import opensc-0.19.0-5.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/opensc-0.19.0.tar.gz

.opensc.metadata

@@ -0,0 +1 @@
+56cd654550aed081eb8ed86edba86e6d766133c4 SOURCES/opensc-0.19.0.tar.gz

SOURCES/opensc-0.19.0-coolkey-matching.patch

@@ -0,0 +1,112 @@
+From 6691487cd7433b4ffc3a99124b5ecf92361b8a76 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 9 Oct 2018 15:10:36 +0200
+Subject: [PATCH 1/3] cac: These functions do not have to be exposed
+
+---
+ src/libopensc/card-cac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index eeab07e4f..bd4e03362 100644
+--- a/src/libopensc/card-cac.c
++++ b/src/libopensc/card-cac.c
+@@ -211,7 +211,7 @@ typedef struct cac_private_data {
+ 
+ #define CAC_DATA(card) ((cac_private_data_t*)card->drv_data)
+ 
+-int cac_list_compare_path(const void *a, const void *b)
++static int cac_list_compare_path(const void *a, const void *b)
+ {
+ 	if (a == NULL || b == NULL)
+ 		return 1;
+@@ -220,7 +220,7 @@ int cac_list_compare_path(const void *a, const void *b)
+ }
+ 
+ /* For SimCList autocopy, we need to know the size of the data elements */
+-size_t cac_list_meter(const void *el) {
++static size_t cac_list_meter(const void *el) {
+ 	return sizeof(cac_object_t);
+ }
+ 
+
+From fab79b70ff45d02d99bc05863be57f8ca8f0acda Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 9 Oct 2018 15:58:12 +0200
+Subject: [PATCH 2/3] coolkey: Improve card matching to avoid mismatches in
+ muscle
+
+---
+ src/libopensc/card-coolkey.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
+index b97559cc3..2cf2362c8 100644
+--- a/src/libopensc/card-coolkey.c
++++ b/src/libopensc/card-coolkey.c
+@@ -2224,14 +2224,32 @@ static int coolkey_initialize(sc_card_t *card)
+ /* NOTE: returns a bool, 1 card matches, 0 it does not */
+ static int coolkey_match_card(sc_card_t *card)
+ {
++	sc_apdu_t apdu;
+ 	int r;
++
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+ 	/* Since we send an APDU, the card's logout function may be called...
+ 	 * however it may be in dirty memory */
+ 	card->ops->logout = NULL;
+ 
+ 	r = coolkey_select_applet(card);
+-	return (r >= SC_SUCCESS);
++	if (r == SC_SUCCESS) {
++		/* The GET STATUS INS with P1 = 1 returns invalid instruction (0x6D00)
++		 * on Coolkey applet (reserved for GetMemory function),
++		 * while incorrect P1 (0x9C10) on Muscle applets
++		 */
++		sc_format_apdu(card, &apdu, SC_APDU_CASE_1, COOLKEY_INS_GET_STATUS, 0x01, 0x00);
++		apdu.cla = COOLKEY_CLASS;
++		apdu.le = 0x00;
++		apdu.resplen = 0;
++		apdu.resp = NULL;
++		r = sc_transmit_apdu(card, &apdu);
++		if (r == SC_SUCCESS && apdu.sw1 == 0x6d && apdu.sw2 == 0x00) {
++			return 1;
++		}
++		return 0;
++	}
++	return 0;
+ }
+ 
+ 
+
+From 98a1716768d11afd6d0e1e73bf8154dddfe915e9 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 9 Oct 2018 16:01:57 +0200
+Subject: [PATCH 3/3] ctx: Move coolkey driver up after improving the matching
+
+Fixes #1483
+---
+ src/libopensc/ctx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/ctx.c b/src/libopensc/ctx.c
+index f24a61ca0..98e6038a7 100644
+--- a/src/libopensc/ctx.c
++++ b/src/libopensc/ctx.c
+@@ -128,6 +128,7 @@ static const struct _sc_driver_entry internal_card_drivers[] = {
+ 
+ /* Here should be placed drivers that need some APDU transactions in the
+  * driver's `match_card()` function. */
++	{ "coolkey",	(void *(*)(void)) sc_get_coolkey_driver },
+ 	/* MUSCLE card applet returns 9000 on whatever AID is selected, see
+ 	 * https://github.com/JavaCardOS/MuscleCard-Applet/blob/master/musclecard/src/com/musclecard/CardEdge/CardEdge.java#L326
+ 	 * put the muscle driver first to cope with this bug. */
+@@ -144,7 +145,6 @@ static const struct _sc_driver_entry internal_card_drivers[] = {
+ #endif
+ 	{ "openpgp",	(void *(*)(void)) sc_get_openpgp_driver },
+ 	{ "jpki",	(void *(*)(void)) sc_get_jpki_driver },
+-	{ "coolkey",	(void *(*)(void)) sc_get_coolkey_driver },
+ 	{ "npa",	(void *(*)(void)) sc_get_npa_driver },
+ 	/* The default driver should be last, as it handles all the
+ 	 * unrecognized cards. */
+

SOURCES/opensc-0.19.0-coverity.patch

@@ -0,0 +1,446 @@
+diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c
+index 49b593f9..299520d6 100644
+--- a/src/libopensc/card-epass2003.c
++++ b/src/libopensc/card-epass2003.c
+@@ -1846,11 +1846,6 @@ epass2003_process_fci(struct sc_card *card, sc_file_t * file, const u8 * buf, si
+ 				case 0x04:
+ 					file->ef_structure = SC_FILE_EF_LINEAR_FIXED;
+ 					break;
+-				case 0x03:
+-				case 0x05:
+-				case 0x06:
+-				case 0x07:
+-					break;
+ 				default:
+ 					break;
+ 				}
+diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
+index 254f8aa5..7eb3f5d0 100644
+--- a/src/libopensc/card-iasecc.c
++++ b/src/libopensc/card-iasecc.c
+@@ -2406,7 +2406,11 @@ iasecc_pin_reset(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_
+ 		sc_format_path("3F00", &path);
+ 		path.type = SC_PATH_TYPE_FILE_ID;
+ 		rv = iasecc_select_file(card, &path, NULL);
+-		LOG_TEST_RET(ctx, rv, "Unable to select MF");
++		if (rv != SC_SUCCESS) {
++			sc_file_free(save_current);
++			sc_log(ctx, "Unable to select MF");
++			LOG_FUNC_RETURN(ctx, rv);
++		}
+ 	}
+ 
+ 	memset(&sdo, 0, sizeof(sdo));
+@@ -3478,9 +3482,12 @@ iasecc_get_free_reference(struct sc_card *card, struct iasecc_ctl_get_free_refer
+ 
+ 			sc_log(ctx, "found empty key slot %i", idx);
+ 			break;
++		} else if (rv != SC_SUCCESS) {
++			iasecc_sdo_free(card, sdo);
++
++			sc_log(ctx, "get new key reference failed");
++			LOG_FUNC_RETURN(ctx, rv);
+ 		}
+-		else
+-			LOG_TEST_RET(ctx, rv, "get new key reference failed");
+ 
+ 		sz = *(sdo->docp.size.value + 0) * 0x100 + *(sdo->docp.size.value + 1);
+ 		sc_log(ctx,
+diff --git a/src/libopensc/card-muscle.c b/src/libopensc/card-muscle.c
+index c91b8d5e..be5b9f14 100644
+--- a/src/libopensc/card-muscle.c
++++ b/src/libopensc/card-muscle.c
+@@ -455,6 +455,7 @@ static int _listFile(mscfs_file_t *file, int reset, void *udata)
+ static int muscle_init(sc_card_t *card)
+ {
+ 	muscle_private_t *priv;
++	int r;
+ 
+ 	card->name = "MuscleApplet";
+ 	card->drv_data = malloc(sizeof(muscle_private_t));
+@@ -478,7 +479,10 @@ static int muscle_init(sc_card_t *card)
+ 	card->caps |= SC_CARD_CAP_RNG;
+ 
+ 	/* Card type detection */
+-	_sc_match_atr(card, muscle_atrs, &card->type);
++	r = _sc_match_atr(card, muscle_atrs, &card->type);
++	if (r < 0) {
