</para>
+						<para>
+							These options can be used to specify the PIN values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
 					</listitem>
 				</varlistentry>
 				
@@ -151,7 +150,25 @@
 						<para>Define number of PIN retries for user PIN during initialization. Default is 3.</para>
 					</listitem>
 				</varlistentry>
-				
+
+				<varlistentry>
+					<term>
+						<option>--bio-server1</option> <replaceable>value</replaceable>
+					</term>
+					<listitem>
+						<para>The hexadecimal AID of of the biometric server for template 1. Switches on the use of the user PIN as session PIN.</para>
+					</listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--bio-server2</option> <replaceable>value</replaceable>
+					</term>
+					<listitem>
+						<para>The hexadecimal AID of of the biometric server for template 2. Switches on the use of the user PIN as session PIN.</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--password</option> <replaceable>value</replaceable>
@@ -201,11 +218,17 @@
 				
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>num</replaceable>,
-						<option>-r</option> <replaceable>num</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>Use the given reader number. The default is
-					<literal>0</literal>, the first reader in the system.</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 				
 				<varlistentry>
@@ -257,4 +280,10 @@
 		</para>
 	</refsect1>
 
+	<refsect1>
+		<title>Authors</title>
+		<para><command>sc-hsm-tool</command> was written by
+		Andreas Schwier <email>andreas.schwier@cardcontact.de</email>.</para>
+	</refsect1>
+
 </refentry>

doc/tools/test-manpage.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-SOURCE_PATH=../../
-
-# find all the manual pages in src/tools
-TOOLS=`find "${SOURCE_PATH}/doc/tools" -name "*.1.xml" | sed -E -e "s|.*/([a-z0-9-]*).*|\1|"`
-ALL=1
-
-for T in $TOOLS; do
-	SWITCHES=`${SOURCE_PATH}/src/tools/${T} 2>&1 | awk '{if (match($0,"--[a-zA-Z0-9-]*",a) != 0) print a[0]} {if (match($0," -[a-zA-Z0-9]",a) != 0) print a[0]}'`
-	for S in $SWITCHES; do
-		grep -q -- "$S" ${SOURCE_PATH}/doc/tools/${T}.1.xml || { echo "${T}: missing switch $S"; ALL=0; };
-	done
-done
-if [ "$ALL" = 0 ]; then
-	echo "Not all the switches in help are documented in manual pages"
-	exit 1;
-fi

doc/tools/tools.xml

@@ -1,33 +1,29 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
-	<title>OpenSC</title>
-	<reference>
-		<referenceinfo>
-			<title>OpenSC tools</title>
-		</referenceinfo>
-		<xi:include href="eidenv.1.xml"/>
-		<xi:include href="cardos-tool.1.xml"/>
-		<xi:include href="cryptoflex-tool.1.xml"/>
-		<xi:include href="netkey-tool.1.xml"/>
-		<xi:include href="openpgp-tool.1.xml"/>
-		<xi:include href="iasecc-tool.1.xml"/>
-		<xi:include href="opensc-tool.1.xml"/>
-		<xi:include href="opensc-explorer.1.xml"/>
-		<xi:include href="piv-tool.1.xml"/>
-		<xi:include href="pkcs11-tool.1.xml"/>
-		<xi:include href="pkcs15-crypt.1.xml"/>
-		<xi:include href="pkcs15-tool.1.xml"/>
-		<xi:include href="pkcs15-init.1.xml"/>
-		<xi:include href="westcos-tool.1.xml"/>
-	</reference>
+	<title>OpenSC Manual Pages: Section 1</title>
 
-	<reference>
-		<referenceinfo>
-			<title>OpenSC file formats</title>
-		</referenceinfo>
-		<xi:include href="pkcs15-profile.5.xml"/>
-	</reference>
+	<xi:include href="cardos-tool.1.xml"/>
+	<xi:include href="cryptoflex-tool.1.xml"/>
+	<xi:include href="dnie-tool.1.xml"/>
+	<xi:include href="egk-tool.1.xml"/>
+	<xi:include href="eidenv.1.xml"/>
+	<xi:include href="gids-tool.1.xml"/>
+	<xi:include href="iasecc-tool.1.xml"/>
+	<xi:include href="netkey-tool.1.xml"/>
+	<xi:include href="npa-tool.1.xml"/>
+	<xi:include href="openpgp-tool.1.xml"/>
+	<xi:include href="opensc-asn1.1.xml"/>
+	<xi:include href="opensc-explorer.1.xml"/>
+	<xi:include href="opensc-notify.1.xml"/>
+	<xi:include href="opensc-tool.1.xml"/>
+	<xi:include href="piv-tool.1.xml"/>
+	<xi:include href="pkcs11-tool.1.xml"/>
+	<xi:include href="pkcs15-crypt.1.xml"/>
+	<xi:include href="pkcs15-init.1.xml"/>
+	<xi:include href="pkcs15-tool.1.xml"/>
+	<xi:include href="sc-hsm-tool.1.xml"/>
+	<xi:include href="westcos-tool.1.xml"/>
 </book>

doc/tools/westcos-tool.1.xml

@@ -62,8 +62,8 @@
 					<listitem><para>Finalize the card. Once finalized the default key is
 					invalidated, so PIN and PUK cannot be changed anymore without user
 					authentication.</para>
-					<para>Warning, un-finalized are insecure because PIN can be changed
-					without user authentication (knowledge of default key
+					<para>Warning, un-finalized cards are insecure because the PIN can be
+					changed without user authentication (knowledge of default key
 					is enough).</para></listitem>
 				</varlistentry>
 
@@ -73,8 +73,8 @@
 						<option>-g</option>
 					</term>
 					<listitem><para>Generate a private key on the card. The card must not have
-					been finalized and a PIN must be installed (ie. the file for ithe PIN must
-					havei been created, see option <option>-i</option>).
+					been finalized and a PIN must be installed (i.e. the file for the PIN must
+					have been created, see option <option>-i</option>).
 					By default the key length is 1536 bits. User authentication is required for
 					this operation. </para></listitem>
 				</varlistentry>
@@ -115,25 +115,28 @@
 
 				<varlistentry>
 					<term>
-						<option>--pin-value</option> <replaceable>value</replaceable>,
-						<option>-x</option> <replaceable>value</replaceable>
+						<option>--pin-value</option> <replaceable>pin</replaceable>,
+						<option>-x</option> <replaceable>pin</replaceable>
+						<option>--puk-value</option> <replaceable>puk</replaceable>,
+						<option>-y</option> <replaceable>puk</replaceable>
 					</term>
-					<listitem><para>Set value of PIN. If set to
-					env:<replaceable>VARIABLE</replaceable>, the value of
-					the environment variable
-					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--puk-value</option> <replaceable>value</replaceable>,
-						<option>-y</option> <replaceable>value</replaceable>
-					</term>
-					<listitem><para>set value of PUK (or value of new PIN for change PIN
-					command see <option>-n</option>). If set to
-					env:<replaceable>VARIABLE</replaceable>, the value of
-					the environment variable
-					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -148,12 +151,17 @@
 
 				<varlistentry>
 					<term>
-						<option>--reader</option> <replaceable>num</replaceable>,
-						<option>-r</option> <replaceable>num</replaceable>
+						<option>--reader</option> <replaceable>arg</replaceable>,
+						<option>-r</option> <replaceable>arg</replaceable>
 					</term>
-					<listitem><para>
-					Use the given reader. The default is the first reader with a card.
-					</para></listitem>
+					<listitem>
+						<para>
+							Number of the reader to use. By default, the first
+							reader with a present card is used. If
+							<replaceable>arg</replaceable> is an ATR, the
+							reader with a matching card will be chosen.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -167,6 +175,7 @@
 
 				<varlistentry>
 					<term>
+						<option>--verbose</option>
 						<option>-v</option>
 					</term>
 					<listitem><para>Causes <command>westcos-tool</command> to be more

etc/Makefile.am

@@ -1,23 +1,23 @@
-CV_CERTS = DESRCACC100001
+CV_CERTS = DESRCACC100001 DESCHSMCVCA00001
 
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-DISTCLEANFILES = opensc.conf
+DISTCLEANFILES = opensc.conf.example
 
 EXTRA_DIST = $(CV_CERTS) Makefile.mak
 
 SUFFIXES = .in
 
-dist_noinst_DATA = opensc.conf.in
-nodist_noinst_DATA = opensc.conf
+dist_noinst_DATA = opensc.conf opensc.conf.example.in
+nodist_noinst_DATA = opensc.conf.example
 
 # Make sure we build this every time
 # as there is no dependency for this.
-# Can be removed if MSVC is not requried.
+# Can be removed if MSVC is not required.
 force:
-opensc.conf: opensc.conf.in force
+opensc.conf.example: opensc.conf.example.in force
 
 .in:
-	@sed \
+	$(AM_V_GEN)sed \
 		-e 's|@pkgdatadir[@]|$(pkgdatadir)|g' \
 		-e 's|@DEBUG_FILE[@]|$(DEBUG_FILE)|g' \
 		-e 's|@DEFAULT_PCSC_PROVIDER[@]|$(DEFAULT_PCSC_PROVIDER)|g' \
@@ -30,16 +30,19 @@ opensc.conf: opensc.conf.in force
 		-e 's|@PROFILE_DIR_DEFAULT[@]|$(PROFILE_DIR_DEFAULT)|g' \
 		< $< > $@
 
-install-exec-hook: opensc.conf
+install-exec-hook: opensc.conf.example
 	$(MKDIR_P) "$(DESTDIR)$(sysconfdir)"
 	if [ -f "$(DESTDIR)$(sysconfdir)/opensc.conf" ]; then \
-		$(INSTALL_DATA) opensc.conf "$(DESTDIR)$(sysconfdir)/opensc.conf.new"; \
+		$(INSTALL_DATA) $(srcdir)/opensc.conf "$(DESTDIR)$(sysconfdir)/opensc.conf.new"; \
 	else \
-		$(INSTALL_DATA) opensc.conf "$(DESTDIR)$(sysconfdir)/opensc.conf"; \
+		$(INSTALL_DATA) $(srcdir)/opensc.conf "$(DESTDIR)$(sysconfdir)/opensc.conf"; \
 	fi
+	$(MKDIR_P) "$(DESTDIR)$(docdir)"
+	$(INSTALL_DATA) opensc.conf.example "$(DESTDIR)$(docdir)/opensc.conf";
 
