opensc package update

Signed-off-by: tuibuilder_pel7x64builder0 <tuibuilder@powerel.org>
5 years ago · 70151c938d
15 changed files with 2403 additions and 0 deletions
--- a/SOURCES/opensc-0.16.0-cac-alt.patch
+++ b/SOURCES/opensc-0.16.0-cac-alt.patch
@ -0,0 +1,204 @@
				@@ -0,0 +1,204 @@
+From 6dc118e1c3b89c50cda1998de1d62fa6fa666e60 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 3 Nov 2017 10:55:35 +0100
+Subject: [PATCH 1/3] Enable CAC ALT token card operations
+
+---
+ src/libopensc/card-cac.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 82f5c7869..bc0a754a5 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -229,6 +229,12 @@ static int cac_add_object_to_list(list_t *list, const cac_object_t *object)
+ #define CAC_1_RID "\xA0\x00\x00\x00\x79"
+ #define CAC_1_CM_AID "\xA0\x00\x00\x00\x30\x00\00"
+ 
+static const sc_path_t cac_ACA_Path = {
+	"", 0,
+	0,0,SC_PATH_TYPE_DF_NAME,
+	{ CAC_TO_AID(CAC_1_RID "\x10\x00") }
+};
+
+ static const sc_path_t cac_CCC_Path = {
+ 	"", 0,
+ 	0,0,SC_PATH_TYPE_DF_NAME,
+@@ -284,6 +290,8 @@ static const cac_object_t cac_1_objects[] = {
+ static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
+ 
+ 
+static int cac_select_ACA(sc_card_t *card);
+
+ /*
+  * use the object id to find our object info on the object in our CAC-1 list
+  */
+@@ -815,6 +823,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
+ 		case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
+ 			return cac_final_iterator(&priv->general_list);
+ 		case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
+			/* select ACA to be able to verify PIN */
+			cac_select_ACA(card);
+ 			return cac_final_iterator(&priv->pki_list);
+ 	}
+ 
+@@ -1157,6 +1167,12 @@ static int cac_select_CCC(sc_card_t *card)
+ 	return cac_select_file_by_type(card, &cac_CCC_Path, NULL, SC_CARD_TYPE_CAC_II);
+ }
+ 
+/* Select ACA in non-standard location */
+static int cac_select_ACA(sc_card_t *card)
+{
+	return cac_select_file_by_type(card, &cac_ACA_Path, NULL, SC_CARD_TYPE_CAC_II);
+}
+
+ static int cac_path_from_cardurl(sc_card_t *card, sc_path_t *path, cac_card_url_t *val, int len)
+ {
+ 	if (len < 10) {
+@@ -1476,6 +1492,23 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
+ 		}
+ 	}
+ 
+	/* Even some ALT tokens can be missing CCC so we should try with ACA */
+	r = cac_select_ACA(card);
+	if (r == SC_SUCCESS) {
+		r = cac_find_first_pki_applet(card, &index);
+	        if (r == SC_SUCCESS) {
+			priv = cac_new_private_data();
+			if (!priv)
+				return SC_ERROR_OUT_OF_MEMORY;
+			r = cac_populate_cac_1(card, index, priv);
+			if (r == SC_SUCCESS) {
+				card->type = SC_CARD_TYPE_CAC_II;
+				card->drv_data = priv;
+				return r;
+			}
+		}
+	}
+
+ 	/* is this a CAC-1 specified in DoD "CAC Applet Developer Guide" version 1.0 September 2002 */
+ 	r = cac_find_first_pki_applet(card, &index);
+ 	if (r == SC_SUCCESS) {
+
+From 68c52640a3eff078243fd2db627cf2d12fdd37de Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 6 Nov 2017 12:37:40 +0100
+Subject: [PATCH 2/3] Add the ACA path to the PIN structure if we have one
+
+---
+ src/libopensc/card-cac.c   | 25 +++++++++++++++++++------
+ src/libopensc/cardctl.h    |  1 +
+ src/libopensc/pkcs15-cac.c |  6 ++++++
+ 3 files changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index bc0a754a5..178150d35 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -169,6 +169,7 @@ typedef struct cac_private_data {
+ 	cac_object_t *pki_current;      /* current pki object _ctl function */
+ 	list_t general_list;            /* list of general containers */
+ 	cac_object_t *general_current;  /* current object for _ctl function */
+	sc_path_t *aca_path;		/* ACA path to be selected before pin verification */
+ } cac_private_data_t;
+ 
+ #define CAC_DATA(card) ((cac_private_data_t*)card->drv_data)
+@@ -207,6 +208,7 @@ static void cac_free_private_data(cac_private_data_t *priv)
+ {
+ 	free(priv->cac_id);
+ 	free(priv->cache_buf);
+	free(priv->aca_path);
+ 	list_destroy(&priv->pki_list);
+ 	list_destroy(&priv->general_list);
+ 	free(priv);
+@@ -289,9 +291,6 @@ static const cac_object_t cac_1_objects[] = {
+ 
+ static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
+ 
+-
+-static int cac_select_ACA(sc_card_t *card);
+-
+ /*
+  * use the object id to find our object info on the object in our CAC-1 list
+  */
+@@ -793,11 +792,21 @@ static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* seri
+ 	if (priv->cac_id_len) {
+ 		serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR);
+ 		memcpy(serial->value, priv->cac_id, priv->cac_id_len);
+-                SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+		SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+ 	}
+ 	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
+ }
+ 
+static int cac_get_ACA_path(sc_card_t *card, sc_path_t *path)
+{
+	cac_private_data_t * priv = CAC_DATA(card);
+
+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
+	if (priv->aca_path) {
+		*path = *priv->aca_path;
+	}
+	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+}
+ 
+ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
+ {
+@@ -810,6 +819,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
+ 	}
+ 	switch(cmd) {
+		case SC_CARDCTL_CAC_GET_ACA_PATH:
+			return cac_get_ACA_path(card, (sc_path_t *) ptr);
+ 		case SC_CARDCTL_GET_SERIALNR:
+ 			return cac_get_serial_nr_from_CUID(card, (sc_serial_number_t *) ptr);
+ 		case SC_CARDCTL_CAC_INIT_GET_GENERIC_OBJECTS:
+@@ -823,8 +834,6 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
+ 		case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
+ 			return cac_final_iterator(&priv->general_list);
+ 		case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
+-			/* select ACA to be able to verify PIN */
+-			cac_select_ACA(card);
+ 			return cac_final_iterator(&priv->pki_list);
+ 	}
+ 
+@@ -1502,6 +1511,10 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
+ 				return SC_ERROR_OUT_OF_MEMORY;
+ 			r = cac_populate_cac_1(card, index, priv);
+ 			if (r == SC_SUCCESS) {
+				priv->aca_path = malloc(sizeof(sc_path_t));
+				if (!priv->aca_path)
+					return SC_ERROR_OUT_OF_MEMORY;
+				memcpy(priv->aca_path, &cac_ACA_Path, sizeof(sc_path_t));
+ 				card->type = SC_CARD_TYPE_CAC_II;
+ 				card->drv_data = priv;
+ 				return r;
+diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h
+index b647b0537..b610eacc7 100644
+--- a/src/libopensc/cardctl.h
+++ b/src/libopensc/cardctl.h
+@@ -220,6 +220,7 @@ enum {
+ 	SC_CARDCTL_CAC_INIT_GET_CERT_OBJECTS,
+ 	SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT,
+ 	SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS,
+	SC_CARDCTL_CAC_GET_ACA_PATH,
+ 
+         /*
+ 	 * AuthentIC v3
+diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
+index fd463a9b4..ff87a2345 100644
+--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
+@@ -250,6 +250,12 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
+ 		strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
+ 		pin_obj.flags = pins[i].obj_flags;
+ 
+		/* get the ACA path in case it needs to be selected before PIN verify */
+		r = sc_card_ctl(card, SC_CARDCTL_CAC_GET_ACA_PATH, &pin_info.path);
+		if (r < 0) {
+			SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+		}
+
+ 		r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);
+ 		if (r < 0)
+ 			SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
--- a/SOURCES/opensc-0.16.0-cardos.patch
+++ b/SOURCES/opensc-0.16.0-cardos.patch
@ -0,0 +1,240 @@
				@@ -0,0 +1,240 @@
+From bc496dfa59c1cfbc5c47c76511d5c6b7eff5cc6c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 26 Jan 2017 17:11:24 +0100
+Subject: [PATCH 1/4] Set security context for CardOS 5.3 with p1=0x41 (as
+ Coolkey does)
+
+---
+ src/libopensc/card-cardos.c | 16 +++++++++++-----
+ src/libopensc/cards.h       |  1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index 0c14b32..008ce5c 100644
+--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
+@@ -59,7 +59,7 @@ static struct sc_atr_table cardos_atrs[] = {
+ 	/* CardOS v5.0 */
+ 	{ "3b:d2:18:00:81:31:fe:58:c9:01:14", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
+ 	/* CardOS v5.3 */
+-	{ "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
+	{ "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL},
+ 	{ NULL, NULL, NULL, 0, 0, NULL }
+ };
+ 
+@@ -84,6 +84,8 @@ static int cardos_match_card(sc_card_t *card)
+ 		return 1;
+ 	if (card->type == SC_CARD_TYPE_CARDOS_V5_0)
+ 		return 1;
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_3)
+		return 1;
+ 	if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
+ 		int rv;
+ 		sc_apdu_t apdu;
+@@ -195,7 +197,8 @@ static int cardos_init(sc_card_t *card)
+ 		|| card->type == SC_CARD_TYPE_CARDOS_M4_2B
+ 		|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
+ 		|| card->type == SC_CARD_TYPE_CARDOS_M4_4
+-		|| card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+		|| card->type == SC_CARD_TYPE_CARDOS_V5_0
+		|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+ 		rsa_2048 = 1;
+ 		card->caps |= SC_CARD_CAP_APDU_EXT;
+ 	}
+@@ -230,7 +233,7 @@ static int cardos_init(sc_card_t *card)
+ 		_sc_card_add_rsa_alg(card, 2048, flags, 0);
+ 	}
+ 
+-	if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+	if (card->type >= SC_CARD_TYPE_CARDOS_V5_0) {
+ 		/* Starting with CardOS 5, the card supports PIN query commands */
+ 		card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO;
+ 	}
+@@ -249,7 +252,7 @@ static const struct sc_card_error cardos_errors[] = {
+ { 0x6f82, SC_ERROR_CARD_CMD_FAILED,	"not enough memory in xram"}, 
+ { 0x6f84, SC_ERROR_CARD_CMD_FAILED,	"general protection fault"}, 
+ 
+-/* the card doesn't now thic combination of ins+cla+p1+p2 */
+/* the card doesn't now this combination of ins+cla+p1+p2 */
+ /* i.e. command will never work */
+ { 0x6881, SC_ERROR_NO_CARD_SUPPORT,	"logical channel not supported"}, 
+ { 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, 
+@@ -781,6 +784,8 @@ cardos_set_security_env(sc_card_t *card,
+ 	if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) {
+ 		cardos_restore_security_env(card, 0x30);
+ 		apdu.p1 = 0xF1;
+	} else if (card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+		apdu.p1 = 0x41;
+ 	} else {
+ 		apdu.p1 = 0x01;
+ 	}
+@@ -1235,7 +1240,8 @@ cardos_logout(sc_card_t *card)
+ 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
+ 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_3
+ 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_4
+-			|| card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+			|| card->type == SC_CARD_TYPE_CARDOS_V5_0
+			|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+ 		sc_apdu_t apdu;
+ 		int       r;
+ 		sc_path_t path;
+diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
+index d71c02f..9f8f641 100644
+--- a/src/libopensc/cards.h
+++ b/src/libopensc/cards.h
+@@ -47,6 +47,7 @@ enum {
+ 	SC_CARD_TYPE_CARDOS_CIE_V1, /* Italian CIE (eID) v1 */
+ 	SC_CARD_TYPE_CARDOS_M4_4,
+ 	SC_CARD_TYPE_CARDOS_V5_0,
+	SC_CARD_TYPE_CARDOS_V5_3,
+ 
+ 	/* flex/cyberflex drivers */
+ 	SC_CARD_TYPE_FLEX_BASE = 2000,
+-- 
+2.9.3
+
+
+From 5dec534cf07e45ffb0209a53d6145022ecd9259a Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 30 Jan 2017 14:33:05 +0100
+Subject: [PATCH 2/4] Do not emulate signatures in CardOS 5.3
+
+Remove the bogus SC_ALGORITHM_NEED_USAGE which prevents using the
+actual implementation in cardos_compute_signature().
