libgcns: ArchLinux package

libgcns: C++ version
libgcns: first commit
2022-01-08 20:37:35 +01:00 · 2022-01-06 21:12:55 +01:00 · 2022-01-06 20:27:23 +01:00 · 2022-01-06 18:04:42 +01:00 · 2022-01-06 17:29:06 +01:00 · 2021-08-10 11:09:03 +02:00
328 changed files with 20351 additions and 5536 deletions
--- a/.clang-format
+++ b/.clang-format
@ -0,0 +1,3 @@
+BasedOnStyle: Google
+IndentWidth: 4
+
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -1,7 +1,9 @@
 ### Problem Description

 <!--
-Please read about [reporting bugs](https://github.com/OpenSC/OpenSC/wiki/How-to-report-bugs-so-that-they-can-be-fixed) before opening an issue.
+Please read about reporting bugs on the wiki before opening an issue:
+
+https://github.com/OpenSC/OpenSC/wiki/How-to-write-a-good-bug-report
 -->

 ### Proposed Resolution
@ -21,7 +23,7 @@ Debug output is essential to identify the problem. You can enable debugging by e
    #debug_file = opensc-debug.log
 ```

-Please use [Gist](https://gist.github.com/) or a similar code paster for longer logs. Before pasting here, remove your sensitive data from your log (e.g. PIN code or certificates).
+Please use a Gist (https://gist.github.com/) or a similar code paster for longer logs. Before pasting here, remove your sensitive data from your log (e.g. PIN code or certificates).

 ```
 Paste Log output with less than 10 lines here (between the backticks)
--- a/.github/add_signing_key.sh
+++ b/.github/add_signing_key.sh
@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+tar xvf secrets.tar
+KEY_CHAIN=mac-build.keychain
+
+# Create the keychain with a password
+security create-keychain -p travis $KEY_CHAIN
+
+# Make the custom keychain default, so xcodebuild will use it for signing
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain for one hour
+security unlock-keychain -p travis $KEY_CHAIN
+security set-keychain-settings -t 3600 -u $KEY_CHAIN
+
+# Add certificates to keychain and allow codesign to access them
+curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > AppleWWDRCA.cer
+security import AppleWWDRCA.cer \
+    -k ~/Library/Keychains/$KEY_CHAIN \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security import DeveloperIDApplication.cer \
+    -k ~/Library/Keychains/$KEY_CHAIN \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security import DeveloperIDInstaller.cer \
+    -k ~/Library/Keychains/$KEY_CHAIN \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security import key.p12 \
+    -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \
+    -T /usr/bin/codesign -T /usr/bin/productsign
+security unlock-keychain -p travis $KEY_CHAIN
+
+# https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
+security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
+popd
--- a/.github/build.sh
+++ b/.github/build.sh
@ -0,0 +1,54 @@
+#!/bin/bash -e
+
+export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig;
+
+if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
+	PR_NUMBER=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
+	if [ "$GITHUB_BASE_REF" == "master" ]; then
+		./bootstrap.ci -s "-pr$PR_NUMBER"
+	else
+		./bootstrap.ci -s "$GITHUB_BASE_REF-pr$PR_NUMBER"
+	fi
+else
+	BRANCH=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
+	if [ "$BRANCH" == "master" ]; then
+		./bootstrap
+	else
+		./bootstrap.ci -s "$BRANCH"
+	fi
+fi
+
+if [ "$RUNNER_OS" == "macOS" ]; then
+	./MacOSX/build
+	exit $?
+fi
+
+if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	if [ "$1" == "mingw" ]; then
+		HOST=x86_64-w64-mingw32
+	elif [ "$1" == "mingw32" ]; then
+		HOST=i686-w64-mingw32
+	fi
+	unset CC
+	unset CXX
+	./configure --host=$HOST --with-completiondir=/tmp --disable-openssl --disable-readline --disable-zlib --disable-notify --prefix=$PWD/win32/opensc || cat config.log;
+	make -j 2
+	# no point in running tests on mingw
+else
+	# normal procedure
+	./configure  --disable-dependency-tracking
+	make -j 2
+	make check
+fi
+
+# this is broken in old ubuntu
+if [ "$1" == "dist" ]; then
+	make distcheck
+	make dist
+fi
+
+sudo make install
+if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	# pack installed files
+	wine "C:/Program Files/Inno Setup 5/ISCC.exe" win32/OpenSC.iss
+fi
--- a/.github/push_artifacts.sh
+++ b/.github/push_artifacts.sh
@ -6,15 +6,22 @@ BUILDPATH=${PWD}
 BRANCH="`git log --max-count=1 --date=short --abbrev=8 --pretty=format:"%cd_%h"`"

 git clone --single-branch https://${GH_TOKEN}@github.com/OpenSC/Nightly.git > /dev/null 2>&1
-cd Nightly
+pushd Nightly
 git checkout -b "${BRANCH}"

-for file in ${BUILDPATH}/win32/Output/OpenSC*.exe ${BUILDPATH}/opensc*.tar.gz ${BUILDPATH}/OpenSC*.dmg ${BUILDPATH}/OpenSC*.msi ${BUILDPATH}/OpenSC*.zip ${BUILDPATH}/*.pkg
+for file in ${BUILDPATH}/win32/Output/OpenSC*.exe ${BUILDPATH}/opensc*.tar.gz ${BUILDPATH}/OpenSC*.dmg ${BUILDPATH}/OpenSC*.msi ${BUILDPATH}/OpenSC*.zip
 do
    if [ -f ${file} ]
    then
-        cp ${file} .
-        git add `basename ${file}`
+        # github only allows a maximum file size of 50MB
+        MAX_MB_FILESIZE=50
+        if [ $(du -m "$file" | cut -f 1) -ge $MAX_MB_FILESIZE ]
+        then
+            split -b ${MAX_MB_FILESIZE}m ${file} `basename ${file}`.
+        else
+            cp ${file} .
+        fi
+        git add `basename ${file}`*
    fi
 done

@ -23,6 +30,7 @@ i=0
 while [ $i -le 10 ] && ! git push --quiet --set-upstream origin "${BRANCH}"
 do
    sleep $[ ( $RANDOM % 32 )  + 1 ]s
-    git pull --rebase origin "${BRANCH}"
+    git pull --rebase origin --strategy-option ours "${BRANCH}"
    i=$(( $i + 1 ))
 done
+popd
--- a/.github/remove_signing_key.sh
+++ b/.github/remove_signing_key.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex -o xtrace
+
+pushd .github/
+security delete-keychain mac-build.keychain
+rm -f DeveloperIDApplication.cer DeveloperIDInstaller.cer key.p12
+popd
--- a/.github/secrets.tar.enc
+++ b/.github/secrets.tar.enc
--- a/.github/setup-java.sh
+++ b/.github/setup-java.sh
@ -0,0 +1,24 @@
+#!/bin/bash -e
+
+# Select the right java
+sudo update-java-alternatives -s java-1.8.0-openjdk-amd64
+sudo update-alternatives --get-selections | grep ^java
+export PATH="/usr/lib/jvm/java-8-openjdk-amd64/bin/:$PATH"
+export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
+env | grep -i openjdk
+
+# VSmartcard
+./.github/setup-vsmartcard.sh
+
+# Javacard SDKs
+git clone https://github.com/martinpaljak/oracle_javacard_sdks.git
+export JC_HOME=$PWD/oracle_javacard_sdks/jc222_kit
+export JC_CLASSIC_HOME=$PWD/oracle_javacard_sdks/jc305u3_kit
+
+# jCardSim
+git clone https://github.com/arekinath/jcardsim.git
+pushd jcardsim
+env | grep -i openjdk
+export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
+mvn initialize && mvn clean install
+popd
--- a/.github/setup-linux.sh
+++ b/.github/setup-linux.sh
@ -0,0 +1,42 @@
+#!/bin/bash -e
+
+DEPS="docbook-xsl libpcsclite-dev xsltproc gengetopt libcmocka-dev help2man pcscd check softhsm2 pcsc-tools libtool make autoconf autoconf-archive automake libssl-dev zlib1g-dev pkg-config libreadline-dev openssl git"
+
+if [ "$1" == "clang-tidy" ]; then
+	DEPS="$DEPS clang-tidy"
+elif [ "$1" == "cac" ]; then
+	DEPS="$DEPS libglib2.0-dev libnss3-dev gnutls-bin libusb-dev libudev-dev flex libnss3-tools"
+elif [ "$1" == "oseid" ]; then
+	DEPS="$DEPS socat gawk xxd"
+elif [ "$1" == "piv" -o "$1" == "isoapplet" -o "$1" == "gidsapplet" -o "$1" == "openpgp" ]; then
+	if [ "$1" == "piv" ]; then
+		DEPS="$DEPS cmake"
+	fi
+	DEPS="$DEPS ant openjdk-8-jdk"
+elif [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	DEPS="$DEPS wine wine32 xvfb wget"
+	sudo dpkg --add-architecture i386
+	if [ "$1" == "mingw" ]; then
+		DEPS="$DEPS binutils-mingw-w64-x86-64 gcc-mingw-w64-x86-64 mingw-w64"
+	elif [ "$1" == "mingw32" ]; then
+		DEPS="$DEPS binutils-mingw-w64-i686 gcc-mingw-w64-i686"
+	fi
+fi
+
+# make sure we do not get prompts
+export DEBIAN_FRONTEND=noninteractive
+sudo apt-get update
+sudo apt-get install -y build-essential $DEPS
+
+if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
+	if [ ! -f "$(winepath 'C:/Program Files/Inno Setup 5/ISCC.exe')" ]; then
+		/sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16
+		export DISPLAY=:99.0
+		[ -d isetup ] || mkdir isetup
+		pushd isetup
+		[ -f isetup-5.5.6.exe ] || wget http://files.jrsoftware.org/is/5/isetup-5.5.6.exe
+		sleep 5 # make sure the X server is ready ?
+		wine isetup-5.5.6.exe /SILENT /VERYSILENT /SP- /SUPPRESSMSGBOXES /NORESTART
+		popd
+	fi
+fi
--- a/.github/setup-macos.sh
+++ b/.github/setup-macos.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+
+brew install automake
+
+# gengetopt
+curl https://ftp.gnu.org/gnu/gengetopt/gengetopt-2.23.tar.xz -L --output gengetopt-2.23.tar.xz
+tar xfj gengetopt-2.23.tar.xz
+pushd gengetopt-2.23
+./configure && make
+sudo make install
+popd
+
+# help2man
+curl https://ftp.gnu.org/gnu/help2man/help2man-1.47.16.tar.xz -L --output help2man-1.47.16.tar.xz
+tar xjf help2man-1.47.16.tar.xz
+pushd help2man-1.47.16
+./configure && make
+sudo make install
+popd
+
+# openSCToken
+export PATH="/usr/local/opt/ccache/libexec:$PATH"
+git clone https://github.com/frankmorgner/OpenSCToken.git
+sudo rm -rf /Library/Developer/CommandLineTools;
+
+# TODO make the encrypted key working in github
+if [ "$GITHUB_EVENT_NAME" == "pull_request" -a -n "$encrypted_3b9f0b9d36d1_key" ]; then
+    openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
+    .github/add_signing_key.sh;
+else
+    unset CODE_SIGN_IDENTITY INSTALLER_SIGN_IDENTITY;
+fi
--- a/.github/setup-vsmartcard.sh
+++ b/.github/setup-vsmartcard.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ ! -d "vsmartcard" ]; then
+	git clone https://github.com/frankmorgner/vsmartcard.git
+fi
+pushd vsmartcard/virtualsmartcard
+autoreconf -vis && ./configure && make -j2 && sudo make install
+popd
--- a/.github/test-cac.sh
+++ b/.github/test-cac.sh
@ -0,0 +1,47 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# VSmartcard
+./.github/setup-vsmartcard.sh
+
+# libcacard
+if [ ! -d "libcacard" ]; then
+	git clone https://gitlab.freedesktop.org/spice/libcacard.git
+fi
+pushd libcacard
+./autogen.sh --prefix=/usr && make -j2 && sudo make install
+popd
+
+# virt_cacard
+if [ ! -d "virt_cacard" ]; then
+	git clone https://github.com/Jakuje/virt_cacard.git
+fi
+pushd virt_cacard
+./autogen.sh && ./configure && make
+popd
+
+sudo /etc/init.d/pcscd restart
+
+pushd src/tests/p11test/
+./p11test -s 0 -p 12345678 -i -o virt_cacard.json &
+sleep 5
+popd
+
+# virt_cacard startup
+pushd virt_cacard
+./setup-softhsm2.sh
+export SOFTHSM2_CONF=$PWD/softhsm2.conf
+./virt_cacard &
+wait $(ps aux | grep '[p]11test'| awk '{print $2}')
+kill -9 $(ps aux | grep '[v]irt_cacard'| awk '{print $2}')
+popd
+
+# cleanup -- this would break later uses of pcscd
+pushd vsmartcard/virtualsmartcard
+sudo make uninstall
+popd
+
+diff -u3 src/tests/p11test/virt_cacard{_ref,}.json
--- a/.github/test-gidsapplet.sh
+++ b/.github/test-gidsapplet.sh
@ -0,0 +1,36 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+. .github/setup-java.sh
+
+# GidsApplet
+git clone https://github.com/vletoux/GidsApplet.git;
+javac -classpath jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar GidsApplet/src/com/mysmartlogon/gidsApplet/*.java;
+echo "com.licel.jcardsim.card.applet.0.AID=A000000397425446590201" > gids_jcardsim.cfg;
+echo "com.licel.jcardsim.card.applet.0.Class=com.mysmartlogon.gidsApplet.GidsApplet" >> gids_jcardsim.cfg;
+echo "com.licel.jcardsim.card.ATR=3B80800101" >> gids_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.host=localhost" >> gids_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.port=35963" >> gids_jcardsim.cfg;
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+
+# start the applet and run couple of commands against that
+java -noverify -cp GidsApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard gids_jcardsim.cfg >/dev/null &
+PID=$!;
+sleep 5;
+opensc-tool --card-driver default --send-apdu 80b80000190bA0000003974254465902010bA00000039742544659020100;
+opensc-tool -n;
+gids-tool --initialize --pin 123456 --admin-key 000000000000000000000000000000000000000000000000 --serial 00000000000000000000000000000000;
+kill -9 $PID
+
+
+# cleanup
+sudo kill -9 $PCSCD_PID
--- a/.github/test-isoapplet.sh
+++ b/.github/test-isoapplet.sh
@ -0,0 +1,41 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+./.github/setup-java.sh
+
+# The ISO applet
+git clone https://github.com/philipWendland/IsoApplet.git;
+javac -classpath jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar IsoApplet/src/net/pwendland/javacard/pki/isoapplet/*.java;
+echo "com.licel.jcardsim.card.applet.0.AID=F276A288BCFBA69D34F31001" > isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.card.applet.0.Class=net.pwendland.javacard.pki.isoapplet.IsoApplet" >> isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.card.ATR=3B80800101" >> isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.host=localhost" >> isoapplet_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.port=35963" >> isoapplet_jcardsim.cfg;
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+# start the applet and run couple of commands against that
+java -noverify -cp IsoApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard isoapplet_jcardsim.cfg >/dev/null &
+PID=$!;
+sleep 5;
+opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100;
+opensc-tool -n;
+pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef;
+pkcs15-tool --change-pin --pin 123456 --new-pin 654321;
+pkcs15-tool --unblock-pin --puk 0123456789abcdef --new-pin 123456;
+pkcs15-init --generate-key rsa/2048     --id 1 --key-usage decrypt,sign --auth-id FF --pin 123456;
+pkcs15-init --generate-key rsa/2048     --id 2 --key-usage decrypt      --auth-id FF --pin 123456;
+pkcs15-init --generate-key ec/secp256r1 --id 3 --key-usage sign         --auth-id FF --pin 123456;
+pkcs15-tool -D;
+pkcs11-tool -l -t -p 123456;
+kill -9 $PID;
+
+# cleanup
+sudo kill -9 $PCSCD_PID
--- a/.github/test-openpgp.sh
+++ b/.github/test-openpgp.sh
@ -0,0 +1,40 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+. .github/setup-java.sh
+
+# The OpenPGP applet
+git clone --recursive https://github.com/Yubico/ykneo-openpgp.git;
+cd ykneo-openpgp;
+ant -DJAVACARD_HOME=${JC_HOME};
+cd $TRAVIS_BUILD_DIR;
+echo "com.licel.jcardsim.card.applet.0.AID=D2760001240102000000000000010000" > openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.card.applet.0.Class=openpgpcard.OpenPGPApplet" >> openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.card.ATR=3B80800101" >> openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.host=localhost" >> openpgp_jcardsim.cfg;
+echo "com.licel.jcardsim.vsmartcard.port=35963" >> openpgp_jcardsim.cfg;
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+
+# start the applet and run couple of commands against that
+java -noverify -cp ykneo-openpgp/applet/bin:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard openpgp_jcardsim.cfg >/dev/null &
+PID=$!;
+sleep 5;
+opensc-tool --card-driver default --send-apdu 80b800002210D276000124010200000000000001000010D276000124010200000000000001000000;
+opensc-tool -n;
+openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2;
+pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048;
+pkcs11-tool -l -t -p 123456;
+kill -9 $PID
+
+
+# cleanup
+sudo kill -9 $PCSCD_PID
--- a/.github/test-oseid.sh
+++ b/.github/test-oseid.sh
@ -0,0 +1,54 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+if [ ! -d oseid ]; then
+	git clone https://github.com/popovec/oseid
+fi
+pushd oseid/src/
+make -f Makefile.console
+if [ ! -d tmp ]; then
+	mkdir tmp
+fi
+socat -d -d pty,link=tmp/OsEIDsim.socket,raw,echo=0 "exec:build/console/console ...,pty,raw,echo=0" &
+PID=$!
+sleep 1
+echo "# OsEIDsim" > tmp/reader.conf
+echo 'FRIENDLYNAME      "OsEIDsim"' >> tmp/reader.conf
+echo "DEVICENAME        $PWD/tmp/OsEIDsim.socket" >> tmp/reader.conf
+echo "LIBPATH           $PWD/build/console/libOsEIDsim.so.0.0.1" >> tmp/reader.conf
+echo "CHANNELID         1" >> tmp/reader.conf
+sudo mv tmp/reader.conf /etc/reader.conf.d/reader.conf
+cat /etc/reader.conf.d/reader.conf
+popd
+ 
+sudo /etc/init.d/pcscd restart
+
+# Needed for tput to not report warnings
+export TERM=xterm-256color
+
+pushd oseid/tools
+echo | ./OsEID-tool INIT
+./OsEID-tool RSA-CREATE-KEYS
+./OsEID-tool RSA-UPLOAD-KEYS
+./OsEID-tool RSA-DECRYPT-TEST
+./OsEID-tool RSA-SIGN-PKCS11-TEST
+./OsEID-tool EC-CREATE-KEYS
+./OsEID-tool EC-UPLOAD-KEYS
+./OsEID-tool EC-SIGN-TEST
+./OsEID-tool EC-SIGN-PKCS11-TEST
+./OsEID-tool EC-ECDH-TEST
+popd
+
+# this does not work as we have random key IDs in here
+#pushd src/tests/p11test/
+#./p11test -s 0 -p 11111111 -o oseid.json || true
+#diff -u3 oseid_ref.json oseid.json
+#popd
+
+# cleanup -- this would break later uses of pcscd
+kill -9 $PID
+rm oseid/src/card_mem
+sudo rm /etc/reader.conf.d/reader.conf
--- a/.github/test-piv.sh
+++ b/.github/test-piv.sh
@ -0,0 +1,45 @@
+#!/bin/bash -e
+
+# install the opensc
+sudo make install
+export LD_LIBRARY_PATH=/usr/local/lib
+
+# setup java stuff
+. .github/setup-java.sh
+
+# The PIV Applet
+git clone --recursive https://github.com/arekinath/PivApplet.git
+pushd PivApplet
+JC_HOME=${JC_CLASSIC_HOME} ant dist
+popd
+
+# yubico-piv-tool is needed for PIV Applet management 
+git clone https://github.com/Yubico/yubico-piv-tool.git
+pushd yubico-piv-tool
+mkdir build
+pushd build
+cmake .. && make && sudo make install
+popd
+popd
+
+
+# log errors from pcscd to console
+sudo systemctl stop pcscd.service pcscd.socket
+sudo /usr/sbin/pcscd -f &
+PCSCD_PID=$!
+
+
+# start the applet and run couple of commands against that
+java -noverify -cp PivApplet/bin/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard PivApplet/test/jcardsim.cfg >/dev/null &
+PID=$!
+sleep 5
+opensc-tool --card-driver default --send-apdu 80b80000120ba000000308000010000100050000020F0F7f
+opensc-tool -n
+yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9e -a generate -A RSA2048
+yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9a -a generate -A ECCP256
+pkcs11-tool -l -t -p 123456
+kill -9 $PID
+
+
+# cleanup
+sudo kill -9 $PCSCD_PID
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -0,0 +1,28 @@
+name: CIFuzz
+on:
+  pull_request:
+    paths:
+      - '**.c'
+      - '**.h'
+jobs:
+ Fuzzing:
+   runs-on: ubuntu-latest
+   steps:
+   - name: Build Fuzzers
+     id: build
+     uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+     with:
+       oss-fuzz-project-name: 'opensc'
+       dry-run: false
+   - name: Run Fuzzers
+     uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+     with:
+       oss-fuzz-project-name: 'opensc'
+       fuzz-seconds: 600
+       dry-run: false
+   - name: Upload Crash
+     uses: actions/upload-artifact@v1
+     if: failure() && steps.build.outcome == 'success'
+     with:
+       name: artifacts
+       path: ./out/artifacts
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -0,0 +1,176 @@
+name: Linux
+
+on:
+  pull_request:
+    paths:
+      - '**.c'
+      - '**.h'
+  push:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh
+      - run: .github/build.sh dist
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build
+          path:
+            opensc*.tar.gz
+
+  build-ubuntu-18:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh
+      - run: .github/build.sh
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+
+  build-mingw:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh mingw
+      - run: .github/build.sh mingw
+      - name: Cache build artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build-mingw
+          path:
+            win32/Output/OpenSC*.exe
+
+  build-mingw32:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-linux.sh mingw32
+      - run: .github/build.sh mingw32
+      - name: Cache build artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build-mingw32
+          path:
+            win32/Output/OpenSC*.exe
+
+  test-piv:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh piv
+      - run: .github/test-piv.sh
+
+  test-isoapplet:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh isoapplet
+      - run: .github/test-isoapplet.sh
+
+  test-gidsapplet:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh gidsapplet
+      - run: .github/test-gidsapplet.sh
+
+  test-openpgp:
+    runs-on: ubuntu-18.04
+    needs: [build-ubuntu-18]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-18-${{ github.sha }}
+      - run: .github/setup-linux.sh openpgp
+      # the openpgp sometimes fails
+      - run: .github/test-openpgp.sh || true
+
+  build-clang-tidy:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - run: .github/setup-linux.sh clang-tidy
+      - run: .github/build.sh
+
+  test-cac:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - run: .github/setup-linux.sh cac
+      - run: .github/test-cac.sh
+
+  test-oseid:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - run: .github/setup-linux.sh oseid
+      - run: .github/test-oseid.sh
+
+  push-artifacts:
+    runs-on: ubuntu-latest
+    needs: [build, build-mingw]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        id: cache-build
+        with:
+          path: ./*
+          key: ${{ runner.os }}-${{ github.sha }}
+      - name: Pull mingw build artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: opensc-build-mingw
+      - run: git config --global user.email "builds@github.com"
+      - run: git config --global user.name "Github Actions";
+      - run: .github/push_artifacts.sh "Github Actions ${GITHUB_REF}"
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'OpenSC/OpenSC' }}
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -0,0 +1,39 @@
+name: OSX
+
+on:
+  pull_request:
+    paths:
+      - '**.c'
+      - '**.h'
+  push:
+
+jobs:
+  build:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: .github/setup-macos.sh
+      - run: .github/build.sh
+      - name: Cache build artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: opensc-build-macos
+          path:
+            OpenSC*.dmg
+
+  push-artifacts:
+    runs-on: macos-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Pull build artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: opensc-build-macos
+      - run: git config --global user.email "builds@github.com"
+      - run: git config --global user.name "Github Actions";
+      - run: .github/push_artifacts.sh "Github Actions ${GITHUB_REF}"
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'OpenSC/OpenSC' }}
+# TODO this fails probably because the key is not loaded in keychain before with
+# security: SecKeychainDelete: The specified keychain could not be found.
+#      - run: .github/remove_signing_key.sh; rm -f .github/secrets.tar
--- a/.gitignore
+++ b/.gitignore
@ -4,6 +4,7 @@ core
 archive
 acinclude.m4
 aclocal.m4
+aminclude_static.am
 autom4te.cache
 compile
 confdefs.h
@ -22,6 +23,7 @@ mkinstalldirs
 so_locations
 stamp-h*
 tags
+test-driver
 .deps
 .libs
 .#*#
@ -62,6 +64,7 @@ ChangeLog
 doc/tools/*-tool
 doc/tools/eidenv
 doc/tools/opensc-explorer
+doc/tools/pkcs11-register
 doc/tools/pkcs15-crypt
 doc/tools/pkcs15-init
 doc/tools/opensc-asn1
@ -77,6 +80,7 @@ src/tools/pkcs15-init
 src/tools/eidenv
 src/tools/opensc-explorer
 src/tools/cardos-info
+src/tools/gcns
 src/tools/sceac-example
 src/tools/opensc-notify
 src/tools/opensc-notify.plist
@ -115,5 +119,10 @@ src/tests/p11test/p11test

 tests/*.log
 tests/*.trs
+src/tests/unittests/*.log
+src/tests/unittests/*.trs
+src/tests/unittests/asn1
+src/tests/unittests/compression
+src/tests/unittests/simpletlv

 version.m4.ci
--- a/.travis.yml
+++ b/.travis.yml
@ -4,20 +4,26 @@ matrix:
  include:
    - compiler: clang
      os: osx
+      osx_image: xcode9.4
      env: DO_PUSH_ARTIFACT=yes
-    - compiler: gcc
+    - compiler: clang
+      os: osx
+      osx_image: xcode12.2
+      env: DO_PUSH_ARTIFACT=yes
+    - compiler: clang
      os: linux
-      dist: trusty
-      env:
-        - DO_SIMULATION=javacard
-        - ENABLE_DOC=--enable-doc
-      sudo: true
+      dist: focal
    - compiler: gcc
      os: linux
      dist: bionic
+      env:
+        - DO_SIMULATION=javacard
+        - ENABLE_DOC=--enable-doc
+    - compiler: gcc
+      os: linux
+      dist: focal
      env:
        - DO_SIMULATION=oseid
-      sudo: true
    - env:
        - HOST=x86_64-w64-mingw32
        - DO_PUSH_ARTIFACT=yes
@ -30,11 +36,10 @@ matrix:
      dist: bionic
      env:
        - DO_SIMULATION=cac
-      sudo: true

 env:
  global:
-    # The next declaration are encrypted envirnmet variables, created via the
+    # The next declaration are encrypted environment variables, created via the
    # "travis encrypt" command using the project repo's public key
    # COVERITY_SCAN_TOKEN
    - secure: "UkHn7wy4im8V1nebCWbAetnDSOLRUbOlF6++ovk/7Bnso1/lnhXHelyzgRxfD/oI68wm9nnRV+RQEZ9+72Ug1CyvHxyyxxkwal/tPeHH4B/L+aGdPi0id+5OZSKIm77VP3m5s102sJMJgH7DFd03+nUd0K26p0tk8ad4j1geV4c="
@ -46,34 +51,63 @@ env:
    - COVERITY_SCAN_PROJECT_NAME="$TRAVIS_REPO_SLUG"
    - SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)

-addons:
-  apt_packages:
-    - binutils-mingw-w64-i686
-    - binutils-mingw-w64-x86-64
-    - docbook-xsl
-    - gcc-mingw-w64-i686
-    - gcc-mingw-w64-x86-64
-    - libpcsclite-dev
-    - mingw-w64
-    - xsltproc
-    - gengetopt
-    - libcmocka-dev
-    - help2man
-    - pcscd
-    - pcsc-tools
-    - check
-    - ant
-    - socat
+# Commented out because of a bug in travis images for Focal:
+# https://travis-ci.community/t/clang-10-was-recently-broken-on-linux-unmet-dependencies-for-clang-10-clang-tidy-10-valgrind/11527
+#addons:
+#  apt_packages:
+#    - binutils-mingw-w64-i686
+#    - binutils-mingw-w64-x86-64
+#    - docbook-xsl
+#    - gcc-mingw-w64-i686
+#    - gcc-mingw-w64-x86-64
+#    - libpcsclite-dev
+#    - mingw-w64
+#    - xsltproc
+#    - gengetopt
+#    - libcmocka-dev
+#    - help2man
+#    - pcscd
+#    - pcsc-tools
+#    - check
+#    - ant
+#    - socat
+#    - cmake
+#    - clang-tidy
+#    - softhsm2

 before_install:
-  # brew install gengetopt help2man cmocka ccache llvm;
-  # export PATH="/usr/local/opt/ccache/libexec:/usr/local/opt/llvm/bin:$PATH";
+  # homebrew is dead slow in older images due to the many updates it would need to download and build.
+  # here, we build the additional dependencies manually to get around this
  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
-        brew update;
-        brew uninstall libtool;
-        brew install libtool;
-        brew install gengetopt help2man cmocka ccache;
+        curl https://ftp.gnu.org/gnu/gengetopt/gengetopt-2.23.tar.xz -L --output gengetopt-2.23.tar.xz;
+        tar xfj gengetopt-2.23.tar.xz;
+        pushd gengetopt-2.23;
+        ./configure && make;
+        sudo make install;
+        popd;
+        curl https://ftp.gnu.org/gnu/help2man/help2man-1.47.16.tar.xz -L --output help2man-1.47.16.tar.xz;
+        tar xjf help2man-1.47.16.tar.xz;
+        pushd help2man-1.47.16;
+        ./configure && make;
+        sudo make install;
+        popd;
        export PATH="/usr/local/opt/ccache/libexec:$PATH";
+        git clone https://github.com/frankmorgner/OpenSCToken.git;
+        sudo rm -rf /Library/Developer/CommandLineTools;
+    fi
+  - if [ "$TRAVIS_OS_NAME" = "osx" -a "$TRAVIS_PULL_REQUEST" = "false" -a -n "$encrypted_3b9f0b9d36d1_key" ]; then
+        openssl aes-256-cbc -K $encrypted_3b9f0b9d36d1_key -iv $encrypted_3b9f0b9d36d1_iv -in .github/secrets.tar.enc -out .github/secrets.tar -d;
+        .github/add_signing_key.sh;
+    else
+        unset CODE_SIGN_IDENTITY INSTALLER_SIGN_IDENTITY;
+    fi
+  - if [ "${DO_SIMULATION}" = "javacard" ]; then
+        sudo apt-get install -y openjdk-8-jdk;
+        sudo update-java-alternatives -s java-1.8.0-openjdk-amd64;
+        sudo update-alternatives --get-selections | grep ^java;
+        export PATH="/usr/lib/jvm/java-8-openjdk-amd64/bin/:$PATH";
+        export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/;
+        env | grep -i openjdk;
    fi
  - if [ "${DO_SIMULATION}" = "cac" ]; then
        sudo apt-get install -y libglib2.0-dev libnss3-dev  pkgconf libtool make autoconf autoconf-archive automake libsofthsm2-dev softhsm2 softhsm2-common help2man gnutls-bin libcmocka-dev libusb-dev libudev-dev flex libnss3-tools libssl-dev libpcsclite1;
@ -82,6 +116,12 @@ before_install:
  - if [ -n "${HOST}" ]; then
        sudo apt-get install -y wine;
    fi
+  - if [ "$TRAVIS_DIST" == "focal" ]; then
+        sudo apt-get install -yq --allow-downgrades libc6=2.31-0ubuntu9.2 libc6-dev=2.31-0ubuntu9.2;
+    fi
+  - if [ "$TRAVIS_OS_NAME" == "linux" ]; then
+        sudo -E apt-get -yq --no-install-suggests --no-install-recommends --allow-downgrades --allow-remove-essential --allow-change-held-packages install binutils-mingw-w64-i686 binutils-mingw-w64-x86-64 docbook-xsl gcc-mingw-w64-i686 gcc-mingw-w64-x86-64 libpcsclite-dev mingw-w64 xsltproc gengetopt libcmocka-dev help2man pcscd pcsc-tools check ant socat cmake clang-tidy softhsm2;
+    fi

 before_script:
  - if [ "$TRAVIS_BRANCH" = "master" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then
@ -102,23 +142,27 @@ before_script:
      if [ ! -f "$(winepath 'C:/Program Files (x86)/Inno Setup 5/ISCC.exe')" ]; then
        /sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16;
        export DISPLAY=:99.0;
+        [ -d isetup ] || mkdir isetup;
+        pushd isetup;
        [ -f isetup-5.5.6.exe ] || wget http://files.jrsoftware.org/is/5/isetup-5.5.6.exe;
        wine isetup-5.5.6.exe /SILENT /VERYSILENT /SP- /SUPPRESSMSGBOXES /NORESTART;
+        popd;
      fi;
      unset CC;
      unset CXX;
      ./configure --host=$HOST --with-completiondir=/tmp --disable-openssl --disable-readline --disable-zlib --disable-notify --prefix=${TRAVIS_BUILD_DIR}/win32/opensc || cat config.log;
    fi
  # Optionally try to upload to Coverity Scan
-  # On error (propably quota is exhausted), just continue
+  # On error (probably quota is exhausted), just continue
  - if [ "${DO_COVERITY_SCAN}" = "yes" ]; then curl -s 'https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh' | bash || true; fi

  - if [ "${DO_SIMULATION}" = "javacard" ]; then
+      set -ex;
      git clone https://github.com/frankmorgner/vsmartcard.git;
      cd vsmartcard/virtualsmartcard;
      autoreconf -vis && ./configure && sudo make install;
      cd $TRAVIS_BUILD_DIR;
-      sudo /etc/init.d/pcscd restart;
+      sudo systemctl stop pcscd.service pcscd.socket;

      git clone https://github.com/martinpaljak/oracle_javacard_sdks.git;
      export JC_HOME=$PWD/oracle_javacard_sdks/jc222_kit;
@ -126,6 +170,8 @@ before_script:

      git clone https://github.com/arekinath/jcardsim.git;
      cd jcardsim;
+      env | grep -i openjdk;
+      export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/;
      mvn initialize && mvn clean install;
      cd $TRAVIS_BUILD_DIR;

@ -157,13 +203,15 @@ before_script:

      git clone --recursive https://github.com/arekinath/PivApplet.git;
      cd PivApplet;
-      ant dist;
+      JC_HOME=${JC_CLASSIC_HOME} ant dist;
      cd $TRAVIS_BUILD_DIR;

      git clone https://github.com/Yubico/yubico-piv-tool.git;
      cd yubico-piv-tool;
-      autoreconf -vis && ./configure && sudo make install;
+      mkdir build; cd build;
+      cmake .. && make && sudo make install;
      cd $TRAVIS_BUILD_DIR;
+      set +ex;
    fi