-uninstall-hook: opensc.conf
+uninstall-hook: opensc.conf.example
 	rm -f "$(DESTDIR)$(sysconfdir)/opensc.conf.new" "$(DESTDIR)$(sysconfdir)/opensc.conf"
+	rm -f "$(DESTDIR)$(docdir)/opensc.conf"
 
 if ENABLE_OPENPACE
 install-data-local:

etc/opensc.conf

@@ -0,0 +1,7 @@
+app default {
+	# debug = 3;
+	# debug_file = opensc-debug.txt;
+	framework pkcs15 {
+		# use_file_caching = true;
+	}
+}

etc/opensc.conf.example.in

@@ -21,41 +21,31 @@ app default {
 	#
 	# debug_file = @DEBUG_FILE@
 
-	# Reopen debug file at the every debug message.
-	#
-	# For Windows it's forced to 'true'. The reason is that
-	#   in Windows file handles can not be shared between DLL-s,
-	#   each DLL has a separate file handle table.
-	#
-	# Default: false
-	# reopen_debug_file = true;
-
 	# PKCS#15 initialization / personalization
 	# profiles directory for pkcs15-init.
 	# Default: @PROFILE_DIR_DEFAULT@
 	#
 	# profile_dir = @PROFILE_DIR@;
 
-	# Paranoid memory allocation.
-	#
-	# If set to 'true', then refuse to continue when locking of non-pageable
-	# memory fails. This can cause subtle failures but is more secure when
-	# you have a swap disk.
-	# Default: false
-	#
-	# paranoid_memory = false;
-
-	# Dsiable pop-ups of built-in GUI
+	# Disable pop-ups of built-in GUI
 	#
 	# Default: false
 	# disable_popups = true;
 
 	# Enable default card driver
-	# Default card driver is explicitely enabled for the 'opensc-explorer' and 'opensc-tool'.
+	# Default card driver is explicitly enabled for the 'opensc-explorer' and 'opensc-tool'.
 	#
 	# Default: false
 	# enable_default_driver = true;
 
+	# List of readers to ignore
+	# If any of the strings listed below is matched in a reader name (case
+	# sensitive, partial matching possible), the reader is ignored by OpenSC.
+	# Use `opensc-tool --list-readers` to see all currently connected readers.
+	#
+	# Default: empty
+	# ignored_readers = "CardMan 1021", "SPR 532";
+
 	# CT-API module configuration.
 	reader_driver ctapi {
 		# module @LIBDIR@@LIB_PRE@towitoko@DYN_LIB_EXT@ {
@@ -103,6 +93,12 @@ app default {
 		# Default: true
 		# enable_pinpad = false;
 		#
+		# Some pinpad readers can only handle one exact length of the PIN.
+		# fixed_pinlength sets this value so that OpenSC expands the padding to
+		# this length.
+		# Default: 0 (i.e. not fixed)
+		# fixed_pinlength = 6;
+		#
 		# Detect reader capabilities with escape commands (wrapped APDUs with
 		# CLA=0xFF as defined by PC/SC pt. 3 and BSI TR-03119, e.g. for getting
 		# the UID, escaped PIN commands and the reader's firmware version)
@@ -147,7 +143,7 @@ app default {
 	# statically linked drivers that may be removed in the future.
 	#
 	# A special value of 'internal' will load all
-	# statically linked drivers. If an unknown (ie. not
+	# statically linked drivers. If an unknown (i.e. not
 	# internal) driver is supplied, a separate configuration
 	# configuration block has to be written for the driver.
 	# Default: internal
@@ -178,7 +174,7 @@ app default {
 		# QES is only possible with a Comfort Reader (CAT-K), which holds a
 		# cryptographic key to authenticate itself as signature terminal (ST).
 		# We usually will use the reader's capability to sign the data.
-		# However, during developement you may specify soft certificates and
+		# However, during development you may specify soft certificates and
 		# keys for a ST below.
 		# The following example EAC PKI can be found in vicc's example data:
 		# https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data
@@ -188,15 +184,6 @@ app default {
 		#st_key = ZZSTTERM00001.pkcs8;
 	}
 
-	# Force using specific card driver
-	#
-	# If this option is present, OpenSC will use the supplied
-	# driver with all inserted cards.
-	#
-	# Default: autodetect
-	#
-	# force_card_driver = customcos;
-
 	# Configuration block for DNIe
 	#
 	# Card DNIe has an option to show an extra warning before
@@ -215,6 +202,15 @@ app default {
 		# user_consent_app = "/usr/bin/pinentry";
 	}
 
+	card_driver edo {
+		# CAN is required to establish connection
+		# with the card. It might be overridden by
+		# EDO_CAN environment variable. Currently,
+		# it is not possible to set it in any other way.
+		#
+		#can = 123456;
+	}
+
 	# In addition to the built-in list of known cards in the
 	# card driver, you can configure a new card for the driver
 	# using the card_atr block. The goal is to centralize
@@ -276,10 +272,6 @@ app default {
 		#
 		# flags = "rng", "keep_alive", "0x80000000";
 
-		# Enable pkcs11 initialization.
-		# Default: no
-		# pkcs11_enable_InitToken = yes;
-
 		#
 		# Context: PKCS#15 emulation layer
 		#
@@ -299,10 +291,10 @@ app default {
 
 		# Context: minidriver
 		#
-		# md_read_only: Mark card as read/only card in Minidriver/BaseCSP interface (Default: false)
+		# read_only: Mark card as read/only card in Minidriver/BaseCSP interface (Default: false)
 		# md_supports_X509_enrollment: Indicate X509 enrollment support at Minidriver/BaseCSP interface (Default: false)
-		# md_guid_as_id: Use the GUID generated for the key as id in the PKCS#15 structure (Default: false - auto generated)
-		# md_guid_as_label: Use the GUID generated for the key as label in the PKCS#15 structure (Default: false - no label set)
+		# md_guid_as_id: Use the GUID generated for the key as id in the PKCS#15 structure (Default: false, i.e. auto generated)
+		# md_guid_as_label: Use the GUID generated for the key as label in the PKCS#15 structure (Default: false, i.e. no label set)
 		# md_supports_container_key_gen: Card allows generating key pairs on the card (Default: false)
 		# md_supports_container_key_import: Card allows importing private keys (Default: false)
 		#
@@ -330,21 +322,18 @@ app default {
 		# Default: "Please enter your PIN to unblock the user PIN on the PINPAD."
 		# md_pinpad_dlg_content_admin = "Content Admin";
 		#
-		# Content of the PIN pad dialog after pressing "Cancel", when the reader doesn't respond to SCardCancel
-		# md_pinpad_dlg_content_cancel = "Content Cancel";
-		#
 		# Expanded information of the PIN pad dialog
 		# Default: "This window will be closed automatically after the PIN has been submitted on the PINPAD (timeout typically after 30 seconds)."
 		# md_pinpad_dlg_expanded = "Expanded Information";
 		#
-		# Expanded information of the PIN pad dialog after pressing "Cancel", when the reader doesn't respond to SCardCancel
-		# Default: "Some readers only support canceling the operation on the PIN pad. Press Cancel or remove the card."
-		# md_pinpad_dlg_expanded_cancel = "Expanded Information Cancel";
-		#
-		# Allow the user to cancel the PIN pad dialog
+		# Allow the user to cancel the PIN pad dialog by not immediately requesting the PIN on the PIN pad
 		# Default: false
 		# md_pinpad_dlg_enable_cancel = true;
 		#
+		# Content of the verification of the PIN pad dialog
+		# Default: "Automatically request PIN immediately on PIN-Pad"
+		# md_pinpad_dlg_verification = "Verification";
+		#
 		# Time in seconds for the progress bar of the PIN pad dialog to tick. "0" removes the progress bar.
 		# Default: 30
 		# md_pinpad_dlg_timeout = 0;
@@ -399,19 +388,6 @@ app default {
 		flags = "keep_alive";
 	}
 