+
+It might be bogus also in previous version, but I don't have a way
+to verify against these cards.
+---
+ src/libopensc/card-cardos.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index 008ce5c..a21e67a 100644
+--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
+@@ -177,11 +177,13 @@ static int cardos_init(sc_card_t *card)
+ 	card->cla = 0x00;
+ 
+ 	/* Set up algorithm info. */
+-	flags = SC_ALGORITHM_NEED_USAGE
+-		| SC_ALGORITHM_RSA_RAW
+	flags = SC_ALGORITHM_RSA_RAW
+ 		| SC_ALGORITHM_RSA_HASH_NONE
+ 		| SC_ALGORITHM_ONBOARD_KEY_GEN
+ 		;
+	if (card->type != SC_CARD_TYPE_CARDOS_V5_3)
+		flags |= SC_ALGORITHM_NEED_USAGE;
+
+ 	_sc_card_add_rsa_alg(card,  512, flags, 0);
+ 	_sc_card_add_rsa_alg(card,  768, flags, 0);
+ 	_sc_card_add_rsa_alg(card, 1024, flags, 0);
+@@ -252,7 +254,7 @@ static const struct sc_card_error cardos_errors[] = {
+ { 0x6f82, SC_ERROR_CARD_CMD_FAILED,	"not enough memory in xram"}, 
+ { 0x6f84, SC_ERROR_CARD_CMD_FAILED,	"general protection fault"}, 
+ 
+-/* the card doesn't now this combination of ins+cla+p1+p2 */
+/* the card doesn't know this combination of ins+cla+p1+p2 */
+ /* i.e. command will never work */
+ { 0x6881, SC_ERROR_NO_CARD_SUPPORT,	"logical channel not supported"}, 
+ { 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, 
+-- 
+2.9.3
+
+
+From 057197c7abf29715a2b7793045c35adf2a34dc17 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 10 Mar 2017 16:37:43 +0100
+Subject: [PATCH 3/4] Hack for returning the padding back in CardOS 5.3
+
+---
+ src/libopensc/card-cardos.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index a21e67a..39ec4ac 100644
+--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
+@@ -979,6 +979,30 @@ cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,
+ }
+ 
+ static int
+cardos_decipher(struct sc_card *card,
+		const u8 * crgram, size_t crgram_len,
+		u8 * out, size_t outlen)
+{
+	int r;
+	u8 *tmp = NULL;
+	size_t tmp_len = crgram_len;
+
+	assert(card != NULL && crgram != NULL && out != NULL);
+	LOG_FUNC_CALLED(card->ctx);
+
+	tmp = malloc(tmp_len);
+	r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len);
+
+	/* add bogus padding, because the card removes it */
+	if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1,
+			tmp, r, out, &outlen, crgram_len) != SC_SUCCESS)
+		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
+	out[1] = 0x02; /* this is encryption-padding */
+
+	LOG_FUNC_RETURN(card->ctx, outlen);
+}
+
+static int
+ cardos_lifecycle_get(sc_card_t *card, int *mode)
+ {
+ 	sc_apdu_t	apdu;
+@@ -1278,6 +1302,7 @@ static struct sc_card_driver * sc_get_driver(void)
+ 	cardos_ops.set_security_env = cardos_set_security_env;
+ 	cardos_ops.restore_security_env = cardos_restore_security_env;
+ 	cardos_ops.compute_signature = cardos_compute_signature;
+	cardos_ops.decipher = cardos_decipher;
+ 
+ 	cardos_ops.list_files = cardos_list_files;
+ 	cardos_ops.check_sw = cardos_check_sw;
+-- 
+2.9.3
+
+
+From 515f761f5564e91302ce672d30a24d6e6738e349 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 13 Mar 2017 15:15:48 +0100
+Subject: [PATCH 4/4] With older cards, use iso decipher
+
+---
+ src/libopensc/card-cardos.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index 39ec4ac..d479065 100644
+--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
+@@ -992,10 +992,22 @@ cardos_decipher(struct sc_card *card,
+ 
+ 	tmp = malloc(tmp_len);
+ 	r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len);
+	if (r < 0)
+		LOG_FUNC_RETURN(card->ctx, r);
+
+	if (card->type != SC_CARD_TYPE_CARDOS_V5_3) {
+		/* XXX */
+		memcpy(out, tmp, tmp_len);
+		outlen = tmp_len;
+		free(tmp);
+		LOG_FUNC_RETURN(card->ctx, r);
+	}
+ 
+ 	/* add bogus padding, because the card removes it */
+-	if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1,
+-			tmp, r, out, &outlen, crgram_len) != SC_SUCCESS)
+	r = sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1,
+		tmp, r, out, &outlen, crgram_len);
+	free(tmp);
+	if (r != SC_SUCCESS)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
+ 	out[1] = 0x02; /* this is encryption-padding */
+ 
+-- 
+2.9.3
+
--- a/SOURCES/opensc-0.16.0-cardos5.patch
+++ b/SOURCES/opensc-0.16.0-cardos5.patch
@ -0,0 +1,126 @@
				@@ -0,0 +1,126 @@
+From 60dbebf511cf6112e5fc2c3549ce38881847b121 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 22 Aug 2017 10:46:26 +0200
+Subject: [PATCH] Parse the ECC parameters from TokenInfo (CHOICE in
+ AlgorithmInfo)
+
+Fixes #1134
+---
+ src/libopensc/opensc.h |  1 +
+ src/libopensc/pkcs15.c | 40 +++++++++++++++++++++++++++++++++-------
+ 2 files changed, 34 insertions(+), 7 deletions(-)
+
+diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
+index f81f27e3a..688c14003 100644
+--- a/src/libopensc/opensc.h
+++ b/src/libopensc/opensc.h
+@@ -163,6 +163,7 @@ extern "C" {
+ struct sc_supported_algo_info {
+ 	unsigned int reference;
+ 	unsigned int mechanism;
+	struct sc_object_id *parameters; /* OID for ECC, NULL for RSA */
+ 	unsigned int operations;
+ 	struct sc_object_id algo_id;
+ 	unsigned int algo_ref;
+diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
+index 05fe03061..ba99c8af9 100644
+--- a/src/libopensc/pkcs15.c
+++ b/src/libopensc/pkcs15.c
+@@ -50,13 +50,19 @@ static const struct sc_asn1_entry c_asn1_twlabel[] = {
+ static const struct sc_asn1_entry c_asn1_algorithm_info[7] = {
+ 	{ "reference",		SC_ASN1_INTEGER,	SC_ASN1_TAG_INTEGER,	0, NULL, NULL },
+ 	{ "algorithmPKCS#11",	SC_ASN1_INTEGER,	SC_ASN1_TAG_INTEGER,	0, NULL, NULL },
+-	{ "parameters",		SC_ASN1_NULL,		SC_ASN1_TAG_NULL,	0, NULL, NULL },
+	{ "parameters",		SC_ASN1_CHOICE,		0,			0, NULL, NULL },
+ 	{ "supportedOperations",SC_ASN1_BIT_FIELD,	SC_ASN1_TAG_BIT_STRING,	0, NULL, NULL },
+ 	{ "objId",		SC_ASN1_OBJECT,		SC_ASN1_TAG_OBJECT,	SC_ASN1_OPTIONAL, NULL, NULL },
+ 	{ "algRef",		SC_ASN1_INTEGER,	SC_ASN1_TAG_INTEGER,	SC_ASN1_OPTIONAL, NULL, NULL },
+ 	{ NULL, 0, 0, 0, NULL, NULL }
+ };
+ 
+static const struct sc_asn1_entry c_asn1_algorithm_info_parameters[3] = {
+	{ "PKCS15RSAParameters",SC_ASN1_NULL,		SC_ASN1_TAG_NULL,	0, NULL, NULL },
+	{ "PKCS15ECParameters",	SC_ASN1_OBJECT,		SC_ASN1_TAG_OBJECT,	0, NULL, NULL },
+	{ NULL, 0, 0, 0, NULL, NULL }
+};
+
+ /*
+  * in src/libopensc/types.h SC_MAX_SUPPORTED_ALGORITHMS  defined as 8
+  */
+@@ -134,9 +140,11 @@ int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx,
+ 	u8 preferred_language[3];
+ 	size_t lang_length = sizeof(preferred_language);
+ 	struct sc_asn1_entry asn1_supported_algorithms[SC_MAX_SUPPORTED_ALGORITHMS + 1],
+-			asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7];
+			asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7],
+			asn1_algo_infos_parameters[SC_MAX_SUPPORTED_ALGORITHMS][3];
+ 	size_t reference_len = sizeof(ti->supported_algos[0].reference);
+ 	size_t mechanism_len = sizeof(ti->supported_algos[0].mechanism);
+	size_t parameter_len = sizeof(ti->supported_algos[0].parameters);
+ 	size_t operations_len = sizeof(ti->supported_algos[0].operations);
+ 	size_t algo_ref_len = sizeof(ti->supported_algos[0].algo_ref);
+ 
+@@ -152,14 +160,22 @@ int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx,
+ 	sc_format_asn1_entry(asn1_twlabel, label, &label_len, 0);
+ 	sc_copy_asn1_entry(c_asn1_profile_indication, asn1_profile_indication);
+ 
+-	for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++)
+	for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++) {
+ 		sc_copy_asn1_entry(c_asn1_algorithm_info, asn1_algo_infos[ii]);
+		sc_copy_asn1_entry(c_asn1_algorithm_info_parameters,
+			asn1_algo_infos_parameters[ii]);
+	}
+ 	sc_copy_asn1_entry(c_asn1_supported_algorithms, asn1_supported_algorithms);
+ 
+ 	for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++)   {
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 0, &ti->supported_algos[ii].reference, &reference_len, 0);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 1, &ti->supported_algos[ii].mechanism, &mechanism_len, 0);
+-		sc_format_asn1_entry(asn1_algo_infos[ii] + 2, NULL, NULL, 0);
+		sc_format_asn1_entry(asn1_algo_infos[ii] + 2,
+			asn1_algo_infos_parameters[ii], NULL, 0);
+		sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 0,
+			NULL, NULL, 0);
+		sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 1,
+			&ti->supported_algos[ii].parameters, &parameter_len, 0);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 3, &ti->supported_algos[ii].operations, &operations_len, 0);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 4, &ti->supported_algos[ii].algo_id, NULL, 1);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 5, &ti->supported_algos[ii].algo_ref, &algo_ref_len, 0);
+@@ -270,9 +286,11 @@ sc_pkcs15_encode_tokeninfo(sc_context_t *ctx, sc_pkcs15_tokeninfo_t *ti,
+ 	struct sc_asn1_entry asn1_toki_attrs[C_ASN1_TOKI_ATTRS_SIZE];
+ 	struct sc_asn1_entry asn1_tokeninfo[2];
+ 	struct sc_asn1_entry asn1_supported_algorithms[SC_MAX_SUPPORTED_ALGORITHMS + 1],
+-			asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7];
+			asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7],
+			asn1_algo_infos_parameters[SC_MAX_SUPPORTED_ALGORITHMS][3];
+ 	size_t reference_len = sizeof(ti->supported_algos[0].reference);
+ 	size_t mechanism_len = sizeof(ti->supported_algos[0].mechanism);
+	size_t parameter_len = sizeof(ti->supported_algos[0].parameters);
+ 	size_t operations_len = sizeof(ti->supported_algos[0].operations);
+ 	size_t algo_ref_len = sizeof(ti->supported_algos[0].algo_ref);
+ 	struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
+@@ -283,14 +301,22 @@ sc_pkcs15_encode_tokeninfo(sc_context_t *ctx, sc_pkcs15_tokeninfo_t *ti,
+ 	sc_copy_asn1_entry(c_asn1_last_update, asn1_last_update);
+ 	sc_copy_asn1_entry(c_asn1_profile_indication, asn1_profile_indication);
+ 
+-	for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++)
+	for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++) {
+ 		sc_copy_asn1_entry(c_asn1_algorithm_info, asn1_algo_infos[ii]);
+		sc_copy_asn1_entry(c_asn1_algorithm_info_parameters,
+			asn1_algo_infos_parameters[ii]);
+	}
+ 	sc_copy_asn1_entry(c_asn1_supported_algorithms, asn1_supported_algorithms);
+ 
+ 	for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++)   {
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 0, &ti->supported_algos[ii].reference, &reference_len, 1);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 1, &ti->supported_algos[ii].mechanism, &mechanism_len, 1);