++		sc_log(card->ctx, "Failed to match the ATRs");
++	}
+ 	if(card->type == SC_CARD_TYPE_MUSCLE_ETOKEN_72K) {
+ 		card->caps |= SC_CARD_CAP_APDU_EXT;
+ 	}
+diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
+index 61acedc8..a678b768 100644
+--- a/src/libopensc/card-piv.c
++++ b/src/libopensc/card-piv.c
+@@ -922,7 +922,11 @@ piv_get_data(sc_card_t * card, int enumtag, u8 **buf, size_t *buf_len)
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+ 	sc_log(card->ctx, "#%d", enumtag);
+ 
+-	sc_lock(card); /* do check len and get data in same transaction */
++	r = sc_lock(card); /* do check len and get data in same transaction */
++	if (r != SC_SUCCESS) {
++		sc_log(card->ctx, "sc_lock failed");
++		return r;
++	}
+ 
+ 	/* assert(enumtag >= 0 && enumtag < PIV_OBJ_LAST_ENUM); */
+ 
+@@ -1481,7 +1485,7 @@ static int piv_get_key(sc_card_t *card, unsigned int alg_id, u8 **key, size_t *l
+ 	FILE *f = NULL;
+ 	char * keyfilename = NULL;
+ 	size_t expected_keylen;
+-	size_t keylen;
++	size_t keylen, readlen;
+ 	u8 * keybuf = NULL;
+ 	u8 * tkey = NULL;
+ 
+@@ -1530,11 +1534,12 @@ static int piv_get_key(sc_card_t *card, unsigned int alg_id, u8 **key, size_t *l
+ 	}
+ 	keybuf[fsize] = 0x00;    /* in case it is text need null */
+ 
+-	if (fread(keybuf, 1, fsize, f) != fsize) {
++	if ((readlen = fread(keybuf, 1, fsize, f)) != fsize) {
+ 		sc_log(card->ctx, " Unable to read key\n");
+ 		r = SC_ERROR_WRONG_LENGTH;
+ 		goto err;
+ 	}
++	keybuf[readlen] = '\0';
+ 
+ 	tkey = malloc(expected_keylen);
+ 	if (!tkey) {
+@@ -2126,14 +2131,16 @@ piv_get_serial_nr_from_CHUI(sc_card_t* card, sc_serial_number_t* serial)
+ 				/* test if guid and the fascn starts with ;9999 (in ISO 4bit + parity code) */
+ 				if (!(gbits && fascn[0] == 0xD4 && fascn[1] == 0xE7
+ 						    && fascn[2] == 0x39 && (fascn[3] | 0x7F) == 0xFF)) {
+-					serial->len = fascnlen < SC_MAX_SERIALNR ? fascnlen : SC_MAX_SERIALNR;
++					/* fascnlen is 25 */
++					serial->len = fascnlen;
+ 					memcpy (serial->value, fascn, serial->len);
+ 					r = SC_SUCCESS;
+ 					gbits = 0; /* set to skip using guid below */
+ 				}
+ 			}
+ 			if (guid && gbits) {
+-				serial->len = guidlen < SC_MAX_SERIALNR ? guidlen : SC_MAX_SERIALNR;
++				/* guidlen is 16 */
++				serial->len = guidlen;
+ 				memcpy (serial->value, guid, serial->len);
+ 				r = SC_SUCCESS;
+ 			}
+@@ -2981,7 +2988,7 @@ static int piv_match_card(sc_card_t *card)
+ 
+ static int piv_match_card_continued(sc_card_t *card)
+ {
+-	int i;
++	int i, r;
+ 	int type  = -1;
+ 	piv_private_data_t *priv = NULL;
+ 	int saved_type = card->type;
+@@ -3080,7 +3087,13 @@ static int piv_match_card_continued(sc_card_t *card)
+ 		if(piv_objects[i].flags & PIV_OBJECT_NOT_PRESENT)
+ 			priv->obj_cache[i].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
+ 
+-	sc_lock(card);
++	r = sc_lock(card);
++	if (r != SC_SUCCESS) {
++		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "sc_lock failed\n");
++		piv_finish(card);
++		card->type = saved_type;
++		return 0;
++	}
+ 
+ 	/*
+ 	 * detect if active AID is PIV. NIST 800-73 says Only one PIV application per card
+@@ -3464,7 +3477,11 @@ piv_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left)
+ 	if (data->cmd == SC_PIN_CMD_VERIFY && data->pin_type == SC_AC_CONTEXT_SPECIFIC) {
+ 		priv->context_specific = 1;
+ 		sc_log(card->ctx,"Starting CONTEXT_SPECIFIC verify");
+-		sc_lock(card);
++		r = sc_lock(card);
++		if (r != SC_SUCCESS) {
++			sc_log(card->ctx, "sc_lock failed");
++			return r;
++		}
+ 	}
+ 
+ 	priv->pin_cmd_verify = 1; /* tell piv_check_sw its a verify to save sw1, sw2 */
+diff --git a/src/libopensc/ctx.c b/src/libopensc/ctx.c
+index 626686a7..f24a61ca 100644
+--- a/src/libopensc/ctx.c
++++ b/src/libopensc/ctx.c
+@@ -452,6 +452,10 @@ static void *load_dynamic_driver(sc_context_t *ctx, void **dll, const char *name
+ 	const char *(*modversion)(void) = NULL;
+ 	const char *(**tmodv)(void) = &modversion;
+ 
++	if (dll == NULL) {
++		sc_log(ctx, "No dll parameter specified");
++		return NULL;
++	}
+ 	if (name == NULL) { /* should not occur, but... */
+ 		sc_log(ctx, "No module specified");
+ 		return NULL;
+@@ -481,8 +485,8 @@ static void *load_dynamic_driver(sc_context_t *ctx, void **dll, const char *name
+ 		sc_dlclose(handle);
+ 		return NULL;
+ 	}
+-	if (dll)
+-		*dll = handle;
++
++	*dll = handle;
+ 	sc_log(ctx, "successfully loaded card driver '%s'", name);
+ 	return modinit(name);
+ }
+diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
+index 718d92ff..6abd2d76 100644
+--- a/src/libopensc/iso7816.c
++++ b/src/libopensc/iso7816.c
+@@ -841,13 +841,18 @@ iso7816_set_security_env(struct sc_card *card,
+ 	if (env->flags & SC_SEC_ENV_FILE_REF_PRESENT) {
+ 		if (env->file_ref.len > 0xFF)
+ 			return SC_ERROR_INVALID_ARGUMENTS;
++		if (sizeof(sbuf) - (p - sbuf) < env->file_ref.len + 2)
++			return SC_ERROR_OFFSET_TOO_LARGE;
++
+ 		*p++ = 0x81;
+ 		*p++ = (u8) env->file_ref.len;
+-		assert(sizeof(sbuf) - (p - sbuf) >= env->file_ref.len);
+ 		memcpy(p, env->file_ref.value, env->file_ref.len);
+ 		p += env->file_ref.len;
+ 	}
+ 	if (env->flags & SC_SEC_ENV_KEY_REF_PRESENT) {
++		if (sizeof(sbuf) - (p - sbuf) < env->key_ref_len + 2)
++			return SC_ERROR_OFFSET_TOO_LARGE;
++
+ 		if (env->flags & SC_SEC_ENV_KEY_REF_SYMMETRIC)
+ 			*p++ = 0x83;
+ 		else
+@@ -855,7 +860,6 @@ iso7816_set_security_env(struct sc_card *card,
+ 		if (env->key_ref_len > 0xFF)
+ 			return SC_ERROR_INVALID_ARGUMENTS;
+ 		*p++ = env->key_ref_len & 0xFF;
+-		assert(sizeof(sbuf) - (p - sbuf) >= env->key_ref_len);
+ 		memcpy(p, env->key_ref, env->key_ref_len);
+ 		p += env->key_ref_len;
+ 	}
+diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
+index 93032113..f34425a5 100644
+--- a/src/libopensc/pkcs15-cac.c
++++ b/src/libopensc/pkcs15-cac.c
+@@ -388,6 +388,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
+ 			if (r == SC_SUCCESS) {
+ 				token_name = malloc (cn_len+1);
+ 				if (!token_name) {
++					free(cn_name);
+ 					r = SC_ERROR_OUT_OF_MEMORY;
+ 					goto fail;
+ 				}
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 3415be7c..8c126e46 100644
+--- a/src/libopensc/pkcs15-oberthur.c
++++ b/src/libopensc/pkcs15-oberthur.c
+@@ -206,8 +206,10 @@ sc_oberthur_get_certificate_authority(struct sc_pkcs15_der *der, int *out_author
+ 	buf_mem.max = buf_mem.length = der->len;
+ 
+ 	bio = BIO_new(BIO_s_mem());