-	# Micardo driver sometimes only play together with T=0
-	# In theory only the 'cold' ATR should be specified, as T=0 will
-	# be the preferred protocol once you boot it up with T=0, but be
-	# paranoid.
-	#
-	# D-Trust cards are also based on micardo and need T=0 for some reason
-	card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
-		force_protocol = t0;
-	}
-	card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
-		force_protocol = t0;
-	}
-
 	# Oberthur's AuthentIC v3.2.2
 	card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B {
 		type = 11100;
@@ -429,7 +405,7 @@ app default {
 		name = "Gemalto MultiApp IAS/ECC v1.0.1";
 		secure_messaging = local_gemalto_iam;
 		# secure_messaging = local_adele;
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 	}
 	card_atr 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00 {
@@ -437,7 +413,7 @@ app default {
 		driver = "iasecc";
 		name = "Gemalto MultiApp IAS/ECC v1.0.1";
 		secure_messaging = local_gemalto_iam;
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 	}
 	#card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:FE {
@@ -456,7 +432,7 @@ app default {
 	#	type = 25005;
 	#	driver = "iasecc";
 	#	name = "Morpho MI IAS/ECC v1.0.1";
-	#	md_read_only = false;
+	#	read_only = false;
 	#	md_supports_X509_enrollment = true;
 	#	secure_messaging = local_morpho_mi;
 	#}
@@ -464,7 +440,7 @@ app default {
 		type = 25004;
 		driver = "iasecc";
 		name = "Amos IAS/ECC v1.0.1";
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		secure_messaging = local_amos;
 	}
@@ -472,7 +448,7 @@ app default {
 		type = 25004;
 		driver = "iasecc";
 		name = "Amos IAS/ECC v1.0.1";
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		secure_messaging = local_amos_eid;
 	}
@@ -480,7 +456,7 @@ app default {
 	# SmartCard-HSM with contact-based interface or USB-Stick
 	card_atr 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA {
 		driver = "sc-hsm";
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -489,7 +465,16 @@ app default {
 	# SmartCard-HSM with contact-less interface
 	card_atr 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18 {
 		driver = "sc-hsm";
-		md_read_only = false;
+		read_only = false;
+		md_supports_X509_enrollment = true;
+		md_supports_container_key_gen = true;
+		md_guid_as_label = true;
+	}
+
+	# SmartCard-HSM 4k with contact-based interface or USB-Stick
+	card_atr 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c {
+		driver = "sc-hsm";
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -498,7 +483,7 @@ app default {
 	# SmartCard-HSM with fingerprint sensor and PIN pad
 	card_atr 3B:80:80:01:01 {
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -507,8 +492,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -524,7 +507,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -533,8 +516,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -549,7 +530,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -558,8 +539,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -574,7 +553,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -583,8 +562,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -599,7 +576,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -608,8 +585,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -624,7 +599,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -633,8 +608,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -649,7 +622,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -658,8 +631,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -674,7 +645,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -683,8 +654,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -699,7 +668,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -708,8 +677,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -724,7 +691,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -733,8 +700,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -750,7 +715,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -759,8 +724,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -776,7 +739,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -785,8 +748,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -802,7 +763,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -811,8 +772,6 @@ app default {
 		md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte.";
 		md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein.";
 		md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen.";
-		md_pinpad_dlg_expanded_cancel = "Die Karte unterstützt das Abbrechen ausschließlich am PIN-Pad. Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen oder entfernen Sie die Karte.";
-		md_pinpad_dlg_allow_cancel = false;
 		md_pinpad_dlg_timeout = 30;
 		notify_card_inserted = "GoID erkannt";
 		notify_card_inserted_text = "";
@@ -827,8 +786,8 @@ app default {
 		# name of external SM module
 		# module_name = @DEFAULT_SM_MODULE@;
 		# directory with external SM module
-		# Default: defined by windows register
-		@DEFAULT_SM_MODULE_PATH@
+		# Default: @DEFAULT_SM_MODULE_PATH@
+		# module_path = @DEFAULT_SM_MODULE_PATH@;
 
 		# specific data to tune the module initialization
 		# module_data = "Here can be your SM module init data";
@@ -851,7 +810,7 @@ app default {
 
 	secure_messaging local_gemalto_iam  {
 		module_name = @DEFAULT_SM_MODULE@;
-		@DEFAULT_SM_MODULE_PATH@
+		# module_path = @DEFAULT_SM_MODULE_PATH@;
 		# module_data = "";
 		type = acl;	     # transmit, acl
 
@@ -870,7 +829,7 @@ app default {
 
 	secure_messaging local_amos  {
 		module_name = @DEFAULT_SM_MODULE@;
-		@DEFAULT_SM_MODULE_PATH@
+		# module_path = @DEFAULT_SM_MODULE_PATH@;
 		# module_data = "";
 		mode = acl;
 		ifd_serial = "11:22:33:44:55:66:77:88";
@@ -880,7 +839,7 @@ app default {
 
 	secure_messaging local_amos_eid  {
 		module_name = @DEFAULT_SM_MODULE@;
-		@DEFAULT_SM_MODULE_PATH@
+		# module_path = @DEFAULT_SM_MODULE_PATH@;
 		# module_data = "";
 		mode = acl;
 		ifd_serial = "11:22:33:44:55:66:77:88";
@@ -890,7 +849,7 @@ app default {
 
 	secure_messaging local_adele  {
 		module_name = @DEFAULT_SM_MODULE@;
-		@DEFAULT_SM_MODULE_PATH@
+		# module_path = @DEFAULT_SM_MODULE_PATH@;
 		# module_data = "";
 		type = acl;	     # transmit, acl
 
@@ -920,11 +879,10 @@ app default {
 		# Whether to use the cache files in the user's
 		# home directory.
 		#
-		# At the moment you have to 'teach' the card
-		# to the system by running command: pkcs15-tool -L
+		# Note: If caching is done by a system process, caching may be placed
+		# inaccessible from the user account. Use a global caching directory if
+		# you wish to share the cached information.
 		#
-		# WARNING: Caching shouldn't be used in setuid root
-		# applications.
 		# Default: false
 		# use_file_caching = true;
 		#
@@ -933,7 +891,7 @@ app default {
 		# (with certificate check)  where $HOME is not set
 		# Default: path in user home
 		# file_cache_dir = /var/lib/opensc/cache
-                #
+
 		# Use PIN caching?
 		# Default: true
 		# use_pin_caching = false;
@@ -945,8 +903,15 @@ app default {
 		# Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE
 		# may need to set this to get signatures to work with some cards.
 		# Default: false
+		# It is recommended to enable also use_pin_caching to allow OpenSC
+		# to pass the pin to the card when needed.
 		# pin_cache_ignore_user_consent = true;
-		#
+
+		# How to handle a PIN-protected certificate
+		# Valid values: protect, declassify, ignore.
+		# Default: ignore in tokend, protect otherwise
+		# private_certificate = declassify;
+
 		# Enable pkcs15 emulation.
 		# Default: yes
 		# enable_pkcs15_emulation = no;
@@ -964,7 +929,7 @@ app default {
 		# enable_builtin_emulation = no;
 		#
 		# List of the builtin pkcs15 emulators to test
-		# Default: esteid, openpgp, tcos, starcert, itacns, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II;
+		# Default: esteid, openpgp, tcos, starcert, itacns, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II;
 		# builtin_emulators = openpgp;
 
 		# additional settings per driver
@@ -978,12 +943,16 @@ app default {
 			# module = @LIBDIR@@LIB_PRE@p15emu_custom@DYN_LIB_EXT@;
 		# }
 
+		# Enable initialization and card recognition in PKCS#11 layer.
+		# Default: no
+		# pkcs11_enable_InitToken = yes;
+
 		# some additional application parameters:
 		# - type (generic, protected) used to distinguish the common access application
 		#   and application for which authentication to perform some operation cannot be
 		#   obtained with the common procedures (ex. object creation protected by secure messaging).
-		#   Used by PKCS#11 module configurated to expose restricted number of slots.
-		#   (for ex. configurated to expose only User PIN slot, User and Sign PINs slots, ...)
+		#   Used by PKCS#11 module configured to expose restricted number of slots.
+		#   (for ex. configured to expose only User PIN slot, User and Sign PINs slots, ...)
 		#
 		# - disable: do not expose application in PKCS15 framework
 		#            default 'false'
@@ -1028,15 +997,6 @@ app opensc-pkcs11 {
 		# (max_virtual_slots/slots_per_card) limits the number of readers
 		# that can be used on the system. Default is then 16/4=4 readers.
 
-		# Normally, the pkcs11 module will create
-		# the full number of slots defined above by
-		# num_slots. If there are fewer pins/keys on
-		# the card, the remaining keys will be empty
-		# (and you will be able to create new objects
-		# within them).
-		# Default: true
-		# hide_empty_tokens = false;
-
 		# By default, the OpenSC PKCS#11 module will not lock your card
 		# once you authenticate to the card via C_Login.
 		#
@@ -1071,7 +1031,7 @@ app opensc-pkcs11 {
 		# abusing an existing login or they may logout unnoticed.
 		#
 		# With this setting enabled the login state of the token is tracked and
-		# cached (including the PIN). Every transaction is preceeded by
+		# cached (including the PIN). Every transaction is preceded by
 		# restoring the login state.  After every transaction a logout is
 		# performed. This setting by default also enables `lock_login` (see
 		# above) to disable access for other applications during the atomic
@@ -1105,7 +1065,7 @@ app opensc-pkcs11 {
 		#    init_pin_in_so_session:  C_InitPIN() in CKU_SO logged session:
 		#       User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN).
 		#       # Actually this style works only for the PKCS15 contents without SOPIN.
-		#       # For those with SOPIN, this mode will be usefull for the cards without
+		#       # For those with SOPIN, this mode will be useful for the cards without
 		#       #   modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt
 		#
 		# Default: none
@@ -1120,26 +1080,11 @@ app opensc-pkcs11 {
 		# Default: false
 		# create_puk_slot = true;
 
-		# Report as 'zero' the CKA_ID attribute of CA certificate
-		# For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus)
-		# card reports as '0' the CKA_ID of CA cartificates.
-		# Maybe someone else will need it. (Would be nice to know who and what for -- VTA)
-		#
-		# Default: false
-		# zero_ckaid_for_ca_certs = true;
-
-		# List of readers to ignore
-		# If any of the strings listed below is matched (case sensitive) in a reader name,
-		# the reader is ignored by the PKCS#11 module.
-		#
-		# Default: empty
-		# ignored_readers = "CardMan 1021", "SPR 532";
-
 		# Symbolic names of PINs for which slots are created
 		# Card can contain more then one PINs or more then one on-card application with
 		#   its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be
 		#   created for all of them. Many slots could be ennoying for some of widely used application,
-		#   like FireFox. This configuration parameter allows to select the PIN(s)
+		#   like FireFox. This configuration parameter allows one to select the PIN(s)
 		#   for which PKCS#11 slot will be created.
 		# Actually recognised following symbolic names:
 		#  'user', 'sign', 'all'

m4/ax_ac_append_to_file.m4

@@ -0,0 +1,32 @@
+# ===========================================================================
+#   https://www.gnu.org/software/autoconf-archive/ax_ac_append_to_file.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_AC_APPEND_TO_FILE([FILE],[DATA])
+#
+# DESCRIPTION
+#
+#   Appends the specified data to the specified Autoconf is run. If you want
+#   to append to a file when configure is run use AX_APPEND_TO_FILE instead.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+AC_DEFUN([AX_AC_APPEND_TO_FILE],[
+AC_REQUIRE([AX_FILE_ESCAPES])
+m4_esyscmd(
+AX_FILE_ESCAPES
+[
+printf "%s" "$2" >> "$1"
+])
+])