+-		sc_format_asn1_entry(asn1_algo_infos[ii] + 2, NULL, NULL, 0);
+		sc_format_asn1_entry(asn1_algo_infos[ii] + 2,
+			asn1_algo_infos_parameters[ii], NULL, 0);
+		sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 0,
+			NULL, NULL, 0);
+		sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 1,
+			&ti->supported_algos[ii].parameters, &parameter_len, 0);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 3, &ti->supported_algos[ii].operations, &operations_len, 1);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 4, &ti->supported_algos[ii].algo_id, NULL, 1);
+ 		sc_format_asn1_entry(asn1_algo_infos[ii] + 5, &ti->supported_algos[ii].algo_ref, &algo_ref_len, 1);
+
--- a/SOURCES/opensc-0.16.0-coolkey-labels.patch
+++ b/SOURCES/opensc-0.16.0-coolkey-labels.patch
@ -0,0 +1,68 @@
				@@ -0,0 +1,68 @@
+From a4b6b9630eb2ee684bbf1560a93b3075c7eb58ab Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 4 Jul 2017 14:25:50 +0200
+Subject: [PATCH] [coolkey] Copy labels from certificate objects to the keys
+
+---
+ src/libopensc/pkcs15-coolkey.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c
+index 5064a0f4f..a5f457acd 100644
+--- a/src/libopensc/pkcs15-coolkey.c
+++ b/src/libopensc/pkcs15-coolkey.c
+@@ -484,7 +484,7 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
+ 	sc_card_t *card = p15card->card;
+ 	sc_serial_number_t serial;
+ 	int count;
+-
+	struct sc_pkcs15_object *obj;
+ 
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+ 
+@@ -558,6 +558,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
+ 
+ 
+ 		memset(&obj_obj, 0, sizeof(obj_obj));
+		/* coolkey applets have label only on the certificates,
+		 * but we should copy it also to the keys maching the same ID */
+ 		coolkey_get_attribute_bytes(card, &coolkey_obj, CKA_LABEL, (u8 *)obj_obj.label, &len, sizeof(obj_obj.label));
+ 		coolkey_get_flags(card, &coolkey_obj, &obj_obj.flags);
+ 		if (obj_obj.flags & SC_PKCS15_CO_FLAG_PRIVATE) {
+@@ -677,6 +679,35 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
+ 	}
+ 	r = (card->ops->card_ctl)(card, SC_CARDCTL_COOLKEY_FINAL_GET_OBJECTS, &count);
+ 
+	/* Iterate over all the created objects and fill missing labels */
+	for (obj = p15card->obj_list; obj != NULL; obj = obj->next) {
+		struct sc_pkcs15_id *id = NULL;
+		struct sc_pkcs15_object *cert_object;
+
+		/* label non-empty -- do not overwrite */
+		if (obj->label[0] != '\0')
+			continue;
+
+		switch (obj->type & SC_PKCS15_TYPE_CLASS_MASK) {
+		case SC_PKCS15_TYPE_PUBKEY:
+			id = &((struct sc_pkcs15_pubkey_info *)obj->data)->id;
+			break;
+		case SC_PKCS15_TYPE_PRKEY:
+			id = &((struct sc_pkcs15_prkey_info *)obj->data)->id;
+			break;
+		default:
+			/* We do not care about other objects */
+			continue;
+		}
+		r = sc_pkcs15_find_cert_by_id(p15card, id, &cert_object);
+		if (r != 0)
+			continue;
+
+		sc_log(card->ctx, "Copy label \"%s\" from cert to key object",
+			cert_object->label);
+		memcpy(obj->label, cert_object->label, SC_PKCS15_MAX_LABEL_SIZE);
+	}
+
+ 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ }
+ 
+
--- a/SOURCES/opensc-0.16.0-coverity.patch
+++ b/SOURCES/opensc-0.16.0-coverity.patch
@ -0,0 +1,643 @@
				@@ -0,0 +1,643 @@
+From 15163e6212aaf6b2dd5d7b432e5b13ca39496110 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 28 Feb 2017 16:12:31 +0100
+Subject: [PATCH 1/3] Coverity fixes for:
+
+card-cac.c
+ * CLANG_WARNING: The left operand of '<' is a garbage value
+card-coolkey.c
+ * CLANG_WARNING: overwriting variable
+ * CPPCHECK_WARNING: memory leak / overwrite variable
+ * CLANG_WARNING: null pointer dereference
+ * UNUSED_VALUE: unused return value
+card-gids.c
+ * CLANG_WARNING: Branch condition evaluates to a garbage value
+ * SIZEOF_MISMATCH: suspicious_sizeof
+card-myeid.c
+ * RESOURCE_LEAK: Variable "buf" going out of scope leaks the storage it points to.
+ * CLANG_WARNING: overwriting variable
+ * (rewrite not to confuse coverity)
+pkcs15-cac.c
+ * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to.
+pkcs15-coolkey.c
+ * UNUSED_VALUE: unused return value
+pkcs15-piv.c
+ * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to.
+pkcs15-sc-hsm.c
+ * DEADCODE
+pkcs11/framework-pkcs15.c
+ * RESOURCE_LEAK: Variable "p15_cert" going out of scope leaks the storage it points to.
+pkcs15init/pkcs15-lib.c
+ * CLANG_WARNING: Assigned value is garbage or undefined
+pkcs15init/pkcs15-myeid.c
+ * UNREACHABLE: Probably wrong placement of code block
+tests/p15dump.c
+ * IDENTICAL_BRANCHES
+pkcs15-init.c
+ * CLANG_WARNING: Potential leak of memory pointed to by 'args.der_encoded.value'
+pkcs15-tool.c
+ * RESOURCE_LEAK: Variable "cert" going out of scope leaks the storage it points to.
+ * MISSING_BREAK: The above case falls through to this one.
+sc-hsm-tool.c
+ * CLANG_WARNING: Potential leak of memory pointed to by 'sp'
+westcos-tool.c
+ * FORWARD_NULL: Passing null pointer "pin" to "unlock_pin", which dereferences it.
+ * (rewrite not to confuse coverity)
+---
+ src/libopensc/card-cac.c       |  2 +-
+ src/libopensc/card-coolkey.c   |  7 +++++--
+ src/libopensc/card-entersafe.c |  2 +-
+ src/libopensc/card-gids.c      |  7 ++++++-
+ src/libopensc/card-myeid.c     | 20 ++++++++++++--------
+ src/libopensc/iso7816.c        |  1 +
+ src/libopensc/pkcs15-cac.c     |  5 ++++-
+ src/libopensc/pkcs15-coolkey.c |  2 ++
+ src/libopensc/pkcs15-piv.c     |  3 ++-
+ src/libopensc/pkcs15-sc-hsm.c  |  6 ++----
+ src/pkcs11/framework-pkcs15.c  |  7 ++++++-
+ src/pkcs15init/pkcs15-lib.c    |  2 +-
+ src/pkcs15init/pkcs15-myeid.c  |  4 ++--
+ src/tests/p15dump.c            |  3 +--
+ src/tools/pkcs15-init.c        |  4 +++-
+ src/tools/pkcs15-tool.c        | 11 ++++++++---
+ src/tools/sc-hsm-tool.c        |  2 ++
+ src/tools/westcos-tool.c       |  6 +++---
+ 18 files changed, 62 insertions(+), 32 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index d5f8585..788fb52 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -467,7 +467,7 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l
+ 	size_t left = 0;
+ 	size_t len, next_len;
+ 	sc_apdu_t apdu;
+-	int r;
+	int r = SC_SUCCESS;
+ 
+ 
+ 	/* get the size */
+diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
+index c44febe..7672028 100644
+--- a/src/libopensc/card-coolkey.c
+++ b/src/libopensc/card-coolkey.c
+@@ -1369,7 +1369,7 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj)
+ {
+ 	int r;
+ 	size_t buf_len = obj->length;
+-	u8 *new_obj_data = malloc(buf_len);
+	u8 *new_obj_data = NULL;
+ 	sc_cardctl_coolkey_object_t *obj_entry;
+ 	coolkey_private_data_t * priv = COOLKEY_DATA(card);
+ 
+@@ -1413,7 +1413,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut
+ 	const u8 *obj = attribute->object->data;
+ 	const u8 *attr = NULL;
+ 	size_t buf_len = attribute->object->length;
+-	coolkey_object_header_t *object_head = (coolkey_object_header_t *)obj;
+	coolkey_object_header_t *object_head;
+ 	int attribute_count,i;
+ 	attribute->attribute_data_type = SC_CARDCTL_COOLKEY_ATTR_TYPE_STRING;
+ 	attribute->attribute_length = 0;
+@@ -1434,6 +1434,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut
+ 	if (buf_len <= sizeof(coolkey_v0_object_header_t)) {
+ 		return SC_ERROR_CORRUPTED_DATA;
+ 	}
+	object_head = (coolkey_object_header_t *)obj;
+ 	object_record_type = object_head->record_type;
+ 	/* make sure it's a type we recognize */
+ 	if ((object_record_type != COOLKEY_V1_OBJECT) && (object_record_type != COOLKEY_V0_OBJECT)) {
+@@ -2183,6 +2184,8 @@ static int coolkey_initialize(sc_card_t *card)
+ 			continue;
+ 		}
+ 		r = coolkey_add_object(priv, object_id, NULL, object_len, 0);
+		if (r != SC_SUCCESS)
+			sc_log(card->ctx, "coolkey_add_object() returned %d", r);
+ 
+ 	}
+ 	if (r != SC_ERROR_FILE_END_REACHED) {
+diff --git a/src/libopensc/card-entersafe.c b/src/libopensc/card-entersafe.c
+index 6e18252..1fe4102 100644
+--- a/src/libopensc/card-entersafe.c
+++ b/src/libopensc/card-entersafe.c
+@@ -487,7 +487,7 @@ static int entersafe_select_fid(sc_card_t *card,
+ 								sc_file_t **file_out)
+ {
+ 	int r;
+-	sc_file_t *file=0;
+	sc_file_t *file = NULL;
+ 	sc_path_t path;
+ 
+ 	memset(&path, 0, sizeof(sc_path_t));
+diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c
+index 51db9af..4db09f5 100644
+--- a/src/libopensc/card-gids.c
+++ b/src/libopensc/card-gids.c
+@@ -668,6 +668,7 @@ static int gids_get_crypto_identifier_from_key_ref(sc_card_t *card, const unsign
+ 	if (index >= recordsnum) {
+ 		SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS);
+ 	}
+	*cryptoidentifier = 0x00; /* initialize to zero */
+ 	if (records[index].wKeyExchangeKeySizeBits == 1024 || records[index].wSigKeySizeBits == 1024) {
+ 		*cryptoidentifier = GIDS_RSA_1024_IDENTIFIER;
+ 		return SC_SUCCESS;
+@@ -878,12 +879,16 @@ static int gids_read_public_key (struct sc_card *card , unsigned int algorithm,
+ 	if (keydata != NULL) {
+ 		rsa_key.modulus.data = (u8*) keydata;
+ 		rsa_key.modulus.len = len;
+	} else {
+		rsa_key.modulus.len = 0;
+ 	}
+ 
+ 	keydata = sc_asn1_find_tag(card->ctx, keytemplate, tlen, GIDS_PUBKEY_TAG_EXPONENT, &len);
+ 	if (keydata != NULL) {
+ 		rsa_key.exponent.data = (u8*) keydata;
+ 		rsa_key.exponent.len = len;
+	} else {
+		rsa_key.exponent.len = 0;
+ 	}
+ 
+ 	if (rsa_key.exponent.len && rsa_key.modulus.len) {
+@@ -1453,7 +1458,7 @@ static int gids_import_key(sc_card_t *card, sc_pkcs15_object_t *object, sc_pkcs1
+ 	SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_NORMAL, r, "unable to put the private key - key greater than 2048 bits ?");
+ 	r = SC_SUCCESS;
+ err:
+-	sc_mem_clear(buffer, sizeof(buffer));
+	sc_mem_clear(buffer, buflen);
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
+diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
+index 0e75486..65c108f 100644
+--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
+@@ -846,20 +846,24 @@ myeid_convert_ec_signature(struct sc_context *ctx, size_t s_len, unsigned char *
+ 	if (sig_len != (datalen - len_size - 1))	/* validate size of the DER structure */
+ 	    return SC_ERROR_INVALID_DATA;
+ 
+-	buf = calloc(1, (s_len + 7)/8*2);
+	/* test&fail early */
+	buflen = (s_len + 7)/8*2;
+	if (buflen > datalen)
+		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+	buf = calloc(1, buflen);