+-	if(!bio)
++	if (!bio) {
++		free(buf_mem.data);
+ 		return SC_ERROR_OUT_OF_MEMORY;
++	}
+ 
+ 	BIO_set_mem_buf(bio, &buf_mem, BIO_NOCLOSE);
+ 	x = d2i_X509_bio(bio, 0);
+diff --git a/src/pkcs15init/pkcs15-authentic.c b/src/pkcs15init/pkcs15-authentic.c
+index ddccd032..0b6f9c17 100644
+--- a/src/pkcs15init/pkcs15-authentic.c
++++ b/src/pkcs15init/pkcs15-authentic.c
+@@ -355,7 +355,6 @@ authentic_sdo_allocate_prvkey(struct sc_profile *profile, struct sc_card *card,
+ 		sc_file_free(file);
+ 		LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot allocate 'sc_authentic_sdo'");
+ 	}
+-	*out = sdo;
+ 
+ 	sdo->magic = AUTHENTIC_SDO_MAGIC;
+ 	sdo->docp.id = key_info->key_reference &  ~AUTHENTIC_OBJECT_REF_FLAG_LOCAL;
+@@ -364,11 +363,16 @@ authentic_sdo_allocate_prvkey(struct sc_profile *profile, struct sc_card *card,
+ 	rv = authentic_docp_set_acls(card, file, authentic_v3_rsa_ac_ops,
+ 			sizeof(authentic_v3_rsa_ac_ops)/sizeof(authentic_v3_rsa_ac_ops[0]), &sdo->docp);
+ 	sc_file_free(file);
+-	LOG_TEST_RET(ctx, rv, "Cannot set key ACLs from file");
++	if (rv != SC_SUCCESS) {
++		free(sdo);
++		sc_log(ctx, "Cannot set key ACLs from file");
++		LOG_FUNC_RETURN(ctx, rv);
++	}
+ 
+ 	sc_log(ctx, "sdo(mech:%X,id:%X,acls:%s)", sdo->docp.mech, sdo->docp.id,
+ 			sc_dump_hex(sdo->docp.acl_data, sdo->docp.acl_data_len));
+ 
++	*out = sdo;
+ 	LOG_FUNC_RETURN(ctx, SC_SUCCESS);
+ }
+ 
+diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c
+index 29f9aa22..10258667 100644
+--- a/src/pkcs15init/pkcs15-myeid.c
++++ b/src/pkcs15init/pkcs15-myeid.c
+@@ -232,6 +232,7 @@ myeid_create_dir(sc_profile_t *profile, sc_pkcs15_card_t *p15card, sc_file_t *df
+ 		for (ii = 0; create_dfs[ii]; ii++) {
+ 			sc_log(ctx, "Create '%s'", create_dfs[ii]);
+ 
++			file = NULL;
+ 			r = sc_profile_get_file(profile, create_dfs[ii], &file);
+ 			sc_file_free(file);
+ 			if (r) {
+@@ -433,7 +434,11 @@ _add_supported_algo(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ 		    unsigned operations, unsigned mechanism, const struct sc_object_id *oid)
+ {
+ 	struct sc_supported_algo_info *algo;
++	struct sc_context *ctx = p15card->card->ctx;
+ 	algo = sc_pkcs15_get_supported_algo(p15card, operations, mechanism);
++	int rv;
++
++	LOG_FUNC_CALLED(ctx);
+ 	if (!algo) {
+ 		unsigned ref = 1, ii;
+ 
+@@ -451,7 +456,10 @@ _add_supported_algo(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ 		}
+ 
+ 	}
+-	sc_pkcs15_add_supported_algo_ref(object, algo);
++	rv = sc_pkcs15_add_supported_algo_ref(object, algo);
++	if (rv != SC_SUCCESS) {
++		sc_log(ctx, "Failed to add algorithms refs");
++	}
+ }
+ 
+ static void
+@@ -742,7 +750,6 @@ myeid_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ 			break;
+ 		default:
+ 			LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Unsupported key type");
+-			break;
+ 	}
+ 
+ 	sc_log(ctx, "Generate key with ID:%s and path:%s",
+diff --git a/src/pkcs15init/pkcs15-oberthur-awp.c b/src/pkcs15init/pkcs15-oberthur-awp.c
+index f9c96373..9b12f06c 100644
+--- a/src/pkcs15init/pkcs15-oberthur-awp.c
++++ b/src/pkcs15init/pkcs15-oberthur-awp.c
+@@ -284,9 +284,10 @@ awp_create_container_record (struct sc_pkcs15_card *p15card, struct sc_profile *
+ 	memset(buff, 0, list_file->record_length);
+ 
+ 	rv = awp_new_container_entry(p15card, buff, list_file->record_length);
+-	if (rv < 0)   {
++	if (rv < 0) {
+ 		free(buff);
+-		SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, rv, "Cannot create container");
++		sc_log(ctx, "Cannot create container");
++		SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_NORMAL, rv);
+ 	}
+ 
+ 	*(buff + 0) = (acc->pubkey_id >> 8) & 0xFF;
+diff --git a/src/tools/npa-tool-cmdline.c b/src/tools/npa-tool-cmdline.c
+index 117c6cb1..26eed929 100644
+--- a/src/tools/npa-tool-cmdline.c
++++ b/src/tools/npa-tool-cmdline.c
+@@ -1685,7 +1685,14 @@ void update_multiple_arg(void *field, char ***orig_field,
+   struct generic_list *tmp;
+ 
+   if (prev_given && list) {
++    char **old = *orig_field;
++    char *old_field = field;
+     *orig_field = (char **) realloc (*orig_field, (field_given + prev_given) * sizeof (char *));
++    if (*orig_field == NULL) {
++      free(*old);
++      fprintf(stderr, "Failed to allocate memory: aborting");
++      exit(1);
++    }
+ 
+     switch(arg_type) {
+     case ARG_INT:
+@@ -1695,6 +1702,11 @@ void update_multiple_arg(void *field, char ***orig_field,
+     default:
+       break;
+     };
++    if (*((void **)field) == NULL) {
++      free(old_field);
++      fprintf(stderr, "Failed to allocate memory: aborting");
++      exit(1);
++    }
+     
+     for (i = (prev_given - 1); i >= 0; --i)
+       {
+diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c
+index ac5292f9..7bc5a3ff 100644
+--- a/src/tools/opensc-explorer.c
++++ b/src/tools/opensc-explorer.c
+@@ -1399,7 +1399,7 @@ static int do_get(int argc, char **argv)
+ 	if (r == SC_SUCCESS)
+ 		r = sc_select_file(card, &path, &file);
+ 	sc_unlock(card);
+-	if (r) {
++	if (r || file == NULL) {
+ 		check_ret(r, SC_AC_OP_SELECT, "unable to select file", current_file);
+ 		goto err;
+ 	}
+diff --git a/src/tools/piv-tool.c b/src/tools/piv-tool.c
+index 6dc8213d..23a58ce6 100644
+--- a/src/tools/piv-tool.c
++++ b/src/tools/piv-tool.c
+@@ -477,6 +477,7 @@ int main(int argc, char *argv[])
+ 	const char *key_info = NULL;
+ 	const char *admin_info = NULL;
+ 	sc_context_param_t ctx_param;
++	char **old_apdus = NULL;
+ 
+ 	setbuf(stderr, NULL);
+ 	setbuf(stdout, NULL);
+@@ -493,9 +494,11 @@ int main(int argc, char *argv[])
+ 			action_count++;
+ 			break;
+ 		case 's':
++			old_apdus = opt_apdus;
+ 			opt_apdus = (char **) realloc(opt_apdus,
+ 					(opt_apdu_count + 1) * sizeof(char *));
+ 			if (!opt_apdus) {
++				free(old_apdus);
+ 				err = 1;
+ 				goto end;
+ 			}
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 64525f6a..5795a8ba 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -2695,6 +2695,7 @@ static int write_object(CK_SESSION_HANDLE session)
+ 		if (!(f = fopen(opt_attr_from_file, "rb")))
+ 			util_fatal("Couldn't open file \"%s\"", opt_attr_from_file);
+ 		certdata_len = fread(certdata, 1, sizeof(certdata), f);
++		certdata[certdata_len] = '\0';
+ 		if (certdata_len < 0)
+ 			util_fatal("Couldn't read from file \"%s\"", opt_attr_from_file);
+ 		fclose(f);
+diff --git a/src/tools/sc-hsm-tool.c b/src/tools/sc-hsm-tool.c