m4/ax_ac_print_to_file.m4

@@ -0,0 +1,32 @@
+# ===========================================================================
+#   https://www.gnu.org/software/autoconf-archive/ax_ac_print_to_file.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_AC_PRINT_TO_FILE([FILE],[DATA])
+#
+# DESCRIPTION
+#
+#   Writes the specified data to the specified file when Autoconf is run. If
+#   you want to print to a file when configure is run use AX_PRINT_TO_FILE
+#   instead.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+AC_DEFUN([AX_AC_PRINT_TO_FILE],[
+m4_esyscmd(
+AC_REQUIRE([AX_FILE_ESCAPES])
+[
+printf "%s" "$2" > "$1"
+])
+])

m4/ax_add_am_macro_static.m4

@@ -0,0 +1,28 @@
+# ===========================================================================
+#  https://www.gnu.org/software/autoconf-archive/ax_add_am_macro_static.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_ADD_AM_MACRO_STATIC([RULE])
+#
+# DESCRIPTION
+#
+#   Adds the specified rule to $AMINCLUDE.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Tom Howard <tomhoward@users.sf.net>
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 8
+
+AC_DEFUN([AX_ADD_AM_MACRO_STATIC],[
+  AC_REQUIRE([AX_AM_MACROS_STATIC])
+  AX_AC_APPEND_TO_FILE(AMINCLUDE_STATIC,[$1])
+])

m4/ax_am_macros_static.m4

@@ -0,0 +1,38 @@
+# ===========================================================================
+#   https://www.gnu.org/software/autoconf-archive/ax_am_macros_static.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_AM_MACROS_STATIC
+#
+# DESCRIPTION
+#
+#   Adds support for macros that create Automake rules. You must manually
+#   add the following line
+#
+#     include $(top_srcdir)/aminclude_static.am
+#
+#   to your Makefile.am files.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Tom Howard <tomhoward@users.sf.net>
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 11
+
+AC_DEFUN([AMINCLUDE_STATIC],[aminclude_static.am])
+
+AC_DEFUN([AX_AM_MACROS_STATIC],
+[
+AX_AC_PRINT_TO_FILE(AMINCLUDE_STATIC,[
+# ]AMINCLUDE_STATIC[ generated automatically by Autoconf
+# from AX_AM_MACROS_STATIC on ]m4_esyscmd([LC_ALL=C date])[
+])
+])

m4/ax_check_gnu_make.m4

@@ -0,0 +1,95 @@
+# ===========================================================================
+#    https://www.gnu.org/software/autoconf-archive/ax_check_gnu_make.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_GNU_MAKE([run-if-true],[run-if-false])
+#
+# DESCRIPTION
+#
+#   This macro searches for a GNU version of make. If a match is found:
+#
+#     * The makefile variable `ifGNUmake' is set to the empty string, otherwise
+#       it is set to "#". This is useful for including a special features in a
+#       Makefile, which cannot be handled by other versions of make.
+#     * The makefile variable `ifnGNUmake' is set to #, otherwise
+#       it is set to the empty string. This is useful for including a special
+#       features in a Makefile, which can be handled
+#       by other versions of make or to specify else like clause.
+#     * The variable `_cv_gnu_make_command` is set to the command to invoke
+#       GNU make if it exists, the empty string otherwise.
+#     * The variable `ax_cv_gnu_make_command` is set to the command to invoke
+#       GNU make by copying `_cv_gnu_make_command`, otherwise it is unset.
+#     * If GNU Make is found, its version is extracted from the output of
+#       `make --version` as the last field of a record of space-separated
+#       columns and saved into the variable `ax_check_gnu_make_version`.
+#     * Additionally if GNU Make is found, run shell code run-if-true
+#       else run shell code run-if-false.
+#
+#   Here is an example of its use:
+#
+#   Makefile.in might contain:
+#
+#     # A failsafe way of putting a dependency rule into a makefile
+#     $(DEPEND):
+#             $(CC) -MM $(srcdir)/*.c > $(DEPEND)
+#
+#     @ifGNUmake@ ifeq ($(DEPEND),$(wildcard $(DEPEND)))
+#     @ifGNUmake@ include $(DEPEND)
+#     @ifGNUmake@ else
+#     fallback code
+#     @ifGNUmake@ endif
+#
+#   Then configure.in would normally contain:
+#
+#     AX_CHECK_GNU_MAKE()
+#     AC_OUTPUT(Makefile)
+#
+#   Then perhaps to cause gnu make to override any other make, we could do
+#   something like this (note that GNU make always looks for GNUmakefile
+#   first):
+#
+#     if  ! test x$_cv_gnu_make_command = x ; then
+#             mv Makefile GNUmakefile
+#             echo .DEFAULT: > Makefile ;
+#             echo \  $_cv_gnu_make_command \$@ >> Makefile;
+#     fi
+#
+#   Then, if any (well almost any) other make is called, and GNU make also
+#   exists, then the other make wraps the GNU make.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 John Darrington <j.darrington@elvis.murdoch.edu.au>
+#   Copyright (c) 2015 Enrico M. Crisostomo <enrico.m.crisostomo@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 12
+
+AC_DEFUN([AX_CHECK_GNU_MAKE],dnl
+  [AC_PROG_AWK
+  AC_CACHE_CHECK([for GNU make],[_cv_gnu_make_command],[dnl
+    _cv_gnu_make_command="" ;
+dnl Search all the common names for GNU make
+    for a in "$MAKE" make gmake gnumake ; do
+      if test -z "$a" ; then continue ; fi ;
+      if "$a" --version 2> /dev/null | grep GNU 2>&1 > /dev/null ; then
+        _cv_gnu_make_command=$a ;
+        AX_CHECK_GNU_MAKE_HEADLINE=$("$a" --version 2> /dev/null | grep "GNU Make")
+        ax_check_gnu_make_version=$(echo ${AX_CHECK_GNU_MAKE_HEADLINE} | ${AWK} -F " " '{ print $(NF); }')
+        break ;
+      fi
+    done ;])
+dnl If there was a GNU version, then set @ifGNUmake@ to the empty string, '#' otherwise
+  AS_VAR_IF([_cv_gnu_make_command], [""], [AS_VAR_SET([ifGNUmake], ["#"])],   [AS_VAR_SET([ifGNUmake], [""])])
+  AS_VAR_IF([_cv_gnu_make_command], [""], [AS_VAR_SET([ifnGNUmake], [""])],   [AS_VAR_SET([ifnGNUmake], ["#"])])
+  AS_VAR_IF([_cv_gnu_make_command], [""], [AS_UNSET(ax_cv_gnu_make_command)], [AS_VAR_SET([ax_cv_gnu_make_command], [${_cv_gnu_make_command}])])
+  AS_VAR_IF([_cv_gnu_make_command], [""],[$2],[$1])
+  AC_SUBST([ifGNUmake])
+  AC_SUBST([ifnGNUmake])
+])