+ 	if (!buf)
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
+-	buflen = (s_len + 7)/8*2;
+ 
+ 	r = sc_asn1_sig_value_sequence_to_rs(ctx, data, datalen, buf, buflen);
+-	if (r < 0)
+	if (r < 0) {
+ 		free(buf);
+-	LOG_TEST_RET(ctx, r, "Failed to cenvert Sig-Value to the raw RS format");
+-
+-	if (buflen > datalen)
+-		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+		sc_log(ctx, "Failed to convert Sig-Value to the raw RS format");
+		return r;
+	}
+ 
+ 	memmove(data, buf, buflen);
+	free(buf);
+ 	return buflen;
+ }
+ 
+@@ -868,7 +872,7 @@ static int
+ myeid_compute_signature(struct sc_card *card, const u8 * data, size_t datalen,
+ 		u8 * out, size_t outlen)
+ {
+-	struct sc_context *ctx = card->ctx;
+	struct sc_context *ctx;
+ 	struct sc_apdu apdu;
+ 	u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
+ 	u8 sbuf[SC_MAX_APDU_BUFFER_SIZE];
+diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
+index 296cf69..2539d1c 100644
+--- a/src/libopensc/iso7816.c
+++ b/src/libopensc/iso7816.c
+@@ -392,6 +392,7 @@ iso7816_process_fci(struct sc_card *card, struct sc_file *file,
+ 			sc_log(ctx, "  type: %s", type);
+ 			sc_log(ctx, "  EF structure: %d", byte & 0x07);
+ 			sc_log(ctx, "  tag 0x82: 0x%02x", byte);
+			/* FIXME: check return value? */
+ 			sc_file_set_type_attr(file, &byte, 1);
+ 		}
+ 	}
+diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
+index 4894fe4..e0fa50b 100644
+--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
+@@ -292,7 +292,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
+ 		struct sc_pkcs15_object pubkey_obj;
+ 		struct sc_pkcs15_object prkey_obj;
+ 		sc_pkcs15_der_t   cert_der;
+-		sc_pkcs15_cert_t *cert_out;
+		sc_pkcs15_cert_t *cert_out = NULL;
+ 
+ 		r = (card->ops->card_ctl)(card, SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT, &obj_info);
+ 
+@@ -352,12 +352,14 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
+ 		r =  sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
+ 		if (r < 0 || cert_out->key == NULL) {
+ 			sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
+			sc_pkcs15_free_certificate(cert_out);
+ 			continue;
+ 		}
+ 
+ 		r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
+ 		if (r < 0) {
+ 			sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, " Failed to add cert obj r=%d",r);
+			sc_pkcs15_free_certificate(cert_out);
+ 			continue;
+ 		}
+ 		/* set the token name to the name of the CN of the first certificate */
+@@ -393,6 +395,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
+ 				 usage, pubkey_info.usage, prkey_info.usage);
+ 		if (cert_out->key->algorithm != SC_ALGORITHM_RSA) {
+ 			sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"unsupported key.algorithm %d", cert_out->key->algorithm);
+			sc_pkcs15_free_certificate(cert_out);
+ 			continue;
+ 		} else {
+ 			pubkey_info.modulus_length = cert_out->key->u.rsa.modulus.len * 8;
+diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c
+index 487be19..de4920b 100644
+--- a/src/libopensc/pkcs15-coolkey.c
+++ b/src/libopensc/pkcs15-coolkey.c
+@@ -667,6 +667,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
+ 		}
+ 
+ 		r = sc_pkcs15emu_object_add(p15card, obj_type, &obj_obj, obj_info);
+		if (r != SC_SUCCESS)
+			sc_log(card->ctx, "sc_pkcs15emu_object_add() returned %d", r);
+ fail:
+ 		if (key) { sc_pkcs15_free_pubkey(key); }
+ 
+diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
+index bf72df0..5bd0fdf 100644
+--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
+@@ -710,7 +710,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+ 		struct sc_pkcs15_cert_info cert_info;
+ 		struct sc_pkcs15_object    cert_obj;
+ 		sc_pkcs15_der_t   cert_der;
+-		sc_pkcs15_cert_t *cert_out;
+		sc_pkcs15_cert_t *cert_out = NULL;
+ 		
+ 		ckis[i].cert_found = 0;
+ 		ckis[i].key_alg = -1;
+@@ -761,6 +761,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+ 		r =  sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
+ 		if (r < 0 || cert_out->key == NULL) {
+ 			sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
+			sc_pkcs15_free_certificate(cert_out);
+ 			continue;
+ 		}
+ 		/* 
+diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c
+index 938ea9d..3f6b6e4 100644
+--- a/src/libopensc/pkcs15-sc-hsm.c
+++ b/src/libopensc/pkcs15-sc-hsm.c
+@@ -460,6 +460,7 @@ static int sc_pkcs15emu_sc_hsm_get_ec_public_key(struct sc_context *ctx, sc_cvc_
+ 	memcpy(pubkey->u.ec.params.der.value, ecp->der.value, ecp->der.len);
+ 	pubkey->u.ec.params.der.len = ecp->der.len;
+ 
+	/* FIXME: check return value? */
+ 	sc_pkcs15_fix_ec_parameters(ctx, &pubkey->u.ec.params);
+ 
+ 	return SC_SUCCESS;
+@@ -627,11 +628,8 @@ static int sc_pkcs15emu_sc_hsm_add_prkd(sc_pkcs15_card_t * p15card, u8 keyid) {
+ 
+ 	len = sizeof efbin;
+ 	r = read_file(p15card, fid, efbin, &len);
+-	LOG_TEST_RET(card->ctx, r, "Could not read EF");
+ 
+-	if (r < 0) {
+-		return SC_SUCCESS;
+-	}
+	LOG_TEST_RET(card->ctx, r, "Could not read EF");
+ 
+ 	if (efbin[0] == 0x67) {		/* Decode CSR and create public key object */
+ 		sc_pkcs15emu_sc_hsm_add_pubkey(p15card, efbin, len, key_info, prkd.label);
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index 0c89d47..732e1e5 100644
+--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
+@@ -571,8 +571,11 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj
+ 	/* Certificate object */
+ 	rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object,
+ 			cert, &pkcs15_cert_ops, sizeof(struct pkcs15_cert_object));
+-	if (rv < 0)
+	if (rv < 0) {
+		if (p15_cert != NULL)
+			sc_pkcs15_free_certificate(p15_cert);
+ 		return rv;
+	}
+ 
+ 	object->cert_info = p15_info;
+ 	object->cert_data = p15_cert;
+@@ -643,6 +646,8 @@ __pkcs15_create_pubkey_object(struct pkcs15_fw_data *fw_data,
+ 		object->pub_data = p15_key;
+ 		if (p15_key && object->pub_info->modulus_length == 0 && p15_key->algorithm == SC_ALGORITHM_RSA)
+ 			object->pub_info->modulus_length = 8 * p15_key->u.rsa.modulus.len;
+	} else if (pubkey->emulated && (fw_data->p15_card->flags & SC_PKCS15_CARD_FLAG_EMULATED)) {
+		sc_pkcs15_free_pubkey(p15_key);
+ 	}
+ 
+ 	if (pubkey_object != NULL)
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index c2fc2df..d1558e2 100644
+--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
+@@ -760,7 +760,7 @@ sc_pkcs15init_add_app(struct sc_card *card, struct sc_profile *profile,
+ 	struct sc_pkcs15_object	*pin_obj = NULL;
+ 	struct sc_app_info	*app;
+ 	struct sc_file		*df = profile->df_info->file;
+-	int			r;
+	int			r = SC_SUCCESS;
+ 
+ 	LOG_FUNC_CALLED(ctx);
+ 	p15card->card = card;
+diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c
+index 9ed515d..6c93545 100644
+--- a/src/pkcs15init/pkcs15-myeid.c
+++ b/src/pkcs15init/pkcs15-myeid.c
+@@ -510,10 +510,10 @@ myeid_store_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ 				keybits = key_info->field_length;
+ 			else
+ 				key_info->field_length = keybits;
+-			break;
+-			
+
+ 			if (sc_card_find_ec_alg(p15card->card, keybits, &prkey->u.ec.params.id) == NULL)
+ 				LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Unsupported algorithm or key size");			
+			break;
+ 		default:
+ 			LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Store key failed: Unsupported key type");
+ 			break;
+diff --git a/src/tests/p15dump.c b/src/tests/p15dump.c
+index 17ab86b..da8b4a3 100644
+--- a/src/tests/p15dump.c
+++ b/src/tests/p15dump.c
+@@ -30,8 +30,7 @@ static int dump_objects(const char *what, int type)
+ 		printf("failed.\n");
+ 		fprintf(stderr, "Error enumerating %s: %s\n",
+ 			what, sc_strerror(count));
+-		if (SC_SUCCESS != sc_unlock(card))
+-			return 1;
+		sc_unlock(card);
+ 		return 1;
+ 	}
+ 	if (count == 0) {
+diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c
+index a1b183d..a4fb1a9 100644
+--- a/src/tools/pkcs15-init.c
+++ b/src/tools/pkcs15-init.c
+@@ -1318,8 +1318,10 @@ do_store_data_object(struct sc_profile *profile)
+ 		args.der_encoded.value = data;
+ 		args.der_encoded.len = datalen;
+ 		r = sc_lock(p15card->card);
+-		if (r < 0)
+		if (r < 0) {
+			free(data);
+ 			return r;
+		}
+ 		r = sc_pkcs15init_store_data_object(p15card, profile, &args, NULL);
+ 		sc_unlock(p15card->card);
+ 	}
+diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c
+index 092b9d9..e146753 100644
+--- a/src/tools/pkcs15-tool.c
+++ b/src/tools/pkcs15-tool.c
+@@ -793,15 +793,18 @@ static int read_public_key(void)
+ 
+ 	if (r == SC_ERROR_OBJECT_NOT_FOUND) {
+ 		fprintf(stderr, "Public key with ID '%s' not found.\n", opt_pubkey);
+-		return 2;
+		r = 2;
+		goto out;
+ 	}
+ 	if (r < 0) {
+ 		fprintf(stderr, "Public key enumeration failed: %s\n", sc_strerror(r));
+-		return 1;
+		r = 1;
+		goto out;
+ 	}
+ 	if (!pubkey) {
+ 		fprintf(stderr, "Public key not available\n");
+-		return 1;
+		r = 1;
+		goto out;
+ 	}
+ 
+ 	r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len);
+@@ -813,6 +816,7 @@ static int read_public_key(void)
+ 		free(pem_key.value);
+ 	}
+ 
+out:
+ 	if (cert)
+ 		sc_pkcs15_free_certificate(cert);
+ 	else if (pubkey)
+@@ -2097,6 +2101,7 @@ int main(int argc, char * const argv[])
+ 			break;
+ 		case OPT_USE_PINPAD_DEPRECATED:
+ 			fprintf(stderr, "'--no-prompt' is deprecated , use '--use-pinpad' instead.\n");
+			/* fallthrough */
+ 		case OPT_USE_PINPAD:
+ 			opt_use_pinpad = 1;
+ 			break;
+diff --git a/src/tools/sc-hsm-tool.c b/src/tools/sc-hsm-tool.c
+index cce855f..029d991 100644
+--- a/src/tools/sc-hsm-tool.c
+++ b/src/tools/sc-hsm-tool.c
+@@ -697,6 +697,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas
+ 		memset(inbuf, 0, sizeof(inbuf));
+ 		if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) {
+ 			fprintf(stderr, "Input aborted\n");
+			free(shares);
+ 			return -1;
+ 		}
+ 		p = (sp->x);
+@@ -706,6 +707,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas
+ 		memset(inbuf, 0, sizeof(inbuf));
+ 		if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) {
+ 			fprintf(stderr, "Input aborted\n");
+			free(shares);
+ 			return -1;
+ 		}
+ 		binlen = 64;
+diff --git a/src/tools/westcos-tool.c b/src/tools/westcos-tool.c
+index 29b75dd..ff3d5e6 100644
+--- a/src/tools/westcos-tool.c
+++ b/src/tools/westcos-tool.c
+@@ -91,8 +91,6 @@ static int finalize = 0;
+ static int install_pin = 0;
+ static int overwrite = 0;
+ 
+-static const char *pin = NULL;
+-static const char *puk = NULL;