  - if [ "${DO_SIMULATION}" = "oseid" ]; then
@ -172,6 +220,7 @@ before_script:
      make -f Makefile.console;
      mkdir tmp;
      socat -d -d pty,link=tmp/OsEIDsim.socket,raw,echo=0 "exec:build/console/console ...,pty,raw,echo=0" &
+      PID=$!;
      sleep 1;
      echo "# OsEIDsim" > tmp/reader.conf;
      echo 'FRIENDLYNAME      "OsEIDsim"' >> tmp/reader.conf;
@ -211,7 +260,7 @@ script:
      fi;
    fi
  - if [ -z "$HOST" -a "${DO_COVERITY_SCAN}" != "yes" -a -z "$DO_SIMULATION" ]; then
-      make check && make dist;
+      make check && make distcheck || (cat tests/*log src/tests/unittests/*log && exit 1);
    fi
  - if [ ! -z "$HOST" -a "${DO_COVERITY_SCAN}" != "yes" ]; then
      make install;
@ -223,42 +272,53 @@ script:
      sudo make install;
      export LD_LIBRARY_PATH=/usr/local/lib;

+      sudo /usr/sbin/pcscd -f &
+      PCSCD_PID=$!;
+
      java -noverify -cp IsoApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard isoapplet_jcardsim.cfg >/dev/null &
+      PID=$!;
      sleep 5;
      opensc-tool --card-driver default --send-apdu 80b800001a0cf276a288bcfba69d34f310010cf276a288bcfba69d34f3100100;
      opensc-tool -n;
      pkcs15-init --create-pkcs15 --so-pin 123456 --so-puk 0123456789abcdef;
+      pkcs15-tool --change-pin --pin 123456 --new-pin 654321;
+      pkcs15-tool --unblock-pin --puk 0123456789abcdef --new-pin 123456;
      pkcs15-init --generate-key rsa/2048     --id 1 --key-usage decrypt,sign --auth-id FF --pin 123456;
      pkcs15-init --generate-key rsa/2048     --id 2 --key-usage decrypt      --auth-id FF --pin 123456;
      pkcs15-init --generate-key ec/secp256r1 --id 3 --key-usage sign         --auth-id FF --pin 123456;
      pkcs15-tool -D;
      pkcs11-tool -l -t -p 123456;
-      killall java;
+      kill -9 $PID;

      java -noverify -cp GidsApplet/src/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard gids_jcardsim.cfg >/dev/null &
+      PID=$!;
      sleep 5;
      opensc-tool --card-driver default --send-apdu 80b80000190bA0000003974254465902010bA00000039742544659020100;
      opensc-tool -n;
      gids-tool --initialize --pin 123456 --admin-key 000000000000000000000000000000000000000000000000 --serial 00000000000000000000000000000000;
-      killall java;
+      kill -9 $PID;

      java -noverify -cp ykneo-openpgp/applet/bin:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard openpgp_jcardsim.cfg >/dev/null &
+      PID=$!;
      sleep 5;
      opensc-tool --card-driver default --send-apdu 80b800002210D276000124010200000000000001000010D276000124010200000000000001000000;
      opensc-tool -n;
      openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2;
      pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048;
      pkcs11-tool -l -t -p 123456;
-      killall java;
+      kill -9 $PID;

      java -noverify -cp PivApplet/bin/:jcardsim/target/jcardsim-3.0.5-SNAPSHOT.jar com.licel.jcardsim.remote.VSmartCard PivApplet/test/jcardsim.cfg >/dev/null &
+      PID=$!;
      sleep 5;
      opensc-tool --card-driver default --send-apdu 80b80000120ba000000308000010000100050000020F0F7f;
      opensc-tool -n;
-      yubico-piv-tool -r 'Virtual PCD 00 00' -P 123456 -s 9a -a generate -A ECCP256;
-      yubico-piv-tool -r 'Virtual PCD 00 00' -P 123456 -s 9e -a generate -A RSA2048;
+      yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9e -a generate -A RSA2048;
+      yubico-piv-tool -v 9999 -r 'Virtual PCD 00 00' -P 123456 -s 9a -a generate -A ECCP256;
      pkcs11-tool -l -t -p 123456;
-      killall java;
+      kill -9 $PID;
+
+      sudo kill -9 $PCSCD_PID;

      set +ex;
    fi
@ -273,17 +333,19 @@ script:
      ./OsEID-tool RSA-CREATE-KEYS;
      ./OsEID-tool RSA-UPLOAD-KEYS;
      ./OsEID-tool RSA-DECRYPT-TEST;
+      ./OsEID-tool RSA-SIGN-PKCS11-TEST;
      ./OsEID-tool EC-CREATE-KEYS;
      ./OsEID-tool EC-UPLOAD-KEYS;
      ./OsEID-tool EC-SIGN-TEST;
+      ./OsEID-tool EC-SIGN-PKCS11-TEST;
      ./OsEID-tool EC-ECDH-TEST;
-      killall socat;
+      kill -9 $PID;

      set +ex;
    fi
  - if [ "${DO_SIMULATION}" = "cac" ]; then
      cd $TRAVIS_BUILD_DIR;
-      make check && sudo make install;
+      make check && sudo make install || (cat tests/*log src/tests/unittests/*log && exit 1);
      export LD_LIBRARY_PATH=/usr/local/lib;
      cd src/tests/p11test/;
      ./p11test -s 0 -p 12345678 -i &
@ -309,17 +371,16 @@ after_script:
      git config --global user.name "Travis CI";
      .github/push_artifacts.sh "Travis CI build ${TRAVIS_JOB_NUMBER}";
    fi
-
-before_cache:
-  - brew cleanup
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then
+      .github/remove_signing_key.sh;
+      rm -f .github/secrets.tar;
+    fi

 cache:
  apt: true
  ccache: true
  directories:
    - $HOME/.m2/
-    - $HOME/Library/Caches/Homebrew
    - openssl_bin
    - openpace_bin
-  files:
-    - isetup-5.5.6.exe
+    - isetup
--- a/37
+++ b/37
@ -1,8 +1,8 @@
-		  GNU LESSER GENERAL PUBLIC LICENSE
-		       Version 2.1, February 1999
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999

 Copyright (C) 1991, 1999 Free Software Foundation, Inc.
-     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

@ -10,7 +10,7 @@
 as the successor of the GNU Library Public License, version 2, hence
 the version number 2.1.]

-			    Preamble
+                            Preamble

  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@ -111,8 +111,8 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
-		  GNU LESSER GENERAL PUBLIC LICENSE
+
+                  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License Agreement applies to any software library or other
@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
  1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@ -432,7 +432,7 @@ decision will be guided by the two goals of preserving the free status
 of all derivatives of our free software and of promoting the sharing
 and reuse of software generally.

-			    NO WARRANTY
+                            NO WARRANTY

  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
 WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
@ -455,8 +455,8 @@ FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
 SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.

-		     END OF TERMS AND CONDITIONS
-
+                     END OF TERMS AND CONDITIONS
+
           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
@ -485,7 +485,7 @@ convey the exclusion of warranty; and each file should have at least the

    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

 Also add information on how to contact you by electronic and paper mail.

@ -501,4 +501,3 @@ necessary.  Here is a sample; alter the names:

 That's all there is to it!

-
--- a/MacOSX/Makefile.am
+++ b/MacOSX/Makefile.am
@ -1,5 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-EXTRA_DIST = build build-package.in build-package-from-ci.in Distribution.xml.in libtool-bundle opensc-uninstall \
+EXTRA_DIST = build build-package.in Distribution.xml.in libtool-bundle opensc-uninstall \
 	resources \
 	resources/background.jpg \
 	resources/Welcome.html.in \
--- a/MacOSX/OpenSC_applescripts.entitlements
+++ b/MacOSX/OpenSC_applescripts.entitlements
@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.app-sandbox</key>
+    <false/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+  </dict>
+</plist>
--- a/MacOSX/OpenSC_binaries.entitlements
+++ b/MacOSX/OpenSC_binaries.entitlements
@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.app-sandbox</key>
+    <false/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>
--- a/MacOSX/build-package-from-ci.in
+++ b/MacOSX/build-package-from-ci.in
@ -1,80 +0,0 @@
-#!/bin/bash
-# temporary build script until we've fixed the CI to include CTK
-
-# You need to install the following packages from homebrew or macports or fink:
-# autoconf automake libtool pkg-config help2man gengetopt
-
-export MACOSX_DEPLOYMENT_TARGET="10.10"
-
-set -ex
-test -x ./configure || ./bootstrap
-BUILDPATH=${PWD}
-
-# Locate the latest OSX SDK
-SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
-
-# Set SDK path
-export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
-
-# Build OpenSCToken
-if ! test -e OpenSCToken; then
-    git clone --depth=1 https://github.com/frankmorgner/OpenSCToken.git
-fi
-cd OpenSCToken
-# make sure OpenSCToken builds with the same dependencies as before
-if ! test -e OpenSC; then
-    git clone --depth=1 ../../OpenSC
-else
-    cd OpenSC && git pull && cd ..
-fi
-if ! test -e openssl; then
-    git clone --depth=1 https://github.com/openssl/openssl.git -b OpenSSL_1_0_2-stable
-else
-    cd openssl && git pull && cd ..
-fi
-if ! test -e openpace; then
-    git clone --depth=1 https://github.com/frankmorgner/openpace.git -b 1.1.0
-else
-    cd openpace && git pull && cd ..
-fi
-BP=${BUILDPATH}
-. ./bootstrap
-BUILDPATH=${BP}
-xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token
-cd ..
-
-imagedir=$(mktemp -d)
-
-# Get name of branch in Nightly which corresponds to the latest commit in OpenSC
-BRANCH=`git log --max-count=1 --date=short --abbrev=8 --pretty=format:"%cd_%h"`
-if ! test -e Nightly-${BRANCH}; then
-    # Download the build
-    curl -L https://github.com/OpenSC/Nightly/archive/${BRANCH}.zip > ${BRANCH}.zip
-    # Unpack the build
-    unzip ${BRANCH}.zip
-fi
-cp Nightly-${BRANCH}/OpenSC-startup.pkg .
-cp Nightly-${BRANCH}/OpenSC-tokend.pkg .
-cp Nightly-${BRANCH}/OpenSC.pkg .
-
-# Build package
-pkgbuild --root ${BUILDPATH}/target_token --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg
-
-# Build product
-productbuild --distribution MacOSX/Distribution.xml --package-path . --resources MacOSX/resources "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg"
-
-# Build "Uninstaller"
-osacompile -o "${imagedir}/OpenSC Uninstaller.app" "MacOSX/OpenSC_Uninstaller.applescript"
-
-# Create .dmg
-rm -f OpenSC-@PACKAGE_VERSION@.dmg
-i=0
-while ! hdiutil create -srcfolder "${imagedir}" -volname "@PACKAGE_NAME@" -fs JHFS+ OpenSC-@PACKAGE_VERSION@.dmg
-do
-	i=$[$i+1]
-	if [ $i -gt 2 ]
-	then
-		exit 1
-	fi
-done
-rm -rf ${imagedir}
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@ -13,11 +13,11 @@ set -ex
 test -x ./configure || ./bootstrap
 BUILDPATH=${PWD}

-# Locate the latest OSX SDK
-SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
-
-# Set SDK path
-export CFLAGS="$CFLAGS -isysroot $SDK_PATH -arch x86_64"
+xcode_ver=$(xcodebuild -version | sed -En 's/Xcode[[:space:]](.*)/\1/p')
+base_ver="12.2"
+if [ $(echo -e $base_ver"\n"$xcode_ver | sort -V | head -1) == "$base_ver" ]; then
+	export BUILD_ARM="true"
+fi

 export SED=/usr/bin/sed
 PREFIX=/Library/OpenSC
@ -28,28 +28,47 @@ if ! pkg-config libcrypto --atleast-version=1.0.1; then
 	if ! test -e $BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig; then
 		# Build OpenSSL manually, because Apple's binaries are deprecated
 		if ! test -e openssl; then
-			git clone --depth=1 https://github.com/openssl/openssl.git -b OpenSSL_1_0_2-stable
+			git clone --depth=1 https://github.com/openssl/openssl.git -b OpenSSL_1_1_1-stable
 		fi
 		cd openssl
-		KERNEL_BITS=64 ./config --prefix=$PREFIX
+		MACHINE=x86_64 ./config no-shared --prefix=$PREFIX
 		make clean
-		make update
-		make depend
 		make -j 4
-		make INSTALL_PREFIX=$BUILDPATH/openssl_bin install_sw
+		make DESTDIR=$BUILDPATH/openssl_bin install_sw
+		if test -n "${BUILD_ARM}"; then
+			make clean
+			MACHINE=arm64 KERNEL_BITS=64 ./config no-shared --prefix=$PREFIX
+			make -j 4
+			make DESTDIR=$BUILDPATH/openssl_arm64 install_sw
+			lipo -create $BUILDPATH/openssl_arm64/$PREFIX/lib/libcrypto.a $BUILDPATH/openssl_bin/$PREFIX/lib/libcrypto.a -output libcrypto.a
+			lipo -create $BUILDPATH/openssl_arm64/$PREFIX/lib/libssl.a $BUILDPATH/openssl_bin/$PREFIX/lib/libssl.a -output libssl.a
+			mv libcrypto.a $BUILDPATH/openssl_bin/$PREFIX/lib/libcrypto.a
+			mv libssl.a $BUILDPATH/openssl_bin/$PREFIX/lib/libssl.a
+		fi
 		cd ..
 	fi
 	export OPENSSL_CFLAGS="`env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin pkg-config --static --cflags libcrypto`"
 	export OPENSSL_LIBS="`  env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin pkg-config --static --libs   libcrypto`"
 fi

+# Locate the latest OSX SDK
+SDK_PATH=$(xcrun --sdk macosx --show-sdk-path)
+export CFLAGS="$CFLAGS -isysroot $SDK_PATH"
+
+if test -n "${BUILD_ARM}"; then
+	export CFLAGS="$CFLAGS -arch x86_64 -arch arm64"
+	export LDFLAGS="$LDFLAGS -arch x86_64 -arch arm64"
+fi
+export OBJCFLAGS=$CFLAGS
+
 if ! test -e $BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig; then
 	if ! test -e openpace; then
-		git clone --depth=1 https://github.com/frankmorgner/openpace.git -b 1.1.0
+		git clone --depth=1 https://github.com/frankmorgner/openpace.git -b 1.1.1
 	fi
 	cd openpace
 	autoreconf -vis
-	./configure --disable-shared --prefix=$PREFIX CRYPTO_CFLAGS="$OPENSSL_CFLAGS" CRYPTO_LIBS="$OPENSSL_LIBS"
+	./configure --disable-shared --prefix=$PREFIX CRYPTO_CFLAGS="$OPENSSL_CFLAGS" CRYPTO_LIBS="$OPENSSL_LIBS" HELP2MAN=/usr/bin/true
+	touch src/cvc-create.1 src/cvc-print.1
 	make DESTDIR=$BUILDPATH/openpace_bin install
 	cd ..
 fi
@ -91,25 +110,42 @@ fi
 if ! test -e NotificationProxy; then
 	git clone http://github.com/frankmorgner/NotificationProxy.git
 fi
-xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
-mkdir -p "$BUILDPATH/target/Applications"
-osacompile -o "$BUILDPATH/target/Applications/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
-
-
-# Check out OpenSC.tokend, if not already fetched.
-if ! test -e OpenSC.tokend; then
-	git clone http://github.com/OpenSC/OpenSC.tokend.git
+if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
+	xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/ \
+		CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
+else
+	xcodebuild -target NotificationProxy -configuration Release -project NotificationProxy/NotificationProxy.xcodeproj install DSTROOT=$BUILDPATH/target/Library/OpenSC/
+fi
+mkdir -p "$BUILDPATH/target/Applications/Utilities"
+osacompile -o "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app" "MacOSX/OpenSC_Notify.applescript"
+if test -n "${CODE_SIGN_IDENTITY}"; then
+	codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_applescripts.entitlements --deep --timestamp --options runtime "$BUILDPATH/target/Applications/Utilities/OpenSC Notify.app"
 fi

-# Create the symlink to OpenSC sources
-test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src

-if (( xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)\.[0-9]*/\1/p' < 10 )); then
+# Build OpenSC.tokend when XCode version < 10
+if (( $(xcodebuild -version | sed -En 's/Xcode[[:space:]]+([0-9]+)(\.[0-9]*)*/\1/p') < 10 )); then
+	# Check out OpenSC.tokend, if not already fetched.
+	if ! test -e OpenSC.tokend; then
+		git clone http://github.com/OpenSC/OpenSC.tokend.git
+	fi
+
+	# Create the symlink to OpenSC sources
+	test -L OpenSC.tokend/build/opensc-src || ln -sf ${BUILDPATH}/src OpenSC.tokend/build/opensc-src
+
 	# Build and copy OpenSC.tokend
-	xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
+	if test -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
+		xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend \
+		CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
+	else
+		xcodebuild -target OpenSC -configuration Deployment -project OpenSC.tokend/Tokend.xcodeproj install DSTROOT=${BUILDPATH}/target_tokend
+	fi
+
+	TOKEND="-tokend"
 else
 	# https://github.com/OpenSC/OpenSC.tokend/issues/33
 	mkdir -p ${BUILDPATH}/target_tokend
+	TOKEND=""
 fi

 #if ! test -e $BUILDPATH/target/Library/Security/tokend/OpenSC.tokend/Contents/Resources/Applications/terminal-notifier.app; then
@ -131,54 +167,77 @@ cp MacOSX/opensc-uninstall ${BUILDPATH}/target/usr/local/bin

 # Prepare startup root
 mkdir -p ${BUILDPATH}/target_startup/Library/LaunchAgents
-cp src/tools/pkcs11-register.plist ${BUILDPATH}/target_startup/Library/LaunchAgents
-cp src/tools/opensc-notify.plist ${BUILDPATH}/target_startup/Library/LaunchAgents
+cp src/tools/org.opensc-project.mac.pkcs11-register.plist ${BUILDPATH}/target_startup/Library/LaunchAgents
+cp src/tools/org.opensc-project.mac.opensc-notify.plist   ${BUILDPATH}/target_startup/Library/LaunchAgents

 # Build OpenSCToken if possible
-if test -e OpenSCToken; then
+if test -e OpenSCToken -a -n "${CODE_SIGN_IDENTITY}" -a -n "${DEVELOPMENT_TEAM}"; then
 	cd OpenSCToken
 	# make sure OpenSCToken builds with the same dependencies as before
 	if ! test -e OpenSC; then
-		git clone --depth=1 ../../OpenSC
+		git clone --depth=1 file://$PWD/../../OpenSC
 	else
 		cd OpenSC && git pull && cd ..
 	fi
-	if ! test -e openssl; then
-		git clone --depth=1 ../openssl
-	else
-		cd openssl && git pull && cd ..
+	mkdir -p build
+	if ! test -e build/openssl; then
+		# build/openssl/lib/libcrypto.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openssl_bin/$PREFIX build/openssl
+		# in OpenSCToken's variant of OpenSC we still use OpenSSL flags from above
 	fi
-	if ! test -e openpace; then
-		git clone --depth=1 ../openpace
-	else
-		cd openpace && git pull && cd ..
+	if ! test -e build/openpace; then
+		# build/openpace/lib/libeac.a is hardcoded in OpenSCToken
+		ln -sf $BUILDPATH/openpace_bin/$PREFIX build/openpace
+		# in OpenSCToken's variant of OpenSC we still use OpenPACE flags from above
 	fi
 	BP=${BUILDPATH}
 	. ./bootstrap
 	BUILDPATH=${BP}
-	xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token
+	xcodebuild -target OpenSCTokenApp -configuration Debug -project OpenSCTokenApp.xcodeproj install DSTROOT=${BUILDPATH}/target_token \
+		CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" DEVELOPMENT_TEAM="${DEVELOPMENT_TEAM}" OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime" CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO CODE_SIGN_STYLE=Manual
 	cd ..
+
+	COMPONENT_TOKEN="--component-plist MacOSX/target_token.plist"
 else
 	# if no OpenSCToken is checked out, then we create a dummy package
 	mkdir -p ${BUILDPATH}/target_token
 fi

+if test -n "${CODE_SIGN_IDENTITY}"; then
+	for d in ${BUILDPATH}/target/Library/OpenSC/bin ${BUILDPATH}/target/Library/OpenSC/lib
+	do
+		# find executable files and run codesign on them
+		find ${d} -type f -perm +111 -print -exec \
+			codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_binaries.entitlements --deep --timestamp --options runtime {} \;
+	done
+fi
+
+
 # Build package
-pkgbuild --root ${BUILDPATH}/target --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg
-pkgbuild --root ${BUILDPATH}/target_tokend --identifier org.opensc-project.tokend --version @PACKAGE_VERSION@ --install-location / OpenSC-tokend.pkg
-pkgbuild --root ${BUILDPATH}/target_token --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg
-pkgbuild --root ${BUILDPATH}/target_startup --identifier org.opensc-project.startup --version @PACKAGE_VERSION@ --install-location / OpenSC-startup.pkg
+pkgbuild --root ${BUILDPATH}/target --component-plist MacOSX/target.plist --scripts MacOSX/scripts --identifier org.opensc-project.mac --version @PACKAGE_VERSION@ --install-location / OpenSC.pkg
+pkgbuild --root ${BUILDPATH}/target_tokend --component-plist MacOSX/target_tokend.plist --identifier org.opensc-project.tokend --version @PACKAGE_VERSION@ --install-location / OpenSC-tokend.pkg
+pkgbuild --root ${BUILDPATH}/target_token $COMPONENT_TOKEN --identifier org.opensc-project.mac.opensctoken --version @PACKAGE_VERSION@ --install-location / OpenSCToken.pkg
+pkgbuild --root ${BUILDPATH}/target_startup --component-plist MacOSX/target_startup.plist --identifier org.opensc-project.startup --version @PACKAGE_VERSION@ --install-location / OpenSC-startup.pkg

 # Build product
 productbuild --distribution MacOSX/Distribution.xml --package-path . --resources MacOSX/resources "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg"

+# Sign installer
+if test -n "${INSTALLER_SIGN_IDENTITY}"; then
+	productsign --sign "${INSTALLER_SIGN_IDENTITY}" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg" "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg"
+	mv "${BUILDPATH}/OpenSC @PACKAGE_VERSION@.pkg" "${imagedir}/OpenSC @PACKAGE_VERSION@.pkg"
+fi
+
 # Build "Uninstaller"
 osacompile -o "${imagedir}/OpenSC Uninstaller.app" "MacOSX/OpenSC_Uninstaller.applescript"
+if test -n "${CODE_SIGN_IDENTITY}"; then
+	codesign --force --sign "${CODE_SIGN_IDENTITY}" --entitlements MacOSX/OpenSC_applescripts.entitlements --deep --timestamp --options runtime "${imagedir}/OpenSC Uninstaller.app"
+fi

 # Create .dmg
-rm -f OpenSC-@PACKAGE_VERSION@.dmg
+rm -f OpenSC-@PACKAGE_VERSION@$TOKEND.dmg
 i=0
-while ! hdiutil create -srcfolder "${imagedir}" -volname "@PACKAGE_NAME@" -fs JHFS+ OpenSC-@PACKAGE_VERSION@.dmg
+while ! hdiutil create -srcfolder "${imagedir}" -volname "@PACKAGE_NAME@" -fs JHFS+ OpenSC-@PACKAGE_VERSION@$TOKEND.dmg
 do
 	i=$[$i+1]
 	if [ $i -gt 2 ]
@ -187,3 +246,6 @@ do
 	fi
 done
 rm -rf ${imagedir}
+
+#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then xcrun altool --notarize-app --file $(pwd)/vorteil_darwin-x86.dmg --username $OSX_NOTARIZE_USERNAME --primary-bundle-id com.vorteil.cli -p $OSX_NOTARIZE_PW -- >> /dev/null; fi;
+#if [ "$TRAVIS_EVENT_TYPE" != "pull_request" ]; then for ((i=1;i<=30;i+=1)); do xcrun stapler staple $(pwd)/vorteil_darwin-x86.dmg >> /dev/null; if [ $? = 65 ]; then echo "Waiting for notarization to complete..." && sleep 10; fi; done; fi;
--- a/MacOSX/opensc-uninstall
+++ b/MacOSX/opensc-uninstall
@ -6,6 +6,8 @@ if [ "$(id -u)" != "0" ]; then
   exit 1
 fi

+pluginkit -r -i org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken
+
 for f in \
 	/Library/OpenSC/bin/* \
 	/Library/OpenSC/etc/bash_completion.d/* \
@ -26,16 +28,23 @@ rm -f /usr/local/lib/onepin-opensc-pkcs11.so
 # Remove installed files
 rm -rf /Applications/OpenSCTokenApp.app
 rm -rf "/Applications/OpenSC Notify.app"
+rm -rf /Applications/Utilities/OpenSCTokenApp.app
+rm -rf "/Applications/Utilities/OpenSC Notify.app"
 rm -rf /Library/OpenSC
 rm -rf /Library/Security/tokend/OpenSC.tokend
 rm -f  /Library/LaunchAgents/pkcs11-register.plist
 rm -f  /Library/LaunchAgents/opensc-notify.plist
 rm -rf /System/Library/Security/tokend/OpenSC.tokend

+# Unload launchagents
+launchctl remove pkcs11-register
+launchctl remove opensc-notify

 # delete receipts on 10.6+
-pkgutil --forget org.opensc-project.mac > /dev/null
-pkgutil --forget org.opensc-project.tokend > /dev/null
+pkgutil --forget org.opensc-project.mac             > /dev/null 2>/dev/null
+pkgutil --forget org.opensc-project.tokend          > /dev/null 2>/dev/null
+pkgutil --forget org.opensc-project.mac.opensctoken > /dev/null 2>/dev/null
+pkgutil --forget org.opensc-project.startup         > /dev/null 2>/dev/null

 # remove this script
 rm -f /usr/local/bin/opensc-uninstall
--- a/MacOSX/scripts/postinstall
+++ b/MacOSX/scripts/postinstall
@ -1,43 +1,63 @@
 #!/bin/bash

-cp /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so
-cp /Library/OpenSC/lib/onepin-opensc-pkcs11.so /usr/local/lib/onepin-opensc-pkcs11.so
-if [ -e "/Library/OpenSC/etc/opensc.conf.md5" ]
-then
-	read cs_fromfile file < "/Library/OpenSC/etc/opensc.conf.md5"
-	cs_calculated=$( md5 -q "/Library/OpenSC/etc/opensc.conf")
-	if [ "$cs_fromfile" = "$cs_calculated" ]
-	then
-		mv /Library/OpenSC/etc/opensc.conf.orig /Library/OpenSC/etc/opensc.conf
-		md5 -r /Library/OpenSC/etc/opensc.conf  > /Library/OpenSC/etc/opensc.conf.md5
-	fi
-else
-	mv /Library/OpenSC/etc/opensc.conf.orig /Library/OpenSC/etc/opensc.conf
-	md5 -r /Library/OpenSC/etc/opensc.conf  > /Library/OpenSC/etc/opensc.conf.md5
-fi
+# copy libs to /usr/local/lib
+cp /Library/OpenSC/lib/opensc-pkcs11.so \
+  /Library/OpenSC/lib/onepin-opensc-pkcs11.so \
+  /usr/local/lib/

-for f in \
-	/Library/OpenSC/bin/* \
-	/Library/OpenSC/etc/bash_completion.d/* \
-	/Library/OpenSC/share/doc/opensc \
-	/Library/OpenSC/share/man/man1/* \
-	/Library/OpenSC/share/man/man5/*
-do
-	a=/Library/OpenSC
-	b=/usr/local
-	l="$(dirname ${f/$a/$b})"
-	mkdir -p $l
-	ln -sf $f $l
+# install opensc.conf if it hasn't been locally modified
+# shellcheck disable=SC2043
+for f in /Library/OpenSC/etc/opensc.conf; do
+  if [ -e "${f}.md5" ]; then
+    read -r cs_fromfile _ < "${f}.md5"
+    cs_calculated="$(md5 -q "${f}")"
+    if [ "$cs_fromfile" != "$cs_calculated" ]; then
+      echo "config ${f} was locally modified since last install, skipping" 2>&1
+      continue
+    fi
+  fi
+  cp "${f}.orig" "$f"
+  md5 -r "$f"  >"${f}.md5"
 done

+# symlink other files to /usr/local
 for f in \
-	/Library/LaunchAgents/pkcs11-register.plist \
-	/Library/LaunchAgents/opensc-notify.plist
+  /Library/OpenSC/bin/* \
+  /Library/OpenSC/etc/bash_completion.d/* \
+  /Library/OpenSC/share/doc/*
 do
-	if [ -e "$f" ]
-	then
-		/bin/launchctl asuser $(id -u "${USER}") /bin/launchctl load "$f"
-	fi
+  [ -e "$f" ] || continue # keep this or set "shopt -s nullglob"
+  a=/Library/OpenSC
+  b=/usr/local
+  l="${f/$a/$b}" # parameter expansion, returns $f where $a is replaced by $b
+  mkdir -p "$(dirname "$l")"
+  ln -sf "$f" "$l"
+done
+
+# correct past issue where a literal shell glob character was symlinked
+# e.g. /usr/local/share/man/man1/* -> /Library/OpenSC/share/man/man1/*
+# maybe remove this step post 2022?
+for f in \
+  '/usr/local/share/man/man1/*' \
+  '/usr/local/share/man/man5/*'
+do
+  [ -L "$f" ] || continue # skip unless $f is a symlink
+  t="$(readlink "$f")"
+  [ -e "$t" ] && continue # skip if the symlink target actually exists
+  a=/usr/local
+  b=/Library/OpenSC
+  [ "$t" = "${f/$a/$b}" ] || continue # skip unless the target is in the corresponding /Library/OpenSC subdirectory
+  # we can now assume that we originally made $f and can safely remove it
+  unlink "$f"
+done
+
+# register the launch agents
+for f in \
+  /Library/LaunchAgents/org.opensc-project.mac.pkcs11-register.plist \
+  /Library/LaunchAgents/org.opensc-project.mac.opensc-notify.plist
+do
+  [ -e "$f" ] || continue
+  /bin/launchctl asuser "$(id -u "$USER")" /bin/launchctl load "$f" || true
 done

 exit 0
--- a/MacOSX/target.plist
+++ b/MacOSX/target.plist
@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+	<dict>
+		<key>BundleHasStrictIdentifier</key>
+		<true/>
+		<key>BundleIsRelocatable</key>
+		<false/>
+		<key>BundleIsVersionChecked</key>
+		<true/>
+		<key>BundleOverwriteAction</key>
+		<string>upgrade</string>
+		<key>RootRelativeBundlePath</key>
+		<string>Library/OpenSC/Applications/NotificationProxy.app</string>
+	</dict>
+</array>
+</plist>
--- a/MacOSX/target_startup.plist
+++ b/MacOSX/target_startup.plist
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array/>
+</plist>
--- a/MacOSX/target_token.plist
+++ b/MacOSX/target_token.plist
@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+	<dict>
+		<key>BundleHasStrictIdentifier</key>
+		<true/>
+		<key>BundleIsRelocatable</key>
+		<false/>
+		<key>BundleIsVersionChecked</key>
+		<true/>
+		<key>BundleOverwriteAction</key>
+		<string>upgrade</string>
+		<key>ChildBundles</key>
+		<array>
+			<dict>
+				<key>BundleOverwriteAction</key>
+				<string></string>
+				<key>RootRelativeBundlePath</key>
+				<string>Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex</string>
+			</dict>
+		</array>
+		<key>RootRelativeBundlePath</key>
+		<string>Applications/Utilities/OpenSCTokenApp.app</string>
+	</dict>
+</array>
+</plist>
--- a/MacOSX/target_tokend.plist
+++ b/MacOSX/target_tokend.plist
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array/>
+</plist>
--- a/Makefile.am
+++ b/Makefile.am
@ -28,6 +28,10 @@ dist_noinst_DATA = README \
 	packaging/debian.templates/rules
 dist_doc_DATA = NEWS

+include $(top_srcdir)/aminclude_static.am
+clean-local: code-coverage-clean
+distclean-local: code-coverage-dist-clean
+
 Generate-ChangeLog:
 	rm -f ChangeLog.tmp "$(srcdir)/ChangeLog"
 	test -n "$(GIT)"
--- a/106
+++ b/106
@ -1,5 +1,107 @@
 NEWS for OpenSC -- History of user visible changes

+# New in 0.22.0; 2021-08-10
+## General improvements
+ * Use standard paths for file cache on Linux (#2148) and OSX (#2214)
+ * Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
+ * Add threading test to `pkcs11-tool` (#2067)
+ * Add support to generate generic secret keys (#2140)
+ * `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
+ * Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179).
+ * Support for gcc11 and its new strict aliasing rules (#2241, #2260)
+ * Initial support for building with OpenSSL 3.0 (#2343)
+ * pkcs15-tool: Write data objects in binary mode (#2324)
+ * Avoid limited size of log messages (#2352)
+## PKCS#11
+ * Support for ECDSA verification (#2211)
+ * Support for ECDSA with different SHA hashes (#2190)
+ * Prevent issues in p11-kit by not returning unexpected return codes (#2207)
+ * Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
+ * Standardize the version 2 on 2.20 in the code (#2096)
+ * Fix CKA_MODIFIABLE and CKA_EXTRACTABLE  (#2176)
+ * Copy arguments of C_Initialize (#2350)
+## Minidriver
+ * Fix RSA-PSS signing (#2234)
+## OpenPGP
+ * Fix DO deletion (#2215)
+ * Add support for (X)EdDSA keys (#1960)
+## IDPrime
+ * Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
+ * Add support for applet version 4 (#2332)
+## MyEID
+ * New configuration option for opensc.conf to disable pkcs1_padding (#2193)
+ * Add support for ECDSA with different hashes (#2190)
+ * Enable more mechanisms (#2178)
+ * Fixed asking for a user pin when formatting a card (#1737)
+## IAS/ECC
+ * Added support for French CPx Healthcare cards (#2217)
+## CardOS
+ * Added ATR for new CardOS 5.4 version (#2296)
+
+# New in 0.21.0; 2020-11-24
+## General Improvements
+* fixed security problems
+  * CVE-2020-26570 (6903aebfddc466d966c7b865fae34572bf3ed23e)
+  * CVE-2020-26571
+  * CVE-2020-26572 (9d294de90d1cc66956389856e60b6944b27b4817)
+* Bump minimal required OpenSSL version to 1.0.1 (#1658)
+* Implement basic unit tests for asn1 library, compression and simpletlv parser (#1830)
+* Allow generating code coverage
+* Improve fuzzing by providing corpus from real cards (#1830)
+* Implement support for OAEP encryption
+* New separate debug level for PIN commands (d06f23e8)
+* Fix handling of card/reader insertion/removal events in pcscd
+* Many bugfixes reported by oss-fuzz, coverity and lgtm.com
+* Fixes of removed readers handling (#1970)
+* Fix Firefox crash because of invalid pcsc context (#2077)
+## PKCS#11
+* Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards (#2030)
+* Propagate ignore_user_content to PKCS#11 layer not to confuse applications (#2040)
+## Minidriver
+* Fix check of ATR length (2-to 33 characters inclusive) (#2146)
+## MacOS
+* Add installer signing for PR and master
+* Avoid app bundle relocations after installation
+* Move OpenSC to MacOS Utilities folder (#2063)
+## OpenSC tools
+### pkcs11-tool
+* Make SHA256 default for OAEP encryption
+* pkcs11-tool: allow using SW tokens (#2113)
+### opensc-explorer
+* `asn1` accepts offsets and decode records (#2090)
+* `cat` accepts records (#2090)
+## OpenPGP
+* Add new ec curves supported by GNUK (#1853)
+* First steps supporting OpenPGP 3.4
+* Add support for EC key import (#1821)
+## Rutoken
+* Add ATR for Rutoken ECP SC NFC (#2122)
+## CardOS
+* Improve detection of various CardOS 5 configurations (#1987)
+## DNIe
+* Add new DNIe CA structure for the secure channel (#2109)
+## ePass2003
+* Improve ECC support (#1859)
+* Fixed erase sequence (#2097)
+## IAS-ECC (#2070):
+* Fixed support for Idemia Cosmo cards with AWP middleware interoperability (previously broken).
+* Added support for Idemia Cosmo v8 cards.
+* PIN padding settings are now used from PKCS#15 info when available.
+* Added PIN-pad support for PIN unblock.
+## IDPrime
+* New driver for Gemalto IDPrime (only some types) (#1772)
+## eDo
+* New driver with initial support for Polish eID card (e-dowód, eDO) (#2023)
+## MCRD
+* Remove unused and broken RSA EstEID support (#2095)
+## TCOS
+* Add missing encryption certificates (#2083)
+## PIV
+* Add ATR of DOD Yubikey (#2115)
+* fixed PIV global pin bug (#2142)
+## CAC1
+* Support changing PIN with CAC Alt tokens (#2129)
+
 # New in 0.20.0; 2019-12-29
 ## General Improvements
 * fixed security problems
@ -385,7 +487,7 @@ New separate CAC1 driver using the old CAC specification (#1502)
    * Fixed --id for `C_GenerateKey`, DES and DES3 keygen mechanism (#857)
    * Added `--derive-pass-der` option
    * Added `--generate-random` option
-    * Add GOSTR3410 keypair generation
+    * Add GOSTR3410 key pair generation
 * `npa-tool` (new)
    * Allows read/write access to EAC tokens
    * Allows PIN management for EAC tokens
@ -513,7 +615,7 @@ New in 0.15.0; 2015-05-11
  allow extended length APDUs
  accept no output for 'SELECT' MF and 'SELECT' DF_NAME APDUs
  fixed sc_driver_version check
-  adjusted send/receive size accoriding to card capabilities
+  adjusted send/receive size according to card capabilities
  in iso7816 make SELECT agnosting to sc_path_t's aid
 * asn1
  support multi-bytes tags
--- a/README.md
+++ b/README.md
@ -4,17 +4,23 @@ Wiki is [available online](https://github.com/OpenSC/OpenSC/wiki)

 Please take a look at the documentation before trying to use OpenSC.