m4/ax_code_coverage.m4

@@ -0,0 +1,272 @@
+# ===========================================================================
+#     https://www.gnu.org/software/autoconf-archive/ax_code_coverage.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CODE_COVERAGE()
+#
+# DESCRIPTION
+#
+#   Defines CODE_COVERAGE_CPPFLAGS, CODE_COVERAGE_CFLAGS,
+#   CODE_COVERAGE_CXXFLAGS and CODE_COVERAGE_LIBS which should be included
+#   in the CPPFLAGS, CFLAGS CXXFLAGS and LIBS/LIBADD variables of every
+#   build target (program or library) which should be built with code
+#   coverage support. Also add rules using AX_ADD_AM_MACRO_STATIC; and
+#   $enable_code_coverage which can be used in subsequent configure output.
+#   CODE_COVERAGE_ENABLED is defined and substituted, and corresponds to the
+#   value of the --enable-code-coverage option, which defaults to being
+#   disabled.
+#
+#   Test also for gcov program and create GCOV variable that could be
+#   substituted.
+#
+#   Note that all optimization flags in CFLAGS must be disabled when code
+#   coverage is enabled.
+#
+#   Usage example:
+#
+#   configure.ac:
+#
+#     AX_CODE_COVERAGE
+#
+#   Makefile.am:
+#
+#     include $(top_srcdir)/aminclude_static.am
+#
+#     my_program_LIBS = ... $(CODE_COVERAGE_LIBS) ...
+#     my_program_CPPFLAGS = ... $(CODE_COVERAGE_CPPFLAGS) ...
+#     my_program_CFLAGS = ... $(CODE_COVERAGE_CFLAGS) ...
+#     my_program_CXXFLAGS = ... $(CODE_COVERAGE_CXXFLAGS) ...
+#
+#     clean-local: code-coverage-clean
+#     distclean-local: code-coverage-dist-clean
+#
+#   This results in a "check-code-coverage" rule being added to any
+#   Makefile.am which do "include $(top_srcdir)/aminclude_static.am"
+#   (assuming the module has been configured with --enable-code-coverage).
+#   Running `make check-code-coverage` in that directory will run the
+#   module's test suite (`make check`) and build a code coverage report
+#   detailing the code which was touched, then print the URI for the report.
+#
+#   This code was derived from Makefile.decl in GLib, originally licensed
+#   under LGPLv2.1+.
+#
+# LICENSE
+#
+#   Copyright (c) 2012, 2016 Philip Withnall
+#   Copyright (c) 2012 Xan Lopez
+#   Copyright (c) 2012 Christian Persch
+#   Copyright (c) 2012 Paolo Borelli
+#   Copyright (c) 2012 Dan Winship
+#   Copyright (c) 2015,2018 Bastien ROUCARIES
+#
+#   This library is free software; you can redistribute it and/or modify it
+#   under the terms of the GNU Lesser General Public License as published by
+#   the Free Software Foundation; either version 2.1 of the License, or (at
+#   your option) any later version.
+#
+#   This library is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
+#   General Public License for more details.
+#
+#   You should have received a copy of the GNU Lesser General Public License
+#   along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+#serial 32
+
+m4_define(_AX_CODE_COVERAGE_RULES,[
+AX_ADD_AM_MACRO_STATIC([
+# Code coverage
+#
+# Optional:
+#  - CODE_COVERAGE_DIRECTORY: Top-level directory for code coverage reporting.
+#    Multiple directories may be specified, separated by whitespace.
+#    (Default: \$(top_builddir))
+#  - CODE_COVERAGE_OUTPUT_FILE: Filename and path for the .info file generated
+#    by lcov for code coverage. (Default:
+#    \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage.info)
+#  - CODE_COVERAGE_OUTPUT_DIRECTORY: Directory for generated code coverage
+#    reports to be created. (Default:
+#    \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage)
+#  - CODE_COVERAGE_BRANCH_COVERAGE: Set to 1 to enforce branch coverage,
+#    set to 0 to disable it and leave empty to stay with the default.
+#    (Default: empty)
+#  - CODE_COVERAGE_LCOV_SHOPTS_DEFAULT: Extra options shared between both lcov
+#    instances. (Default: based on $CODE_COVERAGE_BRANCH_COVERAGE)
+#  - CODE_COVERAGE_LCOV_SHOPTS: Extra options to shared between both lcov
+#    instances. (Default: $CODE_COVERAGE_LCOV_SHOPTS_DEFAULT)
+#  - CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH: --gcov-tool pathtogcov
+#  - CODE_COVERAGE_LCOV_OPTIONS_DEFAULT: Extra options to pass to the
+#    collecting lcov instance. (Default: $CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH)
+#  - CODE_COVERAGE_LCOV_OPTIONS: Extra options to pass to the collecting lcov
+#    instance. (Default: $CODE_COVERAGE_LCOV_OPTIONS_DEFAULT)
+#  - CODE_COVERAGE_LCOV_RMOPTS_DEFAULT: Extra options to pass to the filtering
+#    lcov instance. (Default: empty)
+#  - CODE_COVERAGE_LCOV_RMOPTS: Extra options to pass to the filtering lcov
+#    instance. (Default: $CODE_COVERAGE_LCOV_RMOPTS_DEFAULT)
+#  - CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT: Extra options to pass to the
+#    genhtml instance. (Default: based on $CODE_COVERAGE_BRANCH_COVERAGE)
+#  - CODE_COVERAGE_GENHTML_OPTIONS: Extra options to pass to the genhtml
+#    instance. (Default: $CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT)
+#  - CODE_COVERAGE_IGNORE_PATTERN: Extra glob pattern of files to ignore
+#
+# The generated report will be titled using the \$(PACKAGE_NAME) and
+# \$(PACKAGE_VERSION). In order to add the current git hash to the title,
+# use the git-version-gen script, available online.
+# Optional variables
+# run only on top dir
+if CODE_COVERAGE_ENABLED
+ ifeq (\$(abs_builddir), \$(abs_top_builddir))
+CODE_COVERAGE_DIRECTORY ?= \$(top_builddir)
+CODE_COVERAGE_OUTPUT_FILE ?= \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage.info
+CODE_COVERAGE_OUTPUT_DIRECTORY ?= \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage
+
+CODE_COVERAGE_BRANCH_COVERAGE ?=
+CODE_COVERAGE_LCOV_SHOPTS_DEFAULT ?= \$(if \$(CODE_COVERAGE_BRANCH_COVERAGE),\
+--rc lcov_branch_coverage=\$(CODE_COVERAGE_BRANCH_COVERAGE))
+CODE_COVERAGE_LCOV_SHOPTS ?= \$(CODE_COVERAGE_LCOV_SHOPTS_DEFAULT)
+CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH ?= --gcov-tool \"\$(GCOV)\"
+CODE_COVERAGE_LCOV_OPTIONS_DEFAULT ?= \$(CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH)
+CODE_COVERAGE_LCOV_OPTIONS ?= \$(CODE_COVERAGE_LCOV_OPTIONS_DEFAULT)
+CODE_COVERAGE_LCOV_RMOPTS_DEFAULT ?=
+CODE_COVERAGE_LCOV_RMOPTS ?= \$(CODE_COVERAGE_LCOV_RMOPTS_DEFAULT)
+CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT ?=\
+\$(if \$(CODE_COVERAGE_BRANCH_COVERAGE),\
+--rc genhtml_branch_coverage=\$(CODE_COVERAGE_BRANCH_COVERAGE))
+CODE_COVERAGE_GENHTML_OPTIONS ?= \$(CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT)
+CODE_COVERAGE_IGNORE_PATTERN ?=
+
+GITIGNOREFILES = \$(GITIGNOREFILES) \$(CODE_COVERAGE_OUTPUT_FILE) \$(CODE_COVERAGE_OUTPUT_DIRECTORY)
+code_coverage_v_lcov_cap = \$(code_coverage_v_lcov_cap_\$(V))
+code_coverage_v_lcov_cap_ = \$(code_coverage_v_lcov_cap_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_v_lcov_cap_0 = @echo \"  LCOV   --capture\" \$(CODE_COVERAGE_OUTPUT_FILE);
+code_coverage_v_lcov_ign = \$(code_coverage_v_lcov_ign_\$(V))
+code_coverage_v_lcov_ign_ = \$(code_coverage_v_lcov_ign_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_v_lcov_ign_0 = @echo \"  LCOV   --remove /tmp/*\" \$(CODE_COVERAGE_IGNORE_PATTERN);
+code_coverage_v_genhtml = \$(code_coverage_v_genhtml_\$(V))
+code_coverage_v_genhtml_ = \$(code_coverage_v_genhtml_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_v_genhtml_0 = @echo \"  GEN   \" \"\$(CODE_COVERAGE_OUTPUT_DIRECTORY)\";
+code_coverage_quiet = \$(code_coverage_quiet_\$(V))
+code_coverage_quiet_ = \$(code_coverage_quiet_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_quiet_0 = --quiet
+
+# sanitizes the test-name: replaces with underscores: dashes and dots
+code_coverage_sanitize = \$(subst -,_,\$(subst .,_,\$(1)))
+
+# Use recursive makes in order to ignore errors during check
+check-code-coverage:
+	-\$(AM_V_at)\$(MAKE) \$(AM_MAKEFLAGS) -k check
+	\$(AM_V_at)\$(MAKE) \$(AM_MAKEFLAGS) code-coverage-capture
+
+# Capture code coverage data
+code-coverage-capture: code-coverage-capture-hook
+	\$(code_coverage_v_lcov_cap)\$(LCOV) \$(code_coverage_quiet) \$(addprefix --directory ,\$(CODE_COVERAGE_DIRECTORY)) --capture --output-file \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\" --test-name \"\$(call code_coverage_sanitize,\$(PACKAGE_NAME)-\$(PACKAGE_VERSION))\" --no-checksum --compat-libtool \$(CODE_COVERAGE_LCOV_SHOPTS) \$(CODE_COVERAGE_LCOV_OPTIONS)
+	\$(code_coverage_v_lcov_ign)\$(LCOV) \$(code_coverage_quiet) \$(addprefix --directory ,\$(CODE_COVERAGE_DIRECTORY)) --remove \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\" \"/tmp/*\" \$(CODE_COVERAGE_IGNORE_PATTERN) --output-file \"\$(CODE_COVERAGE_OUTPUT_FILE)\" \$(CODE_COVERAGE_LCOV_SHOPTS) \$(CODE_COVERAGE_LCOV_RMOPTS)
+	-@rm -f \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\"
+	\$(code_coverage_v_genhtml)LANG=C \$(GENHTML) \$(code_coverage_quiet) \$(addprefix --prefix ,\$(CODE_COVERAGE_DIRECTORY)) --output-directory \"\$(CODE_COVERAGE_OUTPUT_DIRECTORY)\" --title \"\$(PACKAGE_NAME)-\$(PACKAGE_VERSION) Code Coverage\" --legend --show-details \"\$(CODE_COVERAGE_OUTPUT_FILE)\" \$(CODE_COVERAGE_GENHTML_OPTIONS)
+	@echo \"file://\$(abs_builddir)/\$(CODE_COVERAGE_OUTPUT_DIRECTORY)/index.html\"
+
+code-coverage-clean:
+	-\$(LCOV) --directory \$(top_builddir) -z
+	-rm -rf \"\$(CODE_COVERAGE_OUTPUT_FILE)\" \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\" \"\$(CODE_COVERAGE_OUTPUT_DIRECTORY)\"
+	-find . \\( -name \"*.gcda\" -o -name \"*.gcno\" -o -name \"*.gcov\" \\) -delete
+
+code-coverage-dist-clean:
+
+A][M_DISTCHECK_CONFIGURE_FLAGS = \$(A][M_DISTCHECK_CONFIGURE_FLAGS) --disable-code-coverage
+ else # ifneq (\$(abs_builddir), \$(abs_top_builddir))
+check-code-coverage:
+
+code-coverage-capture: code-coverage-capture-hook
+
+code-coverage-clean:
+
+code-coverage-dist-clean:
+ endif # ifeq (\$(abs_builddir), \$(abs_top_builddir))
+else #! CODE_COVERAGE_ENABLED
+# Use recursive makes in order to ignore errors during check
+check-code-coverage:
+	@echo \"Need to reconfigure with --enable-code-coverage\"
+# Capture code coverage data
+code-coverage-capture: code-coverage-capture-hook
+	@echo \"Need to reconfigure with --enable-code-coverage\"
+
+code-coverage-clean:
+
+code-coverage-dist-clean:
+
+endif #CODE_COVERAGE_ENABLED
+# Hook rule executed before code-coverage-capture, overridable by the user
+code-coverage-capture-hook:
+
+.PHONY: check-code-coverage code-coverage-capture code-coverage-dist-clean code-coverage-clean code-coverage-capture-hook
+])
+])
+
+AC_DEFUN([_AX_CODE_COVERAGE_ENABLED],[
+	AX_CHECK_GNU_MAKE([],[AC_MSG_ERROR([not using GNU make that is needed for coverage])])
+	AC_REQUIRE([AX_ADD_AM_MACRO_STATIC])
+	# check for gcov
+	AC_CHECK_TOOL([GCOV],
+		  [$_AX_CODE_COVERAGE_GCOV_PROG_WITH],
+		  [:])
+	AS_IF([test "X$GCOV" = "X:"],
+	      [AC_MSG_ERROR([gcov is needed to do coverage])])
+	AC_SUBST([GCOV])
+
+	dnl Check if gcc is being used
+	AS_IF([ test "$GCC" = "no" ], [
+		AC_MSG_ERROR([not compiling with gcc, which is required for gcov code coverage])
+	      ])
+
+	AC_CHECK_PROG([LCOV], [lcov], [lcov])
+	AC_CHECK_PROG([GENHTML], [genhtml], [genhtml])
+
+	AS_IF([ test x"$LCOV" = x ], [
+		AC_MSG_ERROR([To enable code coverage reporting you must have lcov installed])
+	      ])
+
+	AS_IF([ test x"$GENHTML" = x ], [
+		AC_MSG_ERROR([Could not find genhtml from the lcov package])
+	])
+
+	dnl Build the code coverage flags
+	dnl Define CODE_COVERAGE_LDFLAGS for backwards compatibility
+	CODE_COVERAGE_CPPFLAGS="-DNDEBUG"
+	CODE_COVERAGE_CFLAGS="-O0 -g -fprofile-arcs -ftest-coverage"
+	CODE_COVERAGE_CXXFLAGS="-O0 -g -fprofile-arcs -ftest-coverage"
+	CODE_COVERAGE_LIBS="-lgcov"
+
+	AC_SUBST([CODE_COVERAGE_CPPFLAGS])
+	AC_SUBST([CODE_COVERAGE_CFLAGS])
+	AC_SUBST([CODE_COVERAGE_CXXFLAGS])
+	AC_SUBST([CODE_COVERAGE_LIBS])
+])
+
+AC_DEFUN([AX_CODE_COVERAGE],[
+	dnl Check for --enable-code-coverage
+
+	# allow to override gcov location
+	AC_ARG_WITH([gcov],
+	  [AS_HELP_STRING([--with-gcov[=GCOV]], [use given GCOV for coverage (GCOV=gcov).])],
+	  [_AX_CODE_COVERAGE_GCOV_PROG_WITH=$with_gcov],
+	  [_AX_CODE_COVERAGE_GCOV_PROG_WITH=gcov])
+
+	AC_MSG_CHECKING([whether to build with code coverage support])
+	AC_ARG_ENABLE([code-coverage],
+	  AS_HELP_STRING([--enable-code-coverage],
+	  [Whether to enable code coverage support]),,
+	  enable_code_coverage=no)
+
+	AM_CONDITIONAL([CODE_COVERAGE_ENABLED], [test "x$enable_code_coverage" = xyes])
+	AC_SUBST([CODE_COVERAGE_ENABLED], [$enable_code_coverage])
+	AC_MSG_RESULT($enable_code_coverage)
+
+	AS_IF([ test "x$enable_code_coverage" = xyes ], [
+		_AX_CODE_COVERAGE_ENABLED
+	      ])
+
+	_AX_CODE_COVERAGE_RULES
+])