+ static char *cert = NULL;
+ 
+ static int keylen = 0;
+@@ -260,7 +258,7 @@ static int unlock_pin(sc_card_t *card,
+ 	}
+ 	else
+ 	{
+-		if(pin == NULL || puk == NULL)
+		if(pin_value == NULL || puk_value == NULL)
+ 		{
+ 			return SC_ERROR_INVALID_ARGUMENTS;
+ 		}
+@@ -372,6 +370,8 @@ int main(int argc, char *argv[])
+ 	RSA	*rsa = NULL;
+ 	BIGNUM	*bn = NULL;
+ 	BIO	*mem = NULL;
+	static const char *pin = NULL;
+	static const char *puk = NULL;
+ 
+ 	while (1)
+ 	{
+
+From e73b2ad2e01cbcc3fdee471ce9692ab95a83b8a0 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 1 Mar 2017 09:45:17 +0100
+Subject: [PATCH 2/3] Sanitize call to sc_pkcs15_free_certificate()
+
+---
+ src/libopensc/pkcs15-cac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
+index e0fa50b..61c6430 100644
+--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
+@@ -352,7 +352,8 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
+ 		r =  sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
+ 		if (r < 0 || cert_out->key == NULL) {
+ 			sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
+-			sc_pkcs15_free_certificate(cert_out);
+			if (cert_out != NULL)
+				sc_pkcs15_free_certificate(cert_out);
+ 			continue;
+ 		}
+ 
+
+From bdf452210f7fdbefe91df910025142b2e48b8ebc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 1 Mar 2017 15:23:17 +0100
+Subject: [PATCH 3/3] Sanitize call to sc_pkcs15_free_certificate() in PIV too
+
+---
+ src/libopensc/pkcs15-piv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
+index 5bd0fdf..f6b6742 100644
+--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
+@@ -761,7 +761,8 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+ 		r =  sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
+ 		if (r < 0 || cert_out->key == NULL) {
+ 			sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
+-			sc_pkcs15_free_certificate(cert_out);
+			if (cert_out != NULL)
+				sc_pkcs15_free_certificate(cert_out);
+ 			continue;
+ 		}
+ 		/* 
+From 389ffe590986c6ed42fa810874a52a51bac3ca26 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 23 Mar 2017 12:16:46 +0100
+Subject: [PATCH 1/3] Coverity: FORWARD_NULL -- copy&paste error
+
+---
+ src/tools/gids-tool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/gids-tool.c b/src/tools/gids-tool.c
+index 029c53f..84073b6 100644
+--- a/src/tools/gids-tool.c
+++ b/src/tools/gids-tool.c
+@@ -277,7 +277,7 @@ static int changeAdminKey(sc_card_t* card, const char *so_pin, const char* new_k
+ 
+ 	if (new_key == NULL) {
+ 		printf("Enter new admin key (48 hexadecimal characters) : ");
+-		util_getpass(&_so_pin, NULL, stdin);
+		util_getpass(&_new_key, NULL, stdin);
+ 		printf("\n");
+ 	} else {
+ 		_new_key = (char *)new_key;
+-- 
+2.9.3
+
+
+From 1133efa4fe4d9a0267486cadbd3f6d144c584645 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 23 Mar 2017 15:14:35 +0100
+Subject: [PATCH 2/3] CLANG_WARNING: Call to 'malloc' has an allocation size of
+ 0 bytes
+
+---
+ src/scconf/scconf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/scconf/scconf.c b/src/scconf/scconf.c
+index 7fcc301..678df3e 100644
+--- a/src/scconf/scconf.c
+++ b/src/scconf/scconf.c
+@@ -411,6 +411,8 @@ char *scconf_list_strdup(const scconf_list * list, const char *filler)
+ 	if (filler) {
+ 		len += scconf_list_array_length(list) * (strlen(filler) + 1);
+ 	}
+	if (len == 0)
+		return NULL;
+ 	buf = malloc(len);
+ 	if (!buf) {
+ 		return NULL;
+-- 
+2.9.3
+
+
+From f82bc2008d58348cafcbba30623fcb55dab5cb3a Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 23 Mar 2017 15:46:42 +0100
+Subject: [PATCH 3/3] Avoid malloc with 0 argument
+
+---
+ src/libopensc/card-cac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 788fb52..6a5b5af 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -670,12 +670,12 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx,
+ 			r = sc_decompress_alloc(&priv->cache_buf, &priv->cache_buf_len,
+ 				cert_ptr, cert_len, COMPRESSION_AUTO);
+ #else
+-			sc_log(card->ctx, "PIV compression not supported, no zlib");
+			sc_log(card->ctx, "CAC compression not supported, no zlib");
+ 			r = SC_ERROR_NOT_SUPPORTED;
+ #endif
+ 			if (r)
+ 				goto done;
+-		} else {
+		} else if (cert_len > 0) {
+ 			priv->cache_buf = malloc(cert_len);
+ 			if (priv->cache_buf == NULL) {
+ 				r = SC_ERROR_OUT_OF_MEMORY;
+@@ -683,6 +683,9 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx,
+ 			}
+ 			priv->cache_buf_len = cert_len;
+ 			memcpy(priv->cache_buf, cert_ptr, cert_len);
+		} else {
+			sc_log(card->ctx, "Can't read zero-length certificate");
+			goto done;
+ 		}
+ 		break;
+ 	default:
+-- 
+2.9.3
+
+
--- a/SOURCES/opensc-0.16.0-ecdsa-ec-point.patch
+++ b/SOURCES/opensc-0.16.0-ecdsa-ec-point.patch
@ -0,0 +1,27 @@
				@@ -0,0 +1,27 @@
+From ea4baf50d57a7a41164fedcd1b10fdb0438305c5 Mon Sep 17 00:00:00 2001
+From: AnthonyA <ascanio.alba7@gmail.com>
+Date: Mon, 19 Mar 2018 15:58:21 +0800
+Subject: [PATCH] pkcs11-tool: make ECPoint behaviour standards compliant by
+ default
+
+Fixes #1286. The behaviour of pkcs11-tool will follow the standard -
+send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will
+write plain bytes.
+---
+ src/tools/pkcs11-tool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 876bba2dc..63e5c5f7f 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -2632,7 +2632,7 @@ parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
+ 		header_len = point-gost->public.value;
+ 		memcpy(point, buf, point_len);
+ 		gost->public.len = header_len+point_len;
+-#ifndef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
+#ifdef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
+ 		gost->public.len   -= header_len;
+ 		gost->public.value += header_len;
+ #endif
+
--- a/SOURCES/opensc-0.16.0-hexadecimal-mechanism.patch
+++ b/SOURCES/opensc-0.16.0-hexadecimal-mechanism.patch
@ -0,0 +1,50 @@
				@@ -0,0 +1,50 @@
+From 74885fb1c174468cc0a505cd7404e228d465efd8 Mon Sep 17 00:00:00 2001
+From: AnthonyA <ascanio.alba7@gmail.com>
+Date: Tue, 27 Mar 2018 00:48:05 +0000
+Subject: [PATCH] pkcs11-tool: allow mechanism to be specified in hexadecimal
+
+To support vendor mechanisms, let -m accept hexadecimal strings,
+e.g., -m 0x80001234
+---
+ doc/tools/pkcs11-tool.1.xml | 3 ++-
+ src/tools/pkcs11-tool.c     | 5 ++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
+index f8d638b45..e78570b10 100644
+--- a/doc/tools/pkcs11-tool.1.xml
+++ b/doc/tools/pkcs11-tool.1.xml
+@@ -231,7 +231,8 @@
+ 					</term>
+ 					<listitem><para>Use the specified <replaceable>mechanism</replaceable>
+ 					for token operations. See <option>-M</option> for a list
+-					of mechanisms supported by your token.</para></listitem>
+					of mechanisms supported by your token. The mechanism can also be specified in
+					hexadecimal, e.g., <replaceable>0x80001234</replaceable>.</para></listitem>
+ 				</varlistentry>
+ 
+ 				<varlistentry>
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 63e5c5f7f..484c019d8 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -234,7 +234,7 @@ static const char *option_help[] = {
+ 	"Hash some data",
+ 	"Derive a secret key using another key and some data",
+ 	"Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations",
+-	"Specify mechanism (use -M for a list of supported mechanisms)",
+	"Specify mechanism (use -M for a list of supported mechanisms), or by hexadecimal, e.g., 0x80001234",
+ 
+ 	"Log into the token first",
+ 	"Specify login type ('so', 'user', 'context-specific'; default:'user')",
+@@ -6076,6 +6076,9 @@ static CK_MECHANISM_TYPE p11_name_to_mechanism(const char *name)
+ {
+ 	struct mech_info *mi;
+ 
+	if (strncasecmp("0x", name, 2) == 0) {
+		return strtoul(name, NULL, 0);
+	}
+ 	for (mi = p11_mechanisms; mi->name; mi++) {
+ 		if (!strcasecmp(mi->name, name)
+ 		 || (mi->short_name && !strcasecmp(mi->short_name, name)))
+
--- a/SOURCES/opensc-0.16.0-infinite-loop.patch
+++ b/SOURCES/opensc-0.16.0-infinite-loop.patch
@ -0,0 +1,62 @@
				@@ -0,0 +1,62 @@
+From 645f678af24fc1e0f1559e0384f57f8fd35836b4 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 21 Jul 2017 11:30:47 +0200
+Subject: [PATCH 1/4] cac: Make the retransmitted APDU valid by restoring the
+ resplen
+
+---
+ src/libopensc/card-cac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index ed15ba0a8..47f9aaf0c 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -1106,6 +1106,7 @@ static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc
+ 		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ 		if (apdu.sw1 == 0x6A && apdu.sw2 == 0x86)   {
+ 			apdu.p2 = 0x00;
+			apdu.resplen = sizeof(buf);
+ 			if (sc_transmit_apdu(card, &apdu) == SC_SUCCESS)
+ 				r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ 		}
+
+From a57407a5257b24edf313a4839c523a19cd8b0dc5 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 21 Jul 2017 13:09:14 +0200
+Subject: [PATCH 2/4] cac: Check SWs for all the APDUs and report the errors to
+ underlying layers
+
+---
+ src/libopensc/card-cac.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 47f9aaf0c..f3b64a33d 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -390,9 +390,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2,
+ 		goto err;
+ 	}
+ 
+-	if (apdu.sw1 == 0x61) {
+-		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+-	}
+	r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ 
+ 	if (r < 0) {
+ 		sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Card returned error ");
+diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
+--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old	2017-12-19 10:39:08.662925868 +0100
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c	2017-12-19 10:39:58.665293224 +0100
+@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card
+ 		if (r < 0) {
+ 			goto fail;
+ 		}
+		if (len == 0) {
+			r = SC_ERROR_FILE_NOT_FOUND;
+			goto fail;
+		}
+ 	}
+ 	*out_len = size;
+ 	*out_buf = out;
--- a/SOURCES/opensc-0.16.0-labels-from-dn.patch
+++ b/SOURCES/opensc-0.16.0-labels-from-dn.patch
@ -0,0 +1,137 @@
				@@ -0,0 +1,137 @@
+From 066fdce95a3a58e312f52c4e14536b4b3a4f5e26 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 9 May 2017 16:46:16 +0200
+Subject: [PATCH 1/3] If the underlying PKCS#15 structure does not provide
+ label for a certificate, try to use DN from the certificate.