+index 02cdfcc6..2b424cf7 100644
+--- a/src/tools/sc-hsm-tool.c
++++ b/src/tools/sc-hsm-tool.c
+@@ -1503,13 +1503,13 @@ static int unwrap_key(sc_card_t *card, int keyid, const char *inf, const char *p
+ 		return -1;
+ 	}
+ 
+-	if ((keybloblen = fread(keyblob, 1, sizeof(keyblob), in)) < 0) {
++	keybloblen = fread(keyblob, 1, sizeof(keyblob), in);
++	fclose(in);
++	if (keybloblen < 0) {
+ 		perror(inf);
+ 		return -1;
+ 	}
+ 
+-	fclose(in);
+-
+ 	ptr = keyblob;
+ 	if ((sc_asn1_read_tag(&ptr, keybloblen, &cla, &tag, &len) != SC_SUCCESS)
+ 		   	|| ((cla & SC_ASN1_TAG_CONSTRUCTED) != SC_ASN1_TAG_CONSTRUCTED)

SOURCES/opensc-0.19.0-dual.patch

@@ -0,0 +1,609 @@
+diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
+index 03c83868f1..794472134c 100644
+--- a/src/libopensc/card-piv.c
++++ b/src/libopensc/card-piv.c
+@@ -3,7 +3,7 @@
+  * card-default.c: Support for cards with no driver
+  *
+  * Copyright (C) 2001, 2002  Juha Yrjölä <juha.yrjola@iki.fi>
+- * Copyright (C) 2005-2016  Douglas E. Engert <deengert@gmail.com>
++ * Copyright (C) 2005-2018  Douglas E. Engert <deengert@gmail.com>
+  * Copyright (C) 2006, Identity Alliance, Thomas Harning <thomas.harning@identityalliance.com>
+  * Copyright (C) 2007, EMC, Russell Larner <rlarner@rsa.com>
+  *
+@@ -53,6 +53,7 @@
+ #ifdef ENABLE_ZLIB
+ #include "compression.h"
+ #endif
++#include "simpletlv.h"
+ 
+ enum {
+ 	PIV_OBJ_CCC = 0,
+@@ -146,6 +147,16 @@ enum {
+ 	PIV_STATE_INIT
+ };
+ 
++/* ccc_flags */
++#define PIV_CCC_FOUND		0x00000001
++#define PIV_CCC_F0_PIV		0x00000002
++#define PIV_CCC_F0_CAC		0x00000004
++#define PIV_CCC_F0_JAVA		0x00000008
++#define PIV_CCC_F3_CAC_PKI	0x00000010
++
++#define PIV_CCC_TAG_F0		0xF0
++#define PIV_CCC_TAG_F3		0xF3
++
+ typedef struct piv_private_data {
+ 	int enumtag;
+ 	int  selected_obj; /* The index into the piv_objects last selected */
+@@ -174,6 +185,7 @@ typedef struct piv_private_data {
+ 	unsigned int card_issues; /* card_issues flags for this card */
+ 	int object_test_verify; /* Can test this object to set verification state of card */
+ 	int yubico_version; /* 3 byte version number of NEO or Yubikey4  as integer */
++	unsigned int ccc_flags;	    /* From  CCC indicate if CAC card */
+ } piv_private_data_t;
+ 
+ #define PIV_DATA(card) ((piv_private_data_t*)card->drv_data)
+@@ -198,6 +210,37 @@ struct piv_aid {
+  * These can be discovered by trying GET DATA
+  */
+ 
++/* ATRs of cards known to have PIV applet. But must still be tested for a PIV applet */
++static const struct sc_atr_table piv_atrs[] = {
++	/* CAC cards with PIV from: CAC-utilziation-and-variation-matrix-v2.03-20May2016.doc */
++	/* Oberthur Card Systems (PIV Endpoint) with PIV endpoint applet and PIV auth cert OBSOLETE */
++	{ "3B:DB:96:00:80:1F:03:00:31:C0:64:77:E3:03:00:82:90.00:C1", NULL, NULL, SC_CARD_TYPE_PIV_II_OBERTHUR, 0, NULL },
++
++	/* Gemalto (PIV Endpoint) with PIV endpoint applet and PIV auth cert OBSOLETE */
++	{ "3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00", NULL, NULL, SC_CARD_TYPE_PIV_II_GEMALTO, 0, NULL },
++
++	/* Gemalto (PIV Endpoint) 2 entries */
++	{ "3B:7D:96:00:00:80:31:80:65:B0:83:11:17:D6:83:00:90:00", NULL, NULL, SC_CARD_TYPE_PIV_II_GEMALTO, 0, NULL },
++
++	/* Oberthur Card System (PIV Endpoint)  2 entries*/
++	{ "3B:DB:96:00:80:1F:03:00:31:C0:64:B0:F3:10:00:07:90:00:80", NULL, NULL, SC_CARD_TYPE_PIV_II_OBERTHUR, 0, NULL },
++
++	/* Giesecke & Devrient (PIV Endpoint)  2 entries */
++	{ "3B:7A:18:00:00:73:66:74:65:20:63:64:31:34:34", NULL, NULL, SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC, 0, NULL },
++
++	/* PIVKEY from Taligo */
++	/* PIVKEY T600 token and T800  on Feitian eJAVA */
++	{ "3B:FC:18:00:00:81:31:80:45:90:67:46:4A:00:64:2D:70:C1:72:FE:E0:FE", NULL, NULL, SC_CARD_TYPE_PIV_II_PIVKEY, 0, NULL },
++
++	/* PIVKEY C910 */
++	{ "3b:fc:18:00:00:81:31:80:45:90:67:46:4a:00:64:16:06:f2:72:7e:00:e0", NULL, NULL, SC_CARD_TYPE_PIV_II_PIVKEY, 0, NULL },
++
++	/* PIVKEY C980 */
++	{ "3B:f9:96:00:00:81:31:fe:45:53:50:49:56:4b:45:59:37:30:28", NULL, NULL, SC_CARD_TYPE_PIV_II_PIVKEY, 0, NULL },
++
++	{ NULL, NULL, NULL, 0, 0, NULL }
++};
++
+ /* all have same AID */
+ static struct piv_aid piv_aids[] = {
+ 	{SC_CARD_TYPE_PIV_II_GENERIC, /* TODO not really card type but what PIV AID is supported */
+@@ -209,9 +252,10 @@ static struct piv_aid piv_aids[] = {
+ #define CI_VERIFY_630X			    0x00000001U /* VERIFY tries left returns 630X rather then 63CX */
+ #define CI_VERIFY_LC0_FAIL		    0x00000002U /* VERIFY Lc=0 never returns 90 00 if PIN not needed */
+ 							/* will also test after first PIN verify if protected object can be used instead */
++#define CI_NO_RANDOM			    0x00000004U /* can not use Challenge to get random data or no 9B key */
+ #define CI_CANT_USE_GETDATA_FOR_STATE	    0x00000008U /* No object to test verification inplace of VERIFY Lc=0 */
+ #define CI_LEAKS_FILE_NOT_FOUND		    0x00000010U /* GET DATA of empty object returns 6A 82 even if PIN not verified */
+-#define CI_DISCOVERY_USELESS		    0x00000020U /* Discovery can not be used to query active AID */
++#define CI_DISCOVERY_USELESS		    0x00000020U /* Discovery can not be used to query active AID invalid or no data returned */
+ #define CI_PIV_AID_LOSE_STATE		    0x00000040U /* PIV AID can lose the login state run with out it*/
+ 
+ #define CI_OTHER_AID_LOSE_STATE		    0x00000100U /* Other drivers match routines may reset our security state and lose AID!!! */
+@@ -219,7 +263,7 @@ static struct piv_aid piv_aids[] = {
+ 
+ #define CI_NO_RSA2048			    0x00010000U /* does not have RSA 2048 */
+ #define CI_NO_EC384			    0x00020000U /* does not have EC 384 */
+-
++#define CI_NO_EC			    0x00040000U /* No EC at all */
+ 
+ /*
+  * Flags in the piv_object:
+@@ -2222,11 +2266,33 @@ static int piv_get_challenge(sc_card_t *card, u8 *rnd, size_t len)
+ 	size_t rbuf_len = 0, out_len = 0;
+ 	int r;
+ 	unsigned int tag, cla;
++	piv_private_data_t * priv = PIV_DATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
++	if (priv->card_issues & CI_NO_RANDOM) {
++		r = SC_ERROR_NOT_SUPPORTED;
++		LOG_TEST_GOTO_ERR(card->ctx, r, "No support for random data");
++	}
++
+ 	/* NIST 800-73-3 says use 9B, previous verisons used 00 */
+ 	r = piv_general_io(card, 0x87, 0x00, 0x9B, sbuf, sizeof sbuf, &rbuf, &rbuf_len);
++	/*
++	 * piv_get_challenge is called in a loop. 