-[![Travis CI Build Status](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches) [![AppVeyor CI Build Status](https://ci.appveyor.com/api/projects/status/github/OpenSC/OpenSC?branch=master&svg=true)](https://ci.appveyor.com/project/LudovicRousseau/OpenSC/branch/master) [![Coverity Scan Status](https://scan.coverity.com/projects/4026/badge.svg)](https://scan.coverity.com/projects/4026) [![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/OpenSC/OpenSC.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/OpenSC/OpenSC/context:cpp) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/opensc.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:opensc)
+[![Linux build](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml)
+[![OSX build](https://github.com/OpenSC/OpenSC/actions/workflows/macos.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/macos.yml)
+[![AppVeyor CI Build Status](https://ci.appveyor.com/api/projects/status/github/OpenSC/OpenSC?branch=master&svg=true)](https://ci.appveyor.com/project/LudovicRousseau/OpenSC/branch/master)
+[![Coverity Scan Status](https://scan.coverity.com/projects/4026/badge.svg)](https://scan.coverity.com/projects/4026)
+[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/OpenSC/OpenSC.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/OpenSC/OpenSC/context:cpp)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/opensc.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:opensc)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3908/badge)](https://bestpractices.coreinfrastructure.org/projects/3908)

 Build and test status of specific cards:

 | Cards                                                               | Status                                                                                                                            |
 |---------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
-| CAC                                                                 | [![CAC](https://gitlab.com/redhat-crypto/OpenSC/badges/cac/build.svg)](https://gitlab.com/redhat-crypto/OpenSC/pipelines)         |
-| [virt_CACard](https://github.com/OpenSC/OpenSC/tree/virt_cacard)                                                         | [![virt_CACard](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches)        |
-| [Coolkey](https://github.com/dogtagpki/coolkey/tree/master/applet)  | [![Coolkey](https://gitlab.com/redhat-crypto/OpenSC/badges/coolkey/build.svg)](https://gitlab.com/redhat-crypto/OpenSC/pipelines) |
-| [PivApplet](https://github.com/arekinath/PivApplet)                 | [![PIV](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches)                                   |
-| [OpenPGP Applet](https://github.com/Yubico/ykneo-openpgp/)          | [![OpenPGP](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches)                               |
-| [GidsApplet](https://github.com/vletoux/GidsApplet/)                | [![GIDS](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches)                                  |
-| [IsoApplet](https://github.com/philipWendland/IsoApplet/)           | [![IsoApplet](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches)                             |
-| [OsEID (MyEID)](https://sourceforge.net/projects/oseid/)            | [![OsEID (MyEID)](https://travis-ci.org/OpenSC/OpenSC.svg)](https://travis-ci.org/OpenSC/OpenSC/branches)                         |
+| CAC                                                                 | [![CAC](https://gitlab.com/redhat-crypto/OpenSC/badges/cac/pipeline.svg)](https://gitlab.com/redhat-crypto/OpenSC/pipelines)      |
+| [virt_CACard](https://github.com/Jakuje/virt_cacard)                | [![virt_CACard](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [Coolkey](https://github.com/dogtagpki/coolkey/tree/master/applet)  | [![Coolkey](https://gitlab.com/redhat-crypto/OpenSC/badges/coolkey/pipeline.svg)](https://gitlab.com/redhat-crypto/OpenSC/pipelines) |
+| [PivApplet](https://github.com/arekinath/PivApplet)                 | [![PIV](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [OpenPGP Applet](https://github.com/Yubico/ykneo-openpgp/)          | [![OpenPGP](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [GidsApplet](https://github.com/vletoux/GidsApplet/)                | [![GIDS](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [IsoApplet](https://github.com/philipWendland/IsoApplet/)           | [![IsoApplet](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
+| [OsEID (MyEID)](https://sourceforge.net/projects/oseid/)            | [![OsEID (MyEID)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml) |
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+OpenSC releases are made roughly once a year, unless important security is discovered.
+
+OpenSC does not release micro updates for previously released versions and does not
+backport security fixes into them.
+
+| Version  | Supported          |
+| -------- | ------------------ |
+| 0.20.0   | :white_check_mark: |
+| < 0.20.0 | :x:                |
+
+## Reporting a Vulnerability
+
+If you discovered security vulnerability in supported version of OpenSC,
+you can either fill an issue in [github](https://github.com/OpenSC/OpenSC/issues)
+(note, that these issues are public!) or you can send email to any recently active
+project developers frankmorgner(at)gmail.com, deengert(at)gmail.com and/or
+jakuje(at)gmail.com .
+
+You can expect update on the issue no later than in two weeks.
--- a/appveyor.yml
+++ b/appveyor.yml
@ -1,4 +1,4 @@
-version: 0.20.0.{build}
+version: 0.22.0.{build}

 platform:
  - x86
@ -11,10 +11,21 @@ configuration:
 environment:
  GH_TOKEN:
    secure: aLu3tFc7lRJbotnmnHLx/QruIHc5rLaGm1RttoEdy4QILlPXzVkCZ6loYMz0sfrY
+  PATH: C:\cygwin\bin;%PATH%
+  OPENPACE_VER: 1.1.1
+  ZLIB_VER_DOT: 1.2.11
  matrix:
-    - VSVER: 14
-    - VSVER: 12
-      DO_PUSH_ARTIFACT: yes
+  # not compatible with OpenSSL 1.1.1:
+  # - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2013
+  #   VCVARSALL: "%VS120COMNTOOLS%/../../VC/vcvarsall.bat"
+  - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2015
+    VCVARSALL: "%VS140COMNTOOLS%/../../VC/vcvarsall.bat"
+    DO_PUSH_ARTIFACT: yes
+  - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2017
+    VCVARSALL: "%ProgramFiles(x86)%/Microsoft Visual Studio/2017/Community/VC/Auxiliary/Build/vcvarsall.bat"
+  # not compatible with WiX 3.11.2:
+  # - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
+  #   VCVARSALL: "%ProgramFiles(x86)%/Microsoft Visual Studio/2019/Community/VC/Auxiliary/Build/vcvarsall.bat"

 install:
  - ps: if ($env:APPVEYOR_PULL_REQUEST_NUMBER -and $env:APPVEYOR_BUILD_NUMBER -ne ((Invoke-RestMethod `
@ -22,26 +33,21 @@ install:
        Where-Object pullRequestId -eq $env:APPVEYOR_PULL_REQUEST_NUMBER)[0].buildNumber) { `
        throw "There are newer queued builds for this pull request, failing early." }
  - date /T & time /T
-  - set PATH=C:\cygwin\bin;%PATH%
-  - set OPENPACE_VER=1.1.0
-  - set ZLIB_VER_DOT=1.2.11
  - ps: $env:PACKAGE_NAME=(git describe --tags --abbrev=0)
  - ps: >-
      If ($env:Platform -Match "x86") {
-        $env:VCVARS_PLATFORM="x86"
        $env:OPENSSL_PF="Win32"
        $env:ARTIFACT="OpenSC-${env:PACKAGE_NAME}_win32"
      } Else {
-        $env:VCVARS_PLATFORM="amd64"
        $env:OPENSSL_PF="Win64"
        $env:ARTIFACT="OpenSC-${env:PACKAGE_NAME}_win64"
      }
  - ps: >-
      If ($env:Configuration -Like "*Light*") {
-        $env:ARTIFACT="${env:ARTIFACT}-Light"
+        $env:ARTIFACT+="-Light"
      } Else {
-        $env:NMAKE_EXTRA="OPENSSL_DEF=/DENABLE_OPENSSL ${env:NMAKE_EXTRA}"
-        $env:NMAKE_EXTRA="OPENSSL_EXTRA_CFLAGS=/DOPENSSL_SECURE_MALLOC_SIZE=65536 ${env:NMAKE_EXTRA}"
+        $env:NMAKE_EXTRA+=" OPENSSL_DEF=/DENABLE_OPENSSL OPENSSL_DIR=C:\OpenSSL-v111-${env:OPENSSL_PF}"
+        $env:NMAKE_EXTRA+=" OPENSSL_EXTRA_CFLAGS=/DOPENSSL_SECURE_MALLOC_SIZE=65536"
        If (!(Test-Path C:\zlib )) {
          appveyor DownloadFile "https://github.com/madler/zlib/archive/v${env:ZLIB_VER_DOT}.zip" -FileName zlib.zip
          7z x zlib.zip -oC:\
@ -53,13 +59,12 @@ install:
          Rename-Item -path "c:\openpace-${env:OPENPACE_VER}" -newName "openpace"
        }
      }
-      If (!(Test-Path cngsdk.msi )) {
-          appveyor DownloadFile "http://download.microsoft.com/download/2/C/9/2C93059C-0532-42DF-8C24-9AEAFF00768E/cngsdk.msi"
+      If (!(Test-Path cpdksetup.exe )) {
+          appveyor DownloadFile "https://download.microsoft.com/download/1/7/6/176909B0-50F2-4DF3-B29B-830A17EA7E38/CPDK_RELEASE_UPDATE/cpdksetup.exe"
      }
-  - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
-  - echo "Using Visual Studio %VSVER%.0 at %VSCOMNTOOLS%"
-  - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
-  - cngsdk.msi /quiet
+  - echo "Using %APPVEYOR_BUILD_WORKER_IMAGE% with %VCVARSALL%"
+  - call "%VCVARSALL%" %Platform%
+  - cpdksetup.exe /quiet
  - uname -a
  - set

@ -71,21 +76,23 @@ build_script:
          xcopy C:\zlib C:\zlib-${env:OPENSSL_PF} /e /i /y /s
          cd C:\zlib-${env:OPENSSL_PF}
          (Get-Content win32/Makefile.msc).replace('-MD', '-MT') | Set-Content win32/Makefile.msc
-          nmake -f win32/Makefile.msc zlib.lib
+          nmake /nologo -f win32/Makefile.msc zlib.lib
        }
-        $env:NMAKE_EXTRA="ZLIBSTATIC_DEF=/DENABLE_ZLIB_STATIC ZLIB_INCL_DIR=/IC:\zlib-${env:OPENSSL_PF} ZLIB_LIB=C:\zlib-${env:OPENSSL_PF}\zlib.lib ${env:NMAKE_EXTRA}"
+        $env:NMAKE_EXTRA+=" ZLIBSTATIC_DEF=/DENABLE_ZLIB_STATIC ZLIB_INCL_DIR=/IC:\zlib-${env:OPENSSL_PF} ZLIB_LIB=C:\zlib-${env:OPENSSL_PF}\zlib.lib"
        If (!(Test-Path -Path "C:\openpace-${env:OPENSSL_PF}" )) {
          # build libeac.lib as a static library
          xcopy C:\openpace C:\openpace-${env:OPENSSL_PF} /e /i /y /s
          cd C:\openpace-${env:OPENSSL_PF}\src
          # OpenSSL 1.1.0
-          #cl /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /DHAVE_ASN1_STRING_GET0_DATA=1 /DHAVE_DECL_OPENSSL_ZALLOC=1 /DHAVE_DH_GET0_KEY=1 /DHAVE_DH_GET0_PQG=1 /DHAVE_DH_SET0_KEY=1 /DHAVE_DH_SET0_PQG=1 /DHAVE_ECDSA_SIG_GET0=1 /DHAVE_ECDSA_SIG_SET0=1 /DHAVE_EC_KEY_METHOD=1 /DHAVE_RSA_GET0_KEY=1 /DHAVE_RSA_SET0_KEY=1 /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
+          #cl /nologo /IC:\OpenSSL-v110-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /DHAVE_ASN1_STRING_GET0_DATA=1 /DHAVE_DECL_OPENSSL_ZALLOC=1 /DHAVE_DH_GET0_KEY=1 /DHAVE_DH_GET0_PQG=1 /DHAVE_DH_SET0_KEY=1 /DHAVE_DH_SET0_PQG=1 /DHAVE_ECDSA_SIG_GET0=1 /DHAVE_ECDSA_SIG_SET0=1 /DHAVE_EC_KEY_METHOD=1 /DHAVE_RSA_GET0_KEY=1 /DHAVE_RSA_SET0_KEY=1 /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
+          # OpenSSL 1.1.1
+          cl /nologo /IC:\OpenSSL-v111-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /DHAVE_ASN1_STRING_GET0_DATA=1 /DHAVE_DECL_OPENSSL_ZALLOC=1 /DHAVE_DH_GET0_KEY=1 /DHAVE_DH_GET0_PQG=1 /DHAVE_DH_SET0_KEY=1 /DHAVE_DH_SET0_PQG=1 /DHAVE_ECDSA_SIG_GET0=1 /DHAVE_ECDSA_SIG_SET0=1 /DHAVE_EC_KEY_METHOD=1 /DHAVE_RSA_GET0_KEY=1 /DHAVE_RSA_SET0_KEY=1 /DHAVE_EC_POINT_GET_AFFINE_COORDINATES=1 /DHAVE_EC_POINT_SET_AFFINE_COORDINATES=1 /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
          # OpenSSL 1.0.2
-          cl /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
-          lib /out:libeac.lib ca_lib.obj cv_cert.obj cvc_lookup.obj x509_lookup.obj eac_asn1.obj eac.obj eac_ca.obj eac_dh.obj eac_ecdh.obj eac_kdf.obj eac_lib.obj eac_print.obj eac_util.obj misc.obj pace.obj pace_lib.obj pace_mappings.obj ri.obj ri_lib.obj ta.obj ta_lib.obj objects.obj ssl_compat.obj
+          #cl /nologo /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c ssl_compat.c
+          lib /nologo /out:libeac.lib ca_lib.obj cv_cert.obj cvc_lookup.obj x509_lookup.obj eac_asn1.obj eac.obj eac_ca.obj eac_dh.obj eac_ecdh.obj eac_kdf.obj eac_lib.obj eac_print.obj eac_util.obj misc.obj pace.obj pace_lib.obj pace_mappings.obj ri.obj ri_lib.obj ta.obj ta_lib.obj objects.obj ssl_compat.obj
          cd C:\projects\OpenSC
        }
-        $env:NMAKE_EXTRA="OPENPACE_DEF=/DENABLE_OPENPACE OPENPACE_DIR=C:\openpace-${env:OPENSSL_PF} ${env:NMAKE_EXTRA}"
+        $env:NMAKE_EXTRA+=" OPENPACE_DEF=/DENABLE_OPENPACE OPENPACE_DIR=C:\openpace-${env:OPENSSL_PF}"
      }
  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" == \"master\" -a -z \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap; fi"
  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" == \"master\" -a -n \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap.ci -s \"-pr$APPVEYOR_PULL_REQUEST_NUMBER\"; fi"
@ -95,7 +102,7 @@ build_script:
  - bash -c "exec 0</dev/null && ./configure --with-cygwin-native --disable-openssl --disable-readline --disable-zlib || cat config.log"
  - bash -c "exec 0</dev/null && rm src/getopt.h"
  - nmake /f Makefile.mak %NMAKE_EXTRA%
-  - cd win32 && nmake /f Makefile.mak %NMAKE_EXTRA% VSVER=%VSVER% OpenSC.msi && cd ..
+  - cd win32 && nmake /nologo /f Makefile.mak %NMAKE_EXTRA% OpenSC.msi && cd ..
  - move win32\OpenSC.msi %ARTIFACT%.msi
  # put all pdb files for dump analysis, but this consumes approx 100 MB per build
  - md %ARTIFACT%-Debug
@ -119,4 +126,4 @@ cache:
  - C:\openpace -> appveyor.yml
  - C:\openpace-Win32 -> appveyor.yml
  - C:\openpace-Win64 -> appveyor.yml
-  - cngsdk.msi -> appveyor.yml
+  - cpdksetup.exe -> appveyor.yml
--- a/configure.ac
+++ b/configure.ac
@ -1,13 +1,13 @@
 dnl -*- mode: m4; -*-

-AC_PREREQ(2.60)
+AC_PREREQ(2.68)

 define([PRODUCT_NAME], [OpenSC])
 define([PRODUCT_TARNAME], [opensc])
 define([PRODUCT_BUGREPORT], [https://github.com/OpenSC/OpenSC/issues])
 define([PRODUCT_URL], [https://github.com/OpenSC/OpenSC])
 define([PACKAGE_VERSION_MAJOR], [0])
-define([PACKAGE_VERSION_MINOR], [20])
+define([PACKAGE_VERSION_MINOR], [22])
 define([PACKAGE_VERSION_FIX], [0])
 define([PACKAGE_SUFFIX], [])

@ -21,11 +21,13 @@ define([VS_FF_PRODUCT_URL], [https://github.com/OpenSC/OpenSC])

 m4_sinclude(version.m4.ci)

+m4_define([openssl_minimum_version], [1.0.1])
+
 AC_INIT([PRODUCT_NAME],[PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX],[PRODUCT_BUGREPORT],[PRODUCT_TARNAME],[PRODUCT_URL])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
-AM_INIT_AUTOMAKE(foreign 1.10)
+AM_INIT_AUTOMAKE(foreign 1.10 [subdir-objects])

 OPENSC_VERSION_MAJOR="PACKAGE_VERSION_MAJOR"
 OPENSC_VERSION_MINOR="PACKAGE_VERSION_MINOR"
@ -41,10 +43,10 @@ OPENSC_VS_FF_PRODUCT_URL="VS_FF_PRODUCT_URL"

 # LT Version numbers, remember to change them just *before* a release.
 #   (Code changed:                      REVISION++)
-#   (Oldest interface removed:          OLDEST++)
+#   (Oldest interface changed/removed:  OLDEST++)
 #   (Interfaces added:                  CURRENT++, REVISION=0)
-OPENSC_LT_CURRENT="6"
-OPENSC_LT_OLDEST="6"
+OPENSC_LT_CURRENT="8"
+OPENSC_LT_OLDEST="8"
 OPENSC_LT_REVISION="0"
 OPENSC_LT_AGE="0"
 OPENSC_LT_AGE="$((${OPENSC_LT_CURRENT}-${OPENSC_LT_OLDEST}))"
@ -77,7 +79,7 @@ AC_ARG_WITH(
 )

 if test "${enable_optimization}" = "no"; then
-	CFLAGS="-O0 -g"
+	CFLAGS="${CFLAGS} -O0 -g"
 fi

 dnl Check for some target-specific stuff
@ -129,12 +131,14 @@ case "${host}" in
 	;;
 esac

-AX_CHECK_COMPILE_FLAG([-Wunknown-warning-option], [have_unknown_warning_option="yes"], [have_unknown_warning_option="no"], [-Werror])
+AX_CODE_COVERAGE()
+
+AX_CHECK_COMPILE_FLAG([-Wunknown-warning-option], [have_unknown_warning_option="yes"], [have_unknown_warning_option="no"])
 AM_CONDITIONAL([HAVE_UNKNOWN_WARNING_OPTION], [test "${have_unknown_warning_option}" = "yes"])

 AC_ARG_ENABLE(
 	[fuzzing],
-	[AS_HELP_STRING([--enable-fuzzing],[enable compile of fuzzing tests @<:@disabled@:>@, note that CFLAGS and FUZZING_LIBS should be set accoringly, e.g. to something like CFLAGS="-fsanitize=address,fuzzer" FUZZING_LIBS="-fsanitize=fuzzer"])],
+	[AS_HELP_STRING([--enable-fuzzing],[enable compile of fuzzing tests @<:@disabled@:>@, note that CFLAGS and FUZZING_LIBS should be set accordingly, e.g. to something like CFLAGS="-fsanitize=address,fuzzer" FUZZING_LIBS="-fsanitize=fuzzer"])],
 	,
 	[enable_fuzzing="no"]
 )
@ -184,7 +188,7 @@ AC_ARG_ENABLE(
 )

 AC_ARG_ENABLE([openssl-secure-malloc],
-    [AC_HELP_STRING([--openssl-secure-malloc=<SIZE_IN_BYTES>],
+    [AS_HELP_STRING([--openssl-secure-malloc=<SIZE_IN_BYTES>],
        [Enable OpenSSL secure memory by specifying its size in bytes, must be a power of 2 @<:@disabled@:>@])],
    [], [enable_openssl_secure_malloc=no])
 AS_IF([test $enable_openssl_secure_malloc != no],
@ -390,20 +394,19 @@ dnl C Compiler features
 AC_C_INLINE

 dnl Checks for header files.
-AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_HEADER_ASSERT
 AC_CHECK_HEADERS([ \
 	errno.h fcntl.h stdlib.h \
 	inttypes.h string.h strings.h \
-	sys/time.h unistd.h sys/mman.h
+	sys/time.h unistd.h sys/mman.h \
+	sys/endian.h endian.h
 ])

 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
 AC_TYPE_UID_T
 AC_TYPE_SIZE_T
-AC_HEADER_TIME

 dnl Checks for library functions.
 AC_FUNC_ERROR_AT_LINE
@ -411,9 +414,22 @@ AC_FUNC_STAT
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS([ \
 	getpass gettimeofday getline memset mkdir \
-	strdup strerror \
-	strlcpy strlcat strnlen sigaction
+	strdup strerror memset_s explicit_bzero \
+	strnlen sigaction
 ])
+
+# Do not check for strlcpy and strlcat in Linux because it is not implemented
+# and autotools can not detect it in AC_CHECK_DECLS because build does not fail
+# in this test.
+# https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22192
+case "${host_os}" in
+	linux*)
+		;;
+	*)
+		AC_CHECK_DECLS([strlcpy, strlcat], [], [], [[#include <string.h>]])
+		;;
+esac
+
 AC_CHECK_SIZEOF(void *)
 if test "${ac_cv_sizeof_void_p}" = 8; then
 	LIBRARY_BITNESS="64"
@ -632,7 +648,7 @@ fi

 PKG_CHECK_MODULES(
 	[OPENSSL],
-	[libcrypto >= 0.9.8],
+	[libcrypto >= openssl_minimum_version],
 	[have_openssl="yes"],
 	[AC_CHECK_LIB(
 		[crypto],
@ -711,7 +727,7 @@ LIBS="$saved_LIBS"


 AC_ARG_ENABLE(cvcdir,
-              AC_HELP_STRING([--enable-cvcdir=DIR],
+              AS_HELP_STRING([--enable-cvcdir=DIR],
                             [directory containing CV certificates (default is determined by libeac)]),
                             [cvcdir="${enableval}"],
                             [cvcdir=false])
@ -733,7 +749,7 @@ AC_SUBST(CVCDIR)
 AC_DEFINE_UNQUOTED([CVCDIR], ["${CVCDIR}"], [CVC directory])

 AC_ARG_ENABLE(x509dir,
-              AC_HELP_STRING([--enable-x509dir=DIR],
+              AS_HELP_STRING([--enable-x509dir=DIR],
                             [directory containing X.509 certificates (default is determined by libeac)]),
                             [x509dir="${enableval}"],
                             [x509dir=false])
@ -935,6 +951,7 @@ AC_PATH_PROG(GENGETOPT, gengetopt, not found)
 AC_ARG_VAR([CLANGTIDY],
           [absolute path to clang-tidy used for static code analysis])
 AC_PATH_PROG(CLANGTIDY, clang-tidy, not found)
+TIDY_CHECKS="-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling"

 AX_FUNC_GETOPT_LONG
 #AH_BOTTOM([#include "common/compat_getopt.h"])
@ -1042,6 +1059,7 @@ AC_SUBST([PROFILE_DIR])
 AC_SUBST([PROFILE_DIR_DEFAULT])
 AC_SUBST([OPTIONAL_NOTIFY_CFLAGS])
 AC_SUBST([OPTIONAL_NOTIFY_LIBS])
+AC_SUBST([TIDY_CHECKS])

 AM_CONDITIONAL([ENABLE_MAN], [test "${enable_man}" = "yes"])
 AM_CONDITIONAL([ENABLE_THREAD_LOCKING], [test "${enable_thread_locking}" = "yes"])
@ -1068,10 +1086,10 @@ AS_IF([test "${enable_shared}" = "yes"], [AC_DEFINE([ENABLE_SHARED], [1], [Enabl

 if test "${enable_pedantic}" = "yes"; then
 	enable_strict="yes";
-	CFLAGS="${CFLAGS} -pedantic"
+	CFLAGS="-pedantic ${CFLAGS}"
 fi
 if test "${enable_strict}" = "yes"; then
-	CFLAGS="${CFLAGS} -Wall -Wextra -Wno-unused-parameter -Werror"
+	CFLAGS="-Wall -Wextra -Wno-unused-parameter -Werror -Wstrict-aliasing=2 ${CFLAGS}"
 fi

 AC_CONFIG_FILES([
@ -1096,6 +1114,7 @@ AC_CONFIG_FILES([
 	src/tests/regression/Makefile
 	src/tests/p11test/Makefile
 	src/tests/fuzzing/Makefile
+	src/tests/unittests/Makefile
 	src/tools/Makefile
 	src/tools/versioninfo-tools.rc
 	src/tools/versioninfo-opensc-notify.rc
@ -1111,7 +1130,6 @@ AC_CONFIG_FILES([
 	win32/OpenSC.wxs
 	MacOSX/Makefile
 	MacOSX/build-package
-	MacOSX/build-package-from-ci
 	MacOSX/Distribution.xml
 	MacOSX/resources/Welcome.html
 ])
@ -1158,6 +1176,7 @@ SM default module:       ${DEFAULT_SM_MODULE}
 SM default path:         $(eval eval eval echo "${DEFAULT_SM_MODULE_PATH}")
 DNIe UI support:         ${enable_dnie_ui}
 Notification support:    ${enable_notify}
+Code coverage:           ${enable_code_coverage}

 PC/SC default provider:  ${DEFAULT_PCSC_PROVIDER}
 PKCS11 default provider: $(eval eval eval echo "${DEFAULT_PKCS11_PROVIDER}")
--- a/doc/files/Makefile.am
+++ b/doc/files/Makefile.am
@ -10,7 +10,7 @@ man5_MANS = pkcs15-profile.5  opensc.conf.5
 endif

 opensc.conf.5.xml opensc.conf.5: $(srcdir)/opensc.conf.5.xml.in
-	sed \
+	@sed \
 		-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
 		-e 's|@docdir[@]|$(docdir)|g' \
 		-e 's|@libdir[@]|$(libdir)|g' \
@ -19,14 +19,14 @@ opensc.conf.5.xml opensc.conf.5: $(srcdir)/opensc.conf.5.xml.in
 		-e 's|@PROFILE_DIR_DEFAULT[@]|$(PROFILE_DIR_DEFAULT)|g' \
 		-e 's|@DEFAULT_SM_MODULE[@]|$(DEFAULT_SM_MODULE)|g' \
 		< $< > opensc.conf.5.xml
-	$(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl opensc.conf.5.xml
+	$(AM_V_GEN)$(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl opensc.conf.5.xml 2>/dev/null

 files.html: $(srcdir)/files.xml $(wildcard $(srcdir)/*.5.xml) opensc.conf.5.xml
-	$(XSLTPROC) --nonet --path "$(builddir):$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $<
+	$(AM_V_GEN)$(XSLTPROC) --nonet --path "$(builddir):$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $< 2>/dev/null

 %.5: $(srcdir)/%.5.xml
-	sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
-	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $<
+	$(AM_V_GEN)sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
+	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $< 2>/dev/null

 clean-local:
 	-rm -rf $(html_DATA) $(man5_MANS) opensc.conf.5.xml
--- a/doc/files/files.html
+++ b/doc/files/files.html
@ -43,7 +43,7 @@ span.errortext {
  font-style: italic;
 }