+
+---
+ src/libopensc/libopensc.exports |  1 +
+ src/pkcs11/framework-pkcs15.c   | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports
+index 18f80374f..36cf57023 100644
+--- a/src/libopensc/libopensc.exports
+++ b/src/libopensc/libopensc.exports
+@@ -208,6 +208,7 @@ sc_pkcs15_free_prkey_info
+ sc_pkcs15_free_pubkey
+ sc_pkcs15_free_pubkey_info
+ sc_pkcs15_get_application_by_type
+sc_pkcs15_get_name_from_dn
+ sc_pkcs15_get_object_guid
+ sc_pkcs15_get_object_id
+ sc_pkcs15_get_objects
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index 42c509356..f9063c8cc 100644
+--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
+@@ -553,6 +553,30 @@ public_key_created(struct pkcs15_fw_data *fw_data, const struct sc_pkcs15_id *id
+ 	return SC_ERROR_OBJECT_NOT_FOUND;
+ }
+ 
+static void
+pkcs15_cert_extract_label(struct pkcs15_cert_object *cert)
+{
+	if (!cert || !cert->cert_p15obj || !cert->cert_data)
+		return;
+
+	sc_log(context, "pkcs15_cert_extract_label() called. Current label: %s", cert->cert_p15obj->label);
+
+	/* if we didn't get a label, set one based on the CN */
+	if (*cert->cert_p15obj->label == '\0') { /* can't be NULL -- static array */
+		static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
+		u8 *cn_name = NULL;
+		size_t cn_len = 0;
+		int rv = sc_pkcs15_get_name_from_dn(context,
+			cert->cert_data->subject, cert->cert_data->subject_len,
+			&cn_oid, &cn_name, &cn_len);
+		sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
+		if (rv == SC_SUCCESS) {
+			memcpy(cert->cert_p15obj->label, cn_name, cn_len);
+			cert->cert_p15obj->label[cn_len] = '\0';
+		}
+		free(cn_name);
+	}
+}
+ 
+ static int
+ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_object *cert,
+@@ -606,6 +627,9 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj
+ 	obj2->pub_genfrom = object;
+ 	object->cert_pubkey = obj2;
+ 
+	/* Find missing labels for certificate */
+	pkcs15_cert_extract_label(object);
+
+ 	if (cert_object != NULL)
+ 		*cert_object = (struct pkcs15_any_object *) object;
+ 
+@@ -877,6 +901,9 @@ check_cert_data_read(struct pkcs15_fw_data *fw_data, struct pkcs15_cert_object *
+ 	if (!obj2->pub_data)
+ 		rv = sc_pkcs15_pubkey_from_cert(context, &cert->cert_data->data, &obj2->pub_data);
+ 
+	/* Find missing labels for certificate */
+	pkcs15_cert_extract_label(cert);
+
+ 	/* now that we have the cert and pub key, lets see if we can bind anything else */
+ 	pkcs15_bind_related_objects(fw_data);
+ 
+@@ -3165,6 +3192,10 @@ pkcs15_cert_get_attribute(struct sc_pkcs11_session *session, void *object, CK_AT
+ 		*(CK_BBOOL*)attr->pValue = FALSE;
+ 		break;
+ 	case CKA_LABEL:
+		if (check_cert_data_read(fw_data, cert) != 0) {
+			attr->ulValueLen = 0;
+			return CKR_OK;
+		}
+ 		len = strnlen(cert->cert_p15obj->label, sizeof cert->cert_p15obj->label);
+ 		check_attribute_buffer(attr, len);
+ 		memcpy(attr->pValue, cert->cert_p15obj->label, len);
+
+From 4d8b75c1f0a901d661ed00b29175e2fdaee940ca Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 19 May 2017 17:52:09 +0200
+Subject: [PATCH 2/3] Properly check bounds for long DNs
+
+---
+ src/pkcs11/framework-pkcs15.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index f9063c8cc..863ad02a1 100644
+--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
+@@ -566,8 +566,9 @@ pkcs15_cert_extract_label(struct pkcs15_cert_object *cert)
+ 		int rv = sc_pkcs15_get_name_from_dn(context,
+ 			cert->cert_data->subject, cert->cert_data->subject_len,
+ 			&cn_oid, &cn_name, &cn_len);
+-		sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
+ 		if (rv == SC_SUCCESS) {
+			sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
+			cn_len = MIN(cn_len, SC_PKCS15_MAX_LABEL_SIZE-1);
+ 			memcpy(cert->cert_p15obj->label, cn_name, cn_len);
+ 			cert->cert_p15obj->label[cn_len] = '\0';
+ 		}
+
+From 4621251bbff5cc1df826aa7fdc2aa7dfbae3c8ab Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 22 May 2017 09:46:56 +0200
+Subject: [PATCH 3/3] Missing include
+
+---
+ src/pkcs11/framework-pkcs15.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index 863ad02a1..ce890b7a1 100644
+--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
+@@ -22,6 +22,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include "libopensc/log.h"
+#include "libopensc/internal.h"
+ #include "libopensc/asn1.h"
+ #include "libopensc/cardctl.h"
+ #include "common/compat_strnlen.h"
+
--- a/SOURCES/opensc-0.16.0-lock.patch
+++ b/SOURCES/opensc-0.16.0-lock.patch
@ -0,0 +1,59 @@
				@@ -0,0 +1,59 @@
+From 6b36a341c372f3dcec13c5ddee52fdb907a255a9 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 12 Apr 2017 17:42:54 +0200
+Subject: [PATCH 1/2] Make sure the lock is released when returning
+
+---
+ src/pkcs11/framework-pkcs15.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index 2f78a63..3441b99 100644
+--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
+@@ -487,12 +487,16 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
+ 		goto out;
+ 	}
+ 
+-	if (slot->p11card == NULL)
+-		return CKR_TOKEN_NOT_PRESENT;
+	if (slot->p11card == NULL) {
+		rv = CKR_TOKEN_NOT_PRESENT;
+		goto out;
+	}
+ 
+ 	fw_data = (struct pkcs15_fw_data *) slot->p11card->fws_data[slot->fw_data_idx];
+-	if (!fw_data)
+-		return sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
+	if (!fw_data) {
+		rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
+		goto out;
+	}
+ 	p15card = fw_data->p15_card;
+ 
+ 	/* User PIN flags are cleared before re-calculation */
+
+From 8e8f0ffdcc959f9dd7ea9036aea887917e961bd1 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 12 Apr 2017 17:43:32 +0200
+Subject: [PATCH 2/2] pkcs11-tool: Do not use unitialized data when
+ C_GetTokenInfo() failed
+
+---
+ src/tools/pkcs11-tool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index ef5d2a6..555029d 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -1105,6 +1105,9 @@ static void show_token(CK_SLOT_ID slot)
+ 	if (rv == CKR_TOKEN_NOT_RECOGNIZED) {
+ 		printf("  (token not recognized)\n");
+ 		return;
+	} else if (rv != CKR_OK) {
+		printf("C_GetTokenInfo() failed: rv = %s\n", CKR2Str(rv));
+		return;
+ 	}
+ 	if (!(info.flags & CKF_TOKEN_INITIALIZED) && (!verbose)) {
+ 		printf("  token state:   uninitialized\n");
--- a/SOURCES/opensc-0.16.0-pinpad.patch
+++ b/SOURCES/opensc-0.16.0-pinpad.patch
@ -0,0 +1,13 @@
				@@ -0,0 +1,13 @@
+diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in.pinpad OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in
+--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in.pinpad	2018-05-28 14:30:05.605085241 +0200
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in	2018-05-28 14:31:00.963495548 +0200
+@@ -101,7 +101,8 @@ app default {
+ 		#
+ 		# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
+ 		# Default: true
+-		# enable_pinpad = false;
+		# RHEL 7.6: Disabled by default, because of many broken readers
+		enable_pinpad = false;
+ 		#
+ 		# Use specific pcsc provider.
+ 		# Default: @DEFAULT_PCSC_PROVIDER@
--- a/SOURCES/opensc-0.16.0-piv-cardholder-name.patch
+++ b/SOURCES/opensc-0.16.0-piv-cardholder-name.patch
@ -0,0 +1,121 @@
				@@ -0,0 +1,121 @@
+From bac1ced89dde5780ecb5014b3887e4fd81c7d81c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 18 Aug 2017 13:49:57 +0200
+Subject: [PATCH 1/3] Use shorter PIN name for default PIN to accomodate Card
+ Holder name in future
+
+---
+ src/libopensc/pkcs15-piv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
+index d38d7ba73..7f9015dcc 100644
+--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
+@@ -359,7 +359,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+ 	};
+ 
+ 	static const pindata pins[] = {
+-		{ "01", "PIV Card Holder pin", "", 0x80,
+		{ "01", "PIN", "", 0x80,
+ 		  /* label, flag  and ref will change if using global pin */
+ 		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
+ 		  8, 4, 8, 
+@@ -932,7 +932,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+ 			pin_info.attrs.pin.reference = pin_ref;
+ 			pin_info.attrs.pin.flags &= ~SC_PKCS15_PIN_FLAG_LOCAL;
+ 			label = "Global PIN";
+-		} 
+		}
+ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
+ 		strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
+ 		pin_obj.flags = pins[i].obj_flags;
+
+From 74b070128c27e24aa67db041a049a9eee5dddcd6 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 18 Aug 2017 14:18:00 +0200
+Subject: [PATCH 2/3] Get cardholder name from the first certificate
+
+---
+ src/libopensc/pkcs15-piv.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
+index 7f9015dcc..6f3c9199d 100644
+--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
+@@ -613,7 +613,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+ 	char buf[SC_MAX_SERIALNR * 2 + 1];
+ 	common_key_info ckis[PIV_NUM_CERTS_AND_KEYS];
+ 	int follows_nist_fascn = 0;
+-
+	char *token_name = NULL;
+ 
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+ 
+@@ -765,6 +765,30 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+ 				sc_pkcs15_free_certificate(cert_out);
+ 			continue;
+ 		}
+
+		/* set the token name to the name of the CN of the first certificate */
+		if (!token_name) {
+			u8 * cn_name = NULL;
+			size_t cn_len = 0;
+			static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
+			r = sc_pkcs15_get_name_from_dn(card->ctx, cert_out->subject,
+				cert_out->subject_len, &cn_oid, &cn_name, &cn_len);
+			if (r == SC_SUCCESS) {
+				token_name = malloc (cn_len+1);
+				if (!token_name) {
+					sc_pkcs15_free_certificate(cert_out);
+					free(cn_name);
+					SC_FUNC_RETURN(card->ctx,
+						SC_ERROR_OUT_OF_MEMORY, r);
+				}
+				memcpy(token_name, cn_name, cn_len);
+				free(cn_name);
+				token_name[cn_len] = 0;
+				free(p15card->tokeninfo->label);
+				p15card->tokeninfo->label = token_name;
+			}
+		}
+
+ 		/* 
+ 		 * get keyUsage if present save in ckis[i]
+ 		 * Will only use it if this in a non FED issued card
+
+From 78c2b7b970a8c2d841552926a7f4c386c31abeb8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 21 Aug 2017 13:43:08 +0200
+Subject: [PATCH 3/3] Do not add non-informative PIN to the token label
+
+---
+ src/pkcs11/framework-pkcs15.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index 5b3cb32e5..8ded1125b 100644
+--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
+@@ -1024,6 +1024,7 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
+ 	struct sc_pkcs15_auth_info *pin_info = NULL;
+ 	char label[64];
+ 
+	sc_log(context, "Called");
+ 	pkcs15_init_token_info(p15card, &slot->token_info);
+ 	slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
+ 	if (auth != NULL)
+@@ -1048,9 +1049,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
+ 			pin_info = NULL;
+ 		}
+ 		else   {
+-			if (auth->label[0])
+			if (auth->label[0] && strncmp(auth->label, "PIN", 4) != 0)
+ 				snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);
+ 			else
+				/* The PIN label is empty or says just non-useful "PIN" */
+ 				snprintf(label, sizeof(label), "%s", p15card->tokeninfo->label);
+ 			slot->token_info.flags |= CKF_LOGIN_REQUIRED;
+ 		}
+
--- a/SOURCES/opensc-0.16.0-simpletlv.patch
+++ b/SOURCES/opensc-0.16.0-simpletlv.patch
@ -0,0 +1,21 @@
				@@ -0,0 +1,21 @@
+commit 602279acecb9aaff1154ac1e2993562741a57281
+Author: Jakub Jelen <jjelen@redhat.com>
+Date:   Tue Jan 2 11:08:31 2018 +0100
+
+    Skip correctly two bytes after reading 2b size
+
+diff --git a/src/libopensc/simpletlv.c b/src/libopensc/simpletlv.c
+index f526a1cd..ab0401b5 100644
+--- a/src/libopensc/simpletlv.c
+++ b/src/libopensc/simpletlv.c
+@@ -90,8 +90,9 @@ sc_simpletlv_read_tag(u8 **buf, size_t buflen, u8 *tag_out, size_t *taglen)
+ 			*taglen = 0;
+ 			return SC_ERROR_INVALID_ARGUMENTS;
+ 		}
+		/* skip two bytes (the size) */
+ 		len = lebytes2ushort(p);
+-		p++;
+		p+=2;
+ 	}
+ 	*taglen = len;
+ 	*buf = p;
--- a/SOURCES/pkcs11-switch.sh
+++ b/SOURCES/pkcs11-switch.sh
@ -0,0 +1,77 @@
				@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Paths, names and functions definitions
+NSSDB="/etc/pki/nssdb/"
+COOLKEY_NAME="CoolKey PKCS #11 Module"
+COOLKEY_LIBRARY="libcoolkeypk11.so"
+OPENSC_NAME="OpenSC PKCS #11 Module"
+OPENSC_LIBRARY="opensc-pkcs11.so"
+
+add_module() {
+	NAME="$1"
+	LIBRARY="$2"
+	modutil -add "$NAME" -dbdir "$NSSDB" -libfile "$LIBRARY"
+}
+remove_module() {
+	NAME="$1"
+	modutil -delete "$NAME" -dbdir "$NSSDB" -force
+}
+
+# Parse arguments. If wrong, print usage
+TARGET="$1"
+if [ "$TARGET" = "" ]; then
+	# Print currently installed module
+	PRINT_CURRENT="1"
+elif [ "$TARGET" = "opensc" ] || [ "$TARGET" = "coolkey" ]; then
+	: # Correct arguments
+else
+	echo "Simple tool to switch between OpenSC and Coolkey PKCS#11 modules in main NSS DB."