m4/ax_file_escapes.m4

@@ -0,0 +1,30 @@
+# ===========================================================================
+#     https://www.gnu.org/software/autoconf-archive/ax_file_escapes.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_FILE_ESCAPES
+#
+# DESCRIPTION
+#
+#   Writes the specified data to the specified file.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Tom Howard <tomhoward@users.sf.net>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 8
+
+AC_DEFUN([AX_FILE_ESCAPES],[
+AX_DOLLAR="\$"
+AX_SRB="\\135"
+AX_SLB="\\133"
+AX_BS="\\\\"
+AX_DQ="\""
+])

m4/m4_ax_func_getopt_long.m4

@@ -0,0 +1,62 @@
+# ===========================================================================
+#   https://www.gnu.org/software/autoconf-archive/ax_func_getopt_long.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_FUNC_GETOPT_LONG
+#
+# DESCRIPTION
+#
+#   Check for getopt_long support.
+#
+#   This assume that the standard getopt.h file (from GNU libc) is available
+#   as src/common/compat_getopt.h. If needed, this file will be linked as getopt.h, but
+#   we want to default to the system's getopt.h file. (See
+#   http://sources.redhat.com/ml/automake/2000-09/msg00041.html for an
+#   explanation about why using the system's getopt.h file is important.)
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Alexandre Duret-Lutz <adl@gnu.org>
+#
+#   This program is free software; you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation; either version 2 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 6
+
+AU_ALIAS([ADL_FUNC_GETOPT_LONG], [AX_FUNC_GETOPT_LONG])
+AC_DEFUN([AX_FUNC_GETOPT_LONG],
+ [AC_PREREQ(2.49)dnl
+  # clean out junk possibly left behind by a previous configuration
+  rm -f src/getopt.h
+  # Check for getopt_long support
+  AC_CHECK_HEADERS([getopt.h])
+  AC_CHECK_FUNCS([getopt_long],,
+   [# FreeBSD has a gnugetopt library for this
+    AC_CHECK_LIB([gnugetopt],[getopt_long],[AC_DEFINE([HAVE_GETOPT_LONG])],
+     [# use the OpenSC replacement
+      AC_CONFIG_LINKS([src/getopt.h:src/common/compat_getopt.h])])])])

solaris/Makefile

@@ -1,39 +0,0 @@
-PACKAGE=OSCopensc
-PACKAGE_NAME=opensc
-VERSION=CVS
-PWD=pwd
-CONFIGURE_PREFIX=$(PWD:sh)/..
-CONFIGURE=${CONFIGURE_PREFIX}/configure
-CONFIGURE_ARGS=--prefix=/usr --sysconfdir=/etc/opensc --mandir=/usr/share/man --enable-pcsc --enable-openct
-CONFIG_GUESS=${CONFIGURE_PREFIX}/config.guess
-UNAME_ARCH=/usr/bin/uname -p
-PLATFORM = $(CONFIG_GUESS:sh)
-ARCH = $(UNAME_ARCH:sh)
-
-build:
-	@echo "Setup platform specific build directory build-${PLATFORM}"
-	mkdir -p build-${PLATFORM}
-	( cd build-${PLATFORM}; CC=cc PCSC_CFLAGS=-I/usr/include/smartcard ${CONFIGURE} ${CONFIGURE_ARGS}; make )
-
-dist:
-	@echo "Setup platform specific dist directory dist-${PLATFORM}"
-	mkdir -p dist-${PLATFORM}
-	@echo "Performing Installing in dist directory"
-	( cd build-${PLATFORM}; make DESTDIR=`pwd`/../dist-${PLATFORM} install )
-package:
-	@echo "Setup package meta files"
-	-cp proto dist-${PLATFORM}
-	-sed "s|@ARCH@|${ARCH}|" <checkinstall.in >dist-${PLATFORM}/checkinstall
-	-sed	-e "s|@ARCH@|${ARCH}|" \
-		-e "s|@VERSION@|${VERSION}|" \
-		-e "s|@PACKAGE@|${PACKAGE}|" \
-		-e "s|@PACKAGE_NAME@|${PACKAGE_NAME}|" \
-		<pkginfo.in >dist-${PLATFORM}/pkginfo
-	mkdir -p dist-${PLATFORM}/etc/opensc
-	-cp opensc.conf-dist dist-${PLATFORM}/etc/opensc/opensc.conf
-	@echo "Creating package"
-	( \
-		cd dist-${PLATFORM}; \
-		pkgmk -o -r . -d . -f proto; \
-		pkgtrans -s . ../OSCopensc-${VERSION}-${PLATFORM}.pkg ${PACKAGE} \
-	)

solaris/README

@@ -1,13 +0,0 @@
-Creating an installable package for Solaris 10
-==============================================
-
-The files in this directory are an attempt to ease
-the building of opensc packages for Solaris 10.
-
-The basic steps to create a Solaris 10 package are:
-# make build
-# make dist
-# make package
-
-NOTE: If you are using the GNU compiler you will
-      need to adjust the Makefile accordingly.

solaris/checkinstall.in

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-expected_platform="@ARCH@"
-platform=`uname -p`
-if [ ${platform} != ${expected_platform} ]; then
-	echo "This package must be installed on ${expected_platform}"
-	exit 1
-fi
-exit 0