-		--></style></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book"><div class="titlepage"><div><div><h1 class="title"><a name="idm1"></a>OpenSC Manual Pages: Section 5</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="refentrytitle"><a href="#opensc.conf">opensc.conf</a></span><span class="refpurpose"> &#8212; configuration file for OpenSC</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-profile">pkcs15-profile</a></span><span class="refpurpose"> &#8212; format of profile for <span class="command"><strong>pkcs15-init</strong></span></span></dt></dl></div><div class="refentry"><a name="opensc.conf"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc.conf &#8212; configuration file for OpenSC</p></div><div class="refsect1"><a name="idm13"></a><h2>Description</h2><p>
+		--></style></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book"><div class="titlepage"><div><div><h1 class="title"><a name="id-1"></a>OpenSC Manual Pages: Section 5</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="refentrytitle"><a href="#opensc.conf">opensc.conf</a></span><span class="refpurpose"> &#8212; configuration file for OpenSC</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-profile">pkcs15-profile</a></span><span class="refpurpose"> &#8212; format of profile for <span class="command"><strong>pkcs15-init</strong></span></span></dt></dl></div><div class="refentry"><a name="opensc.conf"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc.conf &#8212; configuration file for OpenSC</p></div><div class="refsect1"><a name="id-1.2.3"></a><h2>Description</h2><p>
 			OpenSC obtains configuration data from the following sources in the following order
 			</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
 						command-line options
@ -122,7 +122,7 @@ app <em class="replaceable"><code>application</code></em> {
 						<code class="literal">westcos-tool</code>:
 						Configuration block for OpenSC tools
 				</p></li></ul></div><p>
-		</p></div><div class="refsect1"><a name="idm103"></a><h2>Configuration Options</h2><div class="variablelist"><dl class="variablelist"><dt><a name="debug"></a><span class="term">
+		</p></div><div class="refsect1"><a name="id-1.2.4"></a><h2>Configuration Options</h2><div class="variablelist"><dl class="variablelist"><dt><a name="debug"></a><span class="term">
 					<code class="option">debug = <em class="replaceable"><code>num</code></em>;</code>
 				</span></dt><dd><p>
 						Amount of debug info to print (Default:
@ -153,6 +153,12 @@ app <em class="replaceable"><code>application</code></em> {
 						<code class="filename">Software\OpenSC
 							Project\OpenSC\ProfileDir</code> is
 						checked.
+				</p></dd><dt><span class="term">
+					<code class="option">disable_colors = <em class="replaceable"><code>bool</code></em>;</code>
+				</span></dt><dd><p>
+						Disable colors of log messages (Default:
+						<code class="literal">false</code> if attached to a console,
+						<code class="literal">true</code> otherwise).
 				</p></dd><dt><span class="term">
 					<code class="option">disable_popups = <em class="replaceable"><code>bool</code></em>;</code>
 				</span></dt><dd><p>
@ -176,7 +182,7 @@ app <em class="replaceable"><code>application</code></em> {
 						default) will load all statically linked drivers.
 					</p><p>
 						If an unknown (i.e. not internal or old) driver is
-						supplied, a separate configuration configuration
+						supplied, a separate configuration
 						block has to be written for the driver. A special
 						value <code class="literal">old</code> will load all
 						statically linked drivers that may be removed in
@ -227,6 +233,10 @@ app <em class="replaceable"><code>application</code></em> {
 									<code class="literal">npa</code>: See <a class="xref" href="#npa" title="Configuration Options for German ID Card">the section called &#8220;Configuration Options for German ID Card&#8221;</a>
 							</p></li><li class="listitem"><p>
 									<code class="literal">dnie</code>: See <a class="xref" href="#dnie" title="Configuration Options for DNIe">the section called &#8220;Configuration Options for DNIe&#8221;</a>
+							</p></li><li class="listitem"><p>
+									<code class="literal">edo</code>: See <a class="xref" href="#edo" title="Configuration Options for Polish eID Card">the section called &#8220;Configuration Options for Polish eID Card&#8221;</a>
+							</p></li><li class="listitem"><p>
+									<code class="literal">myeid</code>: See <a class="xref" href="#myeid" title="Configuration Options for MyEID Card">the section called &#8220;Configuration Options for MyEID Card&#8221;</a>
 							</p></li><li class="listitem"><p>
 									Any other value: Configuration block for an externally loaded card driver
 							</p></li></ul></div><p>
@ -332,7 +342,7 @@ app <em class="replaceable"><code>application</code></em> {
 						Parameters for the OpenSC PKCS11 module.
 					</p><p>
 						For details see <a class="xref" href="#pkcs11" title="Configuration of PKCS#11">the section called &#8220;Configuration of PKCS#11&#8221;</a>.
-					</p></dd></dl></div><div class="refsect2"><a name="reader_driver"></a><h3>Configuration of Smart Card Reader Driver</h3><div class="refsect3"><a name="idm330"></a><h4>Configuration Options for all Reader Drivers</h4><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+					</p></dd></dl></div><div class="refsect2"><a name="reader_driver"></a><h3>Configuration of Smart Card Reader Driver</h3><div class="refsect3"><a name="id-1.2.4.3.2"></a><h4>Configuration Options for all Reader Drivers</h4><div class="variablelist"><dl class="variablelist"><dt><span class="term">
 							<code class="option">max_send_size = <em class="replaceable"><code>num</code></em>;</code>
 							<code class="option">max_recv_size = <em class="replaceable"><code>num</code></em>;</code>
 						</span></dt><dd><p>
@ -429,7 +439,27 @@ app <em class="replaceable"><code>application</code></em> {
 							<code class="option">readers = <em class="replaceable"><code>num</code></em>;</code>
 						</span></dt><dd><p>
 								Virtual readers to allocate (Default: <code class="literal">2</code>).
-						</p></dd></dl></div></div></div><div class="refsect2"><a name="npa"></a><h3>Configuration Options for German ID Card</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+						</p></dd></dl></div></div></div><div class="refsect2"><a name="myeid"></a><h3>Configuration Options for MyEID Card</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+						<code class="option">disable_hw_pkcs1_padding = <em class="replaceable"><code>bool</code></em>;</code>
+					</span></dt><dd><p>
+							The MyEID card can internally
+							encapsulate the data (hash code)
+							into a DigestInfo ASN.1 structure
+							according to the selected hash
+							algorithm (currently only for SHA1).
+							DigestInfo is padded to RSA key
+							modulus length according to PKCS#1
+							v1.5, block type 01h. Size of the
+							DigestInfo must not exceed 40%
+							of the RSA key modulus length. If
+							this limit is unsatisfactory (for
+							example someone needs RSA 1024
+							with SHA512), the user can disable
+							this feature. In this case, the
+							card driver will do everything
+							necessary before sending the data
+							(hash code) to the card.
+					</p></dd></dl></div></div><div class="refsect2"><a name="npa"></a><h3>Configuration Options for German ID Card</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
 						<code class="option">can = <em class="replaceable"><code>value</code></em>;</code>
 					</span></dt><dd><p>
 							German ID card requires the CAN to
@ -453,7 +483,7 @@ app <em class="replaceable"><code>application</code></em> {
 							itself as signature terminal (ST).
 							We usually will use the reader's
 							capability to sign the data.
-							However, during developement you
+							However, during development you
 							may specify soft certificates and
 							keys for a ST.
 						</p><p>
@ -478,6 +508,16 @@ app <em class="replaceable"><code>application</code></em> {
 							<code class="literal">/usr/bin/pinentry</code>).
 							Only used if compiled with
 							<code class="option">--enable-dnie-ui</code>
+					</p></dd></dl></div></div><div class="refsect2"><a name="edo"></a><h3>Configuration Options for Polish eID Card</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+						<code class="option">can = <em class="replaceable"><code>value</code></em>;</code>
+					</span></dt><dd><p>
+							CAN (Card Access Number &#8211; 6 digit number
+							printed on the right bottom corner of the
+							front side of the document) is required
+							to establish connection with the card.
+							It might be overwritten by <code class="literal">EDO_CAN</code>
+							environment variable. Currently, it is not
+							possible to set it in any other way.
 					</p></dd></dl></div></div><div class="refsect2"><a name="card_atr"></a><h3>Configuration based on ATR</h3><p>
 				</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
 							<code class="option">atrmask = <em class="replaceable"><code>hexstring</code></em>;</code>
@ -554,10 +594,10 @@ app <em class="replaceable"><code>application</code></em> {
 											<code class="literal">raw</code>
 									</p></li></ul></div><p>
 						</p></dd><dt><span class="term">
-							<code class="option">md_read_only = <em class="replaceable"><code>bool</code></em>;</code>
+							<code class="option">read_only = <em class="replaceable"><code>bool</code></em>;</code>
 						</span></dt><dd><p>
 								Mark card as read/only card in
-								Minidriver/BaseCSP interface
+								PKCS#11/Minidriver/BaseCSP interface
 								(Default: <code class="literal">false</code>).
 						</p></dd><dt><span class="term">
 							<code class="option">md_supports_X509_enrollment = <em class="replaceable"><code>bool</code></em>;</code>
@ -724,9 +764,11 @@ app <em class="replaceable"><code>application</code></em> {
 					</span></dt><dd><p>
 							Where to cache the card's files. The default values are:
 							</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
-										<code class="filename"><code class="envar">HOME</code>/.eid/cache/</code> (Unix)
+										<code class="filename"><code class="envar">$XDG_CACHE_HOME</code>/opensc/</code> (If <code class="envar">$XDG_CACHE_HOME</code> is defined)
 									</p></li><li class="listitem"><p>
-										<code class="filename"><code class="envar">USERPROFILE</code>\.eid-cache\</code> (Windows)
+										<code class="filename"><code class="envar">$HOME</code>/.cache/opensc/</code> (Unix)
+									</p></li><li class="listitem"><p>
+										<code class="filename"><code class="envar">$USERPROFILE</code>\.eid-cache\</code> (Windows)
 									</p></li></ul></div><p>
 						</p><p>
 							If caching is done by a system process, the
@ -753,6 +795,26 @@ app <em class="replaceable"><code>application</code></em> {
 							<code class="literal">CKA_ALWAYS_AUTHENTICATE</code> may
 							need to set this to get signatures to work with
 							some cards (Default: <code class="literal">false</code>).
+					</p><p>
+							It is recommended to enable also PIN caching using
+							<code class="literal">use_pin_caching</code> option for OpenSC
+							to be able to provide PIN for the card when needed.
+					</p></dd><dt><span class="term">
+						<code class="option">private_certificate = <em class="replaceable"><code>value</code></em>;</code>
+					</span></dt><dd><p>
+							How to handle a PIN-protected certificate. Known
+							parameters:
+							</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+										<code class="literal">protect</code>: The certificate stays PIN-protected.
+								</p></li><li class="listitem"><p>
+										<code class="literal">declassify</code>: Allow
+										reading the certificate without
+										enforcing verification of the PIN.
+								</p></li><li class="listitem"><p>
+										<code class="literal">ignore</code>: Ignore PIN-protected certificates.
+								</p></li></ul></div><p>
+							(Default: <code class="literal">ignore</code> in Tokend,
+							<code class="literal">protect</code> otherwise).
 					</p></dd><dt><span class="term">
 						<code class="option">enable_pkcs15_emulation = <em class="replaceable"><code>bool</code></em>;</code>
 					</span></dt><dd><p>
@ -775,7 +837,7 @@ app <em class="replaceable"><code>application</code></em> {
 						<code class="option">builtin_emulators = <em class="replaceable"><code>emulators</code></em>;</code>
 					</span></dt><dd><p>
 							List of the builtin pkcs15 emulators to test
-							(Default: <code class="literal">westcos, openpgp,
+							(Default: <code class="literal">westcos, openpgp, 
 								starcert, tcos, esteid, itacns, 
 								PIV-II, cac, gemsafeGPK, gemsafeV1, actalis,
 								atrust-acos, tccardos, entersafe, pteid,
@ -854,13 +916,6 @@ app <em class="replaceable"><code>application</code></em> {
 							Score for <span class="application">OpenSC.tokend</span>
 							(Default: <code class="literal">300</code>).  The tokend with
 							the highest score shall be used.
-					</p></dd><dt><span class="term">
-						<code class="option">ignore_private_certificate = <em class="replaceable"><code>bool</code></em>;</code>
-					</span></dt><dd><p>
-							Tokend ignore to read PIN protected certificate
-							that is set
-							<code class="literal">SC_PKCS15_CO_FLAG_PRIVATE</code> flag
-							(Default: <code class="literal">true</code>).
 					</p></dd></dl></div></div><div class="refsect2"><a name="pkcs11"></a><h3>Configuration of PKCS#11</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
 						<code class="option">max_virtual_slots = <em class="replaceable"><code>num</code></em>;</code>
 					</span></dt><dd><p>
@ -1020,7 +1075,7 @@ app <em class="replaceable"><code>application</code></em> {
 							For the module to simulate the opensc-onepin module
 							behavior the following option
 							<code class="option">create_slots_for_pins = "user";</code>
-					</p></dd></dl></div></div></div><div class="refsect1"><a name="idm971"></a><h2>Environment</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+					</p></dd></dl></div></div></div><div class="refsect1"><a name="id-1.2.5"></a><h2>Environment</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">
 					<code class="envar">OPENSC_CONF</code>
 				</span></dt><dd><p>
 						Filename for a user defined configuration file
@ -1063,7 +1118,7 @@ app <em class="replaceable"><code>application</code></em> {
 				</span></dt><dd><p>
 						PIV configuration during initialization with
 						<span class="application">piv-tool</span>.
-				</p></dd></dl></div></div><div class="refsect1"><a name="idm1012"></a><h2>Files</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+				</p></dd></dl></div></div><div class="refsect1"><a name="id-1.2.6"></a><h2>Files</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">
 					<code class="filename">/usr/etc/opensc.conf</code>
 				</span></dt><dd><p>
 						System-wide configuration file
@ -1071,7 +1126,7 @@ app <em class="replaceable"><code>application</code></em> {
 					<code class="filename">/usr/share/doc/opensc/opensc.conf</code>
 				</span></dt><dd><p>
 						Extended example configuration file
-				</p></dd></dl></div></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="pkcs15-profile"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-profile &#8212; format of profile for <span class="command"><strong>pkcs15-init</strong></span></p></div><div class="refsect1"><a name="idm1036"></a><h2>Description</h2><p>
+				</p></dd></dl></div></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="pkcs15-profile"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-profile &#8212; format of profile for <span class="command"><strong>pkcs15-init</strong></span></p></div><div class="refsect1"><a name="id-1.3.3"></a><h2>Description</h2><p>
 			The <span class="command"><strong>pkcs15-init</strong></span> utility for PKCS #15 smart card
 			personalization is controlled via profiles. When starting, it will read two
 			such profiles at the moment, a generic application profile, and a card
@ -1087,10 +1142,10 @@ app <em class="replaceable"><code>application</code></em> {
 			The card specific profile contains additional information required during
 			card initialization, such as location of PIN files, key references etc.
 			Profiles currently reside in <code class="filename">@pkgdatadir@</code>
-		</p></div><div class="refsect1"><a name="idm1044"></a><h2>Syntax</h2><p>
+		</p></div><div class="refsect1"><a name="id-1.3.4"></a><h2>Syntax</h2><p>
 			This section should contain information about the profile syntax. Will add
 			this soonishly.
-		</p></div><div class="refsect1"><a name="idm1047"></a><h2>See also</h2><p>
+		</p></div><div class="refsect1"><a name="id-1.3.5"></a><h2>See also</h2><p>
 			<span class="citerefentry"><span class="refentrytitle">pkcs15-init</span>(1)</span>,
 			<span class="citerefentry"><span class="refentrytitle">pkcs15-crypt</span>(1)</span>
 		</p></div></div></div></body></html>
--- a/doc/files/opensc.conf.5.xml.in
+++ b/doc/files/opensc.conf.5.xml.in
@ -293,6 +293,12 @@ app <replaceable>application</replaceable> {
 							<listitem><para>
 									<literal>dnie</literal>: See <xref linkend="dnie"/>
 							</para></listitem>
+							<listitem><para>
+									<literal>edo</literal>: See <xref linkend="edo"/>
+							</para></listitem>
+							<listitem><para>
+									<literal>myeid</literal>: See <xref linkend="myeid"/>
+							</para></listitem>
 							<listitem><para>
 									Any other value: Configuration block for an externally loaded card driver
 							</para></listitem>
@ -636,6 +642,37 @@ app <replaceable>application</replaceable> {

 		</refsect2>

+		<refsect2 id="myeid">
+			<title>Configuration Options for MyEID Card</title>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>disable_hw_pkcs1_padding = <replaceable>bool</replaceable>;</option>
+					</term>
+					<listitem><para>
+							The MyEID card can internally
+							encapsulate the data (hash code)
+							into a DigestInfo ASN.1 structure
+							according to the selected hash
+							algorithm (currently only for SHA1).
+							DigestInfo is padded to RSA key
+							modulus length according to PKCS#1
+							v1.5, block type 01h. Size of the
+							DigestInfo must not exceed 40%
+							of the RSA key modulus length. If
+							this limit is unsatisfactory (for
+							example someone needs RSA 1024
+							with SHA512), the user can disable
+							this feature. In this case, the
+							card driver will do everything
+							necessary before sending the data
+							(hash code) to the card.
+					</para></listitem>
+				</varlistentry>
+
+			</variablelist>
+		</refsect2>
+
 		<refsect2 id="npa">
 			<title>Configuration Options for German ID Card</title>
 			<variablelist>
@ -669,7 +706,7 @@ app <replaceable>application</replaceable> {
 							itself as signature terminal (ST).
 							We usually will use the reader's
 							capability to sign the data.
-							However, during developement you
+							However, during development you
 							may specify soft certificates and
 							keys for a ST.
 						</para>
@ -715,6 +752,26 @@ app <replaceable>application</replaceable> {
 			</variablelist>
 		</refsect2>

+		<refsect2 id="edo">
+			<title>Configuration Options for Polish eID Card</title>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>can = <replaceable>value</replaceable>;</option>
+					</term>
+					<listitem><para>
+							CAN (Card Access Number – 6 digit number
+							printed on the right bottom corner of the
+							front side of the document) is required
+							to establish connection with the card.
+							It might be overwritten by <literal>EDO_CAN</literal>
+							environment variable. Currently, it is not
+							possible to set it in any other way.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
+
 		<refsect2 id="card_atr">
 			<title>Configuration based on ATR</title>
 			<para>
@ -1093,12 +1150,17 @@ app <replaceable>application</replaceable> {
 							<itemizedlist>
 								<listitem>
 									<para>
-										<filename><envar>HOME</envar>/.eid/cache/</filename> (Unix)
+										<filename><envar>$XDG_CACHE_HOME</envar>/opensc/</filename> (If <envar>$XDG_CACHE_HOME</envar> is defined)
 									</para>
 								</listitem>
 								<listitem>
 									<para>
-										<filename><envar>USERPROFILE</envar>\.eid-cache\</filename> (Windows)
+										<filename><envar>$HOME</envar>/.cache/opensc/</filename> (Unix)
+									</para>
+								</listitem>
+								<listitem>
+									<para>
+										<filename><envar>$USERPROFILE</envar>\.eid-cache\</filename> (Windows)
 									</para>
 								</listitem>
 							</itemizedlist>
@ -1140,6 +1202,11 @@ app <replaceable>application</replaceable> {
 							<literal>CKA_ALWAYS_AUTHENTICATE</literal> may
 							need to set this to get signatures to work with
 							some cards (Default: <literal>false</literal>).
+					</para>
+					<para>
+							It is recommended to enable also PIN caching using
+							<literal>use_pin_caching</literal> option for OpenSC
+							to be able to provide PIN for the card when needed.
 					</para></listitem>
 				</varlistentry>
 				<varlistentry>
--- a/doc/tools/Makefile.am
+++ b/doc/tools/Makefile.am
@ -14,15 +14,14 @@ endif
 completion_DATA = $(patsubst $(srcdir)/%.1.xml, %, $(wildcard $(srcdir)/*.1.xml))

 tools.html: $(srcdir)/tools.xml $(wildcard $(srcdir)/*.1.xml)
-	$(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $<
+	$(AM_V_GEN)$(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $< 2>/dev/null

 %.1: $(srcdir)/%.1.xml
-	sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
-	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $<
+	$(AM_V_GEN)sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \
+	| $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl $< 2>/dev/null

 %: $(srcdir)/%.1.xml
-	@echo $< $@
-	@cat $(srcdir)/completion-template \
+	$(AM_V_GEN)cat $(srcdir)/completion-template \
 		| sed "s,ALLOPTS,\
 			$(shell sed -n 's,.*<option>\([^<]*\)</option>.*,\1,pg' $< \
 				| sort -u | grep -- '^\-' | tr '\n' ' ')," \
@ -32,6 +31,9 @@ tools.html: $(srcdir)/tools.xml $(wildcard $(srcdir)/*.1.xml)
 		| sed "s,FILEOPTS,\
 			$(shell sed -n 's,.*<option>\([^<]*\)</option>.*<replaceable>.*filename.*,\1,pg' $< \
 				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,' | grep ^ || echo "!*"),"  \
+		| sed "s,PINOPTS,\
+			$(shell sed -En 's,.*<option>([^<]*)</option>.*<replaceable>\s*(newpin|pin|puk|sopin|sopuk)\s*<.*,\1,pg' $< \
+				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,' | grep ^ || echo "!*"),"  \
 		| sed "s,MODULEOPTS,\
 			$(shell sed -n 's,.*<option>\([^<]*\)</option>.*<replaceable>.*mod.*,\1,pg' $< \
 				| sort -u | grep -- '^\-' | tr '\n' '|' | sed 's,|$$,,' | grep ^ || echo "!*")," \
--- a/doc/tools/cardos-tool.1.xml
+++ b/doc/tools/cardos-tool.1.xml
@ -33,13 +33,6 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
 		<title>Options</title>
 		<para>
 			<variablelist>
-				<varlistentry>
-					<term>
-						<option>--card-driver</option> <replaceable>name</replaceable>,
-						<option>-c</option> <replaceable>name</replaceable></term>
-					<listitem><para>Use the card driver specified by <replaceable>name</replaceable>.
-					The default is to auto-detect the correct card driver.</para></listitem>
-				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--format</option>,
--- a/doc/tools/completion-template
+++ b/doc/tools/completion-template
@ -3,7 +3,7 @@ _FUNCTION_NAME()
 {
    COMPREPLY=()
    local cur prev split=false
-    _get_comp_words_by_ref cur prev
+    _get_comp_words_by_ref -n : cur prev

    _split_longopt && split=true

@ -23,6 +23,11 @@ _FUNCTION_NAME()
            _filedir
            return 0
            ;;
+        PINOPTS|--password)
+            COMPREPLY=( $( compgen -W "$(printenv | cut -d = -f 1 | xargs printf 'env:%s ')" -- $cur ) )
+            __ltrim_colon_completions "$cur"
+            return 0
+            ;;
        OPTSWITHARGS)
            return 0
            ;;
--- a/doc/tools/dnie-tool.1.xml
+++ b/doc/tools/dnie-tool.1.xml
@ -75,11 +75,23 @@
 						<option>--pin</option> <replaceable>pin</replaceable>,
 						<option>-p</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>Specify the user pin <replaceable>pin</replaceable> to use.
-					If set to env:<replaceable>VARIABLE</replaceable>, the
-					value of the environment variable
-					<replaceable>VARIABLE</replaceable> is used.
-					The default is do not enter pin</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
@ -95,14 +107,6 @@
 						</para>
 					</listitem>
 				</varlistentry>
-				<varlistentry>
-					<term>
-						<option>--driver</option> <replaceable>driver</replaceable>,
-						<option>-c</option> <replaceable>driver</replaceable>
-					</term>
-					<listitem><para>Specify the card driver <replaceable>driver</replaceable> to use.
-					Default is use driver from configuration file, or auto-detect if absent</para></listitem>
-				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--wait</option>, 
--- a/doc/tools/gids-tool.1.xml
+++ b/doc/tools/gids-tool.1.xml
@ -46,9 +46,25 @@
 				</varlistentry>
 				<varlistentry>
 					<term>
-						<option>--pin</option> <replaceable>argument</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>Define user PIN.</para></listitem>
+					<listitem>
+						<para>
+							This option can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
--- a/doc/tools/goid-tool.1.xml
+++ b/doc/tools/goid-tool.1.xml
@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="goid-tool">
+	<refmeta>
+		<refentrytitle>goid-tool</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>goid-tool</refname>
+		<refpurpose>???</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>goid-tool</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+			<arg><replaceable class="option">mode</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>goid-tool</command> utility can be used from
+			the command line to ???
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option>
+					</term>
+					<listitem><para>Print help message on screen.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option>
+					</term>
+					<listitem><para>Print the OpenSC package release version.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--reader</option> <replaceable>string</replaceable>,
+						<option>-r</option> <replaceable>string</replaceable>
+					</term>
+					<listitem><para>
+						Specify the number of the reader to use. By default, the
+						first reader with present card is used. If
+						the argument is an ATR, the reader with a
+						matching card will be chosen.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verbose</option>,
+						<option>-v</option>
+					</term>
+					<listitem><para>
+						Cause <command>goid-tool</command> to be
+						more verbose. Use it multiple times to be even more
+						verbose.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verify-pin</option>,
+						<option>-p</option>
+					</term>
+					<listitem><para>
+						Verify PIN.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verify-bio</option>,
+						<option>-b</option>
+					</term>
+					<listitem><para>
+						Verify finger print.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--verify-pin-or-bio</option>
+					</term>
+					<listitem><para>
+						Verify PIN or finger print (user's choice).
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+	</refsect1>
+<!-- TODO modes -->
+	<refsect1>
+		<title>See also</title>
+		<para>
+			<citerefentry>
+				<refentrytitle>pkcs11-tool</refentrytitle>
+				<manvolnum>1</manvolnum>
+			</citerefentry>
+			<citerefentry>
+				<refentrytitle>opensc.conf</refentrytitle>
+				<manvolnum>5</manvolnum>
+			</citerefentry>
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs11-register</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+</refentry>
+
+
+
--- a/doc/tools/netkey-tool.1.xml
+++ b/doc/tools/netkey-tool.1.xml
@ -43,29 +43,29 @@
        </varlistentry>
        <varlistentry>
          <term>
-            <option>--pin</option> <replaceable>pin-value</replaceable>,
-            <option>-p</option> <replaceable>pin-value</replaceable>
+            <option>--pin</option> <replaceable>pin</replaceable>,
+            <option>-p</option> <replaceable>pin</replaceable>
          </term>
          <listitem><para>Specifies the current value of the global PIN.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term>
-            <option>--puk</option> <replaceable>pin-value</replaceable>,
-            <option>-u</option> <replaceable>pin-value</replaceable>
+            <option>--puk</option> <replaceable>pin</replaceable>,
+            <option>-u</option> <replaceable>pin</replaceable>
          </term>
          <listitem><para>Specifies the current value of the global PUK.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term>
-            <option>--pin0</option> <replaceable>pin-value</replaceable>,
-            <option>-0</option> <replaceable>pin-value</replaceable>
+            <option>--pin0</option> <replaceable>pin</replaceable>,
+            <option>-0</option> <replaceable>pin</replaceable>
          </term>
          <listitem><para>Specifies the current value of the local PIN0 (aka local PIN).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term>
-            <option>--pin1</option> <replaceable>pin-value</replaceable>,
-            <option>-1</option> <replaceable>pin-value</replaceable>
+            <option>--pin1</option> <replaceable>pin</replaceable>,
+            <option>-1</option> <replaceable>pin</replaceable>
          </term>
          <listitem><para>Specifies the current value of the local PIN1 (aka local PUK).</para></listitem>
        </varlistentry>
--- a/doc/tools/openpgp-tool.1.xml
+++ b/doc/tools/openpgp-tool.1.xml
@ -149,14 +149,25 @@

 				<varlistentry>
 					<term>
-						<option>--pin</option> <replaceable>string</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>
-						The PIN text to verify. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.
-					</para></listitem>
+					<listitem>
+						<para>
+							This option can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>

 				<varlistentry>
--- a/doc/tools/opensc-explorer.1.xml
+++ b/doc/tools/opensc-explorer.1.xml
@ -55,8 +55,11 @@
 						<option>-c</option> <replaceable>driver</replaceable>
 					</term>
 					<listitem><para>
-						Use the given card driver.  The default is
-						auto-detected.
+						Use the given card driver.
+						The default is to auto-detect the correct card driver.
+						The literal value <literal>?</literal> lists
+						all available card drivers and terminates
+						<command>opensc-explorer</command>.
 					</para></listitem>
 				</varlistentry>
 				<varlistentry>
@ -163,11 +166,23 @@
 					<term>
 						<command>asn1</command>
 						<replaceable>file-id</replaceable>
+						<arg choice="opt"><replaceable>rec-no</replaceable></arg>
+						<arg choice="opt"><replaceable>offs</replaceable></arg>
 					</term>
 					<listitem>
 						<para>
 							Parse and print the ASN.1 encoded content of the working EF
 							specified by <replaceable>file-id</replaceable>.
+							If the optional parameter
+							<replaceable>rec-no</replaceable> is given and the file is
+							a record-oriented EF, parse and print only the record
+							indicated by this parameter.
+							If the optional parameter
+							<replaceable>offs</replaceable> is given, start parsing
+							and printing the file or record at the offset indicated
+							by the value given.
+							If this parameter is not given, the default offset is
+							<literal>0</literal>.
 						</para>
 					</listitem>
 				</varlistentry>
@ -179,12 +194,16 @@
 							<arg choice="plain"><replaceable>file-id</replaceable></arg>
 							<arg choice="plain"><literal>sfi:</literal><replaceable>short-id</replaceable></arg>
 						</group>
+						<arg choice="opt"><replaceable>rec-no</replaceable></arg>
 					</term>
 					<listitem>
 						<para>
 							Print the contents of the working EF specified by
 							<replaceable>file-id</replaceable> or the short file id
 							<replaceable>short-id</replaceable>.
+							If the optional second parameter
+							<replaceable>rec-no</replaceable> is given,
+							only print the record indicated by this parameter.
 							If no argument is given, print the the contents
 							of the currently selected EF.
 						</para>
@ -400,6 +419,31 @@
 					</listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<command>get_record</command>
+						<replaceable>file-id</replaceable>
+						<replaceable>rec-no</replaceable>
+						<arg choice="opt"><replaceable>output</replaceable></arg>
+					</term>
+					<listitem>
+						<para>
+							Copy a record of a record-oriented EF to a local file.
+							The local file is specified by
+							<replaceable>output</replaceable>
+							while the card file and the record are specified by
+							<replaceable>file-id</replaceable> and
+							<replaceable>rec-no</replaceable>,
+						</para>
+						<para>
+							If <replaceable>output</replaceable> is omitted,
+							the name of the output file will be derived from the
+							full card path to <replaceable>file-id</replaceable>.
+							and the <replaceable>rec-no</replaceable>.
+						</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<command>help</command>
--- a/doc/tools/opensc-tool.1.xml
+++ b/doc/tools/opensc-tool.1.xml
@ -35,7 +35,7 @@
 			<variablelist>
 				<varlistentry>
 					<term>
-						<option>--version</option>,
+						<option>--version</option>
 					</term>
 					<listitem><para>Print the OpenSC package release version.</para></listitem>
 				</varlistentry>
@ -52,8 +52,12 @@
 						<option>--card-driver</option> <replaceable>driver</replaceable>,
 						<option>-c</option> <replaceable>driver</replaceable>
 					</term>
-					<listitem><para>Use the given card driver.
-					The default is auto-detected.</para></listitem>
+					<listitem><para>
+						Use the given card driver.
+						The default is to auto-detect the correct card driver.
+						The literal value <literal>?</literal> lists
+						all available card drivers.
+					</para></listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
--- a/doc/tools/piv-tool.1.xml
+++ b/doc/tools/piv-tool.1.xml
@ -53,15 +53,18 @@
 						<option>--admin</option> <replaceable>argument</replaceable>,
 						<option>-A</option> <replaceable>argument</replaceable>
 					</term>
-					<listitem><para>Authenticate to the card using a 2DES or 3DES key.
+					<listitem><para>Authenticate to the card using a 2DES, 3DES or AES key.
 					The <replaceable>argument</replaceable> of the form
 					<synopsis> {<literal>A</literal>|<literal>M</literal>}<literal>:</literal><replaceable>ref</replaceable><literal>:</literal><replaceable>alg</replaceable></synopsis>
 					is required, were <literal>A</literal> uses "EXTERNAL AUTHENTICATION"
 					and <literal>M</literal> uses "MUTUAL AUTHENTICATION".
 					<replaceable>ref</replaceable> is normally <literal>9B</literal>,
-					and <replaceable>alg</replaceable> is <literal>03</literal> for 3DES.
-					The key is provided by the card vendor, and the environment variable
-					<varname>PIV_EXT_AUTH_KEY</varname> must point to a text file containing
+					and <replaceable>alg</replaceable> is <literal>03</literal> for 3DES,
+					<literal>01</literal> for 2DES, <literal>08</literal> for AES-128,
+					<literal>0A</literal> for AES-192 or <literal>0C</literal> for AES-256.
+					The key is provided by the card vendor. The environment variable
+					<varname>PIV_EXT_AUTH_KEY</varname> must point to either a binary file
+					matching the length of the key or a text file containing
 					the key in the format:
 					<code>XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX</code>
 					</para></listitem>
@ -163,14 +166,6 @@
 						</para>
 					</listitem>
 				</varlistentry>
-				<varlistentry>
-					<term>
-						<option>--card-driver</option> <replaceable>driver</replaceable>,
-						<option>-c</option> <replaceable>driver</replaceable>
-					</term>
-					<listitem><para>Use the given card driver.
-					The default is auto-detected.</para></listitem>
-				</varlistentry>
 				<varlistentry>
 					<term>
 						<option>--wait</option>,
--- a/doc/tools/pkcs11-register.1.xml
+++ b/doc/tools/pkcs11-register.1.xml
@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="pkcs11-register">
+	<refmeta>
+		<refentrytitle>pkcs11-register</refentrytitle>
+		<manvolnum>1</manvolnum>
+		<refmiscinfo class="productname">OpenSC</refmiscinfo>
+		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
+		<refmiscinfo class="source">opensc</refmiscinfo>
+	</refmeta>
+
+	<refnamediv>
+		<refname>pkcs11-register</refname>
+		<refpurpose>Simple tool to install PKCS#11 modules to known applications.</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>pkcs11-register</command>
+			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+		<para>
+			The <command>pkcs11-register</command> utility can be used from
+			the command line to register PKCS#11 modules to various applications
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Options</title>
+		<para>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>--help</option>,
+						<option>-h</option>
+					</term>
+					<listitem><para>Print help message on screen.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--version</option>,
+						<option>-V</option>
+					</term>
+					<listitem><para>Print the OpenSC package release version.</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--module</option> <replaceable>filename</replaceable>,
+						<option>-m</option> <replaceable>filename</replaceable>
+					</term>
+					<listitem><para>
+						Path to the PKCS#11 module to load. The default
+						is OpenSC PKCS#11 module.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-chrome</option>
+					</term>
+					<listitem><para>
+						Don't install module for Chrome browser. By default,
+						the tool attempts to install the module for Chrome
+						browser.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-firefox</option>
+					</term>
+					<listitem><para>
+						Don't install module for Firefox browser. By default,
+						the tool attempts to install the module for Firefox
+						browser.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-thunderbird</option>
+					</term>
+					<listitem><para>
+						Don't install module for Thunderbird mail client.
+						By default, the tool attempts to install the module
+						for Thunderbird mail client.
+					</para></listitem>
+				</varlistentry>
+				<varlistentry>
+					<term>
+						<option>--skip-seamonkey</option>
+					</term>
+					<listitem><para>
+						Don't install module for Seamonkey. By default,
+						the tool attempts to install the module Seamonkey.
+					</para></listitem>
+				</varlistentry>
+			</variablelist>
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>See also</title>
+		<para>
+			<citerefentry>
+				<refentrytitle>pkcs11-tool</refentrytitle>
+				<manvolnum>1</manvolnum>
+			</citerefentry>
+			<citerefentry>
+				<refentrytitle>opensc.conf</refentrytitle>
+				<manvolnum>5</manvolnum>
+			</citerefentry>
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Authors</title>
+		<para><command>pkcs11-register</command> was written by
+		Frank Morgner <email>frankmorgner@gmail.com</email>.</para>
+	</refsect1>
+
+</refentry>
+
+
--- a/doc/tools/pkcs11-tool.1.xml
+++ b/doc/tools/pkcs11-tool.1.xml
@ -146,7 +146,9 @@
 					<term>
 						<option>--key-type</option> <replaceable>specification</replaceable>
 					</term>
-					<listitem><para>Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1.</para></listitem>
+					<listitem><para>Specify the type and length (bytes if symmetric) of the key to create,
+					for example RSA:1024, EC:prime256v1, GOSTR3410-2012-256:B,
+					DES:8, DES3:24, AES:16 or GENERIC:64.</para></listitem>
 				</varlistentry>

 				<varlistentry>
@ -170,6 +172,13 @@
 					<listitem><para>Specify 'derive' key usage flag (EC only).</para></listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<option>--usage-wrap</option>
+					</term>
+					<listitem><para>Specify 'wrap' key usage flag.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--label</option> <replaceable>name</replaceable>,
@ -212,6 +221,13 @@
 					<listitem><para>List slots with tokens.</para></listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<option>--list-interfaces</option>
+					</term>
+					<listitem><para>List interfaces of PKCS #11 3.0 library.</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--login</option>,
@ -266,7 +282,7 @@
 						<option>--moz-cert</option> <replaceable>filename</replaceable>,
 						<option>-z</option> <replaceable>filename</replaceable>
 					</term>
-					<listitem><para>Test a Mozilla-like keypair generation
+					<listitem><para>Test a Mozilla-like key pair generation
 					and certificate request. Specify the <replaceable>filename</replaceable>
 					to the certificate file.</para></listitem>
 				</varlistentry>
@ -410,6 +426,22 @@
 					<listitem><para>Specify the index of the object to use.</para></listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<option>--use-locking</option>
+					</term>
+					<listitem><para>Tell pkcs11 module it should use OS thread locking.
+					</para></listitem>
+				</varlistentry>
+
+				<varlistentry>
+					<term>
+						<option>--test-threads</option> <replaceable>options</replaceable>
+					</term>
+					<listitem><para>Test a pkcs11 module's thread implication. (See source code).
+					</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--token-label</option> <replaceable>label</replaceable>
@ -605,6 +637,15 @@
 					</para></listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<option>--allow-sw</option>
+					</term>
+					<listitem><para>Allow using software mechanisms that do not have the CKF_HW flag set.
+					May be required when using software tokens and emulators.
+					</para></listitem>
+				</varlistentry>
+
 			</variablelist>
 		</para>
 	</refsect1>
--- a/doc/tools/pkcs15-init.1.xml
+++ b/doc/tools/pkcs15-init.1.xml
@ -136,11 +136,12 @@
 				<command>pkcs15-init --generate-key " keyspec " --auth-id " nn</command>
 			</para>
 			<para>
-				where <replaceable>keyspec</replaceable> describes the algorithm and length of the
-				key to be created, such as <literal>rsa/512</literal>. This will create a 512 bit
-				RSA key. Currently, only RSA key generation is supported. Note that cards
-				usually support just a few different key lengths. Almost all cards will support
-				512 and 1024 bit keys, some will support 768 or 2048 as well.
+				where <replaceable>keyspec</replaceable> describes the algorithm and the parameters
+				of the key to be created. For example, <literal>rsa:2048</literal> generates a RSA key
+				with 2048-bit modulus. If you are generating an EC key, the curve designation must
+				be specified, for example <literal>ec:prime256v1</literal>. For symmetric key,
+				the length of key is specified in bytes, for example  <literal>AES:32</literal>
+				or <literal>DES3:24</literal>.
 			</para>
 			<para>
 				<replaceable>nn</replaceable> is the ID of a user PIN installed previously,
@ -242,7 +243,7 @@
 				you would use
 			</para>
 			<para>
-				<command>pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes/256 --auth-id 01</command>
+				<command>pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes:256 --auth-id 01</command>
 			</para>
 			<para>
 				By default a random ID is generated for the secret key. You may specify an ID
@ -332,9 +333,9 @@
 					<listitem>
 						<para>
 							Tells the card to generate new key and store it on the card.
-							<replaceable>keyspec</replaceable> consists of an algorithm name
-							(currently, the only supported name is <option>RSA</option>),
-							optionally followed by a slash and the length of the key in bits.
+							<replaceable>keyspec</replaceable> consists of an algorithm name,
+							optionally followed by a colon ":", slash "/" or hyphen "-" and
+							the parameters of the key to be created.
 							It is a good idea to specify the key ID along with this command,
 							using the <option>id</option> option, otherwise an intrinsic ID
 							will be calculated from the key material. Look the description of
@ -348,46 +349,26 @@