++	 * some cards may allow 1 challenge expecting it to be part of 
++	 * NIST 800-73-3 part 2 "Authentication of PIV Card Application Administrator"
++	 * and return "6A 80" if last command was a get_challenge.
++	 * Now that the card returned error, we can try one more time.
++	 */
++	 if (r == SC_ERROR_INCORRECT_PARAMETERS) {
++		if (rbuf)
++			free(rbuf);
++		rbuf_len = 0;
++		r = piv_general_io(card, 0x87, 0x00, 0x9B, sbuf, sizeof sbuf, &rbuf, &rbuf_len);
++		if (r == SC_ERROR_INCORRECT_PARAMETERS) {
++			r = SC_ERROR_NOT_SUPPORTED;
++		}
++	}
+ 	LOG_TEST_GOTO_ERR(card->ctx, r, "GENERAL AUTHENTICATE failed");
+ 
+ 	p = rbuf;
+@@ -2635,6 +2701,91 @@ static int piv_process_discovery(sc_card_t *card)
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
++/*
++ * parse a CCC to test  if this is a Dual CAC/PIV
++ * We read teh CCC using the PIV API.
++ * Look for CAC RID=A0 00 00 00 79
++ */
++ static int piv_parse_ccc(sc_card_t *card, u8* rbuf, size_t rbuflen)
++{
++	int r = 0;
++	const u8 * body;
++	size_t bodylen;
++	unsigned int cla_out, tag_out;
++
++	u8  tag;
++	const u8 * end;
++	size_t len;
++
++	piv_private_data_t * priv = PIV_DATA(card);
++
++	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
++
++	if (rbuf == NULL || rbuflen == 0) {
++		r = SC_ERROR_WRONG_LENGTH;
++		goto  err;
++	}
++
++	/* Outer layer is a DER tlv */
++	body = rbuf;
++	if ((r = sc_asn1_read_tag(&body, rbuflen, &cla_out, &tag_out,  &bodylen)) != SC_SUCCESS) {
++		sc_log(card->ctx, "DER problem %d",r);
++		r = SC_ERROR_INVALID_ASN1_OBJECT;
++		goto err;
++	}
++
++	priv->ccc_flags |= PIV_CCC_FOUND;
++
++	/* CCC  entries are simple tlv */
++	end = body + bodylen;
++	
++	for(; (body < end); body += len) {
++	
++		r = sc_simpletlv_read_tag((u8**)&body, end - body , &tag, &len);
++		if (r < 0)
++			goto err;
++		switch (tag) {
++			case PIV_CCC_TAG_F0:
++				if (len == 0x15) {
++					if (memcmp(body ,"\xA0\x00\x00\x03\08", 5) == 0)
++						priv->ccc_flags |= PIV_CCC_F0_PIV;
++					else if (memcmp(body ,"\xA0\x00\x00\x00\x79", 5) == 0)
++						priv->ccc_flags |= PIV_CCC_F0_CAC;
++					if (*(body + 6) == 0x02)
++						priv->ccc_flags |= PIV_CCC_F0_JAVA;
++				}
++				break;
++			case PIV_CCC_TAG_F3:
++				if (len == 0x10) {
++					if (memcmp(body ,"\xA0\x00\x00\x00\x79\x04", 6) == 0)
++						priv->ccc_flags |= PIV_CCC_F3_CAC_PKI;
++				}
++				break;
++		}
++	}
++
++err:
++	LOG_FUNC_RETURN(card->ctx, r);
++}
++
++static int piv_process_ccc(sc_card_t *card)
++{
++	int r = 0;
++	u8 * rbuf = NULL;
++	size_t rbuflen = 0;
++
++	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
++	r = piv_get_cached_data(card, PIV_OBJ_CCC, &rbuf, &rbuflen);
++
++	if (r < 0)
++		goto err;
++
++	/* the object is now cached, see what we have */
++	r = piv_parse_ccc(card, rbuf, rbuflen);
++err:
++	LOG_FUNC_RETURN(card->ctx, r);
++}
++
+ 
+ static int piv_find_discovery(sc_card_t *card)
+ {
+@@ -2922,7 +3073,8 @@ piv_finish(sc_card_t *card)
+ static int piv_match_card(sc_card_t *card)
+ {
+ 	int r = 0;
+-
++	
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d\n", card->type);
+ 	/* piv_match_card may be called with card->type, set by opensc.conf */
+ 	/* user provide card type must be one we know */
+ 	switch (card->type) {
+@@ -2931,7 +3083,13 @@ static int piv_match_card(sc_card_t *card)
+ 		case SC_CARD_TYPE_PIV_II_HIST:
+ 		case SC_CARD_TYPE_PIV_II_NEO:
+ 		case SC_CARD_TYPE_PIV_II_YUBIKEY4:
++		case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
+ 		case SC_CARD_TYPE_PIV_II_GI_DE:
++		case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
++		case SC_CARD_TYPE_PIV_II_GEMALTO:
++		case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
++		case SC_CARD_TYPE_PIV_II_OBERTHUR:
++		case SC_CARD_TYPE_PIV_II_PIVKEY:
+ 			break;
+ 		default:
+ 			return 0; /* can not handle the card */
+@@ -2950,13 +3108,14 @@ static int piv_match_card(sc_card_t *card)
+ 		piv_finish(card);
+ 	}
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d r:%d\n", card->type,r);
+ 	return r;
+ }
+ 
+ 
+ static int piv_match_card_continued(sc_card_t *card)
+ {
+-	int i, r;
++	int i, r = 0;
+ 	int type  = -1;
+ 	piv_private_data_t *priv = NULL;
+ 	int saved_type = card->type;
+@@ -2973,12 +3132,19 @@ static int piv_match_card_continued(sc_card_t *card)
+ 		case SC_CARD_TYPE_PIV_II_HIST:
+ 		case SC_CARD_TYPE_PIV_II_NEO:
+ 		case SC_CARD_TYPE_PIV_II_YUBIKEY4:
++		case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
+ 		case SC_CARD_TYPE_PIV_II_GI_DE:
++		case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
++		case SC_CARD_TYPE_PIV_II_GEMALTO:
++		case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
++		case SC_CARD_TYPE_PIV_II_OBERTHUR:
++		case SC_CARD_TYPE_PIV_II_PIVKEY:
+ 			type = card->type;
+ 			break;
+ 		default:
+ 			return 0; /* can not handle the card */
+ 	}
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d type:%d r:%d\n", card->type, type, r);
+ 	if (type == -1) {
+ 
+ 		/*
+@@ -2997,18 +3163,6 @@ static int piv_match_card_continued(sc_card_t *card)
+ 					!(memcmp(card->reader->atr_info.hist_bytes, "Yubikey", 7))) {
+ 				type = SC_CARD_TYPE_PIV_II_NEO;
+ 			}
+-			/*
+-			 * https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1239.pdf
+-			 * lists 2 ATRS with historical bytes:
+-			 *   73 66 74 65 2D 63 64 30 38 30
+-			 *   73 66 74 65 20 63 64 31 34 34
+-			 * will check for 73 66 74 65
+-			 */
+-			else if (card->reader->atr_info.hist_bytes_len >= 4
+-					&& !(memcmp(card->reader->atr_info.hist_bytes, "sfte", 4))) {
+-				type = SC_CARD_TYPE_PIV_II_GI_DE;
+-			}
+-
+ 			else if (card->reader->atr_info.hist_bytes_len > 0
+ 					&& card->reader->atr_info.hist_bytes[0] == 0x80u) { /* compact TLV */
+ 				size_t datalen;
+@@ -3029,10 +3183,17 @@ static int piv_match_card_continued(sc_card_t *card)
+ 				}
+ 			}
+ 		}
+-		if (type == -1)
+-			type = SC_CARD_TYPE_PIV_II_GENERIC;
++		sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d type:%d r:%d\n", card->type, type, r);
++
++		if (type == -1) {
++			/* use known ATRs  */
++			i = _sc_match_atr(card, piv_atrs, &type);
++			if (type == -1)
++				type = SC_CARD_TYPE_PIV_II_GENERIC; /* may  still be CAC with PIV Endpoint */
++		}
+ 	}
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d type:%d r:%d\n", card->type, type, r);
+ 	/* allocate and init basic fields */
+ 
+ 	priv = calloc(1, sizeof(piv_private_data_t));
+@@ -3046,6 +3207,7 @@ static int piv_match_card_continued(sc_card_t *card)
+ 	card->drv_data = priv; /* will free if no match, or pass on to piv_init */
+ 	priv->selected_obj = -1;
+ 	priv->pin_preference = 0x80; /* 800-73-3 part 1, table 3 */
++	/* TODO Dual CAC/PIV are bases on 800-73-1 were priv->pin_preference = 0. need to check later */
+ 	priv->logged_in = SC_PIN_STATE_UNKNOWN;
+ 	priv->tries_left = 10; /* will assume OK at start */
+ 	priv->pstate = PIV_STATE_MATCH;
+@@ -3064,38 +3226,104 @@ static int piv_match_card_continued(sc_card_t *card)
+ 	}
+ 
+ 	/*
+-	 * detect if active AID is PIV. NIST 800-73 says Only one PIV application per card
+-	 * and PIV must be the default application
+-	 * This can avoid doing doing a select_aid and losing the login state on some cards
++	 * Detect if active AID is PIV. NIST 800-73 says only one PIV application per card
++	 * and PIV must be the default application.