solaris/opensc.conf-dist

@@ -1,286 +0,0 @@
-# Configuration file for OpenSC
-# Example configuration file
-
-# NOTE: All key-value pairs must be terminated by a semicolon.
-
-# Default values for any application
-# These can be overrided by an application
-# specific configuration block.
-app default {
-	# Amount of debug info to print
-	#
-	# A greater value means more debug info.
-	# Default: 0
-	#
-	debug = 0;
-
-	# The file to which debug output will be written
-	#
-	# A special value of 'stdout' is recognized.
-	# Default: stdout
-	#
-	# debug_file = /tmp/opensc-debug.log;
-
-	# The file to which errors will be written
-	#
-	# A special value of 'stderr' is recognized.
-	# Default: stderr
-	#
-	# error_file = /tmp/opensc-errors.log;
-
-        # Where to find the *.profile files for pkcs15init;
-
-	profile_dir = /usr/share/opensc;
-
-	# What reader drivers to load at start-up
-	#
-	# A special value of 'internal' will load all
-	# statically linked drivers. If an unknown (ie. not
-	# internal) driver is supplied, a separate configuration
-	# configuration block has to be written for the driver.
-	# Default: internal
-	# NOTE: if "internal" keyword is used, must be the 
-	# last entry in reader_drivers list
-	#
-	reader_drivers = openct, pcsc, ctapi;
-
-	reader_driver ctapi {
-		# module /usr/local/towitoko/lib/libtowitoko.so {
-			# CT-API ports:
-			# 0..3		COM1..4
-			# 4		Printer
-			# 5		Modem
-			# 6..7		LPT1..2
-			# ports = 0;
-		# }
-	}
-
-	# Define parameters specific to your readers.
-	# The following section shows definitions for PC/SC readers,
-	# but the same set of variables are applicatable to ctapi and
-	# openct readers, simply by using "reader_driver ctapi" and
-	# "reader_driver openct", respectively.
-	reader_driver pcsc {
-		# Whether to transform some APDU's from one case to another
-		# Possible values:
-		#            none:   Don't transform any APDU's
-		#        case4as3:   For T=0, send a case 4 APDU as case 3,
-		#                    (no Lc byte) the card will send back
-		# 		     a 61xx SW, and we will follow up with a
-		#                    GetResponse command
-		#                    The SCM SCR111, Sun SCF, and e-gate readers
-		#                    seem to require this.
-		#        case1as2:   For T=0, send a case 1 APDU as case 2.
-		#                    (append an Le byte of 0)
-		#                    The Sun SCF and e-gate readers seem to
-		#                    require this
-		# case1as2_always:   for any T=0/1, send a case 1 APDU as
-		#		     case 2.
-		#                    The Sun SCF reader may require this
-		# Default: none
-		#
-		apdu_masquerade = none;
-		#
-		# This sets the maximum send and receive sizes.
-		# Some IFD handlers do not properly handle APDUs with
-		# large lc or le bytes.
-		#
-		max_send_size = 252;
-		max_recv_size = 252;
-		#
-		# EXPERIMENTAL: Enable CCID pinpad support
-		# implemented (at least) in the libccid driver.
-		#use_ccid_pin_cmd = true;
-	}
-
-	# What card drivers to load at start-up
-	#
-	# A special value of 'internal' will load all
-	# statically linked drivers. If an unknown (ie. not
-	# internal) driver is supplied, a separate configuration
-	# configuration block has to be written for the driver.
-	# Default: internal
-	# NOTE: When "internal" keyword is used, must be last entry 
-	#
-	# card_drivers = customcos, internal;
-
-	# Card driver configuration blocks. 
-
-	# For all drivers, you can specify ATRs of cards that
-	# should be handled by this driver (in addition to the
-	# list of compiled-in ATRs). 
-	#
-	# The supported internal card driver names are
-	#  flex		Cryptoflex/Multiflex
-	#  setcos	Setec
-	#  etoken	Aladdin eToken and other CardOS based cards
-	#  gpk		GPK 4K/8K/16K
-	#  mcrd		MICARDO 2.1
-	#  miocos	MioCOS 1.1
-	#  openpgp	OpenPGP card
-	#  tcos		TCOS 2.0
-	#  emv		EMV compatible cards
-
-	# GPK card driver additional ATR entry:
-	card_driver gpk {
-		# atr = 00:11:22;
-	}
-
-	# For card drivers loaded from an external shared library/DLL, 
-	# you need to specify the path name of the module
-	#
-	# card_driver customcos {
-		# The location of the driver library
-		# module = /usr/lib/opensc/drivers/card_customcos.so;
-		# atr = 00:11:22:33:44;
-		# atr = 55:66:77:88:99:aa:bb;
-	# }
-
-	# Force using specific card driver
-	#
-	# If this option is present, OpenSC will use the supplied
-	# driver with all inserted cards.
-	#
-	# Default: autodetect
-	#
-	# force_card_driver = miocos;
-
-	# Below are the framework specific configuration blocks.
-
-	# PKCS #15
-	framework pkcs15 {
-		# Whether to use the cache files in the user's
-		# home directory.
-		#
-		# At the moment you have to 'teach' the card to the
-		# system by:
-		# pkcs15-tool -L
-		#
-		# WARNING: Caching shouldn't be used in setuid root
-		# applications.
-		# Default: false
-		#
-		use_caching = true;
-		# Enable pkcs15 emulation
-		# Default: yes
-		enable_pkcs15_emulation = yes;
-		# Try pkcs15 emulation code first (before the normal
-		# pkcs15 processing).
-		# Default: no
-		try_emulation_first = no;
-		# Enable builtin emulators
-		# Default: yes
-		enable_builtin_emulation = yes;
-		# list of the builtin pkcs15 emulators to test
-		# possible values: esteid, openpgp, netkey, netkey,
-		# starcert, infocamere, postecert
-		builtin_emulators = esteid, openpgp, netkey, netkey, starcert, infocamere, postecert;
-
-		# additional pkcs15 emulators (dynamic or builtin with
-		# a different atr etc.) 
-		# emulate foo {
-			# module = builtin;
-			# atr = 11:22:33:44;
-		#}
-	}
-	
-	# Estonian ID card and Micardo driver currently play together with T=0 only.
-	# In theory only the 'cold' ATR should be specified, as T=0 will be the preferred
-	# protocol once you boot it up with T=0, but be paranoid.
-	
-	# Generic format: card_atr <hex encoded ATR (case-sensitive!)>
-	# Only parameter currently understood is force_protocol
-	card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
-		force_protocol = t0;
-	}
-	card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
-		force_protocol = t0;
-	}
-}
-
-# For applications that use SCAM (pam_opensc, sia_opensc)
-app scam {
-	framework pkcs15 {
-		use_caching = false;
-	}
-}
-
-# Parameters for the OpenSC PKCS11 module
-app opensc-pkcs11 {
-	pkcs11 {
-		# Maxmimum number of slots per smart card.
-		# If the card has fewer keys than defined here,
-		# the remaining number of slots will be empty.
-		#
-		# Note that there is currently a compile time
-		# maximum on the overall number of slots
-		# the pkcs11 module is able to handle.
-		num_slots = 4;
-
-		# Normally, the pkcs11 module will create
-		# the full number of slots defined above by
-		# num_slots. If there are fewer pins/keys on
-		# the card, the remaining keys will be empty
-		# (and you will be able to create new objects
-		# within them).
-		#
-		# Set this option to true to hide these empty
-		# slots.
-		hide_empty_tokens = true;
-
-		# By default, the OpenSC PKCS#11 module will
-		# try to lock this card once you have authenticated
-		# to the card via C_Login. This is done so that no
-		# other user can connect to the card and perform
-		# crypto operations (which may be possible because
-		# you have already authenticated with the card).
-		#
-		# However, this also means that no other application
-		# that _you_ run can use the card until your application
-		# has done a C_Logout or C_Finalize. In the case of
-		# Netscape or Mozilla, this does not happen until
-		# you exit the browser.
-		lock_login = true;
-
-		# Normally, the pkcs11 module will not cache PINs
-		# presented via C_Login. However, some cards
-		# may not work properly with OpenSC; for instance
-		# when you have two keys on your card that get
-		# stored in two different directories.
-		#
-		# In this case, you can turn on PIN caching by setting
-		# cache_pins = true
-		#
-		# Default: false
-		cache_pins = false;
-
-		# Set this value to false if you want to enfore on-card
-		# keypair generation
-		#
-		# Default: true
-		soft_keygen_allowed = true;
-	}
-}
-
-# Parameters for the OpenSC PKCS11-Spy module, that logs all the
-# communication between a pkcs11 module and it's calling application:
-#    app <--> pkcs11-spy <--> pkcs11 module
-app pkcs11-spy {
-	spy {
-		# Where to log to.
-		#
-		# By default, the value of the PKCS11SPY_OUTPUT environment
-		# variable is used. And if that one isn't defined: stderr
-		# is used.
-		#
-		#output = /tmp/pkcs11-spy.log;
-
-		# Which PKCS11 module to load.
-		#
-		# By default, the value of the PKCS11SPY environment
-		# variable is used. And if that one isn't defined,
-		# opensc-pkcs11.so is used.
-		#
-		#module = opensc-pkcs11.so;
-	}
-}

solaris/pkginfo.in

@@ -1,12 +0,0 @@
-PKG="OSCopensc"
-NAME="opensc"
-VERSION="@VERSION@"
-ARCH="@ARCH@"
-CLASSES="none"
-CATEGORY="drivers"
-VENDOR="WW"
-PSTAMP="26thFeb2005"
-EMAIL="william@wanders.org"
-ISTATES="S s 1 2 3"
-RSTATES="S s 1 2 3"
-BASEDIR="/"