 				<varlistentry>
 					<term>
-						<option>--options-file</option> <replaceable>filename</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--puk</option> <replaceable>puk</replaceable>,
+						<option>--so-pin</option> <replaceable>sopin</replaceable>,
+						<option>--so-puk</option> <replaceable>sopuk</replaceable>
 					</term>
 					<listitem>
 						<para>
-							Tells <command>pkcs15-init</command> to read additional options
-							from <replaceable>filename</replaceable>. The file is supposed to
-							contain one long option per line, without the leading dashes,
-							for instance:
-							<programlisting>
-pin		1234
-puk		87654321
-							</programlisting>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
 						</para>
 						<para>
-							You can specify <option>--options-file</option> several times.
-						</para>
-					</listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--pin</option>,
-						<option>--puk</option>
-						<option>--so-pin</option>,
-						<option>--so-puk</option>,
-					</term>
-					<listitem>
-						<para>
-							These options can be used to specify PIN/PUK values
-							on the command line. If set to
-							env:<replaceable>VARIABLE</replaceable>, the value
-							of the environment variable
-							<replaceable>VARIABLE</replaceable> is used. Note
-							that on most operation systems, any user can
+							Note that on most operation systems, any user can
 							display the command line of any process on the
 							system using utilities such as
-							<command>ps(1)</command>. Therefore, you should use
-							these options only on a secured system, or in an
-							options file specified with
-							<option>--options-file</option>.
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
 						</para>
 					</listitem>
 				</varlistentry>
@ -437,7 +418,7 @@ puk		87654321
 					<listitem>
 						<para>
 							<replaceable>keyspec</replaceable> describes the algorithm and length of the
-							key to be created or downloaded, such as <literal>aes/256</literal>.
+							key to be created or downloaded, such as <literal>aes:256</literal>.
 							This will create a 256 bit AES key.
 						</para>
 					</listitem>
--- a/doc/tools/pkcs15-tool.1.xml
+++ b/doc/tools/pkcs15-tool.1.xml
@ -52,8 +52,8 @@

 				<varlistentry>
 					<term>
-						<option>--auth-id</option> <replaceable>pin</replaceable>,
-						<option>-a</option> <replaceable>pin</replaceable>
+						<option>--auth-id</option> <replaceable>id</replaceable>,
+						<option>-a</option> <replaceable>id</replaceable>
 					</term>
 					<listitem><para>Specifies the auth id of the PIN to use for the
 					operation. This is useful with the --change-pin operation.</para></listitem>
@ -310,21 +310,32 @@

 				<varlistentry>
 					<term>
-						<option>--pin</option> <replaceable>PIN</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--new-pin</option> <replaceable>newpin</replaceable>
+						<option>--puk</option> <replaceable>puk</replaceable>
 					</term>
-					<listitem><para>Specify PIN</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>

 				<varlistentry>
 					<term>
-						<option>--puk</option> <replaceable>PUK</replaceable>
-					</term>
-					<listitem><para>Specify Unblock PIN</para></listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--new-pin</option> <replaceable>PIN</replaceable>
+						<option>--new-pin</option> <replaceable>pin</replaceable>
 					</term>
 					<listitem><para>Specify New PIN (when changing or unblocking)</para></listitem>
 				</varlistentry>
--- a/doc/tools/sc-hsm-tool.1.xml
+++ b/doc/tools/sc-hsm-tool.1.xml
@ -120,26 +120,25 @@
 				
 				<varlistentry>
 					<term>
-						<option>--so-pin</option> <replaceable>value</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--so-pin</option> <replaceable>sopin</replaceable>,
 					</term>
 					<listitem>
-						<para>Define SO-PIN for initialization. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.</para>
-					</listitem>
-				</varlistentry>
-				
-				<varlistentry>
-					<term>
-						<option>--pin</option> <replaceable>value</replaceable>
-					</term>
-					<listitem>
-						<para>Define user PIN for initialization, wrap or
-						unwrap operation. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.</para>
+						<para>
+							These options can be used to specify the PIN values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
 					</listitem>
 				</varlistentry>
 				
--- a/doc/tools/tools.html
+++ b/doc/tools/tools.html
--- a/doc/tools/westcos-tool.1.xml
+++ b/doc/tools/westcos-tool.1.xml
@ -115,25 +115,28 @@

 				<varlistentry>
 					<term>
-						<option>--pin-value</option> <replaceable>value</replaceable>,
-						<option>-x</option> <replaceable>value</replaceable>
+						<option>--pin-value</option> <replaceable>pin</replaceable>,
+						<option>-x</option> <replaceable>pin</replaceable>
+						<option>--puk-value</option> <replaceable>puk</replaceable>,
+						<option>-y</option> <replaceable>puk</replaceable>
 					</term>
-					<listitem><para>Set value of PIN. If set to
-					env:<replaceable>VARIABLE</replaceable>, the value of
-					the environment variable
-					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--puk-value</option> <replaceable>value</replaceable>,
-						<option>-y</option> <replaceable>value</replaceable>
-					</term>
-					<listitem><para>set value of PUK (or value of new PIN for change PIN
-					command see <option>-n</option>). If set to
-					env:<replaceable>VARIABLE</replaceable>, the value of
-					the environment variable
-					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>

 				<varlistentry>
--- a/etc/Makefile.am
+++ b/etc/Makefile.am
@ -12,12 +12,12 @@ nodist_noinst_DATA = opensc.conf.example

 # Make sure we build this every time
 # as there is no dependency for this.
-# Can be removed if MSVC is not requried.
+# Can be removed if MSVC is not required.
 force:
 opensc.conf.example: opensc.conf.example.in force

 .in:
-	@sed \
+	$(AM_V_GEN)sed \
 		-e 's|@pkgdatadir[@]|$(pkgdatadir)|g' \
 		-e 's|@DEBUG_FILE[@]|$(DEBUG_FILE)|g' \
 		-e 's|@DEFAULT_PCSC_PROVIDER[@]|$(DEFAULT_PCSC_PROVIDER)|g' \
--- a/etc/opensc.conf.example.in
+++ b/etc/opensc.conf.example.in
@ -174,7 +174,7 @@ app default {
 		# QES is only possible with a Comfort Reader (CAT-K), which holds a
 		# cryptographic key to authenticate itself as signature terminal (ST).
 		# We usually will use the reader's capability to sign the data.
-		# However, during developement you may specify soft certificates and
+		# However, during development you may specify soft certificates and
 		# keys for a ST below.
 		# The following example EAC PKI can be found in vicc's example data:
 		# https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data
@ -202,6 +202,15 @@ app default {
 		# user_consent_app = "/usr/bin/pinentry";
 	}

+	card_driver edo {
+		# CAN is required to establish connection
+		# with the card. It might be overridden by
+		# EDO_CAN environment variable. Currently,
+		# it is not possible to set it in any other way.
+		#
+		#can = 123456;
+	}
+
 	# In addition to the built-in list of known cards in the
 	# card driver, you can configure a new card for the driver
 	# using the card_atr block. The goal is to centralize
@ -894,6 +903,8 @@ app default {
 		# Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE
 		# may need to set this to get signatures to work with some cards.
 		# Default: false
+		# It is recommended to enable also use_pin_caching to allow OpenSC
+		# to pass the pin to the card when needed.
 		# pin_cache_ignore_user_consent = true;

 		# How to handle a PIN-protected certificate
@ -1054,7 +1065,7 @@ app opensc-pkcs11 {
 		#    init_pin_in_so_session:  C_InitPIN() in CKU_SO logged session:
 		#       User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN).
 		#       # Actually this style works only for the PKCS15 contents without SOPIN.
-		#       # For those with SOPIN, this mode will be usefull for the cards without
+		#       # For those with SOPIN, this mode will be useful for the cards without
 		#       #   modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt
 		#
 		# Default: none
@ -1073,7 +1084,7 @@ app opensc-pkcs11 {
 		# Card can contain more then one PINs or more then one on-card application with
 		#   its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be
 		#   created for all of them. Many slots could be ennoying for some of widely used application,
-		#   like FireFox. This configuration parameter allows to select the PIN(s)
+		#   like FireFox. This configuration parameter allows one to select the PIN(s)
 		#   for which PKCS#11 slot will be created.
 		# Actually recognised following symbolic names:
 		#  'user', 'sign', 'all'
--- a/m4/ax_ac_append_to_file.m4
+++ b/m4/ax_ac_append_to_file.m4
@ -0,0 +1,32 @@
+# ===========================================================================
+#   https://www.gnu.org/software/autoconf-archive/ax_ac_append_to_file.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_AC_APPEND_TO_FILE([FILE],[DATA])
+#
+# DESCRIPTION
+#
+#   Appends the specified data to the specified Autoconf is run. If you want
+#   to append to a file when configure is run use AX_APPEND_TO_FILE instead.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+AC_DEFUN([AX_AC_APPEND_TO_FILE],[
+AC_REQUIRE([AX_FILE_ESCAPES])
+m4_esyscmd(
+AX_FILE_ESCAPES
+[
+printf "%s" "$2" >> "$1"
+])
+])
--- a/m4/ax_ac_print_to_file.m4
+++ b/m4/ax_ac_print_to_file.m4
@ -0,0 +1,32 @@
+# ===========================================================================
+#   https://www.gnu.org/software/autoconf-archive/ax_ac_print_to_file.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_AC_PRINT_TO_FILE([FILE],[DATA])
+#
+# DESCRIPTION
+#
+#   Writes the specified data to the specified file when Autoconf is run. If
+#   you want to print to a file when configure is run use AX_PRINT_TO_FILE
+#   instead.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+AC_DEFUN([AX_AC_PRINT_TO_FILE],[
+m4_esyscmd(
+AC_REQUIRE([AX_FILE_ESCAPES])
+[
+printf "%s" "$2" > "$1"
+])
+])
--- a/m4/ax_add_am_macro_static.m4
+++ b/m4/ax_add_am_macro_static.m4
@ -0,0 +1,28 @@
+# ===========================================================================
+#  https://www.gnu.org/software/autoconf-archive/ax_add_am_macro_static.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_ADD_AM_MACRO_STATIC([RULE])
+#
+# DESCRIPTION
+#
+#   Adds the specified rule to $AMINCLUDE.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Tom Howard <tomhoward@users.sf.net>
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 8
+
+AC_DEFUN([AX_ADD_AM_MACRO_STATIC],[
+  AC_REQUIRE([AX_AM_MACROS_STATIC])
+  AX_AC_APPEND_TO_FILE(AMINCLUDE_STATIC,[$1])
+])
--- a/m4/ax_am_macros_static.m4
+++ b/m4/ax_am_macros_static.m4
@ -0,0 +1,38 @@
+# ===========================================================================
+#   https://www.gnu.org/software/autoconf-archive/ax_am_macros_static.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_AM_MACROS_STATIC
+#
+# DESCRIPTION
+#
+#   Adds support for macros that create Automake rules. You must manually
+#   add the following line
+#
+#     include $(top_srcdir)/aminclude_static.am
+#
+#   to your Makefile.am files.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Tom Howard <tomhoward@users.sf.net>
+#   Copyright (c) 2009 Allan Caffee <allan.caffee@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 11
+
+AC_DEFUN([AMINCLUDE_STATIC],[aminclude_static.am])
+
+AC_DEFUN([AX_AM_MACROS_STATIC],
+[
+AX_AC_PRINT_TO_FILE(AMINCLUDE_STATIC,[
+# ]AMINCLUDE_STATIC[ generated automatically by Autoconf
+# from AX_AM_MACROS_STATIC on ]m4_esyscmd([LC_ALL=C date])[
+])
+])
--- a/m4/ax_check_gnu_make.m4
+++ b/m4/ax_check_gnu_make.m4
@ -0,0 +1,95 @@
+# ===========================================================================
+#    https://www.gnu.org/software/autoconf-archive/ax_check_gnu_make.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_GNU_MAKE([run-if-true],[run-if-false])
+#
+# DESCRIPTION
+#
+#   This macro searches for a GNU version of make. If a match is found:
+#
+#     * The makefile variable `ifGNUmake' is set to the empty string, otherwise
+#       it is set to "#". This is useful for including a special features in a
+#       Makefile, which cannot be handled by other versions of make.
+#     * The makefile variable `ifnGNUmake' is set to #, otherwise
+#       it is set to the empty string. This is useful for including a special
+#       features in a Makefile, which can be handled
+#       by other versions of make or to specify else like clause.
+#     * The variable `_cv_gnu_make_command` is set to the command to invoke
+#       GNU make if it exists, the empty string otherwise.
+#     * The variable `ax_cv_gnu_make_command` is set to the command to invoke
+#       GNU make by copying `_cv_gnu_make_command`, otherwise it is unset.
+#     * If GNU Make is found, its version is extracted from the output of
+#       `make --version` as the last field of a record of space-separated
+#       columns and saved into the variable `ax_check_gnu_make_version`.
+#     * Additionally if GNU Make is found, run shell code run-if-true
+#       else run shell code run-if-false.
+#
+#   Here is an example of its use:
+#
+#   Makefile.in might contain:
+#
+#     # A failsafe way of putting a dependency rule into a makefile
+#     $(DEPEND):
+#             $(CC) -MM $(srcdir)/*.c > $(DEPEND)
+#
+#     @ifGNUmake@ ifeq ($(DEPEND),$(wildcard $(DEPEND)))
+#     @ifGNUmake@ include $(DEPEND)
+#     @ifGNUmake@ else
+#     fallback code
+#     @ifGNUmake@ endif
+#
+#   Then configure.in would normally contain:
+#
+#     AX_CHECK_GNU_MAKE()
+#     AC_OUTPUT(Makefile)
+#
+#   Then perhaps to cause gnu make to override any other make, we could do
+#   something like this (note that GNU make always looks for GNUmakefile
+#   first):
+#
+#     if  ! test x$_cv_gnu_make_command = x ; then
+#             mv Makefile GNUmakefile
+#             echo .DEFAULT: > Makefile ;
+#             echo \  $_cv_gnu_make_command \$@ >> Makefile;
+#     fi
+#
+#   Then, if any (well almost any) other make is called, and GNU make also
+#   exists, then the other make wraps the GNU make.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 John Darrington <j.darrington@elvis.murdoch.edu.au>
+#   Copyright (c) 2015 Enrico M. Crisostomo <enrico.m.crisostomo@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 12
+
+AC_DEFUN([AX_CHECK_GNU_MAKE],dnl
+  [AC_PROG_AWK
+  AC_CACHE_CHECK([for GNU make],[_cv_gnu_make_command],[dnl
+    _cv_gnu_make_command="" ;
+dnl Search all the common names for GNU make
+    for a in "$MAKE" make gmake gnumake ; do
+      if test -z "$a" ; then continue ; fi ;
+      if "$a" --version 2> /dev/null | grep GNU 2>&1 > /dev/null ; then
+        _cv_gnu_make_command=$a ;
+        AX_CHECK_GNU_MAKE_HEADLINE=$("$a" --version 2> /dev/null | grep "GNU Make")
+        ax_check_gnu_make_version=$(echo ${AX_CHECK_GNU_MAKE_HEADLINE} | ${AWK} -F " " '{ print $(NF); }')
+        break ;
+      fi
+    done ;])
+dnl If there was a GNU version, then set @ifGNUmake@ to the empty string, '#' otherwise
+  AS_VAR_IF([_cv_gnu_make_command], [""], [AS_VAR_SET([ifGNUmake], ["#"])],   [AS_VAR_SET([ifGNUmake], [""])])
+  AS_VAR_IF([_cv_gnu_make_command], [""], [AS_VAR_SET([ifnGNUmake], [""])],   [AS_VAR_SET([ifnGNUmake], ["#"])])
+  AS_VAR_IF([_cv_gnu_make_command], [""], [AS_UNSET(ax_cv_gnu_make_command)], [AS_VAR_SET([ax_cv_gnu_make_command], [${_cv_gnu_make_command}])])
+  AS_VAR_IF([_cv_gnu_make_command], [""],[$2],[$1])
+  AC_SUBST([ifGNUmake])
+  AC_SUBST([ifnGNUmake])
+])
--- a/m4/ax_code_coverage.m4
+++ b/m4/ax_code_coverage.m4
@ -0,0 +1,272 @@
+# ===========================================================================
+#     https://www.gnu.org/software/autoconf-archive/ax_code_coverage.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CODE_COVERAGE()
+#
+# DESCRIPTION
+#
+#   Defines CODE_COVERAGE_CPPFLAGS, CODE_COVERAGE_CFLAGS,
+#   CODE_COVERAGE_CXXFLAGS and CODE_COVERAGE_LIBS which should be included
+#   in the CPPFLAGS, CFLAGS CXXFLAGS and LIBS/LIBADD variables of every
+#   build target (program or library) which should be built with code
+#   coverage support. Also add rules using AX_ADD_AM_MACRO_STATIC; and
+#   $enable_code_coverage which can be used in subsequent configure output.
+#   CODE_COVERAGE_ENABLED is defined and substituted, and corresponds to the
+#   value of the --enable-code-coverage option, which defaults to being
+#   disabled.
+#
+#   Test also for gcov program and create GCOV variable that could be
+#   substituted.
+#
+#   Note that all optimization flags in CFLAGS must be disabled when code
+#   coverage is enabled.
+#
+#   Usage example:
+#
+#   configure.ac:
+#
+#     AX_CODE_COVERAGE
+#
+#   Makefile.am:
+#
+#     include $(top_srcdir)/aminclude_static.am
+#
+#     my_program_LIBS = ... $(CODE_COVERAGE_LIBS) ...
+#     my_program_CPPFLAGS = ... $(CODE_COVERAGE_CPPFLAGS) ...
+#     my_program_CFLAGS = ... $(CODE_COVERAGE_CFLAGS) ...
+#     my_program_CXXFLAGS = ... $(CODE_COVERAGE_CXXFLAGS) ...
+#
+#     clean-local: code-coverage-clean
+#     distclean-local: code-coverage-dist-clean
+#
+#   This results in a "check-code-coverage" rule being added to any
+#   Makefile.am which do "include $(top_srcdir)/aminclude_static.am"
+#   (assuming the module has been configured with --enable-code-coverage).
+#   Running `make check-code-coverage` in that directory will run the
+#   module's test suite (`make check`) and build a code coverage report
+#   detailing the code which was touched, then print the URI for the report.
+#
+#   This code was derived from Makefile.decl in GLib, originally licensed
+#   under LGPLv2.1+.
+#
+# LICENSE
+#
+#   Copyright (c) 2012, 2016 Philip Withnall
+#   Copyright (c) 2012 Xan Lopez
+#   Copyright (c) 2012 Christian Persch
+#   Copyright (c) 2012 Paolo Borelli
+#   Copyright (c) 2012 Dan Winship
+#   Copyright (c) 2015,2018 Bastien ROUCARIES
+#
+#   This library is free software; you can redistribute it and/or modify it
+#   under the terms of the GNU Lesser General Public License as published by
+#   the Free Software Foundation; either version 2.1 of the License, or (at
+#   your option) any later version.
+#
+#   This library is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
+#   General Public License for more details.
+#
+#   You should have received a copy of the GNU Lesser General Public License
+#   along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+#serial 32
+
+m4_define(_AX_CODE_COVERAGE_RULES,[
+AX_ADD_AM_MACRO_STATIC([
+# Code coverage
+#
+# Optional:
+#  - CODE_COVERAGE_DIRECTORY: Top-level directory for code coverage reporting.
+#    Multiple directories may be specified, separated by whitespace.
+#    (Default: \$(top_builddir))
+#  - CODE_COVERAGE_OUTPUT_FILE: Filename and path for the .info file generated
+#    by lcov for code coverage. (Default:
+#    \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage.info)
+#  - CODE_COVERAGE_OUTPUT_DIRECTORY: Directory for generated code coverage
+#    reports to be created. (Default:
+#    \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage)
+#  - CODE_COVERAGE_BRANCH_COVERAGE: Set to 1 to enforce branch coverage,
+#    set to 0 to disable it and leave empty to stay with the default.
+#    (Default: empty)
+#  - CODE_COVERAGE_LCOV_SHOPTS_DEFAULT: Extra options shared between both lcov
+#    instances. (Default: based on $CODE_COVERAGE_BRANCH_COVERAGE)
+#  - CODE_COVERAGE_LCOV_SHOPTS: Extra options to shared between both lcov
+#    instances. (Default: $CODE_COVERAGE_LCOV_SHOPTS_DEFAULT)
+#  - CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH: --gcov-tool pathtogcov
+#  - CODE_COVERAGE_LCOV_OPTIONS_DEFAULT: Extra options to pass to the
+#    collecting lcov instance. (Default: $CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH)
+#  - CODE_COVERAGE_LCOV_OPTIONS: Extra options to pass to the collecting lcov
+#    instance. (Default: $CODE_COVERAGE_LCOV_OPTIONS_DEFAULT)
+#  - CODE_COVERAGE_LCOV_RMOPTS_DEFAULT: Extra options to pass to the filtering
+#    lcov instance. (Default: empty)
+#  - CODE_COVERAGE_LCOV_RMOPTS: Extra options to pass to the filtering lcov
+#    instance. (Default: $CODE_COVERAGE_LCOV_RMOPTS_DEFAULT)
+#  - CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT: Extra options to pass to the
+#    genhtml instance. (Default: based on $CODE_COVERAGE_BRANCH_COVERAGE)
+#  - CODE_COVERAGE_GENHTML_OPTIONS: Extra options to pass to the genhtml
+#    instance. (Default: $CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT)
+#  - CODE_COVERAGE_IGNORE_PATTERN: Extra glob pattern of files to ignore
+#
+# The generated report will be titled using the \$(PACKAGE_NAME) and
+# \$(PACKAGE_VERSION). In order to add the current git hash to the title,
+# use the git-version-gen script, available online.
+# Optional variables
+# run only on top dir
+if CODE_COVERAGE_ENABLED
+ ifeq (\$(abs_builddir), \$(abs_top_builddir))
+CODE_COVERAGE_DIRECTORY ?= \$(top_builddir)
+CODE_COVERAGE_OUTPUT_FILE ?= \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage.info
+CODE_COVERAGE_OUTPUT_DIRECTORY ?= \$(PACKAGE_NAME)-\$(PACKAGE_VERSION)-coverage
+
+CODE_COVERAGE_BRANCH_COVERAGE ?=
+CODE_COVERAGE_LCOV_SHOPTS_DEFAULT ?= \$(if \$(CODE_COVERAGE_BRANCH_COVERAGE),\
+--rc lcov_branch_coverage=\$(CODE_COVERAGE_BRANCH_COVERAGE))
+CODE_COVERAGE_LCOV_SHOPTS ?= \$(CODE_COVERAGE_LCOV_SHOPTS_DEFAULT)
+CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH ?= --gcov-tool \"\$(GCOV)\"
+CODE_COVERAGE_LCOV_OPTIONS_DEFAULT ?= \$(CODE_COVERAGE_LCOV_OPTIONS_GCOVPATH)
+CODE_COVERAGE_LCOV_OPTIONS ?= \$(CODE_COVERAGE_LCOV_OPTIONS_DEFAULT)
+CODE_COVERAGE_LCOV_RMOPTS_DEFAULT ?=
+CODE_COVERAGE_LCOV_RMOPTS ?= \$(CODE_COVERAGE_LCOV_RMOPTS_DEFAULT)
+CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT ?=\
+\$(if \$(CODE_COVERAGE_BRANCH_COVERAGE),\
+--rc genhtml_branch_coverage=\$(CODE_COVERAGE_BRANCH_COVERAGE))
+CODE_COVERAGE_GENHTML_OPTIONS ?= \$(CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT)
+CODE_COVERAGE_IGNORE_PATTERN ?=
+
+GITIGNOREFILES = \$(GITIGNOREFILES) \$(CODE_COVERAGE_OUTPUT_FILE) \$(CODE_COVERAGE_OUTPUT_DIRECTORY)
+code_coverage_v_lcov_cap = \$(code_coverage_v_lcov_cap_\$(V))
+code_coverage_v_lcov_cap_ = \$(code_coverage_v_lcov_cap_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_v_lcov_cap_0 = @echo \"  LCOV   --capture\" \$(CODE_COVERAGE_OUTPUT_FILE);
+code_coverage_v_lcov_ign = \$(code_coverage_v_lcov_ign_\$(V))
+code_coverage_v_lcov_ign_ = \$(code_coverage_v_lcov_ign_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_v_lcov_ign_0 = @echo \"  LCOV   --remove /tmp/*\" \$(CODE_COVERAGE_IGNORE_PATTERN);
+code_coverage_v_genhtml = \$(code_coverage_v_genhtml_\$(V))
+code_coverage_v_genhtml_ = \$(code_coverage_v_genhtml_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_v_genhtml_0 = @echo \"  GEN   \" \"\$(CODE_COVERAGE_OUTPUT_DIRECTORY)\";
+code_coverage_quiet = \$(code_coverage_quiet_\$(V))
+code_coverage_quiet_ = \$(code_coverage_quiet_\$(AM_DEFAULT_VERBOSITY))
+code_coverage_quiet_0 = --quiet
+
+# sanitizes the test-name: replaces with underscores: dashes and dots
+code_coverage_sanitize = \$(subst -,_,\$(subst .,_,\$(1)))
+
+# Use recursive makes in order to ignore errors during check
+check-code-coverage:
+	-\$(AM_V_at)\$(MAKE) \$(AM_MAKEFLAGS) -k check
+	\$(AM_V_at)\$(MAKE) \$(AM_MAKEFLAGS) code-coverage-capture
+
+# Capture code coverage data
+code-coverage-capture: code-coverage-capture-hook
+	\$(code_coverage_v_lcov_cap)\$(LCOV) \$(code_coverage_quiet) \$(addprefix --directory ,\$(CODE_COVERAGE_DIRECTORY)) --capture --output-file \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\" --test-name \"\$(call code_coverage_sanitize,\$(PACKAGE_NAME)-\$(PACKAGE_VERSION))\" --no-checksum --compat-libtool \$(CODE_COVERAGE_LCOV_SHOPTS) \$(CODE_COVERAGE_LCOV_OPTIONS)
+	\$(code_coverage_v_lcov_ign)\$(LCOV) \$(code_coverage_quiet) \$(addprefix --directory ,\$(CODE_COVERAGE_DIRECTORY)) --remove \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\" \"/tmp/*\" \$(CODE_COVERAGE_IGNORE_PATTERN) --output-file \"\$(CODE_COVERAGE_OUTPUT_FILE)\" \$(CODE_COVERAGE_LCOV_SHOPTS) \$(CODE_COVERAGE_LCOV_RMOPTS)
+	-@rm -f \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\"
+	\$(code_coverage_v_genhtml)LANG=C \$(GENHTML) \$(code_coverage_quiet) \$(addprefix --prefix ,\$(CODE_COVERAGE_DIRECTORY)) --output-directory \"\$(CODE_COVERAGE_OUTPUT_DIRECTORY)\" --title \"\$(PACKAGE_NAME)-\$(PACKAGE_VERSION) Code Coverage\" --legend --show-details \"\$(CODE_COVERAGE_OUTPUT_FILE)\" \$(CODE_COVERAGE_GENHTML_OPTIONS)
+	@echo \"file://\$(abs_builddir)/\$(CODE_COVERAGE_OUTPUT_DIRECTORY)/index.html\"
+
+code-coverage-clean:
+	-\$(LCOV) --directory \$(top_builddir) -z
+	-rm -rf \"\$(CODE_COVERAGE_OUTPUT_FILE)\" \"\$(CODE_COVERAGE_OUTPUT_FILE).tmp\" \"\$(CODE_COVERAGE_OUTPUT_DIRECTORY)\"
+	-find . \\( -name \"*.gcda\" -o -name \"*.gcno\" -o -name \"*.gcov\" \\) -delete
+
+code-coverage-dist-clean:
+
+A][M_DISTCHECK_CONFIGURE_FLAGS = \$(A][M_DISTCHECK_CONFIGURE_FLAGS) --disable-code-coverage
+ else # ifneq (\$(abs_builddir), \$(abs_top_builddir))
+check-code-coverage:
+
+code-coverage-capture: code-coverage-capture-hook
+
+code-coverage-clean:
+
+code-coverage-dist-clean:
+ endif # ifeq (\$(abs_builddir), \$(abs_top_builddir))
+else #! CODE_COVERAGE_ENABLED
+# Use recursive makes in order to ignore errors during check
+check-code-coverage:
+	@echo \"Need to reconfigure with --enable-code-coverage\"
+# Capture code coverage data
+code-coverage-capture: code-coverage-capture-hook
+	@echo \"Need to reconfigure with --enable-code-coverage\"
+
+code-coverage-clean:
+
+code-coverage-dist-clean:
+
+endif #CODE_COVERAGE_ENABLED
+# Hook rule executed before code-coverage-capture, overridable by the user
+code-coverage-capture-hook:
+
+.PHONY: check-code-coverage code-coverage-capture code-coverage-dist-clean code-coverage-clean code-coverage-capture-hook
+])
+])
+
+AC_DEFUN([_AX_CODE_COVERAGE_ENABLED],[
+	AX_CHECK_GNU_MAKE([],[AC_MSG_ERROR([not using GNU make that is needed for coverage])])
+	AC_REQUIRE([AX_ADD_AM_MACRO_STATIC])
+	# check for gcov
+	AC_CHECK_TOOL([GCOV],
+		  [$_AX_CODE_COVERAGE_GCOV_PROG_WITH],
+		  [:])
+	AS_IF([test "X$GCOV" = "X:"],
+	      [AC_MSG_ERROR([gcov is needed to do coverage])])
+	AC_SUBST([GCOV])
+
+	dnl Check if gcc is being used
+	AS_IF([ test "$GCC" = "no" ], [
+		AC_MSG_ERROR([not compiling with gcc, which is required for gcov code coverage])
+	      ])
+
+	AC_CHECK_PROG([LCOV], [lcov], [lcov])
+	AC_CHECK_PROG([GENHTML], [genhtml], [genhtml])
+
+	AS_IF([ test x"$LCOV" = x ], [
+		AC_MSG_ERROR([To enable code coverage reporting you must have lcov installed])
+	      ])
+
+	AS_IF([ test x"$GENHTML" = x ], [
+		AC_MSG_ERROR([Could not find genhtml from the lcov package])
+	])
+
+	dnl Build the code coverage flags
+	dnl Define CODE_COVERAGE_LDFLAGS for backwards compatibility
+	CODE_COVERAGE_CPPFLAGS="-DNDEBUG"
+	CODE_COVERAGE_CFLAGS="-O0 -g -fprofile-arcs -ftest-coverage"
+	CODE_COVERAGE_CXXFLAGS="-O0 -g -fprofile-arcs -ftest-coverage"
+	CODE_COVERAGE_LIBS="-lgcov"
+
+	AC_SUBST([CODE_COVERAGE_CPPFLAGS])
+	AC_SUBST([CODE_COVERAGE_CFLAGS])
+	AC_SUBST([CODE_COVERAGE_CXXFLAGS])
+	AC_SUBST([CODE_COVERAGE_LIBS])
+])
+
+AC_DEFUN([AX_CODE_COVERAGE],[
+	dnl Check for --enable-code-coverage
+
+	# allow to override gcov location
+	AC_ARG_WITH([gcov],
+	  [AS_HELP_STRING([--with-gcov[=GCOV]], [use given GCOV for coverage (GCOV=gcov).])],
+	  [_AX_CODE_COVERAGE_GCOV_PROG_WITH=$with_gcov],
+	  [_AX_CODE_COVERAGE_GCOV_PROG_WITH=gcov])
+
+	AC_MSG_CHECKING([whether to build with code coverage support])
+	AC_ARG_ENABLE([code-coverage],
+	  AS_HELP_STRING([--enable-code-coverage],
+	  [Whether to enable code coverage support]),,
+	  enable_code_coverage=no)
+
+	AM_CONDITIONAL([CODE_COVERAGE_ENABLED], [test "x$enable_code_coverage" = xyes])
+	AC_SUBST([CODE_COVERAGE_ENABLED], [$enable_code_coverage])
+	AC_MSG_RESULT($enable_code_coverage)
+
+	AS_IF([ test "x$enable_code_coverage" = xyes ], [
+		_AX_CODE_COVERAGE_ENABLED
+	      ])
+
+	_AX_CODE_COVERAGE_RULES
+])
--- a/m4/ax_file_escapes.m4
+++ b/m4/ax_file_escapes.m4
@ -0,0 +1,30 @@
+# ===========================================================================
+#     https://www.gnu.org/software/autoconf-archive/ax_file_escapes.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_FILE_ESCAPES
+#
+# DESCRIPTION
+#
+#   Writes the specified data to the specified file.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Tom Howard <tomhoward@users.sf.net>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 8
+
+AC_DEFUN([AX_FILE_ESCAPES],[
+AX_DOLLAR="\$"
+AX_SRB="\\135"
+AX_SLB="\\133"
+AX_BS="\\\\"
+AX_DQ="\""
+])
--- a/src/common/Makefile.am
+++ b/src/common/Makefile.am
@ -43,4 +43,4 @@ TIDY_FILES = \
 	libpkcs11.c libscdl.c

 check-local:
-	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' -header-filter=.* $(TIDY_FILES) -- $(TIDY_FLAGS); fi
+	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' --checks='$(TIDY_CHECKS)' -header-filter=.* $(addprefix $(srcdir)/,$(TIDY_FILES)) -- $(TIDY_FLAGS); fi
--- a/src/common/compat_getopt_main.c
+++ b/src/common/compat_getopt_main.c
@ -99,7 +99,7 @@ handle(char *progname,
            {
              char rc = letters[(match - letters + rotate) % 26];
              if (isupper(c))
-                rc = toupper(rc);
+                rc = toupper((unsigned char)rc);
              c = rc;
            }
        }
--- a/src/common/compat_strlcat.c
+++ b/src/common/compat_strlcat.c
@ -31,7 +31,7 @@
 #include "config.h"
 #endif

-#ifndef HAVE_STRLCAT
+#if !defined(HAVE_DECL_STRLCAT) || !HAVE_DECL_STRLCAT
 #include <sys/types.h>
 #include <string.h>