++	 * Try to avoid doing a select_aid and losing the login state on some cards.
+ 	 * We may get interference on some cards by other drivers trying SELECT_AID before
+-	 * we get to see if PIV application is still active.
++	 * we get to see if PIV application is still active
+ 	 * putting PIV driver first might help. 
+-	 * This may fail if the wrong AID is active
++	 * This may fail if the wrong AID is active.
++	 * Discovery Object introduced in 800-73-3 so will return 0 if found and PIV applet active.
++	 * Will fail with SC_ERROR_FILE_NOT_FOUND if 800-73-3 and no Discovery object.
++	 * But some other card could also return SC_ERROR_FILE_NOT_FOUND.
++	 * Will fail for other reasons if wrong applet is selected, or bad PIV implimentation. 
+ 	 */
+-	i = piv_find_discovery(card);
++	
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type,  priv->card_issues, r);
++	if (priv->card_issues & CI_DISCOVERY_USELESS) /* TODO may be in wrong place */
++		i = -1;
++	else
++		i = piv_find_discovery(card);
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
+ 	if (i < 0) {
+ 		/* Detect by selecting applet */
+ 		i = piv_find_aid(card);
+ 	}
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
+ 	if (i >= 0) {
++		int iccc = 0;
++		 /* We now know PIV AID is active, test CCC object  800-73-* say CCC is required */
++		switch (card->type)  {
++			/*
++			 * For cards that may also be CAC, try and read the CCC
++			 * CCC is required and all Dual PIV/CAC will have a CCC
++			 * Currently Dual PIV/CAC are based on NIST 800-73-1 which does not have Discovery or History
++			 */
++			case SC_CARD_TYPE_PIV_II_GENERIC: /* i.e. really dont know what this is */
++			case SC_CARD_TYPE_PIV_II_HIST:
++			case SC_CARD_TYPE_PIV_II_GI_DE:
++			case SC_CARD_TYPE_PIV_II_GEMALTO:
++			case SC_CARD_TYPE_PIV_II_OBERTHUR:
++				iccc = piv_process_ccc(card);
++				sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d iccc:%d ccc_flags:%08x CI:%08x r:%d\n",
++						card->type, iccc, priv->ccc_flags, priv->card_issues, r);
++				/* ignore an error? */
++				/* if CCC says it has CAC with PKI on card set to one of the SC_CARD_TYPE_PIV_II_*_DUAL_CAC */
++				if (priv->ccc_flags & PIV_CCC_F3_CAC_PKI) {
++					switch (card->type)  {
++						case SC_CARD_TYPE_PIV_II_GENERIC:
++						case SC_CARD_TYPE_PIV_II_HIST:
++						case SC_CARD_TYPE_PIV_II_GI_DE:
++						    card->type = SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC;
++						    priv->card_issues |= CI_DISCOVERY_USELESS;
++						    priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
++						    break;
++						case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
++						case SC_CARD_TYPE_PIV_II_GEMALTO:
++							card->type = SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC;
++							priv->card_issues |= CI_DISCOVERY_USELESS;
++							priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
++							break;
++						case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
++						case SC_CARD_TYPE_PIV_II_OBERTHUR:
++							card->type =  SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC;
++							priv->card_issues |= CI_DISCOVERY_USELESS;
++							priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
++							break;
++					}
++				}
++				break;
++
++				/* if user forced it to be one of the CAC types, assume it is CAC */
++			case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
++			case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
++			case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
++				priv->card_issues |= CI_DISCOVERY_USELESS;
++				priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
++				break;
++			}
++		}
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
++	if (i >= 0 && (priv->card_issues & CI_DISCOVERY_USELESS) == 0) {
+ 		/*
+-		 * We now know PIV AID is active, test DISCOVERY object 
+-		 * Some CAC cards with PIV don't support DISCOVERY and return 
+-		 * SC_ERROR_INCORRECT_PARAMETERS. Any error other then 
+-		 * SC_ERROR_FILE_NOT_FOUND means we cannot use discovery 
++		 * We now know PIV AID is active, test DISCOVERY object again 
++		 * Some PIV don't support DISCOVERY and return 
++		 * SC_ERROR_INCORRECT_PARAMETERS. Any error 
++		 * including SC_ERROR_FILE_NOT_FOUND means we cannot use discovery 
+ 		 * to test for active AID.
+ 		 */
+ 		int i7e = piv_find_discovery(card);
+ 
+-		if (i7e != 0 && i7e !=  SC_ERROR_FILE_NOT_FOUND) {
++		sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i7e:%d CI:%08x r:%d\n", card->type, i7e, priv->card_issues, r);
++		if (i7e != 0) {
+ 			priv->card_issues |= CI_DISCOVERY_USELESS;
+ 			priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
+ 		}
+ 	}
+ 
+-
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
+ 	if (i < 0) {
+ 		/* don't match. Does not have a PIV applet. */
+ 		sc_unlock(card);
+@@ -3104,6 +3332,7 @@ static int piv_match_card_continued(sc_card_t *card)
+ 		return 0;
+ 	}
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
+ 	/* Matched, caller will use or free priv and sc_lock as needed */
+ 	priv->pstate=PIV_STATE_INIT;
+ 	return 1; /* match */
+@@ -3124,7 +3353,7 @@ static int piv_init(sc_card_t *card)
+ 	/* continue the matching get a lock and the priv */
+ 	r = piv_match_card_continued(card);
+ 	if (r != 1)  {
+-		sc_log(card->ctx,"piv_match_card_continued failed");
++		sc_log(card->ctx,"piv_match_card_continued failed card->type:%d", card->type);
+ 		piv_finish(card);
+ 		/* tell sc_connect_card to try other drivers */
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_CARD);
+@@ -3147,6 +3376,7 @@ static int piv_init(sc_card_t *card)
+ 	 * Set card_issues based on card type either set by piv_match_card or by opensc.conf
+ 	 */
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type, priv->card_issues, r);
+ 	switch(card->type) {
+ 		case SC_CARD_TYPE_PIV_II_NEO:
+ 		case SC_CARD_TYPE_PIV_II_YUBIKEY4:
+@@ -3178,6 +3408,7 @@ static int piv_init(sc_card_t *card)
+ 	 * may be set earlier or later then in the following code. 