solaris/proto

@@ -1,118 +0,0 @@
-d none usr 0755 root sys
-d none usr/share 0755 root other
-d none usr/share/man 0755 root other
-d none usr/share/man/man1 0755 root other
-f none usr/share/man/man1/pkcs15-crypt.1 0644 root other
-f none usr/share/man/man1/pkcs15-init.1 0644 root other
-f none usr/share/man/man1/cryptoflex-tool.1 0644 root other
-f none usr/share/man/man1/opensc-config.1 0644 root other
-f none usr/share/man/man1/opensc-explorer.1 0644 root other
-f none usr/share/man/man1/opensc-tool.1 0644 root other
-f none usr/share/man/man1/pkcs15-tool.1 0644 root other
-f none usr/share/man/man1/pkcs11-tool.1 0644 root other
-f none usr/share/man/man1/cardos-info.1 0644 root other
-d none usr/share/man/man3 0755 root other
-f none usr/share/man/man3/sc_connect_card.3 0644 root other
-f none usr/share/man/man3/sc_detect_card_presence.3 0644 root other
-f none usr/share/man/man3/sc_disconnect_card.3 0644 root other
-f none usr/share/man/man3/sc_establish_context.3 0644 root other
-f none usr/share/man/man3/sc_file.3 0644 root other
-f none usr/share/man/man3/sc_file_free.3 0644 root other
-f none usr/share/man/man3/sc_file_new.3 0644 root other
-f none usr/share/man/man3/sc_list_files.3 0644 root other
-f none usr/share/man/man3/sc_lock.3 0644 root other
-f none usr/share/man/man3/sc_read_binary.3 0644 root other
-f none usr/share/man/man3/sc_read_record.3 0644 root other
-f none usr/share/man/man3/sc_release_context.3 0644 root other
-f none usr/share/man/man3/sc_select_file.3 0644 root other
-f none usr/share/man/man3/sc_pkcs15_compute_signature.3 0644 root other
-d none usr/share/man/man5 0755 root other
-f none usr/share/man/man5/pkcs15-profile.5 0644 root other
-d none usr/share/man/man7 0755 root other
-f none usr/share/man/man7/opensc.7 0644 root other
-f none usr/share/man/man7/pkcs15.7 0644 root other
-d none usr/share/opensc 0755 root other
-f none usr/share/opensc/opensc.conf.example 0644 root other
-f none usr/share/opensc/cyberflex.profile 0644 root other
-f none usr/share/opensc/flex.profile 0644 root other
-f none usr/share/opensc/gpk.profile 0644 root other
-f none usr/share/opensc/miocos.profile 0644 root other
-f none usr/share/opensc/etoken.profile 0644 root other
-f none usr/share/opensc/jcop.profile 0644 root other
-f none usr/share/opensc/oberthur.profile 0644 root other
-f none usr/share/opensc/starcos.profile 0644 root other
-f none usr/share/opensc/pkcs15.profile 0644 root other
-d none usr/lib 0755 root bin
-s none usr/lib/libscconf.so.0=libscconf.so.0.0.9
-f none usr/lib/libscconf.so.0.0.9 0755 root bin
-s none usr/lib/libscconf.so=libscconf.so.0.0.9
-f none usr/lib/libscconf.la 0755 root bin
-f none usr/lib/libscconf.a 0644 root bin
-s none usr/lib/libopensc.so.0=libopensc.so.0.0.9
-f none usr/lib/libopensc.so.0.0.9 0755 root bin
-s none usr/lib/libopensc.so=libopensc.so.0.0.9
-d none usr/lib/pkgconfig 0755 root bin
-f none usr/lib/pkgconfig/libopensc.pc 0644 root bin
-f none usr/lib/pkgconfig/libpkcs15init.pc 0644 root bin
-f none usr/lib/pkgconfig/libscconf.pc 0644 root bin
-f none usr/lib/libopensc.la 0755 root bin
-f none usr/lib/libopensc.a 0644 root bin
-d none usr/lib/pkcs11 0755 root bin
-s none usr/lib/pkcs11/libpkcs11.so.0=libpkcs11.so.0.0.9
-f none usr/lib/pkcs11/opensc-pkcs11.so 0755 root bin
-f none usr/lib/pkcs11/opensc-pkcs11.la 0755 root bin
-f none usr/lib/pkcs11/opensc-pkcs11.a 0644 root bin
-f none usr/lib/pkcs11/libpkcs11.so.0.0.9 0755 root bin
-s none usr/lib/pkcs11/libpkcs11.so=libpkcs11.so.0.0.9
-f none usr/lib/pkcs11/libpkcs11.la 0755 root bin
-f none usr/lib/pkcs11/libpkcs11.a 0644 root bin
-f none usr/lib/pkcs11/pkcs11-spy.so 0755 root bin
-f none usr/lib/pkcs11/pkcs11-spy.la 0755 root bin
-f none usr/lib/pkcs11/pkcs11-spy.a 0644 root bin
-f none usr/lib/libpkcs15init.so.0.0.9 0755 root bin
-s none usr/lib/libpkcs15init.so.0=libpkcs15init.so.0.0.9
-s none usr/lib/libpkcs15init.so=libpkcs15init.so.0.0.9
-f none usr/lib/libpkcs15init.la 0755 root bin
-f none usr/lib/libpkcs15init.a 0644 root bin
-d none usr/lib/opensc 0755 root bin
-f none usr/lib/opensc/engine_opensc.so 0755 root bin
-f none usr/lib/opensc/engine_opensc.la 0755 root bin
-f none usr/lib/opensc/engine_opensc.a 0644 root bin
-f none usr/lib/opensc/engine_pkcs11.so 0755 root bin
-f none usr/lib/opensc/engine_pkcs11.la 0755 root bin
-f none usr/lib/opensc/engine_pkcs11.a 0644 root bin
-d none usr/include 0755 root bin
-d none usr/include/opensc 0755 root bin
-d none usr/include/opensc/rsaref 0755 root bin
-f none usr/include/opensc/rsaref/pkcs11.h 0644 root bin
-f none usr/include/opensc/rsaref/pkcs11f.h 0644 root bin
-f none usr/include/opensc/rsaref/pkcs11t.h 0644 root bin
-f none usr/include/opensc/rsaref/unix.h 0644 root bin
-f none usr/include/opensc/rsaref/win32.h 0644 root bin
-f none usr/include/opensc/scconf.h 0644 root bin
-f none usr/include/opensc/opensc.h 0644 root bin
-f none usr/include/opensc/pkcs15.h 0644 root bin
-f none usr/include/opensc/cardctl.h 0644 root bin
-f none usr/include/opensc/asn1.h 0644 root bin
-f none usr/include/opensc/log.h 0644 root bin
-f none usr/include/opensc/ui.h 0644 root bin
-f none usr/include/opensc/errors.h 0644 root bin
-f none usr/include/opensc/types.h 0644 root bin
-f none usr/include/opensc/pkcs15-init.h 0644 root bin
-f none usr/include/opensc/pkcs11.h 0644 root bin
-d none usr/bin 0755 root bin
-f none usr/bin/opensc-config 0755 root bin
-f none usr/bin/opensc-tool 0755 root bin
-f none usr/bin/opensc-explorer 0755 root bin
-f none usr/bin/pkcs15-tool 0755 root bin
-f none usr/bin/pkcs15-crypt 0755 root bin
-f none usr/bin/pkcs11-tool 0755 root bin
-f none usr/bin/cardos-info 0755 root bin
-f none usr/bin/eidenv 0755 root bin
-f none usr/bin/cryptoflex-tool 0755 root bin
-f none usr/bin/pkcs15-init 0755 root bin
-d none etc 0755 root sys
-d none etc/opensc 0755 root sys
-f none etc/opensc/opensc.conf 0644 root sys
-i checkinstall=checkinstall
-i pkginfo=pkginfo

src/Makefile.am

@@ -3,7 +3,7 @@ EXTRA_DIST = Makefile.mak
 
 # Order IS important
 SUBDIRS = common scconf ui pkcs15init sm \
-		  libopensc pkcs11 tools tests minidriver
+		  libopensc pkcs11 tools minidriver tests
 
 if ENABLE_SM
 SUBDIRS += smm

src/Makefile.mak

@@ -1,7 +1,7 @@
 TOPDIR = ..
 
 SUBDIRS = common scconf ui sm pkcs15init \
-		  libopensc pkcs11 tools tests
+		  libopensc pkcs11 tools
 
 default: all
 
@@ -15,6 +15,16 @@ SUBDIRS = $(SUBDIRS) minidriver
 SUBDIRS = $(SUBDIRS) smm
 !ENDIF
 
-all clean::
+!IF "$(TESTS_DEF)" == "/DENABLE_TESTS"
+SUBDIRS = $(SUBDIRS) tests
+!ENDIF
+
+all::
+	copy /y common\compat_getopt.h getopt.h
 	@for %i in ( $(SUBDIRS) ) do \
 		@cmd /c "cd %i && $(MAKE) /nologo /f Makefile.mak $@"
+
+clean::
+	@for %i in ( $(SUBDIRS) ) do \
+		@cmd /c "cd %i && $(MAKE) /nologo /f Makefile.mak $@"
+	del /Q getopt.h

src/common/Makefile.am

@@ -8,10 +8,29 @@ dist_noinst_DATA = \
 	LICENSE.compat_getopt compat_getopt.txt \
 	compat_getopt_main.c \
 	README.compat_strlcpy compat_strlcpy.3
+noinst_HEADERS = compat_strlcat.h compat_strlcpy.h compat_strnlen.h compat_getpass.h compat_getopt.h simclist.h libpkcs11.h libscdl.h
 
 AM_CPPFLAGS = -I$(top_srcdir)/src
 
 libcompat_la_SOURCES = \
+	compat_dummy.c \
+	compat_strlcat.c \
+	compat_strlcpy.c \
+	compat_strnlen.c \
+	compat_getpass.c \
+	compat_getopt.c \
+	compat_report_rangecheckfailure.c \
+	compat___iob_func.c \
+	simclist.c
+
+compat_getopt_main_LDADD = libcompat.la
+
+libpkcs11_la_SOURCES = libpkcs11.c
+
+libscdl_la_SOURCES = libscdl.c
+
+TIDY_FLAGS = $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+TIDY_FILES = \
 	compat_dummy.c \
 	compat_strlcat.h compat_strlcat.c \
 	compat_strlcpy.h compat_strlcpy.c \
@@ -20,10 +39,8 @@ libcompat_la_SOURCES = \
 	compat_getopt.h compat_getopt.c \
 	compat_report_rangecheckfailure.c \
 	compat___iob_func.c \
-	simclist.c simclist.h
+	simclist.c simclist.h \
+	libpkcs11.c libscdl.c
 
-compat_getopt_main_LDADD = libcompat.la
-
-libpkcs11_la_SOURCES = libpkcs11.c libpkcs11.h
-
-libscdl_la_SOURCES = libscdl.c libscdl.h
+check-local:
+	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' --checks='$(TIDY_CHECKS)' -header-filter=.* $(addprefix $(srcdir)/,$(TIDY_FILES)) -- $(TIDY_FLAGS); fi

src/common/README.compat_getopt

@@ -94,14 +94,14 @@ WHY RE-INVENT THE WHEEL?
 ========================
 
 I re-implemented getopt, getopt_long, and getopt_long_only because
-there were noticable bugs in several versions of the GNU
+there were noticeable bugs in several versions of the GNU
 implementations, and because the GNU versions aren't always available
 on some systems (*BSD, for example.) Other systems don't include any
 sort of standard argument parser (Win32 with Microsoft tools, for
 example, has no getopt.)
 
 These should do all the expected Unix- and GNU-style argument
-parsing, including permution, bunching, long options with single or
+parsing, including permutation, bunching, long options with single or
 double dashes (double dashes are required if you use
 my_getopt_long,) and optional arguments for both long and short
 options. A word with double dashes all by themselves halts argument
@@ -112,11 +112,11 @@ separated by '='.
 
 As with the GNU versions, a '+' prefix to the short option
 specification (or the POSIXLY_CORRECT environment variable) disables
-permution, a '-' prefix to the short option specification returns 1
+permutation, a '-' prefix to the short option specification returns 1
 for non-options, ':' after a short option indicates a required
 argument, and '::' after a short option specification indicates an
 optional argument (which must appear in the same word.) If you'd like
-to recieve ':' instead of '?' for missing option arguments, prefix the
+to receive ':' instead of '?' for missing option arguments, prefix the
 short option specification with ':'.
 
 The original intent was to re-implement the documented behavior of