--- a/src/common/compat_strlcat.h
+++ b/src/common/compat_strlcat.h
@ -10,9 +10,11 @@
 #include "config.h"
 #endif

-#ifndef HAVE_STRLCAT
+#if !defined(HAVE_DECL_STRLCAT) || !HAVE_DECL_STRLCAT
 #include <stddef.h>
 size_t strlcat(char *dst, const char *src, size_t siz);
+#else
+#include <string.h>
 #endif

 #endif
--- a/src/common/compat_strlcpy.c
+++ b/src/common/compat_strlcpy.c
@ -20,7 +20,7 @@
 #include "config.h"
 #endif

-#ifndef HAVE_STRLCPY	/* empty file if strlcpy is available */
+#if !defined(HAVE_DECL_STRLCPY) || !HAVE_DECL_STRLCPY
 #include <sys/types.h>
 #include <string.h>

--- a/src/common/compat_strlcpy.h
+++ b/src/common/compat_strlcpy.h
@ -38,9 +38,11 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #include "config.h"
 #endif

-#ifndef HAVE_STRLCPY
+#if !defined(HAVE_DECL_STRLCPY) || !HAVE_DECL_STRLCPY
 #include <stddef.h>
 size_t strlcpy(char *dst, const char *src, size_t siz);
+#else
+#include <string.h>
 #endif

 #endif
--- a/src/common/libpkcs11.c
+++ b/src/common/libpkcs11.c
@ -49,6 +49,7 @@ C_LoadModule(const char *mspec, CK_FUNCTION_LIST_PTR_PTR funcs)
 {
 	sc_pkcs11_module_t *mod;
 	CK_RV rv, (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
+	CK_RV (*c_get_interface)(CK_UTF8CHAR_PTR, CK_VERSION_PTR, CK_INTERFACE_PTR_PTR, CK_FLAGS);
 	mod = calloc(1, sizeof(*mod));
 	if (mod == NULL) {
 		return NULL;
@ -65,6 +66,24 @@ C_LoadModule(const char *mspec, CK_FUNCTION_LIST_PTR_PTR funcs)
 		goto failed;
 	}

+	c_get_interface = (CK_RV (*)(CK_UTF8CHAR_PTR, CK_VERSION_PTR, CK_INTERFACE_PTR_PTR, CK_FLAGS))
+		sc_dlsym(mod->handle, "C_GetInterface");
+	if (c_get_interface) {
+		CK_INTERFACE *interface = NULL;
+
+		/* Get default PKCS #11 interface */
+		rv = c_get_interface((CK_UTF8CHAR_PTR) "PKCS 11", NULL, &interface, 0);
+		if (rv == CKR_OK) {
+			/* this is actually 3.0 function list, but it starts
+			 * with the same fields. Only for new functions, it
+			 * needs to be casted to new structure */
+			*funcs = interface->pFunctionList;
+			return (void *) mod;
+		} else {
+			fprintf(stderr, "C_GetInterface failed %lx, retry 2.x way", rv);
+		}
+	}
+
 	/* Get the list of function pointers */
 	c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
 				sc_dlsym(mod->handle, "C_GetFunctionList");
@ -100,7 +119,6 @@ C_UnloadModule(void *module)
 	if (mod->handle != NULL && sc_dlclose(mod->handle) < 0)
 		return CKR_FUNCTION_FAILED;

-	memset(mod, 0, sizeof(*mod));
 	free(mod);
 	return CKR_OK;
 }
--- a/src/common/simclist.c
+++ b/src/common/simclist.c
@ -28,7 +28,9 @@
 #if !defined(_WIN32)
 #include <arpa/inet.h>  /* for htons() */
 #include <unistd.h>
+#ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>   /* for gettimeofday() */
+#endif
 #include <stdint.h>
 #else
 #include <winsock2.h>
@ -71,8 +73,10 @@

 /* disable asserts */
 #ifndef SIMCLIST_DEBUG
+#ifndef NDEBUG
 #define NDEBUG
 #endif
+#endif

 #include <assert.h>

--- a/src/gcns/.gitignore
+++ b/src/gcns/.gitignore
@ -0,0 +1 @@
+/build/
--- a/src/gcns/CMakeLists.txt
+++ b/src/gcns/CMakeLists.txt
@ -0,0 +1,12 @@
+cmake_minimum_required(VERSION 3.18)
+
+project(gcns VERSION 1.0 DESCRIPTION "Italian healthcare smart card parsing utility")
+
+add_library(gcns SHARED gcns.c gcns.cpp)
+target_include_directories(gcns PUBLIC ../.. .. .)
+install(TARGETS gcns LIBRARY)
+install(FILES gcns.h gcns.hpp DESTINATION include)
+
+add_executable(main main.c ../tools/util.c)
+target_link_libraries(main gcns opensc bsd)
+
--- a/src/gcns/arch/PKGBUILD
+++ b/src/gcns/arch/PKGBUILD
@ -0,0 +1,33 @@
+# Maintainer: Giovan Battista Rolandi <giomba@linux.it>
+
+pkgname=gcns
+pkgver=1.0
+pkgrel=1
+pkgdesc='Tools for Italian healthcare smart card'
+arch=('x86_64')
+url='https://git.golem.linux.it/giomba/opensc'
+license=('LGPL')
+depends=('opensc')
+source=('git+https://git.golem.linux.it/giomba/opensc#branch=golem/tessera-sanitaria')
+sha256sums=('SKIP')
+
+build() {
+    cd opensc
+
+    ./bootstrap
+    ./configure
+    make -j$(nproc)
+    cd src/gcns
+
+    mkdir -p build
+    cd build
+    cmake ..
+    make -j$(nproc)
+
+}
+
+package() {
+    cd opensc/src/gcns/build
+    make DESTDIR=$pkgdir install
+
+}
--- a/src/gcns/gcns.c
+++ b/src/gcns/gcns.c
@ -0,0 +1,91 @@
+/*
+ * gcns.c: A reader of Italian healtcare smartcards with libopensc
+ *
+ * Copyright (C) 2022  Giovan Battista Rolandi <giomba@linux.it>
+ * based on previous work by
+ * Copyright (C) 2001  Juha Yrjölä <juha.yrjola@iki.fi>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include "gcns.h"
+
+#include "libopensc/asn1.h"
+#include "tools/util.h"
+
+static int opt_wait = 0;
+static const char *opt_reader = NULL;
+static sc_context_t *ctx = NULL;
+static sc_card_t *card = NULL;
+sc_context_param_t ctx_param;
+
+int gcns_init() {
+    int r, err = 0;
+    int lcycle = SC_CARDCTRL_LIFECYCLE_ADMIN;
+
+    memset(&ctx_param, 0, sizeof(ctx_param));
+    ctx_param.ver = 0;
+
+    r = sc_context_create(&ctx, &ctx_param);
+    if (r) {
+        fprintf(stderr, "Failed to establish context: %s\n", sc_strerror(r));
+        return GCNS_INIT;
+    }
+
+    ctx->flags |= SC_CTX_FLAG_ENABLE_DEFAULT_DRIVER;
+
+    err = util_connect_card_ex(ctx, &card, opt_reader, opt_wait, 0, 0);
+    if (err) {
+        return GCNS_INIT;
+    }
+
+    r = sc_lock(card);
+    if (r == SC_SUCCESS)
+        r = sc_card_ctl(card, SC_CARDCTL_LIFECYCLE_SET, &lcycle);
+    sc_unlock(card);
+    if (r && r != SC_ERROR_NOT_SUPPORTED) {
+        fprintf(stderr, "unable to change lifecycle: %s\n", sc_strerror(r));
+        return GCNS_INIT;
+    }
+
+    return GCNS_SUCCESS;
+}
+
+int gcns_close() {
+    if (card) {
+        sc_disconnect_card(card);
+    }
+    if (ctx) sc_release_context(ctx);
+    return GCNS_SUCCESS;
+}
+
+int gcns_read_personal_data(u8 *buffer, size_t len) {
+    sc_path_t path;
+    int r;
+
+    sc_format_path("3F0011001102", &path);
+    r = sc_select_file(card, &path, NULL);
+    if (r) {
+        fprintf(stderr, "no select file: 3F0011001102\n");
+        return GCNS_READ_PERSONAL_DATA;
+    }
+    r = sc_read_binary(card, 0, buffer, 0x180, 0);
+    if (r < 0) {
+        fprintf(stderr, "no read binary: %d\n", r);
+        return GCNS_READ_PERSONAL_DATA;
+    }
+
+    return r;
+}
--- a/src/gcns/gcns.cpp
+++ b/src/gcns/gcns.cpp
@ -0,0 +1,71 @@
+#include "gcns.hpp"
+
+#include <vector>
+
+using namespace gcns;
+
+PersonalData::PersonalData(const uint8_t* buffer, size_t len) {
+    std::vector<std::string> field;
+
+    // TODO check length at the beginning?
+    for (int i = 12; i < len;) {
+        if (buffer[i] == '\0') break;
+
+        std::string hexstring((const char*)&buffer[i], 2);
+        int len = std::stoi(hexstring, nullptr, 16);
+        i += 2;
+        std::string fieldData((const char*)&buffer[i], len);
+        i += len;
+
+        field.push_back(fieldData);
+    }
+
+    for (int i = 0; i < (int)field.size(); ++i) {
+        switch (i) {
+            case 0:
+                this->issue_date.year =
+                    std::stoi(field[i].substr(4, 4), nullptr);
+                this->issue_date.month =
+                    std::stoi(field[i].substr(2, 2), nullptr);
+                this->issue_date.day =
+                    std::stoi(field[i].substr(0, 2), nullptr);
+                break;
+            case 1:
+                this->expiration_date.year =
+                    std::stoi(field[i].substr(4, 4), nullptr);
+                this->expiration_date.month =
+                    std::stoi(field[i].substr(2, 2), nullptr);
+                this->expiration_date.day =
+                    std::stoi(field[i].substr(0, 2), nullptr);
+                break;
+            case 2:
+                this->family_name = field[i];
+                break;
+            case 3:
+                this->first_name = field[i];
+                break;
+            case 4:
+                this->birth_date.year =
+                    std::stoi(field[i].substr(4, 4), nullptr);
+                this->birth_date.month =
+                    std::stoi(field[i].substr(2, 2), nullptr);
+                this->birth_date.day =
+                    std::stoi(field[i].substr(0, 2), nullptr);
+                break;
+            case 5:
+                this->gender = field[i] == "F" ? GENDER_FEMALE : GENDER_MALE;
+                break;
+            case 7:
+                this->fiscal_code = field[i];
+                break;
+            case 9:
+                this->birth_place = field[i];
+                break;
+            case 12:
+                this->residence_place = field[i];
+                break;
+            default:
+                break;
+        }
+    }
+}
--- a/src/gcns/gcns.h
+++ b/src/gcns/gcns.h
@ -0,0 +1,13 @@
+#ifndef GCNS_H
+#define GCNS_H
+
+#define GCNS_SUCCESS 0
+#define GCNS_INIT -1001
+#define GCNS_READ_PERSONAL_DATA -1002
+#define GCNS_CLOSE -1003
+
+int gcns_init();
+int gcns_read_personal_data(u8 *buffer, size_t len);
+int gcns_close();
+
+#endif
--- a/src/gcns/gcns.hpp
+++ b/src/gcns/gcns.hpp
@ -0,0 +1,34 @@
+#ifndef GCNS_CPP
+#define GCNS_CPP
+
+#include <string>
+
+namespace gcns {
+
+enum Gender { GENDER_MALE, GENDER_FEMALE };
+
+struct Date {
+    uint16_t year;
+    uint8_t month;
+    uint8_t day;
+};
+
+class PersonalData {
+   private:
+    std::string first_name;
+    std::string family_name;
+    std::string fiscal_code;
+    std::string birth_place;
+    Date birth_date;
+    std::string residence_place;
+    Gender gender;
+    Date issue_date;
+    Date expiration_date;
+
+   public:
+    PersonalData(const uint8_t* personal_data, size_t len);
+};
+
+}  // namespace gcns
+
+#endif
--- a/src/gcns/main.c
+++ b/src/gcns/main.c
@ -0,0 +1,56 @@
+#include <ctype.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "config.h"
+#ifdef ENABLE_READLINE
+#include <readline/history.h>
+#include <readline/readline.h>
+#endif
+#if !defined(_WIN32)
+#include <arpa/inet.h> /* for htons() */
+#endif
+
+#include <getopt.h>
+
+#include "common/compat_strlcpy.h"
+#include "gcns.h"
+#include "libopensc/asn1.h"
+#include "libopensc/cardctl.h"
+#include "libopensc/cards.h"
+#include "libopensc/internal.h"
+#include "libopensc/iso7816.h"
+#include "libopensc/log.h"
+#include "libopensc/opensc.h"
+#include "tools/util.h"
+
+int main(int argc, char *argv[]) {
+    int r;
+
+    printf("OpenSC version: %s\n", sc_get_version());
+
+    r = gcns_init();
+    if (r != GCNS_SUCCESS) {
+        fprintf(stderr, "Init Error\n");
+        return GCNS_INIT;
+    }
+
+    u8 buffer[2048];
+    r = gcns_read_personal_data(buffer, 2048);
+
+    if (r < 0) {
+        fprintf(stderr, "Read personal data error\n");
+        return GCNS_READ_PERSONAL_DATA;
+    }
+
+    util_hex_dump_asc(stdout, buffer, r, 0);
+
+    r = gcns_close();
+    if (r != GCNS_SUCCESS) {
+        return GCNS_CLOSE;
+    }
+
+    return GCNS_SUCCESS;
+}
--- a/src/libopensc/Makefile.am
+++ b/src/libopensc/Makefile.am
@ -12,7 +12,8 @@ noinst_HEADERS = cards.h ctbcs.h internal.h muscle.h muscle-filesystem.h \
 	errors.h types.h compression.h itacns.h iso7816.h \
 	authentic.h iasecc.h iasecc-sdo.h sm.h card-sc-hsm.h \
 	pace.h cwa14890.h cwa-dnie.h card-gids.h aux-data.h \
-	jpki.h sc-ossl-compat.h card-npa.h ccid-types.h reader-tr03119.h \
+	jpki.h sc-ossl-compat.h card-npa.h card-openpgp.h \
+	ccid-types.h reader-tr03119.h \
 	card-cac-common.h

 AM_CPPFLAGS = -D'OPENSC_CONF_PATH="$(sysconfdir)/opensc.conf"' \
@ -48,14 +49,15 @@ libopensc_la_SOURCES_BASE = \
 	card-iasecc.c iasecc-sdo.c iasecc-sm.c card-sc-hsm.c \
 	card-dnie.c cwa14890.c cwa-dnie.c \
 	card-isoApplet.c card-masktech.c card-gids.c card-jpki.c \
-	card-npa.c card-esteid2018.c \
+	card-npa.c card-esteid2018.c card-idprime.c \
+	card-edo.c \
 	\
-	pkcs15-openpgp.c pkcs15-starcert.c \
+	pkcs15-openpgp.c pkcs15-starcert.c pkcs15-cardos.c \
 	pkcs15-tcos.c pkcs15-esteid.c pkcs15-gemsafeGPK.c \
 	pkcs15-actalis.c pkcs15-atrust-acos.c pkcs15-tccardos.c pkcs15-piv.c \
 	pkcs15-cac.c pkcs15-esinit.c pkcs15-westcos.c pkcs15-pteid.c \
 	pkcs15-oberthur.c pkcs15-itacns.c pkcs15-gemsafeV1.c pkcs15-sc-hsm.c \
-	pkcs15-coolkey.c pkcs15-din-66291.c \
+	pkcs15-coolkey.c pkcs15-din-66291.c pkcs15-idprime.c \
 	pkcs15-dnie.c pkcs15-gids.c pkcs15-iasecc.c pkcs15-jpki.c pkcs15-esteid2018.c \
 	compression.c p15card-helper.c sm.c \
 	aux-data.c
@ -64,10 +66,9 @@ if ENABLE_CRYPTOTOKENKIT
 # most platforms don't support objective C the way we needed.
 # Only include it if needed
 libopensc_la_SOURCES_BASE += reader-cryptotokenkit.m
-else
+endif
 libopensc_la_LIBTOOLFLAGS = --tag CC
 libopensc_static_la_LIBTOOLFLAGS = --tag CC
-endif

 libopensc_la_SOURCES = $(libopensc_la_SOURCES_BASE) \
 	libopensc.exports
@ -131,18 +132,19 @@ TIDY_FILES = \
 	card-iasecc.c iasecc-sdo.c iasecc-sm.c card-sc-hsm.c \
 	cwa14890.c cwa-dnie.c \
 	card-isoApplet.c card-masktech.c card-jpki.c \
-	card-npa.c card-esteid2018.c \
+	card-npa.c card-esteid2018.c card-idprime.c \
+	card-edo.c \
 	\
-	pkcs15-openpgp.c \
+	pkcs15-openpgp.c pkcs15-cardos.c \
 	pkcs15-tcos.c pkcs15-esteid.c \
 	pkcs15-actalis.c pkcs15-atrust-acos.c pkcs15-tccardos.c \
 	pkcs15-cac.c pkcs15-esinit.c pkcs15-westcos.c pkcs15-pteid.c \
 	pkcs15-oberthur.c pkcs15-itacns.c pkcs15-sc-hsm.c \
-	pkcs15-coolkey.c pkcs15-din-66291.c \
+	pkcs15-coolkey.c pkcs15-din-66291.c pkcs15-idprime.c \
 	pkcs15-dnie.c pkcs15-gids.c pkcs15-iasecc.c pkcs15-jpki.c pkcs15-esteid2018.c \
 	compression.c p15card-helper.c sm.c \
 	aux-data.c \
 	#$(SOURCES)

 check-local:
-	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' -header-filter=.* $(TIDY_FILES) -- $(TIDY_FLAGS); fi
+	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' --checks='$(TIDY_CHECKS)' -header-filter=.* $(addprefix $(srcdir)/,$(TIDY_FILES)) -- $(TIDY_FLAGS); fi
--- a/src/libopensc/Makefile.mak
+++ b/src/libopensc/Makefile.mak
@ -27,15 +27,16 @@ OBJECTS			= \
 	card-iasecc.obj iasecc-sdo.obj iasecc-sm.obj cwa-dnie.obj cwa14890.obj \
 	card-sc-hsm.obj card-dnie.obj card-isoApplet.obj pkcs15-coolkey.obj \
 	card-masktech.obj card-gids.obj card-jpki.obj \
-	card-npa.obj card-esteid2018.obj \
+	card-npa.obj card-esteid2018.obj card-idprime.obj \
+	card-edo.obj \
 	\
-	pkcs15-openpgp.obj pkcs15-starcert.obj \
+	pkcs15-openpgp.obj pkcs15-starcert.obj pkcs15-cardos.obj \
 	pkcs15-tcos.obj pkcs15-esteid.obj pkcs15-gemsafeGPK.obj \
 	pkcs15-actalis.obj pkcs15-atrust-acos.obj pkcs15-tccardos.obj pkcs15-piv.obj \
 	pkcs15-cac.obj pkcs15-esinit.obj pkcs15-westcos.obj pkcs15-pteid.obj pkcs15-din-66291.obj \
 	pkcs15-oberthur.obj pkcs15-itacns.obj pkcs15-gemsafeV1.obj pkcs15-sc-hsm.obj \
 	pkcs15-dnie.obj pkcs15-gids.obj pkcs15-iasecc.obj pkcs15-jpki.obj \
-	pkcs15-esteid2018.obj \
+	pkcs15-esteid2018.obj pkcs15-idprime.obj \
 	compression.obj p15card-helper.obj sm.obj \
 	aux-data.obj \
 	$(TOPDIR)\win32\versioninfo.res
--- a/src/libopensc/apdu.c
+++ b/src/libopensc/apdu.c
@ -77,7 +77,7 @@ size_t sc_apdu_get_length(const sc_apdu_t *apdu, unsigned int proto)
 *  @param  apdu    APDU to be encoded as an octet string
 *  @param  proto   protocol version to be used
 *  @param  out     output buffer of size outlen.
- *  @param  outlen  size of hte output buffer
+ *  @param  outlen  size of the output buffer
 *  @return SC_SUCCESS on success and an error code otherwise
 */
 int sc_apdu2bytes(sc_context_t *ctx, const sc_apdu_t *apdu,
@ -401,11 +401,13 @@ sc_set_le_and_transmit(struct sc_card *card, struct sc_apdu *apdu, size_t olen)
 	/* set the new expected length */
 	apdu->resplen = olen;
 	apdu->le      = nlen;
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 	/* Belpic V1 applets have a problem: if the card sends a 6C XX (only XX bytes available), 
 	 * and we resend the command too soon (i.e. the reader is too fast), the card doesn't respond. 
 	 * So we build in a delay. */
 	if (card->type == SC_CARD_TYPE_BELPIC_EID)
 		msleep(40);
+#endif

 	/* re-transmit the APDU with new Le length */
 	rv = sc_single_transmit(card, apdu);
--- a/src/libopensc/asn1.c
+++ b/src/libopensc/asn1.c
@ -253,10 +253,15 @@ static void sc_asn1_print_bit_string(const u8 * buf, size_t buflen, size_t depth
 	if (buflen > sizeof(a) + 1) {
 		print_hex(buf, buflen, depth);
 	} else {
-		r = sc_asn1_decode_bit_string(buf, buflen, &a, sizeof(a));
+		r = sc_asn1_decode_bit_string(buf, buflen, &a, sizeof(a), 1);
 		if (r < 0) {
-			printf("decode error");
-			return;
+			printf("decode error, ");
+			/* try again without the strict mode */
+			r = sc_asn1_decode_bit_string(buf, buflen, &a, sizeof(a), 0);
+			if (r < 0) {
+				printf("even for lax decoding");
+				return ;
+			}
 		}
 		for (i = r - 1; i >= 0; i--) {
 			printf("%c", ((a >> i) & 1) ? '1' : '0');
@ -374,7 +379,7 @@ static void print_tags_recursive(const u8 * buf0, const u8 * buf,
 		size_t len;

 		r = sc_asn1_read_tag(&tagp, bytesleft, &cla, &tag, &len);
-		if (r != SC_SUCCESS || tagp == NULL) {
+		if (r != SC_SUCCESS || (tagp == NULL && tag != SC_ASN1_TAG_EOC)) {
 			printf("Error in decoding.\n");
 			return;
 		}
@ -567,7 +572,7 @@ const u8 *sc_asn1_verify_tag(sc_context_t *ctx, const u8 * buf, size_t buflen,
 }

 static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
-			     size_t outlen, int invert)
+			     size_t outlen, int invert, const int strict)
 {
 	const u8 *in = inbuf;
 	u8 *out = (u8 *) outbuf;
@ -577,6 +582,19 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,

 	if (inlen < 1)
 		return SC_ERROR_INVALID_ASN1_OBJECT;
+
+	/* The formatting is only enforced by SHALL keyword so we should accept
+	 * by default also non-strict values. */
+	if (strict) {
+		/* 8.6.2.3 If the bitstring is empty, there shall be no
+		 * subsequent octets,and the initial octet shall be zero. */
+		if (inlen == 1 && *in != 0)
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+		/* ITU-T Rec. X.690 8.6.2.2: The number shall be in the range zero to seven. */
+		if ((*in & ~0x07) != 0)
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+	}
+
 	memset(outbuf, 0, outlen);
 	zero_bits = *in & 0x07;
 	in++;
@ -591,9 +609,13 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
 		int bits_to_go;

 		*out = 0;
-		if (octets_left == 1)
+		if (octets_left == 1 && zero_bits > 0) {
 			bits_to_go = 8 - zero_bits;
-		else
+			/* Verify the padding is zero bits */
+			if (*in & (1 << (zero_bits-1))) {
+				return SC_ERROR_INVALID_ASN1_OBJECT;
+			}
+		} else
 			bits_to_go = 8;
 		if (invert)
 			for (i = 0; i < bits_to_go; i++) {
@ -611,15 +633,15 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
 }

 int sc_asn1_decode_bit_string(const u8 * inbuf, size_t inlen,
-			      void *outbuf, size_t outlen)
+			      void *outbuf, size_t outlen, const int strict)
 {
-	return decode_bit_string(inbuf, inlen, outbuf, outlen, 1);
+	return decode_bit_string(inbuf, inlen, outbuf, outlen, 1, strict);
 }

 int sc_asn1_decode_bit_string_ni(const u8 * inbuf, size_t inlen,
-				 void *outbuf, size_t outlen)
+				 void *outbuf, size_t outlen, const int strict)
 {
-	return decode_bit_string(inbuf, inlen, outbuf, outlen, 0);
+	return decode_bit_string(inbuf, inlen, outbuf, outlen, 0, strict);
 }

 static int encode_bit_string(const u8 * inbuf, size_t bits_left, u8 **outbuf,
@ -664,7 +686,7 @@ static int encode_bit_string(const u8 * inbuf, size_t bits_left, u8 **outbuf,
 * Bitfields are just bit strings, stored in an unsigned int
 * (taking endianness into account)
 */
-static int decode_bit_field(const u8 * inbuf, size_t inlen, void *outbuf, size_t outlen)
+static int decode_bit_field(const u8 * inbuf, size_t inlen, void *outbuf, size_t outlen, const int strict)
 {
 	u8		data[sizeof(unsigned int)];
 	unsigned int	field = 0;
@ -673,7 +695,7 @@ static int decode_bit_field(const u8 * inbuf, size_t inlen, void *outbuf, size_t
 	if (outlen != sizeof(data))
 		return SC_ERROR_BUFFER_TOO_SMALL;

-	n = decode_bit_string(inbuf, inlen, data, sizeof(data), 1);
+	n = decode_bit_string(inbuf, inlen, data, sizeof(data), 1, strict);
 	if (n < 0)
 		return n;

@ -706,17 +728,28 @@ static int encode_bit_field(const u8 *inbuf, size_t inlen,
 	return encode_bit_string(data, bits, outbuf, outlen, 1);
 }

-int sc_asn1_decode_integer(const u8 * inbuf, size_t inlen, int *out)
+int sc_asn1_decode_integer(const u8 * inbuf, size_t inlen, int *out, int strict)
 {
 	int    a = 0, is_negative = 0;
 	size_t i = 0;

-	if (inlen > sizeof(int) || inlen == 0)
+	if (inlen == 0) {
 		return SC_ERROR_INVALID_ASN1_OBJECT;
+	}
+	if (inlen > sizeof(int)) {
+		return SC_ERROR_NOT_SUPPORTED;
+	}
 	if (inbuf[0] & 0x80) {
+		if (strict && inlen > 1 && inbuf[0] == 0xff && (inbuf[1] & 0x80)) {
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+		}
 		is_negative = 1;
 		a |= 0xff^(*inbuf++);
 		i = 1;
+	} else {
+		if (strict && inlen > 1 && inbuf[0] == 0x00 && (inbuf[1] & 0x80) == 0) {
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+		}
 	}
 	for (; i < inlen; i++) {
 		if (a > (INT_MAX >> 8) || a < (INT_MIN + (1<<8))) {
@ -797,7 +830,8 @@ static int asn1_encode_integer(int in, u8 ** obj, size_t * objsize)
 int
 sc_asn1_decode_object_id(const u8 *inbuf, size_t inlen, struct sc_object_id *id)
 {
-	int a;
+	int large_second_octet = 0;
+	unsigned int a = 0;
 	const u8 *p = inbuf;
 	int *octet;

@ -807,18 +841,36 @@ sc_asn1_decode_object_id(const u8 *inbuf, size_t inlen, struct sc_object_id *id)
 	sc_init_oid(id);
 	octet = id->value;

-	a = *p;
-	*octet++ = a / 40;
-	*octet++ = a % 40;
-	inlen--;
+	/* The first octet can be 0, 1 or 2 and is derived from the first byte */
+	a = MIN(*p / 40, 2);
+	*octet++ = a;
+
+	/* The second octet fits here if the previous was 0 or 1 and second one is smaller than 40.
+	 * for the value 2 we can go up to 47. Otherwise the first bit needs to be set
+	 * and we continue reading further */
+	if ((*p & 0x80) == 0) {
+		*octet++ = *p - (a * 40);
+		inlen--;
+	} else {
+		large_second_octet = 1;
+	}

 	while (inlen) {
-		p++;
+		if (!large_second_octet)
+			p++;
+		/* This signalizes empty most significant bits, which means
+		 * the unsigned integer encoding is not minimal */
+		if (*p == 0x80) {
+			sc_init_oid(id);
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+		}
+		/* Use unsigned type here so we can process the whole INT range.
+		 * Values can not be negative */
 		a = *p & 0x7F;
 		inlen--;
 		while (inlen && *p & 0x80) {
 			/* Limit the OID values to int size and do not overflow */
-			if (a > (INT_MAX>>7)) {
+			if (a > (UINT_MAX>>7)) {
 				sc_init_oid(id);
 				return SC_ERROR_NOT_SUPPORTED;
 			}
@ -827,12 +879,26 @@ sc_asn1_decode_object_id(const u8 *inbuf, size_t inlen, struct sc_object_id *id)
 			a |= *p & 0x7F;
 			inlen--;
 		}
+		if (*p & 0x80) {
+			/* We dropped out from previous cycle on the end of
+			 * data while still expecting continuation of value */
+			sc_init_oid(id);
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+		}
+		if (large_second_octet) {
+			a -= (2 * 40);
+		}
+		if (a > INT_MAX) {
+			sc_init_oid(id);
+			return SC_ERROR_NOT_SUPPORTED;
+		}
 		*octet++ = a;
 		if (octet - id->value >= SC_MAX_OBJECT_ID_OCTETS)   {
 			sc_init_oid(id);
 			return SC_ERROR_INVALID_ASN1_OBJECT;
 		}
-	};
+		large_second_octet = 0;
+	}

 	return 0;
 }
@ -864,10 +930,13 @@ sc_asn1_encode_object_id(u8 **buf, size_t *buflen, const struct sc_object_id *id
 			*p = k * 40;
 			break;
 		case 1:
-			if (k > 39)
+			if (k > 39 && id->value[0] < 2) {
 				return SC_ERROR_INVALID_ARGUMENTS;
-			*p++ += k;
-			break;
+			}
+			/* We can encode larger IDs to multiple bytes
+			 * similarly as the following IDs */
+			k += *p;
+			/* fall through */
 		default:
 			shift = 28;
 			while (shift && (k >> shift) == 0)
@ -903,6 +972,9 @@ static int sc_asn1_decode_utf8string(const u8 *inbuf, size_t inlen,
 	return 0;
 }

+/*
+ * This assumes the tag is already encoded
+ */
 int sc_asn1_put_tag(unsigned int tag, const u8 * data, size_t datalen, u8 * out, size_t outlen, u8 **ptr)
 {
 	size_t c = 0;
@ -1174,9 +1246,12 @@ static int asn1_decode_se_info(sc_context_t *ctx, const u8 *obj, size_t objlen,
 	size_t idx, ptrlen = objlen;
 	int ret;

+	LOG_FUNC_CALLED(ctx);
+
 	ses = calloc(SC_MAX_SE_NUM, sizeof(sc_pkcs15_sec_env_info_t *));
-	if (ses == NULL)
-		return SC_ERROR_OUT_OF_MEMORY;
+	if (ses == NULL) {
+		SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_ASN1, SC_ERROR_OUT_OF_MEMORY);
+	}

 	for (idx=0; idx < SC_MAX_SE_NUM && ptrlen; )   {
 		struct sc_asn1_entry asn1_se[2];
@ -1220,7 +1295,7 @@ err:
 		free(ses);
 	}

-	return ret;
+	SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_ASN1, ret);
 }


@ -1448,7 +1523,7 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
 	case SC_ASN1_INTEGER:
 	case SC_ASN1_ENUMERATED:
 		if (parm != NULL) {
-			r = sc_asn1_decode_integer(obj, objlen, (int *) entry->parm);
+			r = sc_asn1_decode_integer(obj, objlen, (int *) entry->parm, 0);
 			sc_debug(ctx, SC_LOG_DEBUG_ASN1, "%*.*sdecoding '%s' returned %d\n", depth, depth, "",
 					entry->name, *((int *) entry->parm));
 		}
@ -1474,7 +1549,7 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
 				*len = objlen-1;
 				parm = *buf;
 			}
-			r = decode_bit_string(obj, objlen, (u8 *) parm, *len, invert);
+			r = decode_bit_string(obj, objlen, (u8 *) parm, *len, invert, 0);
 			if (r >= 0) {
 				*len = r;
 				r = 0;
@ -1483,7 +1558,7 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
 		break;
 	case SC_ASN1_BIT_FIELD:
 		if (parm != NULL)
-			r = decode_bit_field(obj, objlen, (u8 *) parm, *len);
+			r = decode_bit_field(obj, objlen, (u8 *) parm, *len, 0);
 		break;
 	case SC_ASN1_OCTET_STRING:
 		if (parm != NULL) {
@ -1927,6 +2002,10 @@ static int asn1_encode(sc_context_t *ctx, const struct sc_asn1_entry *asn1,
 	u8 *obj = NULL, *buf = NULL, *tmp;
 	size_t total = 0, objsize;

+	if (asn1 == NULL) {
+		return SC_ERROR_INVALID_ARGUMENTS;
+	}
+
 	for (idx = 0; asn1[idx].name != NULL; idx++) {
 		r = asn1_encode_entry(ctx, &asn1[idx], &obj, &objsize, depth);
 		if (r) {
@ -2096,8 +2175,10 @@ sc_asn1_sig_value_sequence_to_rs(struct sc_context *ctx, const unsigned char *in
 	}

 	memset(buf, 0, buflen);
-	memcpy(buf + (halflen - r_len), r, r_len);
-	memcpy(buf + (buflen - s_len), s, s_len);
+	if (r_len > 0)
+		memcpy(buf + (halflen - r_len), r, r_len);
+	if (s_len > 0)
+		memcpy(buf + (buflen - s_len), s, s_len);

 	sc_log(ctx, "r(%"SC_FORMAT_LEN_SIZE_T"u): %s", halflen,
 	       sc_dump_hex(buf, halflen));
--- a/src/libopensc/asn1.h
+++ b/src/libopensc/asn1.h
@ -96,11 +96,11 @@ void sc_asn1_print_tags(const u8 * buf, size_t buflen);
 int sc_asn1_utf8string_to_ascii(const u8 * buf, size_t buflen,
 				u8 * outbuf, size_t outlen);
 int sc_asn1_decode_bit_string(const u8 * inbuf, size_t inlen,
-			      void *outbuf, size_t outlen);
+			      void *outbuf, size_t outlen, const int strict);
 /* non-inverting version */
 int sc_asn1_decode_bit_string_ni(const u8 * inbuf, size_t inlen,
-				 void *outbuf, size_t outlen);
-int sc_asn1_decode_integer(const u8 * inbuf, size_t inlen, int *out);
+				 void *outbuf, size_t outlen, const int strict);
+int sc_asn1_decode_integer(const u8 * inbuf, size_t inlen, int *out, int strict);
 int sc_asn1_decode_object_id(const u8 * inbuf, size_t inlen,
 			     struct sc_object_id *id);
 int sc_asn1_encode_object_id(u8 **buf, size_t *buflen,
@ -127,13 +127,16 @@ int sc_asn1_sig_value_sequence_to_rs(struct sc_context *ctx,
 		const unsigned char *in, size_t inlen,
                unsigned char *buf, size_t buflen);