+	echo "Usage: $0 [coolkey|opensc]"
+	echo "    [coolkey|opensc]   says which of the modules should be used."
+	echo "                       The other one will be removed from database."
+	echo
+	echo "    If there is no argument specified, prints the current module in NSS DB"
+	exit 255
+fi
+
+if [ ! -x /usr/bin/modutil ]; then
+	echo "The modutil is not installed. Please install package nss-util"
+	exit 255
+fi
+
+# Find the current library in NSS DB
+CURRENT="" # none
+LIBS=$(modutil -rawlist -dbdir "$NSSDB" | grep "^library=")
+if echo "$LIBS" | grep "$COOLKEY_NAME" > /dev/null; then
+	CURRENT="coolkey"
+fi
+if echo "$LIBS" | grep "$OPENSC_NAME" > /dev/null; then
+	if [ -n "$CURRENT" ]; then
+		CURRENT="opensc coolkey"
+		echo "There are both modules in NSS DB, which is not recommended."
+		echo "I will remove the other."
+	else
+		CURRENT="opensc"
+	fi
+fi
+
+if [ "$PRINT_CURRENT" = "1" ]; then
+	echo "$CURRENT"
+	exit 0
+fi
+
+# Do we need to change something?
+if [ "$CURRENT" = "$TARGET" ]; then
+	echo "The requested module is already in the NSS DB"
+	exit 0
+fi
+
+# Do the actual change
+if [ "$TARGET" = "opensc" ]; then
+	add_module "$OPENSC_NAME" "$OPENSC_LIBRARY"
+	remove_module "$COOLKEY_NAME"
+fi
+if [ "$TARGET" = "coolkey" ]; then
+	add_module "$COOLKEY_NAME" "$COOLKEY_LIBRARY"
+	remove_module "$OPENSC_NAME"
+fi
--- a/SPECS/opensc.spec
+++ b/SPECS/opensc.spec
@ -0,0 +1,555 @@
				@@ -0,0 +1,555 @@
+%global commit0 777e2a3751e3f6d53f056c98e9e20e42af674fb1
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+
+Name:           opensc
+Version:        0.16.0
+Release:        10.20170227git%{shortcommit0}%{?dist}
+Summary:        Smart card library and applications
+
+Group:          System Environment/Libraries
+License:        LGPLv2+
+URL:            https://github.com/OpenSC/OpenSC/wiki
+Source0:        https://github.com/OpenSC/OpenSC/archive/%{commit0}.zip#/%{name}-%{version}-git%{shortcommit0}.zip
+Source1:        opensc.module
+Source2:        pkcs11-switch.sh
+Patch0:		opensc-0.16.0-coverity.patch
+Patch1:		opensc-0.16.0-cardos.patch
+Patch2:		opensc-0.16.0-lock.patch
+# Use label from certificate DN if there is none (#1448555)
+Patch3:		opensc-0.16.0-labels-from-dn.patch
+# Use Cardholder name in the token label (#1449740)
+Patch4:		opensc-0.16.0-piv-cardholder-name.patch
+# Avoid infinite loop when reading CAC cards (#1473335)
+Patch5:		opensc-0.16.0-infinite-loop.patch
+# Workaround for CAC Alt tokens (#1473418)
+Patch6:		opensc-0.16.0-cac-alt.patch
+# Copy labels from certificate (#1448555)
+Patch7:		opensc-0.16.0-coolkey-labels.patch
+# Properly parse multi-byte length (#1473418)
+Patch8:		opensc-0.16.0-simpletlv.patch
+# Disable pinpad by default (#1547117, #1547744)
+Patch9:		opensc-0.16.0-pinpad.patch
+# https://github.com/OpenSC/OpenSC/commit/74885fb
+Patch10:	opensc-0.16.0-hexadecimal-mechanism.patch
+# https://github.com/OpenSC/OpenSC/commit/ea4baf5
+Patch11:	opensc-0.16.0-ecdsa-ec-point.patch
+# https://github.com/OpenSC/OpenSC/commit/60dbebf
+Patch12:	opensc-0.16.0-cardos5.patch
+
+BuildRequires:  pcsc-lite-devel
+BuildRequires:  readline-devel
+BuildRequires:  openssl-devel
+BuildRequires:  /usr/bin/xsltproc
+BuildRequires:  docbook-style-xsl
+BuildRequires:  autoconf automake libtool
+Requires:       pcsc-lite-libs%{?_isa}
+Requires:	pcsc-lite
+Obsoletes:      mozilla-opensc-signer < 0.12.0
+Obsoletes:      opensc-devel < 0.12.0
+
+%description
+OpenSC provides a set of libraries and utilities to work with smart cards. Its
+main focus is on cards that support cryptographic operations, and facilitate
+their use in security applications such as authentication, mail encryption and
+digital signatures. OpenSC implements the PKCS#11 API so applications
+supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On
+the card OpenSC implements the PKCS#15 standard and aims to be compatible with
+every software/card that does so, too.
+
+
+%prep
+%setup -q -n OpenSC-%{commit0}
+%patch0 -p1 -b .coverity
+%patch1 -p1 -b .cardos
+%patch2 -p1 -b .lock
+%patch3 -p1 -b .label
+%patch4 -p1 -b .cardholder
+%patch5 -p1 -b .infinite
+%patch6 -p1 -b .cac-alt
+%patch7 -p1 -b .coolkey-labels
+%patch8 -p1 -b .simpletlv
+%patch9 -p1 -b .pinpad
+%patch10 -p1 -b .hex-mech
+%patch11 -p1 -b .ec-point
+%patch12 -p1 -b .cardos5
+
+cp -p src/pkcs15init/README ./README.pkcs15init
+cp -p src/scconf/README.scconf .
+# No {_libdir} here to avoid multilib conflicts; it's just an example
+sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.in
+
+
+%build
+autoreconf -fvi
+sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
+sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
+%configure  --disable-static \
+  --disable-assert \
+  --enable-pcsc \
+  --enable-sm \
+  --with-pcsc-provider=libpcsclite.so.1
+make %{?_smp_mflags} V=1
+
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf
+install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
+install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
+install -Dpm 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/pkcs11-switch
+# use NEWS file timestamp as reference for configuration file
+touch -r NEWS $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
+
+find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" | xargs rm
+
+rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc
+
+# Upstream considers libopensc API internal and no longer ships
+# public headers and pkgconfig files.
+# Remove the symlink as nothing is supposed to link against libopensc.
+rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
+%if 0%{?rhel}
+rm -rf %{buildroot}%{_sysconfdir}/bash_completion.d/
+%endif
+
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+
+%files
+%defattr(-,root,root,-)
+%doc COPYING NEWS README*
+
+%if ! 0%{?rhel}
+%{_sysconfdir}/bash_completion.d/*
+%endif
+
+%config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf
+%{_datadir}/p11-kit/modules/opensc.module
+%{_bindir}/cardos-tool
+%{_bindir}/cryptoflex-tool
+%{_bindir}/eidenv
+%{_bindir}/iasecc-tool
+%{_bindir}/gids-tool
+%{_bindir}/netkey-tool
+%{_bindir}/openpgp-tool
+%{_bindir}/opensc-explorer
+%{_bindir}/opensc-tool
+%{_bindir}/piv-tool
+%{_bindir}/pkcs11-tool
+%{_bindir}/pkcs11-switch
+%{_bindir}/pkcs15-crypt
+%{_bindir}/pkcs15-init
+%{_bindir}/pkcs15-tool
+%{_bindir}/sc-hsm-tool
+%{_bindir}/dnie-tool
+%{_bindir}/westcos-tool
+%{_libdir}/lib*.so.*
+%{_libdir}/opensc-pkcs11.so
+%{_libdir}/pkcs11-spy.so
+%{_libdir}/onepin-opensc-pkcs11.so
+%{_libdir}/pkgconfig/*.pc
+%%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/opensc-pkcs11.so
+%{_libdir}/pkcs11/onepin-opensc-pkcs11.so
+%{_libdir}/pkcs11/pkcs11-spy.so
+%{_datadir}/opensc/
+%{_mandir}/man1/cardos-tool.1*
+%{_mandir}/man1/cryptoflex-tool.1*
+%{_mandir}/man1/eidenv.1*
+%{_mandir}/man1/gids-tool.1*
+%{_mandir}/man1/iasecc-tool.1*
+%{_mandir}/man1/netkey-tool.1*
+%{_mandir}/man1/openpgp-tool.1*
+%{_mandir}/man1/opensc-explorer.*
+%{_mandir}/man1/opensc-tool.1*
+%{_mandir}/man1/piv-tool.1*
+%{_mandir}/man1/pkcs11-tool.1*
+%{_mandir}/man1/pkcs15-crypt.1*
+%{_mandir}/man1/pkcs15-init.1*
+%{_mandir}/man1/pkcs15-tool.1*
+%{_mandir}/man1/sc-hsm-tool.1*
+%{_mandir}/man1/westcos-tool.1*
+%{_mandir}/man1/dnie-tool.1*
+%{_mandir}/man5/*.5*
+
+
+%changelog
+* Tue Jul 03 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-10.20170227git
+- Improve support for ECC-enabled CardOS 5.3 card (#1562277)
+
+* Tue Jun 19 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-9.20170227git
+- make ECPoint behavior standards compliant by default (#1562572)
+- allow mechanism to be specified in hexadecimal (#1562572)
+- Disable pinpad by default (#1547117, #1547744)
+
+* Wed Jan 03 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-8.20170227git
+- Copy labels from certificate (#1448555)
+- Avoid infinite loop in CAC driver when reading non-CAC cards (#1473335)
+- Properly parse Simple TLV structures in CAC driver (#1473418)
+
+* Tue Nov 07 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-7.20170227git
+- Fix issues reported by Coverity
+- Use upstream accepted fix for CAC Alt tokens (#1473418)
+
+* Fri Nov 03 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-6.20170227git
+- Use label from certificate DN if there is none (#1448555)
+- Use Cardholder name in the token label (#1449740)
+- Avoid infinite loop when reading CAC cards (#1473335)
+- Workaround for CAC Alt tokens (#1473418)
+
+* Thu May 18 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-5.20170227git
+- Add missing pkcs11-switch script
+
+* Thu Apr 13 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-4.20170227git
+- Release aquired lock for uninitialized ASEPCOS cards (#1376090)
+
+* Thu Mar 23 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-3.20170227git
+- Fix more issues identified by Coverity scan
+
+* Thu Mar 23 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-2.20170227git
+- Add support for CardOS 5.3
+- Fix coverity issues
+- Provide simple tool to swith PKCS#11 library in NSS DB
+
+* Tue Jan 10 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-1.20170110git
+- Rebase to OpenSC master with support for CAC cards (#1373164)
+
+* Thu Feb 25 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.14.0-2
+- Export PKCS#11 symbols from spy library (#1283305)
+
+* Thu Apr 23 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.14.0-1
+- Updated to opensc 0.14.0
+
+* Fri Mar 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-9
+- Configuration file includes arch to allow it operate under multilib
+
+* Mon Mar 10 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-8
+- Ensure that variables are in scope when used (#1062307)
+
+* Tue Feb 25 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-7
+- Corrected path of opensc.module (#1060034)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.13.0-6
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.13.0-5
+- Mass rebuild 2013-12-27
+
+* Fri Mar 08 2013 Stef Walter <stefw@redhat.com> - 0.13.0-4
+- Use the standard name format for p11-kit module configs
+- Put the p11-kit module config is the system location
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sun Jan 13 2013 Kalev Lember <kalevlember@gmail.com> - 0.13.0-2
+- Backport an upstream patch for fixing pkcs15 cert length calculation
+
+* Thu Jan 03 2013 Milan Broz <mbroz@redhat.com> - 0.13.0-1
+- Update to 0.13.0 (#890770)
+- Remove no longer provided onepin-opensc-pkcs11.so.
+- Add iasecc-tool, openpgp-tool and sc-hsm-tool.
+
+* Fri Jul 27 2012 Tomas Mraz <tmraz@redhat.com> - 0.12.2-6
+- Add a configuration file for p11-kit (#840504)
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Mar  4 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 0.12.2-4
+- Add patch for dso
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Aug 17 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.2-2
+- Rebuilt to fix trailing slashes in filelist from rpmbuild bug
+
+* Tue Jul 19 2011 Kalev Lember <kalevlember@gmail.com> - 0.12.2-1
+- Update to 0.12.2 (#722659)
+
+* Wed May 18 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.1-1
+- Update to 0.12.1 (#705743)
+- Removed BR libtool-ltdl-devel to build with glibc's libdl instead
+
+* Tue Apr 12 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.0-4
+- drop multilib conflicting and duplicated doc file (#695368)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-2
+- Disabled asserts
+
+* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-1
+- Update to 0.12.0
+- Removed and obsoleted mozilla-opensc-signer and opensc-devel subpackages
+- Dropped patches which are now upstreamed
+- It is no longer possible to build in both pcsc-lite and openct support,
+  so opensc now gets built exclusively with pcsc-lite.
+
+* Tue Dec 21 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-6
+- fix buffer overflow on rogue card serial numbers
+
+* Tue Oct 19 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-5
+- own the _libdir/pkcs11 subdirectory (#644527)
+
+* Tue Sep  7 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-4
+- fix build with new pcsc-lite
+
+* Wed Aug 11 2010 Rex Dieter <rdieter@fedoraproject.org> - 0.11.13-3
+- build against libassuan1 (f14+)
+
+* Wed Jun  9 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-2
+- replace file dependency (#601943)
+
+* Tue Feb 16 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.13-1
+- new upstream version
+
+* Sun Feb 14 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.12-2
+- Added patch to fix linking with the new --no-add-needed default (#564758)
+
+* Mon Dec 21 2009 Kalev Lember <kalev@smartlink.ee> - 0.11.12-1
+- new upstream version
+- replaced %%define with %%global
+- BR clean up from items not applicable to current Fedora releases
+
+* Tue Dec  8 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 0.11.11-2
+- Explicitly BR libassuan-static in accordance with the Packaging
+  Guidelines (libassuan-devel is still static-only).
+
+* Thu Nov 19 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.11-1
+- new upstream version
+
+* Tue Sep 29 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-2
+- fix multilib conflict in the configuration file (#526269)
+
+* Wed Sep 09 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-1
+- new upstream version
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-5
+- rebuilt with new openssl
+
+* Mon Jul 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-4
+- Depend on specific arch of pcsc-lite-libs (reported by Kalev Lember)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-2
+- Rebuilt with new openct
+
+* Mon May 11 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-1
+- new upstream version - fixes security issue
+
+* Fri Feb 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.7-1
+- new upstream version - fixes CVE-2009-0368
+
+* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.6-2
+- Add explicit requires for pcsc-lite-libs. Dlopen libpcsclite with the full
+  soname.
+
+* Tue Sep  2 2008 Tomas Mraz <tmraz@redhat.com> - 0.11.6-1
+- Update to latest upstream, fixes CVE-2008-2235
+
+* Thu Apr 10 2008 Hans de Goede <j.w.r.degoede@hhs.nl> - 0.11.4-5
+- BuildRequire libassuan-devel instead of libassuan-static (bz 441812)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.11.4-4
+- Autorebuild for GCC 4.3
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 0.11.4-3
+ - Rebuild for deps
+
+* Wed Dec  5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-2
+- Rebuild.
+
+* Mon Sep 10 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-1
+- 0.11.4.
+
+* Mon Aug 20 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-0.1.rc1
+- 0.11.4-rc1, pkcs11-tool usage message fix applied upstream.
+- License: LGPLv2+
+
+* Thu Jul 26 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-2
+- Fix pkcs11-tool usage message crash (#249702).
+
+* Tue Jul 17 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-1
+- 0.11.3.
+
+* Sat Jun 30 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre2
+- 0.11.3-pre2.
+
+* Thu Jun 21 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre1
+- 0.11.3-pre1.
+
+* Sun May  6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-2
+- Add explicit build dependency on ncurses-devel.
+
+* Sat May  5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-1
+- 0.11.2.
+
+* Tue Apr 24 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc2
+- 0.11.2-rc2.
+
+* Fri Mar 23 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc1
+- 0.11.2-rc1.
+
+* Thu Mar 15 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre6
+- 0.11.2-pre6.
+
+* Tue Mar  6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre4
+- 0.11.2-pre4.
+- Require pinentry-gui instead of the pinentry executable in signer.
+
+* Sun Dec  3 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.1.pre3
+- 0.11.2-pre3.
+- Build with new libassuan.
+- Don't run autotools during build.
+- Adjust to readline/termcap/ncurses changes.
+
+* Sat Oct 14 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-6
+- Rebuild with new libassuan.
+
+* Sun Oct  8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-5
+- Rebuild with new libassuan.
+
+* Mon Oct  2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-4
+- Rebuild.
+
+* Tue Sep 26 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-3
+- Rebuild with new libassuan.
+
+* Sat Sep  2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-2
+- Rebuild.
+
+* Wed May 31 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-1
+- 0.11.1.
+- Avoid some multilib conflicts.
+
+* Sun May  7 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-2
+- Sync example paths in openct.conf with ctapi-common.
+- Update URL.
+
+* Thu May  4 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-1
+- 0.11.0.
+
+* Thu Apr 27 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc2
+- 0.11.0-rc2.
+
+* Sat Apr 22 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc1
+- 0.11.0-rc1.
+
+* Mon Mar  6 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-3
+- Rebuild.
+
+* Wed Feb 15 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-2
+- Avoid standard rpaths on lib64 archs.
+
+* Sun Jan  8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-1
+- 0.10.1.
+
+* Wed Nov  9 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-1
+- 0.10.0.
+- Adapt to modularized X.Org.
+
+* Wed Oct 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc2
+- 0.10.0-rc2.
+- Install signer plugin only to plugin dir.
+
+* Sat Oct 22 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc1
+- 0.10.0-rc1.
+
+* Wed Oct 19 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.beta2.rc1
+- 0.10.0-beta2-rc1.
+- Specfile cleanups.
+
+* Tue Apr 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.6-2
+- 0.9.6, build patch applied upstream.
+- Package summary and description improvements.
+- Drop explicit openct dependency.
+
+* Fri Mar 18 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-3
+- Fix FC4 build.
+- Rename opensc-pam to pam_opensc per package naming guidelines.
+
+* Wed Feb  9 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.9.4-2
+- Substitute hardcoded 'lib' in OpenSSL checks for multi-lib platforms.
+- Use --with-plugin-dir instead of --with-plugin-path (fixes x86_64).
+
+* Thu Feb  3 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-1
+- Drop unnecessary Epochs, pre-FC1 compat cruft, and no longer relevant
+  --with(out) rpmbuild options.
+- Exclude *.la.
+
+* Wed Nov  3 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.4-0.fdr.1
+- Update to 0.9.4, parallel build patch applied upstream.
+- Patch to fix library paths and LDFLAGS.
+- Don't require mozilla, but the plugin dir in signer.
+- Build with dependency tracking disabled.
+
+* Tue Jul 27 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.2
+- Building the signer plugin can be disabled with "--without signer".
+  Thanks to Fritz Elfert for the idea.
+- Update description.
+
+* Sun Jul 25 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.1
+- Update to 0.9.2, old patches applied upstream.
+- Add patch to fix parallel builds.
+- Convert man pages to UTF-8.
+
+* Thu Jul 22 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.1-0.fdr.1
+- Update to 0.9.1 (preview).
+
+* Thu Jul  1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.0-0.fdr.0.1.alpha
+- Update to 0.9.0-alpha.
+
+* Sat May  1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.8
+- Rebuild with libassuan 0.6.5.
+
+* Sat Jan 31 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.7
+- Rebuild with libassuan 0.6.3.
+- Add gdm example to PAM quickstart.
+
+* Mon Jan 19 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.6
+- Use /%%{_lib} instead of hardcoding /lib.
+
+* Sat Dec 20 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.5
+- Split PAM support into a subpackage.
+- Rebuild with libassuan 0.6.2.
+
+* Sun Nov 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.4
+- Rebuild with libassuan 0.6.1.
+- Include PAM quickstart doc snippet.
+
+* Fri Nov 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.3
+- Require OpenCT.
+
+* Fri Oct 17 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.2
+- Install example config files as documentation.
+
+* Tue Oct 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.1
+- Update to 0.8.1.
+
+* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.2
+- Signer can be built with oldssl too.
+
+* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.1
+- Update to 0.8.0.
+
+* Wed Jul 30 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.2.cvs20030730
+- Update to 20030730.
+- Clean up %%docs.
+- Include *.la (uses ltdl).
+- Own the %%{_libdir}/pkcs11 directory.
+- Disable signer; assuan has disappeared from the tarball :(
+
+* Fri May 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.1.rc1
+- First build.