+ 	 */
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type, priv->card_issues, r);
+ 	switch(card->type) {
+ 		case SC_CARD_TYPE_PIV_II_NEO:
+ 			priv->card_issues |= CI_NO_EC384
+@@ -3196,30 +3427,53 @@ static int piv_init(sc_card_t *card)
+ 				priv->card_issues |= CI_VERIFY_LC0_FAIL;
+ 			break;
+ 
++		case SC_CARD_TYPE_PIV_II_GI_DE:
++		case SC_CARD_TYPE_PIV_II_OBERTHUR:
++		case SC_CARD_TYPE_PIV_II_GEMALTO:
++			priv->card_issues |= 0; /* could add others here */
++			break;
++
+ 		case SC_CARD_TYPE_PIV_II_HIST:
+-			priv->card_issues |= 0;
++			priv->card_issues |= 0; /* could add others here */
+ 			break;
+ 
+-		case SC_CARD_TYPE_PIV_II_GI_DE:
++		case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
++		case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
++		case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
+ 			priv->card_issues |= CI_VERIFY_LC0_FAIL
+ 				| CI_PIV_AID_LOSE_STATE
+-				| CI_OTHER_AID_LOSE_STATE;;
++				| CI_NO_RANDOM
++				| CI_OTHER_AID_LOSE_STATE;
+ 			/* TODO may need more research */
+ 			break;
+ 
++
+ 		case SC_CARD_TYPE_PIV_II_GENERIC:
+ 			priv->card_issues |= CI_VERIFY_LC0_FAIL
+ 				| CI_OTHER_AID_LOSE_STATE;
+ 			/* TODO may need more research */
+ 			break;
+ 
++		case SC_CARD_TYPE_PIV_II_PIVKEY:
++			priv->card_issues |= CI_VERIFY_LC0_FAIL
++				| CI_PIV_AID_LOSE_STATE /* be conservative */
++				| CI_NO_EC384 | CI_NO_EC
++				| CI_NO_RANDOM; /* does not have 9B key */
++				/* Discovery object returns 6A 82 so is not on card by default */
++				/*  TODO may need more research */
++			break;
++
+ 		default:
+-		     priv->card_issues = 0; /* opensc.conf may have it wrong, continue anyway */
+-		     sc_log(card->ctx, "Unknown PIV card->type %d", card->type);
+-		     card->type = SC_CARD_TYPE_PIV_II_BASE;
++			priv->card_issues |= CI_VERIFY_LC0_FAIL
++				| CI_OTHER_AID_LOSE_STATE;
++			/* opensc.conf may have it wrong, continue anyway */
++			sc_log(card->ctx, "Unknown PIV card->type %d", card->type);
++			card->type = SC_CARD_TYPE_PIV_II_GENERIC;
+ 	}
+ 	sc_log(card->ctx, "PIV card-type=%d card_issues=0x%08x", card->type, priv->card_issues);
+ 
++	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type, priv->card_issues, r);
++
+ 	priv->enumtag = piv_aids[0].enumtag;
+ 
+ 	/* PKCS#11 may try to generate session keys, and get confused
+@@ -3233,15 +3487,20 @@ static int piv_init(sc_card_t *card)
+ 	_sc_card_add_rsa_alg(card, 2048, flags, 0); /* optional */
+ 	_sc_card_add_rsa_alg(card, 3072, flags, 0); /* optional */
+ 
+-	flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ECDSA_HASH_NONE;
+-	ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
++	if (!(priv->card_issues & CI_NO_EC)) {
++		flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ECDSA_HASH_NONE;
++		ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
++
++		_sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
++		if (!(priv->card_issues & CI_NO_EC384))
++			_sc_card_add_ec_alg(card, 384, flags, ext_flags, NULL);
++	}
+ 
+-	_sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
+-	if (!(priv->card_issues & CI_NO_EC384))
+-		_sc_card_add_ec_alg(card, 384, flags, ext_flags, NULL);
++	if (!(priv->card_issues & CI_NO_RANDOM))
++		card->caps |= SC_CARD_CAP_RNG;
+ 
+-	/* TODO may turn off SC_CARD_CAP_ISO7816_PIN_INFO later */
+-	card->caps |= SC_CARD_CAP_RNG | SC_CARD_CAP_ISO7816_PIN_INFO;
++	/* May turn off SC_CARD_CAP_ISO7816_PIN_INFO later */
++	card->caps |=  SC_CARD_CAP_ISO7816_PIN_INFO;
+ 
+ 	/*
+ 	 * 800-73-3 cards may have a history object and/or a discovery object
+@@ -3565,11 +3824,13 @@ static int piv_card_reader_lock_obtained(sc_card_t *card, int was_reset)
+ 	    r =  SC_ERROR_NO_CARD_SUPPORT;
+ 	} else {
+ 	    r = piv_find_discovery(card);
++	    sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH piv_find_discovery card->type:%d r:%d\n", card->type, r);
+ 	}
+ 
+ 	if (r < 0) {
+ 		if (was_reset > 0 || !(priv->card_issues & CI_PIV_AID_LOSE_STATE)) {
+ 			r = piv_select_aid(card, piv_aids[0].value, piv_aids[0].len_short, temp, &templen);
++			sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH piv_select_aid card->type:%d r:%d\n", card->type, r);
+ 		} else {
+ 			r = 0; /* cant do anything with this card, hope there was no interference */
+ 		}
+diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
+index f4df17fb04..121182bb6a 100644
+--- a/src/libopensc/cards.h
++++ b/src/libopensc/cards.h
+@@ -136,7 +136,13 @@ enum {
+ 	SC_CARD_TYPE_PIV_II_HIST,
+ 	SC_CARD_TYPE_PIV_II_NEO,
+ 	SC_CARD_TYPE_PIV_II_YUBIKEY4,
++	SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC,
+ 	SC_CARD_TYPE_PIV_II_GI_DE,
++	SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC,
++	SC_CARD_TYPE_PIV_II_GEMALTO,
++	SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC,
++	SC_CARD_TYPE_PIV_II_OBERTHUR,
++	SC_CARD_TYPE_PIV_II_PIVKEY,
+ 
+ 	/* MuscleApplet */
+ 	SC_CARD_TYPE_MUSCLE_BASE = 15000,
+

SOURCES/opensc-0.19.0-pinpad.patch

@@ -0,0 +1,13 @@
+diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf
+--- opensc-0.19.0/etc/opensc.conf.pinpad	2018-10-22 14:31:12.082963540 +0200
++++ opensc-0.19.0/etc/opensc.conf	2018-10-22 14:33:59.939410701 +0200
+@@ -4,4 +4,9 @@ app default {
+ 	framework pkcs15 {
+ 		# use_file_caching = true;
+ 	}
++	reader_driver pcsc {
++		# The pinpad is disabled by default,
++		# because of many broken readers out there
++		enable_pinpad = false;
++	}
+ }

SOURCES/opensc.module

@@ -0,0 +1,8 @@
+# This file describes how to load the opensc module
+# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package opensc for
+# 32-bit and 64-bit and make them parallel installable
+module: opensc-pkcs11.so

SPECS/opensc.spec

@@ -0,0 +1,676 @@
+%define opensc_module "OpenSC PKCS #11 Module"
+%define nssdb %{_sysconfdir}/pki/nssdb
+
+Name:           opensc
+Version:        0.19.0
+Release:        5%{?dist}
+Summary:        Smart card library and applications
+
+Group:          System Environment/Libraries
+License:        LGPLv2+
+URL:            https://github.com/OpenSC/OpenSC/wiki
+Source0:        https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1:        opensc.module
+# https://github.com/OpenSC/OpenSC/pull/1435
+# https://github.com/OpenSC/OpenSC/pull/1521
+# parts of
+# https://github.com/OpenSC/OpenSC/pull/1556
+# https://github.com/OpenSC/OpenSC/pull/1503
+# https://github.com/OpenSC/OpenSC/pull/1505
+Patch2:         opensc-0.19.0-rsa-pss.patch
+# https://github.com/OpenSC/OpenSC/pull/1489
+Patch3:         opensc-0.19.0-coverity.patch
+# https://github.com/OpenSC/OpenSC/pull/1500
+Patch4:         opensc-0.19.0-coolkey-matching.patch
+# https://github.com/OpenSC/OpenSC/pull/1502
+Patch5:         opensc-0.19.0-cac1.patch
+Patch6:         opensc-0.19.0-pinpad.patch
+# https://github.com/OpenSC/OpenSC/pull/1549
+Patch7:         opensc-0.19.0-dual.patch
+
+BuildRequires:  pcsc-lite-devel
+BuildRequires:  readline-devel
+BuildRequires:  openssl-devel
+BuildRequires:  /usr/bin/xsltproc
+BuildRequires:  docbook-style-xsl
+BuildRequires:  autoconf automake libtool gcc
+BuildRequires:  desktop-file-utils
+BuildRequires:  bash-completion
+Requires:       pcsc-lite-libs%{?_isa}
+Requires:       pcsc-lite
+Obsoletes:      mozilla-opensc-signer < 0.12.0
+Obsoletes:      opensc-devel < 0.12.0
+Obsoletes:      coolkey <= 1.1.0-36
+
+%description
+OpenSC provides a set of libraries and utilities to work with smart cards. Its
+main focus is on cards that support cryptographic operations, and facilitate
+their use in security applications such as authentication, mail encryption and
+digital signatures. OpenSC implements the PKCS#11 API so applications
+supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On
+the card OpenSC implements the PKCS#15 standard and aims to be compatible with
+every software/card that does so, too.