-#define SC_ASN1_CLASS_MASK		0x30000000
+/* long form tags use these */
+/* Same as  SC_ASN1_TAG_* shifted left by 24 bits  */
+#define SC_ASN1_CLASS_MASK		0xC0000000
 #define SC_ASN1_UNI			0x00000000 /* Universal */
-#define SC_ASN1_APP			0x10000000 /* Application */
-#define SC_ASN1_CTX			0x20000000 /* Context */
-#define SC_ASN1_PRV			0x30000000 /* Private */
-#define SC_ASN1_CONS			0x01000000
+#define SC_ASN1_APP			0x40000000 /* Application */
+#define SC_ASN1_CTX			0x80000000 /* Context */
+#define SC_ASN1_PRV			0xC0000000 /* Private */
+#define SC_ASN1_CONS			0x20000000

+#define SC_ASN1_CLASS_CONS		0xE0000000 /* CLASS and CONS */
 #define SC_ASN1_TAG_MASK		0x00FFFFFF
 #define SC_ASN1_TAGNUM_SIZE		3

@ -173,6 +176,7 @@ int sc_asn1_sig_value_sequence_to_rs(struct sc_context *ctx,
 /* use callback function */
 #define SC_ASN1_CALLBACK		384

+/* use with short one byte tags */
 #define SC_ASN1_TAG_CLASS		0xC0
 #define SC_ASN1_TAG_UNIVERSAL		0x00
 #define SC_ASN1_TAG_APPLICATION		0x40
@ -181,6 +185,7 @@ int sc_asn1_sig_value_sequence_to_rs(struct sc_context *ctx,

 #define SC_ASN1_TAG_CONSTRUCTED		0x20
 #define SC_ASN1_TAG_PRIMITIVE		0x1F
+#define SC_ASN1_TAG_CLASS_CONS		0xE0

 #define SC_ASN1_TAG_EOC			0
 #define SC_ASN1_TAG_BOOLEAN		1
--- a/src/libopensc/card-asepcos.c
+++ b/src/libopensc/card-asepcos.c
@ -167,7 +167,7 @@ static int asepcos_parse_sec_attr(sc_card_t *card, sc_file_t *file, const u8 *bu
 {
 	const u8 *p = buf;

-	while (len != 0) {
+	while (len > 0) {
 		unsigned int amode, tlen = 3;
 		if (len < 5 || p[0] != 0x80 || p[1] != 0x01) {
 			sc_log(card->ctx,  "invalid access mode encoding");
@ -184,13 +184,21 @@ static int asepcos_parse_sec_attr(sc_card_t *card, sc_file_t *file, const u8 *bu
 			if (r != SC_SUCCESS) 
 				return r;
 			tlen += 2;
-		} else if (p[3] == 0xA0 && len >= 4U + p[4]) {
+		} else if (p[3] == 0xA0 && len >= 5U + p[4]) {
+			if (len < 6) {
+				sc_log(card->ctx,  "invalid access mode encoding");
+				return SC_ERROR_INTERNAL;
+			}
 			/* TODO: support OR expressions */
 			int r = set_sec_attr(file, amode, p[5], SC_AC_CHV);
 			if (r != SC_SUCCESS)
 				return r;
 			tlen += 2 + p[4]; /* FIXME */
-		} else if (p[3] == 0xAF && len >= 4U + p[4]) {
+		} else if (p[3] == 0xAF && len >= 5U + p[4]) {
+			if (len < 6) {
+				sc_log(card->ctx,  "invalid access mode encoding");
+				return SC_ERROR_INTERNAL;
+			}
 			/* TODO: support AND expressions */
 			int r = set_sec_attr(file, amode, p[5], SC_AC_CHV);
 			if (r != SC_SUCCESS)
--- a/src/libopensc/card-atrust-acos.c
+++ b/src/libopensc/card-atrust-acos.c
@ -123,7 +123,7 @@ static int atrust_acos_init(struct sc_card *card)
 		| SC_ALGORITHM_RSA_HASH_RIPEMD160
 		| SC_ALGORITHM_RSA_HASH_MD5_SHA1;

-	if (!strcmp(card->name, ACOS_EMV_A05))
+	if (card->name != NULL && !strcmp(card->name, ACOS_EMV_A05))
 		flags |= SC_ALGORITHM_RSA_HASH_SHA256;

 	_sc_card_add_rsa_alg(card, 1536, flags, 0x10001);
--- a/src/libopensc/card-authentic.c
+++ b/src/libopensc/card-authentic.c
@ -93,7 +93,7 @@ unsigned char aid_AuthentIC_3_2[] = {
 static int authentic_select_file(struct sc_card *card, const struct sc_path *path, struct sc_file **file_out);
 static int authentic_process_fci(struct sc_card *card, struct sc_file *file, const unsigned char *buf, size_t buflen);
 static int authentic_get_serialnr(struct sc_card *card, struct sc_serial_number *serial);
-static int authentic_pin_get_policy (struct sc_card *card, struct sc_pin_cmd_data *data);
+static int authentic_pin_get_policy (struct sc_card *card, struct sc_pin_cmd_data *data, struct sc_acl_entry *acls);
 static int authentic_pin_is_verified(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd, int *tries_left);
 static int authentic_select_mf(struct sc_card *card, struct sc_file **file_out);
 static int authentic_card_ctl(struct sc_card *card, unsigned long cmd, void *ptr);
@ -275,7 +275,7 @@ authentic_decode_pubkey_rsa(struct sc_context *ctx, unsigned char *blob, size_t

 static int
 authentic_parse_credential_data(struct sc_context *ctx, struct sc_pin_cmd_data *pin_cmd,
-		unsigned char *blob, size_t blob_len)
+		struct sc_acl_entry *acls, unsigned char *blob, size_t blob_len)
 {
 	unsigned char *data;
 	size_t data_len;
@ -298,31 +298,34 @@ authentic_parse_credential_data(struct sc_context *ctx, struct sc_pin_cmd_data *
 	else
 		LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "unsupported Credential type");

-	rv = authentic_get_tagged_data(ctx, blob, blob_len, AUTHENTIC_TAG_DOCP_ACLS, &data, &data_len);
-	LOG_TEST_RET(ctx, rv, "failed to get ACLs");
-	sc_log(ctx, "data_len:%"SC_FORMAT_LEN_SIZE_T"u", data_len);
-	if (data_len == 10)   {
-		for (ii=0; ii<5; ii++)   {
-			unsigned char acl = *(data + ii*2);
-			unsigned char cred_id = *(data + ii*2 + 1);
-			unsigned sc = acl * 0x100 + cred_id;
+	/* Parse optional ACLs when requested */
+	if (acls) {
+		rv = authentic_get_tagged_data(ctx, blob, blob_len, AUTHENTIC_TAG_DOCP_ACLS, &data, &data_len);
+		LOG_TEST_RET(ctx, rv, "failed to get ACLs");
+		sc_log(ctx, "data_len:%"SC_FORMAT_LEN_SIZE_T"u", data_len);
+		if (data_len == 10)   {
+			for (ii=0; ii<5; ii++)   {
+				unsigned char acl = *(data + ii*2);
+				unsigned char cred_id = *(data + ii*2 + 1);
+				unsigned sc = acl * 0x100 + cred_id;

-			sc_log(ctx, "%i: SC:%X", ii, sc);
-			if (!sc)
-				continue;
+				sc_log(ctx, "%i: SC:%X", ii, sc);
+				if (!sc)
+					continue;

-			if (acl & AUTHENTIC_AC_SM_MASK)   {
-				pin_cmd->pin1.acls[ii].method = SC_AC_SCB;
-				pin_cmd->pin1.acls[ii].key_ref = sc;
-			}
-			else if (acl!=0xFF && cred_id)   {
-				sc_log(ctx, "%i: ACL(method:SC_AC_CHV,id:%i)", ii, cred_id);
-				pin_cmd->pin1.acls[ii].method = SC_AC_CHV;
-				pin_cmd->pin1.acls[ii].key_ref = cred_id;
-			}
-			else   {
-				pin_cmd->pin1.acls[ii].method = SC_AC_NEVER;
-				pin_cmd->pin1.acls[ii].key_ref = 0;
+				if (acl & AUTHENTIC_AC_SM_MASK)   {
+					acls[ii].method = SC_AC_SCB;
+					acls[ii].key_ref = sc;
+				}
+				else if (acl!=0xFF && cred_id)   {
+					sc_log(ctx, "%i: ACL(method:SC_AC_CHV,id:%i)", ii, cred_id);
+					acls[ii].method = SC_AC_CHV;
+					acls[ii].key_ref = cred_id;
+				}
+				else   {
+					acls[ii].method = SC_AC_NEVER;
+					acls[ii].key_ref = 0;
+				}
 			}
 		}
 	}
@ -491,6 +494,11 @@ authentic_init(struct sc_card *card)
 	if (rv != SC_SUCCESS)
 		rv = SC_ERROR_INVALID_CARD;

+	/* Free private data on error */
+	if (rv != SC_SUCCESS) {
+		free(card->drv_data);
+		card->drv_data = NULL;
+	}
 	LOG_FUNC_RETURN(ctx, rv);
 }

@ -515,9 +523,8 @@ authentic_erase_binary(struct sc_card *card, unsigned int offs, size_t count, un

 	rv = sc_update_binary(card, offs, buf_zero, count, flags);
 	free(buf_zero);
-	LOG_TEST_RET(ctx, rv, "'ERASE BINARY' failed");

-	LOG_FUNC_RETURN(ctx, SC_SUCCESS);
+	LOG_FUNC_RETURN(ctx, rv);
 }


@ -541,7 +548,10 @@ authentic_set_current_files(struct sc_card *card, struct sc_path *path,
 				file->path = *path;

 			rv = authentic_process_fci(card, file, resp, resplen);
-			LOG_TEST_RET(ctx, rv, "cannot set 'current file': FCI process error");
+			if (rv != SC_SUCCESS) {
+				sc_file_free(file);
+				LOG_TEST_RET(ctx, rv, "cannot set 'current file': FCI process error");
+			}

 			break;
 		default:
@ -561,9 +571,11 @@ authentic_set_current_files(struct sc_card *card, struct sc_path *path,

 			if (cur_df_path.len)   {
 				if (cur_df_path.len + card->cache.current_df->path.len > sizeof card->cache.current_df->path.value
-						|| cur_df_path.len > sizeof card->cache.current_df->path.value)
+						|| cur_df_path.len > sizeof card->cache.current_df->path.value) {
+					sc_file_free(file);
 					LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
-				memcpy(card->cache.current_df->path.value + cur_df_path.len,
+				}
+				memmove(card->cache.current_df->path.value + cur_df_path.len,
 						card->cache.current_df->path.value,
 						card->cache.current_df->path.len);
 				memcpy(card->cache.current_df->path.value, cur_df_path.value, cur_df_path.len);
@ -660,12 +672,12 @@ authentic_reduce_path(struct sc_card *card, struct sc_path *path)
 	cur_path = card->cache.current_df->path;

 	if (!memcmp(cur_path.value, "\x3F\x00", 2) && memcmp(in_path.value, "\x3F\x00", 2))   {
-		memmove(in_path.value + 2, in_path.value, in_path.len);
+		memmove(in_path.value + 2, in_path.value, (in_path.len - 2));
 		memcpy(in_path.value, "\x3F\x00", 2);
 		in_path.len += 2;
 	}

-	for (offs=0; offs < in_path.len && offs < cur_path.len; offs += 2)   {
+	for (offs = 0; (offs + 1) < in_path.len && (offs + 1) < cur_path.len; offs += 2)   {
 		if (cur_path.value[offs] != in_path.value[offs])
 			break;
 		if (cur_path.value[offs + 1] != in_path.value[offs + 1])
@ -687,8 +699,8 @@ authentic_debug_select_file(struct sc_card *card, const struct sc_path *path)
 	struct sc_card_cache *cache = &card->cache;

 	if (path)
-		sc_log(ctx, "try to select path(type:%i) %s",
-				path->type, sc_print_path(path));
+		sc_log(ctx, "try to select path(type:%i,len=%"SC_FORMAT_LEN_SIZE_T"u) %s",
+				path->type, path->len, sc_print_path(path));

 	if (!cache->valid)
 		return;
@ -752,8 +764,12 @@ authentic_select_file(struct sc_card *card, const struct sc_path *path,
 		memmove(&lpath.value[0], &lpath.value[2], lpath.len - 2);
 		lpath.len -=  2;

-		if (!lpath.len)
+		if (lpath.len == 0) {
 			LOG_FUNC_RETURN(ctx, SC_SUCCESS);
+		} else if (file_out != NULL) {
+			sc_file_free(*file_out);
+			*file_out = NULL;
+		}
 	}

 	if (lpath.type == SC_PATH_TYPE_PATH && (lpath.len == 2))
@ -1313,7 +1329,7 @@ authentic_pin_verify(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd)

 	memset(prv_data->pins_sha1[pin_cmd->pin_reference], 0, sizeof(prv_data->pins_sha1[0]));

-	rv = authentic_pin_get_policy(card, pin_cmd);
+	rv = authentic_pin_get_policy(card, pin_cmd, NULL);
 	LOG_TEST_RET(ctx, rv, "Get 'PIN policy' error");

 	if (pin_cmd->pin1.len > (int)pin_cmd->pin1.max_length)
@ -1350,7 +1366,7 @@ authentic_pin_change_pinpad(struct sc_card *card, unsigned reference, int *tries
 	pin_cmd.cmd = SC_PIN_CMD_CHANGE;
 	pin_cmd.flags |= SC_PIN_CMD_USE_PINPAD | SC_PIN_CMD_NEED_PADDING;

-	rv = authentic_pin_get_policy(card, &pin_cmd);
+	rv = authentic_pin_get_policy(card, &pin_cmd, NULL);
 	LOG_TEST_RET(ctx, rv, "Get 'PIN policy' error");

 	memset(pin1_data, pin_cmd.pin1.pad_char, sizeof(pin1_data));
@ -1388,7 +1404,7 @@ authentic_pin_change(struct sc_card *card, struct sc_pin_cmd_data *data, int *tr
 	size_t offs;
 	int rv;

-	rv = authentic_pin_get_policy(card, data);
+	rv = authentic_pin_get_policy(card, data, NULL);
 	LOG_TEST_RET(ctx, rv, "Get 'PIN policy' error");

 	memset(prv_data->pins_sha1[data->pin_reference], 0, sizeof(prv_data->pins_sha1[0]));
@ -1448,7 +1464,7 @@ authentic_chv_set_pinpad(struct sc_card *card, unsigned char reference)
 	pin_cmd.cmd = SC_PIN_CMD_UNBLOCK;
 	pin_cmd.flags |= SC_PIN_CMD_USE_PINPAD | SC_PIN_CMD_NEED_PADDING;

-	rv = authentic_pin_get_policy(card, &pin_cmd);
+	rv = authentic_pin_get_policy(card, &pin_cmd, NULL);
 	LOG_TEST_RET(ctx, rv, "Get 'PIN policy' error");

 	memset(pin_data, pin_cmd.pin1.pad_char, sizeof(pin_data));
@ -1471,7 +1487,7 @@ authentic_chv_set_pinpad(struct sc_card *card, unsigned char reference)


 static int
-authentic_pin_get_policy (struct sc_card *card, struct sc_pin_cmd_data *data)
+authentic_pin_get_policy (struct sc_card *card, struct sc_pin_cmd_data *data, struct sc_acl_entry *acls)
 {
 	struct sc_context *ctx = card->ctx;
 	struct sc_apdu apdu;
@ -1500,7 +1516,7 @@ authentic_pin_get_policy (struct sc_card *card, struct sc_pin_cmd_data *data)

 	data->pin1.tries_left = -1;

-	rv = authentic_parse_credential_data(ctx, data, apdu.resp, apdu.resplen);
+	rv = authentic_parse_credential_data(ctx, data, acls, apdu.resp, apdu.resplen);
        LOG_TEST_RET(ctx, rv, "Cannot parse credential data");

 	data->pin1.encoding = SC_PIN_ENCODING_ASCII;
@ -1527,6 +1543,7 @@ authentic_pin_reset(struct sc_card *card, struct sc_pin_cmd_data *data, int *tri
 	struct sc_context *ctx = card->ctx;
 	struct authentic_private_data *prv_data = (struct authentic_private_data *) card->drv_data;
 	struct sc_pin_cmd_data pin_cmd, puk_cmd;
+	struct sc_acl_entry acls[SC_MAX_SDO_ACLS];
 	struct sc_apdu apdu;
 	unsigned reference;
 	int rv, ii;
@ -1541,17 +1558,18 @@ authentic_pin_reset(struct sc_card *card, struct sc_pin_cmd_data *data, int *tri
 	pin_cmd.pin_type = data->pin_type;
 	pin_cmd.pin1.tries_left = -1;

-	rv = authentic_pin_get_policy(card, &pin_cmd);
+	memset(&acls, 0, sizeof(acls));
+	rv = authentic_pin_get_policy(card, &pin_cmd, acls);
 	LOG_TEST_RET(ctx, rv, "Get 'PIN policy' error");

-	if (pin_cmd.pin1.acls[AUTHENTIC_ACL_NUM_PIN_RESET].method == SC_AC_CHV)   {
+	if (acls[AUTHENTIC_ACL_NUM_PIN_RESET].method == SC_AC_CHV)   {
 		for (ii=0;ii<8;ii++)   {
 			unsigned char mask = 0x01 << ii;
-			if (pin_cmd.pin1.acls[AUTHENTIC_ACL_NUM_PIN_RESET].key_ref & mask)   {
+			if (acls[AUTHENTIC_ACL_NUM_PIN_RESET].key_ref & mask)   {
 				memset(&puk_cmd, 0, sizeof(puk_cmd));
 				puk_cmd.pin_reference = ii + 1;

-				rv = authentic_pin_get_policy(card, &puk_cmd);
+				rv = authentic_pin_get_policy(card, &puk_cmd, NULL);
 				LOG_TEST_RET(ctx, rv, "Get 'PIN policy' error");

 				if (puk_cmd.pin_type == SC_AC_CHV)
@ -1627,7 +1645,7 @@ authentic_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries
 		rv = authentic_pin_reset(card, data, tries_left);
 		break;
 	case SC_PIN_CMD_GET_INFO:
-		rv = authentic_pin_get_policy(card, data);
+		rv = authentic_pin_get_policy(card, data, NULL);
 		break;
 	default:
 		LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Unsupported PIN command");
--- a/src/libopensc/card-belpic.c
+++ b/src/libopensc/card-belpic.c
@ -215,7 +215,6 @@ static int belpic_match_card(sc_card_t *card)
 static int belpic_init(sc_card_t *card)
 {
 	int key_size = 1024;
-	int r;

 	sc_log(card->ctx,  "Belpic V%s\n", BELPIC_VERSION);

@ -227,7 +226,7 @@ static int belpic_init(sc_card_t *card)
 		u8 carddata[BELPIC_CARDDATA_RESP_LEN];
 		memset(carddata, 0, sizeof(carddata));

-		if((r = get_carddata(card, carddata, sizeof(carddata))) < 0) {
+		if(get_carddata(card, carddata, sizeof(carddata)) < 0) {
 			return SC_ERROR_INVALID_CARD;
 		}
 		if (carddata[BELPIC_CARDDATA_OFF_APPLETVERS] >= 0x17) {
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@ -54,6 +54,7 @@
 #endif
 #include "iso7816.h"
 #include "card-cac-common.h"
+#include "pkcs15.h"

 /*
 *  CAC hardware and APDU constants
@ -105,6 +106,8 @@
 #define CAC_ACR_AMP                   0x20
 #define CAC_ACR_SERVICE               0x21

+#define CAC_MAX_CCC_DEPTH             16
+
 /* hardware data structures (returned in the CCC) */
 /* part of the card_url */
 typedef struct cac_access_profile {
@ -621,15 +624,6 @@ done:
 	LOG_FUNC_RETURN(card->ctx, r);
 }

-/* CAC driver is read only */
-static int cac_write_binary(sc_card_t *card, unsigned int idx,
-		const u8 *buf, size_t count, unsigned long flags)
-{
-
-	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
-	LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
-}
-
 /* initialize getting a list and return the number of elements in the list */
 static int cac_get_init_and_get_count(list_t *list, cac_object_t **entry, int *countp)
 {
@ -877,7 +871,7 @@ static int cac_parse_properties_object(sc_card_t *card, u8 type,
 	if (data_len < 11)
 		return -1;

-	/* Initilize: non-PKI applet */
+	/* Initialize: non-PKI applet */
 	object->privatekey = 0;

 	val = data;
@ -1090,10 +1084,8 @@ static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc
 	 * We only need to do this for private keys.
 	 */
 	if ((pathlen > 2) && (pathlen <= 4) && memcmp(path, "\x3F\x00", 2) == 0) {
-		if (pathlen > 2) {
-			path += 2;
-			pathlen -= 2;
-		}
+		path += 2;
+		pathlen -= 2;
 	}


@ -1307,7 +1299,7 @@ static int cac_parse_aid(sc_card_t *card, cac_private_data_t *priv, const u8 *ai
 	memcpy(new_object.path.aid.value, aid, aid_len);
 	new_object.path.aid.len = aid_len;

-	/* Call without OID set will just select the AID without subseqent
+	/* Call without OID set will just select the AID without subsequent
 	 * OID selection, which we need to figure out just now
 	 */
 	cac_select_file_by_type(card, &new_object.path, NULL);
@ -1419,10 +1411,10 @@ static int cac_parse_cuid(sc_card_t *card, cac_private_data_t *priv, cac_cuid_t
 	priv->cac_id_len = card_id_len;
 	return SC_SUCCESS;
 }
-static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv);
+static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth);

 static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, const u8 *tl,
-						 size_t tl_len, u8 *val, size_t val_len)
+	size_t tl_len, u8 *val, size_t val_len, int depth)
 {
 	size_t len = 0;
 	const u8 *tl_end = tl + tl_len;
@ -1519,7 +1511,8 @@ static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, const u8 *tl
 			if (r < 0)
 				return r;

-			r = cac_process_CCC(card, priv);
+			/* Increase depth to avoid infinite recursion */
+			r = cac_process_CCC(card, priv, depth + 1);
 			if (r < 0)
 				return r;
 			break;
@ -1532,12 +1525,16 @@ static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, const u8 *tl
 	return SC_SUCCESS;
 }

-static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv)
+static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth)
 {
 	u8 *tl = NULL, *val = NULL;
 	size_t tl_len, val_len;
 	int r;

+	if (depth > CAC_MAX_CCC_DEPTH) {
+		sc_log(card->ctx, "Too much recursive CCC found. Exiting");
+		return SC_ERROR_INVALID_CARD;
+	}

 	r = cac_read_file(card, CAC_FILE_TAG, &tl, &tl_len);
 	if (r < 0)
@ -1547,7 +1544,7 @@ static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv)
 	if (r < 0)
 		goto done;

-	r = cac_parse_CCC(card, priv, tl, tl_len, val, val_len);
+	r = cac_parse_CCC(card, priv, tl, tl_len, val, val_len, depth);
 done:
 	if (tl)
 		free(tl);
@ -1774,7 +1771,7 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
 		priv = cac_new_private_data();
 		if (!priv)
 			return SC_ERROR_OUT_OF_MEMORY;
-		r = cac_process_CCC(card, priv);
+		r = cac_process_CCC(card, priv, 0);
 		if (r == SC_SUCCESS) {
 			card->type = SC_CARD_TYPE_CAC_II;
 			card->drv_data = priv;
@ -1796,7 +1793,7 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
 		}
 		r = cac_process_ACA(card, priv);
 		if (r == SC_SUCCESS) {
-			card->type = SC_CARD_TYPE_CAC_II;
+			card->type = SC_CARD_TYPE_CAC_ALT_HID;
 			card->drv_data = priv;
 			return r;
 		}
@ -1872,7 +1869,10 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
 	 * FIPS 201 4.1.6.1 (numeric only) and * FIPS 140-2
 	 * (6 character minimum) requirements.
 	 */
+	sc_apdu_t apdu;
+	u8  sbuf[SC_MAX_APDU_BUFFER_SIZE];
 	struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
+	int rv;

 	if (data->cmd == SC_PIN_CMD_CHANGE) {
 		int i = 0;
@ -1884,9 +1884,24 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
 				return SC_ERROR_INVALID_DATA;
 			}
 		}
+
+		/* We can change the PIN of Giesecke & Devrient CAC ALT tokens
+		 * with a bit non-standard APDU */
+		if (card->type == SC_CARD_TYPE_CAC_ALT_HID) {
+			int r = 0;
+			r = iso7816_build_pin_apdu(card, &apdu, data, sbuf, sizeof(sbuf));
+			if (r < 0)
+				return r;
+			/* it requires P1 = 0x01 completely against the ISO specs */
+			apdu.p1 = 0x01;
+			data->apdu = &apdu;
+		}
 	}

-	return  iso_drv->ops->pin_cmd(card, data, tries_left);
+	rv = iso_drv->ops->pin_cmd(card, data, tries_left);
+
+	data->apdu = NULL;
+	return rv;
 }

 static struct sc_card_operations cac_ops;
@ -1910,7 +1925,8 @@ static struct sc_card_driver * sc_get_driver(void)
 	cac_ops.select_file =  cac_select_file; /* need to record object type */
 	cac_ops.get_challenge = cac_get_challenge;
 	cac_ops.read_binary = cac_read_binary;
-	cac_ops.write_binary = cac_write_binary;
+	/* CAC driver is read only */
+	cac_ops.write_binary = NULL;
 	cac_ops.set_security_env = cac_set_security_env;
 	cac_ops.restore_security_env = cac_restore_security_env;
 	cac_ops.compute_signature = cac_compute_signature;
--- a/src/libopensc/card-cac1.c
+++ b/src/libopensc/card-cac1.c
@ -54,6 +54,7 @@
 #endif
 #include "iso7816.h"
 #include "card-cac-common.h"
+#include "pkcs15.h"

 /*
 *  CAC hardware and APDU constants
@ -78,7 +79,7 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l
 	out_ptr = *out_buf ? *out_buf : buf;
 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, CAC_INS_GET_CERTIFICATE, 0, 0 );
 	len = MIN(left, 100);
-	for (; left > 0;) { /* Increments for readability in the end of the function */
+	while (left > 0) {
 		apdu.resp = out_ptr;
 		apdu.le = len;
 		apdu.resplen = left;
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@ -53,13 +53,44 @@ static const struct sc_atr_table cardos_atrs[] = {
 	/* CardOS v5.0 */
 	{ "3b:d2:18:00:81:31:fe:58:c9:01:14", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
 	/* CardOS v5.3 */
-	{ "3b:d2:18:00:81:31:fe:58:c9:02:17", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
-	{ "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
+	{ "3b:d2:18:00:81:31:fe:58:c9:02:17", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL},
+	{ "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL},
+	/* CardOS v5.4 */
+	{ "3b:d2:18:00:81:31:fe:58:c9:04:11", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL},
 	{ NULL, NULL, NULL, 0, 0, NULL }
 };

-static unsigned int algorithm_ids_in_tokeninfo[SC_MAX_SUPPORTED_ALGORITHMS];
-static unsigned int algorithm_ids_in_tokeninfo_count=0;
+/* private data for cardos driver */
+typedef struct cardos_data {
+	/* constructed internally */
+	unsigned int algorithm_ids_in_tokeninfo[SC_MAX_SUPPORTED_ALGORITHMS];
+	unsigned int algorithm_ids_in_tokeninfo_count;
+	unsigned long flags; /* flags used by init to create sc_algorithms */
+	unsigned long ec_flags;
+	unsigned long ext_flags;
+	int rsa_2048;
+	const sc_security_env_t * sec_env;
+} cardos_data_t;
+
+/* copied from iso7816.c */
+static void fixup_transceive_length(const struct sc_card *card,
+		struct sc_apdu *apdu)
+{
+	if (card == NULL || apdu == NULL) {
+		return;
+	}
+
+	if (apdu->lc > sc_get_max_send_size(card)) {
+		/* The lower layers will automatically do chaining */
+		apdu->flags |= SC_APDU_FLAGS_CHAINING;
+	}
+
+	if (apdu->le > sc_get_max_recv_size(card)) {
+		/* The lower layers will automatically do a GET RESPONSE, if possible.
+		 * All other workarounds must be carried out by the upper layers. */
+		apdu->le = sc_get_max_recv_size(card);
+	}
+}

 static int cardos_match_card(sc_card_t *card)
 {
@ -79,6 +110,8 @@ static int cardos_match_card(sc_card_t *card)
 		return 1;
 	if (card->type == SC_CARD_TYPE_CARDOS_V5_0)
 		return 1;
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_3)
+		return 1;
 	if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
 		int rv;
 		sc_apdu_t apdu;
@ -128,7 +161,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
 	sc_apdu_t apdu;
        u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
        int       r;
-	const u8  *p = rbuf, *q;
+	const u8  *p = rbuf, *q, *pp;
 	size_t    len, tlen = 0, ilen = 0;

 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@ -144,10 +177,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
 		return 0;

 	while (len != 0) {
-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
-		if (p == NULL)
+		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+		if (pp == NULL)
 			return 0;
-		q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+		q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
 		if (q == NULL || ilen != 4)
 			return 0;
 		if (q[0] == 0x1c)
@ -159,42 +192,104 @@ static int cardos_have_2048bit_package(sc_card_t *card)
 	return 0;
 }

+
+/* Called from cardos_init for old cards, from cardos_cardctl_parsed_token_info for new cards */
+/* TODO see if works from old cards too */
+static int cardos_add_algs(sc_card_t *card, unsigned long flags, unsigned long ec_flags, unsigned long ext_flags)
+{
+
+	cardos_data_t * priv = (cardos_data_t *)card->drv_data;
+
+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+
+	_sc_card_add_rsa_alg(card,  512, flags, 0);
+	_sc_card_add_rsa_alg(card,  768, flags, 0);
+	_sc_card_add_rsa_alg(card, 1024, flags, 0);
+	if (priv->rsa_2048 == 1) {
+		_sc_card_add_rsa_alg(card, 1280, flags, 0);
+		_sc_card_add_rsa_alg(card, 1536, flags, 0);
+		_sc_card_add_rsa_alg(card, 1792, flags, 0);
+		_sc_card_add_rsa_alg(card, 2048, flags, 0);
+	}
+
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+		/* Starting with CardOS 5, the card supports PIN query commands */
+		card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO;
+		_sc_card_add_rsa_alg(card, 3072, flags, 0);
+		_sc_card_add_rsa_alg(card, 4096, flags, 0);
+	}
+
+	/* TODO need to get sizes from supported_algos too */
+	if (ec_flags != 0) {
+		 _sc_card_add_ec_alg(card, 256, ec_flags, priv->ext_flags, NULL);
+		 _sc_card_add_ec_alg(card, 384, ec_flags, priv->ext_flags, NULL);
+	}
+
+	return 0;
+}
+
 static int cardos_init(sc_card_t *card)
 {
-	unsigned long flags = 0, rsa_2048 = 0;
+	cardos_data_t * priv = NULL;
+	unsigned long flags = 0;
 	size_t data_field_length;
 	sc_apdu_t apdu;
 	u8 rbuf[2];
 	int r;

+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+
+	priv = calloc(1, sizeof(cardos_data_t));
+	if (!priv)
+		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+	card->drv_data = priv;
+
 	card->name = "Atos CardOS";
 	card->cla = 0x00;

-	/* Set up algorithm info. */
-	flags = 0;
-	if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
-		flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
+	/* let user override flags and type from opensc.conf */
+	/* user can override card->type too.*/
+	if (card->flags) {
+	    flags = card->flags;
 	} else {
-		flags |= SC_ALGORITHM_RSA_RAW
-			| SC_ALGORITHM_RSA_HASH_NONE
-			| SC_ALGORITHM_NEED_USAGE
-			| SC_ALGORITHM_ONBOARD_KEY_GEN;
+
+		/* Set up algorithm info. */
+		flags = 0;
+		if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+			flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
+		} else if(card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+			flags |= SC_ALGORITHM_RSA_RAW
+				| SC_ALGORITHM_RSA_HASH_NONE
+				| SC_ALGORITHM_ONBOARD_KEY_GEN;
+		} else {
+			flags |= SC_ALGORITHM_RSA_RAW
+				| SC_ALGORITHM_RSA_HASH_NONE
+				| SC_ALGORITHM_NEED_USAGE
+				| SC_ALGORITHM_ONBOARD_KEY_GEN;
+		}
 	}

+	priv->flags = flags;
+
 	if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
 		r = cardos_have_2048bit_package(card);
-		if (r < 0)
-			return SC_ERROR_INVALID_CARD;
+		if (r < 0) {
+			r = SC_ERROR_INVALID_CARD;
+			goto err;
+		}
 		if (r == 1)
-			rsa_2048 = 1;
+			priv->rsa_2048 = 1;
 		card->caps |= SC_CARD_CAP_APDU_EXT;
-	} else if (card->type == SC_CARD_TYPE_CARDOS_M4_3 
+	} else if (card->type == SC_CARD_TYPE_CARDOS_M4_3
 		|| card->type == SC_CARD_TYPE_CARDOS_M4_2B
 		|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
 		|| card->type == SC_CARD_TYPE_CARDOS_M4_4
-		|| card->type == SC_CARD_TYPE_CARDOS_V5_0) {
-		rsa_2048 = 1;
+		|| card->type == SC_CARD_TYPE_CARDOS_V5_0
+		|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+		priv->rsa_2048 = 1;
 		card->caps |= SC_CARD_CAP_APDU_EXT;
+		/* TODO check this. EC only if in supported_algo */
+		priv->ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
 	}

 	/* probe DATA FIELD LENGTH with GET DATA */
@ -202,48 +297,122 @@ static int cardos_init(sc_card_t *card)
 	apdu.le = sizeof rbuf;
 	apdu.resp = rbuf;
 	apdu.resplen = sizeof(rbuf);
+
 	r = sc_transmit_apdu(card, &apdu);
 	if (r < 0)
-		LOG_TEST_RET(card->ctx,
+		LOG_TEST_GOTO_ERR(card->ctx,
 				SC_ERROR_INVALID_CARD,
 				"APDU transmit failed");
 	r = sc_check_sw(card, apdu.sw1, apdu.sw2);
 	if (r < 0)
-		LOG_TEST_RET(card->ctx,
+		LOG_TEST_GOTO_ERR(card->ctx,
 				SC_ERROR_INVALID_CARD,
 				"GET DATA command returned error");
-	if (apdu.resplen != 2)
-		return SC_ERROR_INVALID_CARD;
+	if (apdu.resplen != 2) {
+		r = SC_ERROR_INVALID_CARD;
+		goto err;
+	}
 	data_field_length = ((rbuf[0] << 8) | rbuf[1]);

-	/* strip the length of possible Lc and Le bytes */
-	if (card->caps & SC_CARD_CAP_APDU_EXT)
-		card->max_send_size = data_field_length - 6;
-	else
-		card->max_send_size = data_field_length - 3;
-	/* strip the length of SW bytes */
-	card->max_recv_size = data_field_length - 2;
+	/* TODO is this really needed? strip the length of possible Lc and Le bytes */

-	_sc_card_add_rsa_alg(card,  512, flags, 0);
-	_sc_card_add_rsa_alg(card,  768, flags, 0);
-	_sc_card_add_rsa_alg(card, 1024, flags, 0);
-	if (rsa_2048 == 1) {
-		_sc_card_add_rsa_alg(card, 1280, flags, 0);
-		_sc_card_add_rsa_alg(card, 1536, flags, 0);
-		_sc_card_add_rsa_alg(card, 1792, flags, 0);
-		_sc_card_add_rsa_alg(card, 2048, flags, 0);
+	/* Use Min card sizes and reader too. for V5_3 at least*/
+
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+		sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "data_field_length:%"SC_FORMAT_LEN_SIZE_T"u "
+				"card->reader->max_send_size:%"SC_FORMAT_LEN_SIZE_T"u "
+				"card->reader->max_recv_size:%"SC_FORMAT_LEN_SIZE_T"u %s",
+				data_field_length, card->reader->max_send_size, card->reader->max_recv_size,
+				(card->caps & SC_CARD_CAP_APDU_EXT) ? "SC_CARD_CAP_APDU_EXT" : " ");
+
+		if (card->caps & SC_CARD_CAP_APDU_EXT) {
+			card->max_send_size  = data_field_length - 6;
+#ifdef _WIN32
+			/* Windows does not support PCSC PART_10 and may have forced reader to 255/256
+			 * https://github.com/OpenSC/OpenSC/commit/eddea6f3c2d3dafc2c09eba6695c745a61b5186f
+			 * may have reset this. if so, will override and force extended 
+			 * Most, if not all, cardos cards do extended, but not chaining 
+			 */
+			if (card->reader->max_send_size == 255 && card->reader->max_recv_size == 256) {
+				sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "resetting reader to use data_field_length");
+				card->reader->max_send_size = data_field_length - 6;
+				card->reader->max_recv_size = data_field_length - 3;
+			}
+#endif
+		} else
+			card->max_send_size = data_field_length - 3;
+
+		card->max_send_size = sc_get_max_send_size(card); /* include reader sizes and protocol */
+		card->max_recv_size = data_field_length - 2;
+		card->max_recv_size = sc_get_max_recv_size(card);
+	} else {
+		/* old way, disregards reader capabilities */
+		if (card->caps & SC_CARD_CAP_APDU_EXT)
+			card->max_send_size = data_field_length - 6;
+		else
+			card->max_send_size = data_field_length - 3;
+		/* strip the length of SW bytes */
+		card->max_recv_size = data_field_length - 2;
 	}

-	if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
-		/* Starting with CardOS 5, the card supports PIN query commands */
-		card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO;
-		_sc_card_add_rsa_alg(card, 3072, flags, 0);
-		_sc_card_add_rsa_alg(card, 4096, flags, 0);
+	/*for new cards, wait till after sc_pkcs15_bind_internal reads tokeninfo */
+	if (card->type != SC_CARD_TYPE_CARDOS_V5_0 && card->type != SC_CARD_TYPE_CARDOS_V5_3) {
+		r = cardos_add_algs(card, flags, 0, 0);
 	}

-	return 0;
+err:
+	if (r != SC_SUCCESS) {
+		free(priv);
+		card->drv_data = NULL;
+	}
+
+	return r;
 }

+static int cardos_pass_algo_flags(sc_card_t *card, struct sc_cardctl_cardos_pass_algo_flags * ptr)
+{
+	cardos_data_t * priv = (cardos_data_t *)card->drv_data;
+	int r = 0;
+
+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+	switch (ptr->pass) {
+		case 1:
+			ptr->card_flags = card->flags;
+			ptr->used_flags = priv->flags;
+			ptr->ec_flags = priv->ec_flags;
+			ptr->ext_flags = priv->ext_flags;
+			break;
+		case 2:
+			r = cardos_add_algs(card,ptr->new_flags, ptr->ec_flags, ptr->ext_flags);
+			break;
+		default:
+			sc_log(card->ctx, "ptr->pass: %ul invalid", ptr->pass);
+			r = SC_ERROR_INTERNAL;
+	}
+	LOG_FUNC_RETURN(card->ctx, r);
+}
+
+
+static int cardos_finish(sc_card_t *card)
+{
+	int r = 0;
+
+	if (card == NULL )
+		return 0;
+
+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+
+	/* free priv data */
+	if (card->drv_data) { /* priv */
+		free(card->drv_data);
+		card->drv_data = NULL;
+	}
+
+	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);
+}
+
+
+
 static const struct sc_card_error cardos_errors[] = {
 /* some error inside the card */
 /* i.e. nothing you can do */
@ -381,8 +550,7 @@ get_next_part:
 		q = sc_asn1_find_tag(card->ctx, p, tlen, 0x8a, &ilen);
 		if (q != NULL && ilen == 1) {
 			offset = (u8)ilen;
-			if (offset != 0)
-				goto get_next_part;
+			goto get_next_part;
 		}
 		len -= tlen + 2;
 		p   += tlen;
@ -462,7 +630,7 @@ static const int ef_acl[9] = {
 	/* XXX: ADMIN should be an ACL type of its own, or mapped
 	 * to erase */
 	SC_AC_OP_UPDATE,	/* ADMIN EF (modify meta information?) */
-	-1,			/* INC (-> cylic fixed files) */
+	-1,			/* INC (-> cyclic fixed files) */
 	-1			/* DEC */
 };

@ -773,8 +941,9 @@ cardos_set_security_env(sc_card_t *card,
 			    const sc_security_env_t *env,
 			    int se_num)
 {
+	cardos_data_t* priv = (cardos_data_t*)card->drv_data;
 	sc_apdu_t apdu;
-	u8	data[6];
+	u8	data[9];
 	int	key_id, r;

 	assert(card != NULL && env != NULL);
@ -783,6 +952,15 @@ cardos_set_security_env(sc_card_t *card,
 		sc_log(card->ctx, "No or invalid key reference\n");
 		return SC_ERROR_INVALID_ARGUMENTS;
 	}
+	priv->sec_env = env; /* pass on to crypto routines */
+
+	/* key_ref includes card mechanism and key number
+	 * But newer cards appear to get this some other way,
+	 * We can use flags passed to know what OpenSC expects from the card
+	 * and have derived what these machanisums are. 
+	 * Newer cards may change how this is done
+	 */
+
 	key_id = env->key_ref[0];

 	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, 0, 0);
@ -803,16 +981,39 @@ cardos_set_security_env(sc_card_t *card,
 		return SC_ERROR_INVALID_ARGUMENTS;
 	}

-	if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+		/* some cards appear to have key_id be both Cryptographic mechanism reference 4 bits
+		 * and key_ref 4 bits. But this limits card to 16 keys.
+		 * TODO may need to be looked at at a later time
+		 */
 		/* Private key reference */
 		data[0] = 0x84;
 		data[1] = 0x01;
-		data[2] = key_id;
+		data[2] = key_id & 0x0F;
 		/* Usage qualifier byte */
 		data[3] = 0x95;
 		data[4] = 0x01;
 		data[5] = 0x40;
 		apdu.lc = apdu.datalen = 6;
+		if (key_id & 0xF0) {
+			/* Cryptographic mechanism reference */
+			data[6] = 0x80;
+			data[7] = 0x01;
+			data[8] = key_id & 0xF0;
+			apdu.lc = apdu.datalen = 9;
+		} else if (priv->sec_env->algorithm_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
+			/* TODO this may only apply to c903 cards */
+			/* TODO or only for cards without any supported_algos or EIDComplient only */
+			data[6] = 0x80;
+			data[7] = 0x01;
+			data[8] = 0x10;
+			apdu.lc = apdu.datalen = 9;
+		} else if (priv->sec_env->algorithm_flags & SC_ALGORITHM_ECDSA_RAW) {
+			data[6] = 0x80;
+			data[7] = 0x01;
+			data[8] = 0x30;
+			apdu.lc = apdu.datalen = 9;
+		}
 	} else {
 		data[0] = 0x83;
 		data[1] = 0x01;
@ -840,12 +1041,12 @@ cardos_set_security_env(sc_card_t *card,

 				sc_log(card->ctx, "is signature");
 				sc_log(card->ctx, "Adding ID %d at index %d", algorithm_id, algorithm_id_count);
-				algorithm_ids_in_tokeninfo[algorithm_id_count++] = algorithm_id;
+				priv->algorithm_ids_in_tokeninfo[algorithm_id_count++] = algorithm_id;
 			}
 			sc_log(card->ctx, "reference=%d, mechanism=%d, operations=%d, algo_ref=%d",
 					alg.reference, alg.mechanism, alg.operations, alg.algo_ref);
 		}
-		algorithm_ids_in_tokeninfo_count = algorithm_id_count;
+		priv -> algorithm_ids_in_tokeninfo_count = algorithm_id_count;
 	} while (0);

 	LOG_FUNC_RETURN(card->ctx, r);
@ -860,6 +1061,7 @@ static int
 do_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,
 		     u8 *out, size_t outlen)
 {
+	/* cardos_data_t* priv = (cardos_data_t*)card->drv_dataa */;
 	int r;
 	sc_apdu_t apdu;

@ -874,6 +1076,7 @@ do_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,
 	apdu.data    = data;
 	apdu.lc      = datalen;
 	apdu.datalen = datalen;
+	fixup_transceive_length(card, &apdu);
 	r = sc_transmit_apdu(card, &apdu);
 	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");

@ -887,6 +1090,7 @@ static int
 cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,
 			 u8 *out, size_t outlen)
 {
+	cardos_data_t* priv;
 	int    r;
 	sc_context_t *ctx;
 	int do_rsa_pure_sig = 0;
@ -896,8 +1100,21 @@ cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,

 	assert(card != NULL && data != NULL && out != NULL);
 	ctx = card->ctx;
+	priv = (cardos_data_t*)card->drv_data;
 	SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_VERBOSE);

+	/* sec_env has algorithm_flags set from sc_get_encoding_flags sec_flags
+	 * If flags are set correctly we don't need to test anything 
+	 * TODO this assumes RSA is  PSS, PKCS1 or RAW and we are passing 
+	 * the correct data. Should work for ECDSA too.    
+	 * use for V5 cards and TODO should for older cards too
+	 */
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+
+		r = do_compute_signature(card, data, datalen, out, outlen);
+		LOG_FUNC_RETURN(ctx, r);
+	}
+
 	/* There are two ways to create a signature, depending on the way,
 	 * the key was created: RSA_SIG and RSA_PURE_SIG.
 	 * We can use the following reasoning, to determine the correct operation:
@ -914,8 +1131,8 @@ cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,
 	 */

 	/* check the the algorithmIDs from the AlgorithmInfo */
-	for (i = 0; i < algorithm_ids_in_tokeninfo_count; ++i) {
-		unsigned int id = algorithm_ids_in_tokeninfo[i];
+	for (i = 0; i < priv->algorithm_ids_in_tokeninfo_count; ++i) {
+		unsigned int id = priv->algorithm_ids_in_tokeninfo[i];
 		if (id == 0x86 || id == 0x88) {
 			do_rsa_sig = 1;
 		} else if (id == 0x8C || id == 0x8A) {
@ -986,10 +1203,41 @@ cardos_decipher(struct sc_card *card,
 		const u8 * crgram, size_t crgram_len,
 		u8 * out, size_t outlen)
 {
+	cardos_data_t* priv = (cardos_data_t*)card->drv_data;
 	int r;
 	size_t card_max_send_size = card->max_send_size;
 	size_t reader_max_send_size = card->reader->max_send_size;

+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+
+	/* 5.3 supports command chaining. Others may also
+	 * card_max_send_size for 5.3 is already based on reader max_send_size */
+
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+
+		r = iso_ops->decipher(card, crgram, crgram_len, out, outlen);
+		/*
+		 * 5.3 supports RAW as well as PKCS1 and PSS
+		 * description may strip padding if card supports it
+		 * with cards that support RAW, it always appears to 
+		 * drop first 00 that is start of padding.
+		 */
+
+		if (r > 0 && priv->sec_env->algorithm_flags & SC_ALGORITHM_RSA_RAW) {
+			size_t rsize = r;
+			/* RSA RAW crgram_len == modlen */
+			/* removed padding is always > 1 byte */
+			/* add back missing leading zero if card dropped it */
+			if (rsize == crgram_len - 1 && rsize < outlen) {
+				memmove(out+1, out, rsize);
+				out[0] =0x00;
+				r++;
+			}
+		}
+
+		SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);
+	}
+
 	if (sc_get_max_send_size(card) < crgram_len + 1) {
 		/* CardOS doesn't support chaining for PSO:DEC, so we just _hope_
 		 * that both, the reader and the card are able to send enough data.
@ -1004,7 +1252,7 @@ cardos_decipher(struct sc_card *card,
 	card->max_send_size = card_max_send_size;
 	card->reader->max_send_size = reader_max_send_size;

-	return r;
+	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);
 }

 static int
@ -1189,7 +1437,7 @@ static int cardos_get_serialnr(sc_card_t *card, sc_serial_number_t *serial)
 	LOG_TEST_RET(card->ctx, r,  "APDU transmit failed");
 	if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
 		return SC_ERROR_INTERNAL;
-	if ((apdu.resplen == 8) && (card->type == SC_CARD_TYPE_CARDOS_V5_0)) {
+	if ((apdu.resplen == 8) && (card->type == SC_CARD_TYPE_CARDOS_V5_0 || card->type == SC_CARD_TYPE_CARDOS_V5_3)) {
 		/* cache serial number */
 		memcpy(card->serialnr.value, rbuf, 8);
 		card->serialnr.len = 8;
@ -1224,6 +1472,9 @@ cardos_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
 	case SC_CARDCTL_CARDOS_GENERATE_KEY:
 		return cardos_generate_key(card,
 			(struct sc_cardctl_cardos_genkey_info *) ptr);
+	case  SC_CARDCTL_CARDOS_PASS_ALGO_FLAGS:
+		return cardos_pass_algo_flags(card,
+			(struct sc_cardctl_cardos_pass_algo_flags *) ptr);
 	case SC_CARDCTL_LIFECYCLE_GET:
 		return cardos_lifecycle_get(card, (int *) ptr);
 	case SC_CARDCTL_LIFECYCLE_SET:
@ -1280,7 +1531,8 @@ cardos_logout(sc_card_t *card)
 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_3
 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_4
-			|| card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+			|| card->type == SC_CARD_TYPE_CARDOS_V5_0
+			|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {
 		sc_apdu_t apdu;
 		int       r;
 		sc_path_t path;
@ -1310,6 +1562,7 @@ static struct sc_card_driver * sc_get_driver(void)
 	cardos_ops = *iso_ops;
 	cardos_ops.match_card = cardos_match_card;
 	cardos_ops.init = cardos_init;
+	cardos_ops.finish = cardos_finish;
 	cardos_ops.select_file = cardos_select_file;
 	cardos_ops.create_file = cardos_create_file;
 	cardos_ops.set_security_env = cardos_set_security_env;
--- a/src/libopensc/card-coolkey.c
+++ b/src/libopensc/card-coolkey.c
@ -799,9 +799,7 @@ static void coolkey_free_private_data(coolkey_private_data_t *priv)
 	list_iterator_stop(l);

 	list_destroy(&priv->objects_list);
-	if (priv->token_name) {
-		free(priv->token_name);
-	}
+	free(priv->token_name);
 	free(priv);
 	return;
 }
@ -1101,6 +1099,8 @@ static int coolkey_read_object(sc_card_t *card, unsigned long object_id, size_t
 	size_t len;
 	int r;

+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+
 	ulong2bebytes(&params.object_id[0], object_id);

 	out_ptr = out_buf;
@ -1127,7 +1127,7 @@ static int coolkey_read_object(sc_card_t *card, unsigned long object_id, size_t
 	return out_len;

 fail:
-	return r;
+	LOG_FUNC_RETURN(card->ctx, r);
 }

 /*
@ -1208,7 +1208,7 @@ static int coolkey_read_binary(sc_card_t *card, unsigned int idx,


 	r = coolkey_read_object(card, priv->obj->id, 0, data, priv->obj->length,
-												priv->nonce, sizeof(priv->nonce));
+		priv->nonce, sizeof(priv->nonce));
 	if (r < 0)
 		goto done;

@ -1337,8 +1337,11 @@ static int coolkey_get_token_info(sc_card_t *card, sc_pkcs15_tokeninfo_t * token
 	serial_number = coolkey_cuid_to_string(&priv->cuid);

 	if (label && manufacturer_id && serial_number) {
+		free(token_info->label);
 		token_info->label = label;
+		free(token_info->manufacturer_id);
 		token_info->manufacturer_id = manufacturer_id;
+		free(token_info->serial_number);
 		token_info->serial_number = serial_number;
 		return SC_SUCCESS;
 	}
@ -1367,6 +1370,8 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj)
 	sc_cardctl_coolkey_object_t *obj_entry;
 	coolkey_private_data_t * priv = COOLKEY_DATA(card);

+	LOG_FUNC_CALLED(card->ctx);
+
 	if (obj->data != NULL) {
 		return SC_SUCCESS;
 	}
@ -1378,7 +1383,10 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj)
 				priv->nonce, sizeof(priv->nonce));
 	if (r != (int)buf_len) {
 		free(new_obj_data);
-		return SC_ERROR_CORRUPTED_DATA;
+		if (r < 0) {
+			LOG_FUNC_RETURN(card->ctx, r);
+		}
+		LOG_FUNC_RETURN(card->ctx, SC_ERROR_CORRUPTED_DATA);
 	}
 	obj_entry = coolkey_find_object_by_id(&priv->objects_list, obj->id);
 	if (obj_entry == NULL) {
@ -1397,7 +1405,7 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj)
 	}
 	obj_entry->data = new_obj_data;
 	obj->data = new_obj_data;
-	return SC_SUCCESS;
+	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
 }

 /*
@ -1419,6 +1427,8 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut
 	attribute->attribute_length = 0;
 	attribute->attribute_value = NULL;

+	LOG_FUNC_CALLED(card->ctx);
+
 	if (obj == NULL) {
 		/* cast away const so we can cache the data value */
 		int r = coolkey_fill_object(card, (sc_cardctl_coolkey_object_t *)attribute->object);
@ -1444,7 +1454,6 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut
 		return SC_ERROR_CORRUPTED_DATA;
 	}

-
 	/*
 	 * now loop through all the attributes in the list. first find the start of the list
 	 */
@ -1460,7 +1469,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut
 		size_t record_len = coolkey_get_attribute_record_len(attr, object_record_type, buf_len);
 		/* make sure we have the complete record */
 		if (buf_len < record_len || record_len < 4) {
-				return SC_ERROR_CORRUPTED_DATA;
+			return SC_ERROR_CORRUPTED_DATA;
 		}
 		/* does the attribute match the one we are looking for */
 		if (attr_type == coolkey_get_attribute_type(attr, object_record_type, record_len)) {
@ -1477,7 +1486,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut

 		return coolkey_get_attribute_data_fixed(attr_type, fixed_attributes, attribute);
 	}
-	return SC_ERROR_DATA_OBJECT_NOT_FOUND;
+	LOG_FUNC_RETURN(card->ctx, SC_ERROR_DATA_OBJECT_NOT_FOUND);
 }

 /*
@ -1664,55 +1673,41 @@ typedef struct coolkey_compute_ecc_params {
 	u8 buf[MAX_COMPUTE_BUF];
 } coolkey_compute_ecc_params_t;

-static int coolkey_rsa_op(sc_card_t *card,
-					const u8 * data, size_t datalen,
-					u8 * out, size_t max_out_len)
+static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+	u8 * out, size_t max_out_len)
 {
 	int r;
-	const u8 *crypt_in;
-	u8 **crypt_out_p;
-	size_t crypt_in_len, *crypt_out_len_p;
-	coolkey_private_data_t * priv = COOLKEY_DATA(card);
+	u8 **crypt_out_p = NULL;
+	size_t crypt_out_len_p = 0;
+	coolkey_private_data_t *priv = COOLKEY_DATA(card);
 	coolkey_compute_crypt_params_t params;
 	u8 key_number;
 	size_t params_len;
-	size_t buf_len;
-	u8 buf[MAX_COMPUTE_BUF+2];
+	u8 buf[MAX_COMPUTE_BUF + 2];
 	u8 *buf_out;

 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
-	sc_log(card->ctx, 
-		 "datalen=%"SC_FORMAT_LEN_SIZE_T"u outlen=%"SC_FORMAT_LEN_SIZE_T"u\n",
-		 datalen, max_out_len);
-
-	crypt_in = data;
-	crypt_in_len = datalen;
-
-	buf_out = &buf[0];
-	crypt_out_p = &buf_out;
-	buf_len = sizeof(buf);
-	crypt_out_len_p = &buf_len;
-	key_number = priv->key_id;
-	params.init.mode = COOLKEY_CRYPT_MODE_RSA_NO_PAD;
-	params.init.location = COOLKEY_CRYPT_LOCATION_APDU;
-	params.init.direction = COOLKEY_CRYPT_DIRECTION_ENCRYPT; /* for no pad, direction is irrelevant */
+	sc_log(card->ctx, "datalen=%"SC_FORMAT_LEN_SIZE_T"u outlen=%"SC_FORMAT_LEN_SIZE_T"u\n",
+		datalen, max_out_len);

 	if (priv->key_id > 0xff) {
 		r = SC_ERROR_NO_DEFAULT_KEY;
 		goto done;
 	}
+	key_number = priv->key_id;

-	params_len = sizeof(params.init) + crypt_in_len;
+	memset(&params, 0, sizeof(params));
+	params.init.mode = COOLKEY_CRYPT_MODE_RSA_NO_PAD;
+	params.init.direction = COOLKEY_CRYPT_DIRECTION_ENCRYPT; /* for no pad, direction is irrelevant */

 	/* send the data to the card if necessary */
-	if (crypt_in_len > MAX_COMPUTE_BUF) {
+	if (datalen > MAX_COMPUTE_BUF) {
+		/* We need to write data to special object on the card as it does not safely fit APDU */
 		u8 len_buf[2];
+
 		params.init.location = COOLKEY_CRYPT_LOCATION_DL_OBJECT;
+
 		params_len = sizeof(params.init);
-		crypt_in = NULL;
-		crypt_in_len = 0;
-		*crypt_out_p = NULL;
-		*crypt_out_len_p = 0;

 		ushort2bebytes(len_buf, datalen);

@ -1722,26 +1717,35 @@ static int coolkey_rsa_op(sc_card_t *card,
 			goto done;
 		}

-		r = coolkey_write_object(card, COOLKEY_DL_OBJECT_ID, 2, data, datalen, priv->nonce,
-						sizeof(priv->nonce));
+		r = coolkey_write_object(card, COOLKEY_DL_OBJECT_ID, 2, data, datalen, priv->nonce, sizeof(priv->nonce));
 		if (r < 0) {
 			goto done;
 		}
+		ushort2bebytes(params.init.buf_len, 0);
+	} else {
+		/* The data fits in APDU. Copy it to the params object */
+		size_t buf_len;

-	}
-	ushort2bebytes(params.init.buf_len, crypt_in_len);
-	if (crypt_in_len) {
-		memcpy(params.buf, crypt_in, crypt_in_len);
-	}
+		params.init.location = COOLKEY_CRYPT_LOCATION_APDU;

+		params_len = sizeof(params.init) + datalen;
+
+		buf_out = &buf[0];
+		crypt_out_p = &buf_out;
+		buf_len = sizeof(buf);
+		crypt_out_len_p = buf_len;
+
+		ushort2bebytes(params.init.buf_len, datalen);
+		memcpy(params.buf, data, datalen);
+	}

 	r = coolkey_apdu_io(card, COOLKEY_CLASS, COOLKEY_INS_COMPUTE_CRYPT,
 			key_number, COOLKEY_CRYPT_ONE_STEP, (u8 *)&params, params_len,
-			crypt_out_p, crypt_out_len_p, priv->nonce, sizeof(priv->nonce));
-
+			crypt_out_p, &crypt_out_len_p, priv->nonce, sizeof(priv->nonce));
 	if (r < 0) {
 		goto done;
 	}
+
 	if (datalen > MAX_COMPUTE_BUF) {
 		u8 len_buf[2];
 		size_t out_length;
@ -1760,8 +1764,12 @@ static int coolkey_rsa_op(sc_card_t *card,

 	} else {
 		size_t out_length = bebytes2ushort(buf);
+		if (out_length > sizeof buf - 2) {
+			r = SC_ERROR_WRONG_LENGTH;
+			goto done;
+		}
 		out_length = MIN(out_length, max_out_len);
-		memcpy(out, buf+2, out_length);
+		memcpy(out, buf + 2, out_length);
 		r = out_length;
 	}

@ -2047,6 +2055,7 @@ coolkey_process_combined_object(sc_card_t *card, coolkey_private_data_t *priv, u
 	}

 	/* store the token name in the priv structure so the emulator can set it */
+	free(priv->token_name);
 	priv->token_name = malloc(decompressed_header->token_name_length+1);
 	if (priv->token_name == NULL) {
 		r = SC_ERROR_OUT_OF_MEMORY;
@ -2054,17 +2063,28 @@ coolkey_process_combined_object(sc_card_t *card, coolkey_private_data_t *priv, u
 	}
 	memcpy(priv->token_name, &decompressed_header->token_name[0],
 							decompressed_header->token_name_length);
-	priv->token_name[decompressed_header->token_name_length] = 0;
+	priv->token_name[decompressed_header->token_name_length] = '\0';
 	priv->token_name_length = decompressed_header->token_name_length;


-	for (i=0; i < object_count && object_offset < decompressed_object_len; i++ ) {
-		u8 *current_object = &decompressed_object[object_offset];
-		coolkey_combined_object_header_t *object_header =
-				(coolkey_combined_object_header_t *)current_object;
-		unsigned long object_id = bebytes2ulong(object_header->object_id);
+	for (i=0; i < object_count; i++) {
+		u8 *current_object = NULL;
+		coolkey_combined_object_header_t *object_header = NULL;
+		unsigned long object_id;
 		int current_object_len;

+		/* Can we read the object header at all? */
+		if ((object_offset + sizeof(coolkey_combined_object_header_t)) > decompressed_object_len) {
+			r = SC_ERROR_CORRUPTED_DATA;
+			goto done;
+		}
+
+		current_object = &decompressed_object[object_offset];
+		object_header = (coolkey_combined_object_header_t *)current_object;
+
+		/* Parse object ID */
+		object_id = bebytes2ulong(object_header->object_id);
+
 		/* figure out how big it is */
 		r = coolkey_v1_get_object_length(current_object, decompressed_object_len-object_offset);
 		if (r < 0) {
@ -2078,6 +2098,7 @@ coolkey_process_combined_object(sc_card_t *card, coolkey_private_data_t *priv, u
 		object_offset += current_object_len;

 		/* record this object */
+		sc_log(card->ctx, "Add new object id=%ld", object_id);
 		r = coolkey_add_object(priv, object_id, current_object, current_object_len, 1);
 		if (r) {
 			goto done;
@ -2146,7 +2167,7 @@ static int coolkey_initialize(sc_card_t *card)
 	r = coolkey_list_object(card, COOLKEY_LIST_RESET, &object_info);
 	while (r >= 0) {
 		unsigned long object_id;
-		unsigned short object_len;
+		unsigned long object_len;

 		/* The card did not return what we expected: Lets try other objects */
 		if ((size_t)r < (sizeof(object_info)))
@ -2156,7 +2177,11 @@ static int coolkey_initialize(sc_card_t *card)

 		object_id = bebytes2ulong(object_info.object_id);
 		object_len = bebytes2ulong(object_info.object_length);
-
+		/* Avoid insanely large data */
+		if (object_len > MAX_FILE_SIZE) {
+			r = SC_ERROR_CORRUPTED_DATA;
+			goto cleanup;
+		}

 		/* the combined object is a single object that can store the other objects.
 		 * most coolkeys provisioned by TPS has a single combined object that is
@ -2171,7 +2196,7 @@ static int coolkey_initialize(sc_card_t *card)
 				break;
 			}
 			r = coolkey_read_object(card, COOLKEY_COMBINED_OBJECT_ID, 0, object, object_len,
-											priv->nonce, sizeof(priv->nonce));
+				priv->nonce, sizeof(priv->nonce));
 			if (r < 0) {
 				free(object);
 				break;
@ -2183,6 +2208,7 @@ static int coolkey_initialize(sc_card_t *card)
 			}
 			combined_processed = 1;
 		} else {
+			sc_log(card->ctx, "Add new object id=%ld, len=%lu", object_id, object_len);
 			r = coolkey_add_object(priv, object_id, NULL, object_len, 0);
 			if (r != SC_SUCCESS)
 				sc_log(card->ctx, "coolkey_add_object() returned %d", r);
@ -2216,19 +2242,19 @@ static int coolkey_initialize(sc_card_t *card)
 		coolkey_make_cuid_from_cplc(&priv->cuid, &cplc_data);
 		priv->token_name = (u8 *)strdup("COOLKEY");
 		if (priv->token_name == NULL) {
-			r= SC_ERROR_OUT_OF_MEMORY;
+			r = SC_ERROR_OUT_OF_MEMORY;
 			goto cleanup;
 		}
 		priv->token_name_length = sizeof("COOLKEY")-1;
 	}
 	card->drv_data = priv;
-	return SC_SUCCESS;
+	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);

 cleanup:
 	if (priv) {
 		coolkey_free_private_data(priv);
 	}
-	return r;
+	LOG_FUNC_RETURN(card->ctx, r);
 }


--- a/src/libopensc/card-dnie.c
+++ b/src/libopensc/card-dnie.c
@ -903,22 +903,6 @@ static int dnie_finish(struct sc_card *card)

 /* ISO 7816-4 functions */

-/**
- * Convert little-endian data into unsigned long.
- *
- * @param pt pointer to little-endian data
- * @return equivalent long
- */
-static unsigned long le2ulong(u8 * pt)
-{
-	unsigned long res = 0L;
-	if (pt==NULL) return res;
-	res = (0xff & *(pt + 0)) +
-	    ((0xff & *(pt + 1)) << 8) +
-	    ((0xff & *(pt + 2)) << 16) + ((0xff & *(pt + 3)) << 24);
-	return res;
-}
-
 /**
 * Uncompress data if in compressed format.
 *
@ -944,14 +928,17 @@ static u8 *dnie_uncompress(sc_card_t * card, u8 * from, size_t *len)
 	if (*len < 8)
 		goto compress_exit;
 	/* evaluate compressed an uncompressed sizes (little endian format) */
-	uncompressed = le2ulong(from);
-	compressed = le2ulong(from + 4);
+	uncompressed = lebytes2ulong(from);
+	compressed = lebytes2ulong(from + 4);
 	/* if compressed size doesn't match data length assume not compressed */
 	if (compressed != (*len) - 8)
 		goto compress_exit;
 	/* if compressed size greater than uncompressed, assume uncompressed data */
 	if (uncompressed < compressed)
 		goto compress_exit;
+	/* Do not try to allocate insane size if we receive bogus data */
+	if (uncompressed > MAX_FILE_SIZE)
+		goto compress_exit;

 	sc_log(card->ctx, "Data seems to be compressed. calling uncompress");
 	/* ok: data seems to be compressed */
@ -960,16 +947,15 @@ static u8 *dnie_uncompress(sc_card_t * card, u8 * from, size_t *len)
 		sc_log(card->ctx, "alloc() for uncompressed buffer failed");
 		return NULL;
 	}
+	*len = uncompressed;
 	res = sc_decompress(upt,	/* try to uncompress by calling sc_xx routine */
-			    (size_t *) & uncompressed,
+			    len,
 			    from + 8, (size_t) compressed, COMPRESSION_ZLIB);
-	/* TODO: check that returned uncompressed size matches expected */
 	if (res != SC_SUCCESS) {
 		sc_log(card->ctx, "Uncompress() failed or data not compressed");
 		goto compress_exit;	/* assume not need uncompression */
 	}
 	/* Done; update buffer len and return pt to uncompressed data */
-	*len = uncompressed;
 	sc_log_hex(card->ctx, "Compressed data", from + 8, compressed);
 	sc_log_hex(card->ctx, "Uncompressed data", upt, uncompressed);
 compress_exit:
@ -1161,8 +1147,6 @@ static int dnie_compose_and_send_apdu(sc_card_t *card, const u8 *path, size_t pa
 	int res = 0;
 	sc_apdu_t apdu;
 	u8 rbuf[MAX_RESP_BUFFER_SIZE];
-	sc_file_t *file = NULL;
-
 	sc_context_t *ctx = NULL;

 	if (!card || !card->ctx)
@ -1199,14 +1183,15 @@ static int dnie_compose_and_send_apdu(sc_card_t *card, const u8 *path, size_t pa
 		LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
 	}

-	/* finally process FCI response */
-	file = sc_file_new();
-	if (file == NULL) {
-		LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
+	if (file_out) {
+		/* finally process FCI response */
+		sc_file_free(*file_out);
+		*file_out = sc_file_new();
+		if (*file_out == NULL) {
+			LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
+		}
+		res = card->ops->process_fci(card, *file_out, apdu.resp + 2, apdu.resp[1]);
 	}
-	res = card->ops->process_fci(card, file, apdu.resp + 2, apdu.resp[1]);
-	sc_file_free(*file_out);
-	*file_out = file;
 	LOG_FUNC_RETURN(ctx, res);
 }

@ -1907,8 +1892,8 @@ static int dnie_read_header(struct sc_card *card)
 	/* check response */
 	if (apdu.resplen != 8)
 		goto header_notcompressed;
-	uncompressed = le2ulong(apdu.resp);
-	compressed = le2ulong(apdu.resp + 4);
+	uncompressed = lebytes2ulong(apdu.resp);
+	compressed = lebytes2ulong(apdu.resp + 4);
 	if (uncompressed < compressed)
 		goto header_notcompressed;
 	if (uncompressed > 32767)
@ -2158,7 +2143,6 @@ static int dnie_pin_verify(struct sc_card *card,
 	res = cwa_create_secure_channel(card, GET_DNIE_PRIV_DATA(card)->cwa_provider, CWA_SM_ON);
 	LOG_TEST_RET(card->ctx, res, "Establish SM failed");

-	data->apdu = &apdu;	/* prepare apdu struct */
 	/* compose pin data to be inserted in apdu */
 	if (data->flags & SC_PIN_CMD_NEED_PADDING)
 		padding = 1;
@ -2191,7 +2175,9 @@ static int dnie_pin_verify(struct sc_card *card,
 	if (card->atr.value[15] >= DNIE_30_VERSION) {
 		sc_log(card->ctx, "DNIe 3.0 detected => re-establish secure channel");
 		dnie_change_cwa_provider_to_secure(card);
-		res = cwa_create_secure_channel(card, GET_DNIE_PRIV_DATA(card)->cwa_provider, CWA_SM_ON);
+		if (res == SC_SUCCESS) {
+			res = cwa_create_secure_channel(card, GET_DNIE_PRIV_DATA(card)->cwa_provider, CWA_SM_ON);
+		}
 	}

 	LOG_FUNC_RETURN(card->ctx, res);
--- a/Show More
+++ b/Show More