+
+
+%prep
+%setup -q
+%patch2 -p1 -b .pss
+%patch3 -p1 -b .coverity
+%patch4 -p1 -b .coolkey-match
+%patch5 -p1 -b .cac1
+%patch6 -p1 -b .pinpad
+%patch7 -p1 -b .dual
+
+cp -p src/pkcs15init/README ./README.pkcs15init
+cp -p src/scconf/README.scconf .
+# No {_libdir} here to avoid multilib conflicts; it's just an example
+sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.example.in
+
+
+%build
+autoreconf -fvi
+%ifarch %{ix86} ppc s390
+sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
+%endif
+sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
+%configure  --disable-static \
+  --disable-assert \
+  --enable-pcsc \
+  --disable-tests \
+  --enable-sm \
+  --with-pcsc-provider=libpcsclite.so.1
+make %{?_smp_mflags} V=1
+
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
+
+%ifarch %{ix86} ppc s390
+# To avoid multilib issues, move these files on 32b intel architectures
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf
+install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
+rm -f $RPM_BUILD_ROOT%{_mandir}/man5/opensc.conf.5
+install -Dpm 644 doc/files/opensc.conf.5 $RPM_BUILD_ROOT%{_mandir}/man5/opensc-%{_arch}.conf.5
+# use NEWS file timestamp as reference for configuration file
+touch -r NEWS $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
+touch -r NEWS $RPM_BUILD_ROOT%{_mandir}/man5/opensc-%{_arch}.conf.5
+%else
+# For backward compatibility, symlink the old location to the new files
+ln -s %{_sysconfdir}/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
+%endif
+
+find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" | xargs rm
+
+rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc
+
+# Upstream considers libopensc API internal and no longer ships
+# public headers and pkgconfig files.
+# Remove the symlink as nothing is supposed to link against libopensc.
+rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
+%if 0%{?rhel} && 0%{?rhel} < 7
+rm -rf %{buildroot}%{_datadir}/bash-completion/
+%endif
+
+# the npa-tool builds to nothing since we do not have OpenPACE library
+rm -rf %{buildroot}%{_bindir}/npa-tool
+rm -rf %{buildroot}%{_mandir}/man1/npa-tool.1*
+
+desktop-file-validate %{buildroot}/%{_datadir}/applications/org.opensc.notify.desktop
+
+%post
+/sbin/ldconfig
+# Remove our PKCS#11 module from NSS DB, if there is NSS installed, because
+# it is already loaded by p11-kit-proxy. Using both of them can cause
+# race conditions and hard-to-debug problems
+# TODO Remove with F30 or so
+if [ -x /usr/bin/modutil ]; then
+	isThere=`modutil -rawlist -dbdir %{nssdb} | grep %{opensc_module} || echo NO`
+	if [ ! "$isThere" == "NO" ]; then
+		modutil -delete %{opensc_module} -dbdir %{nssdb} -force || :
+
+	fi
+	isThere=`modutil -rawlist -dbdir sql:%{nssdb} | grep %{opensc_module} || echo NO`
+	if [ ! "$isThere" == "NO" ]; then
+		modutil -delete %{opensc_module} -dbdir sql:%{nssdb} -force || :
+	fi
+fi
+
+%postun
+/sbin/ldconfig
+
+%files
+%doc COPYING NEWS README*
+
+%if ! 0%{?rhel} || 0%{?rhel} >= 7
+%{_datadir}/bash-completion/*
+%endif
+
+%ifarch %{ix86} ppc s390
+%{_mandir}/man5/opensc-%{_arch}.conf.5*
+%else
+%config(noreplace) %{_sysconfdir}/opensc.conf
+%{_mandir}/man5/opensc.conf.5*
+%endif
+
+%config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf
+%{_datadir}/p11-kit/modules/opensc.module
+%{_bindir}/cardos-tool
+%{_bindir}/cryptoflex-tool
+%{_bindir}/eidenv
+%{_bindir}/iasecc-tool
+%{_bindir}/gids-tool
+%{_bindir}/netkey-tool
+%{_bindir}/openpgp-tool
+%{_bindir}/opensc-explorer
+%{_bindir}/opensc-tool
+%{_bindir}/opensc-asn1
+%{_bindir}/opensc-notify
+%{_bindir}/piv-tool
+%{_bindir}/pkcs11-tool
+%{_bindir}/pkcs15-crypt
+%{_bindir}/pkcs15-init
+%{_bindir}/pkcs15-tool
+%{_bindir}/sc-hsm-tool
+%{_bindir}/dnie-tool
+%{_bindir}/westcos-tool
+%{_bindir}/egk-tool
+%{_datadir}/applications/org.opensc.notify.desktop
+%{_libdir}/lib*.so.*
+%{_libdir}/opensc-pkcs11.so
+%{_libdir}/pkcs11-spy.so
+%{_libdir}/onepin-opensc-pkcs11.so
+%{_libdir}/pkgconfig/*.pc
+%%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/opensc-pkcs11.so
+%{_libdir}/pkcs11/onepin-opensc-pkcs11.so
+%{_libdir}/pkcs11/pkcs11-spy.so
+%{_datadir}/opensc/
+%{_mandir}/man1/cardos-tool.1*
+%{_mandir}/man1/cryptoflex-tool.1*
+%{_mandir}/man1/eidenv.1*
+%{_mandir}/man1/gids-tool.1*
+%{_mandir}/man1/iasecc-tool.1*
+%{_mandir}/man1/netkey-tool.1*
+%{_mandir}/man1/openpgp-tool.1*
+%{_mandir}/man1/opensc-explorer.*
+%{_mandir}/man1/opensc-tool.1*
+%{_mandir}/man1/opensc-asn1.1*
+%{_mandir}/man1/opensc-notify.1*
+%{_mandir}/man1/piv-tool.1*
+%{_mandir}/man1/pkcs11-tool.1*
+%{_mandir}/man1/pkcs15-crypt.1*
+%{_mandir}/man1/pkcs15-init.1*
+%{_mandir}/man1/pkcs15-tool.1*
+%{_mandir}/man1/sc-hsm-tool.1*
+%{_mandir}/man1/westcos-tool.1*
+%{_mandir}/man1/dnie-tool.1*
+%{_mandir}/man1/egk-tool.1*
+%{_mandir}/man5/pkcs15-profile.5*
+
+
+%changelog
+* Thu Apr 18 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-5
+- Avoid multilib issues (#1693380)
+
+* Wed Dec 12 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-4
+- Unbreak the Dual CAC cards in PIV driver (#1651748)
+- Fix few more corner cases for handling different types of padding (#1595626)
+- Unbreak signature verification in pkcs11-tool (#1651748)
+
+* Wed Oct 31 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-3
+- Unbreak the RSA-PSS mechanisms (#1595626)
+- Unbreak the signing using hashed mechanisms in CardOS and others (#1644338)
+
+* Mon Oct 22 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-2
+- Avoid mismatching coolkey cards for muscle ones (#1588722)
+- Implement legacy CAC1 driver (#1638052)
+- Disable pinpad
+- Fixup verification after RSA-PSS implementation
+
+* Tue Sep 25 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-1
+- New upstream release fixing various CVE-2018-16418 - 16421, 16423 - 16427
+- Add support for RSA-PSS signatures
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.18.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jul 12 2018 Jakub Jelen <jjelen@redhat.com> - 0.18.0-3
+- Do not add pkcs11 module to NSS after installation
+  (NSS is loading p11-kit modules by default)
+- Remove pkcs11-switch since there is nothing to switch to
+
+* Mon May 21 2018 Jakub Jelen <jjelen@redhat.com> - 0.18.0-2
+- Backport a fix for C_WaitForSlotEvent crash (#1579933)
+
+* Thu May 17 2018 Jakub Jelen <jjelen@redhat.com> - 0.18.0-1
+- New upstream release (#1567503)
+
+* Wed Apr 04 2018 Jakub Jelen <jjelen@redhat.com> - 0.17.0-10
+- Install the PKCS#11 modules also to the new NSS DB
+- Drop the pkcs11-switch as the coolkey is gone
+
+* Tue Apr 03 2018 Jakub Jelen <jjelen@redhat.com> - 0.17.0-9
+- Improved support for CloudHSM (#1562572)
+
+* Mon Mar 19 2018 Jakub Jelen <jjelen@redhat.com> - 0.17.0-8
+- Build requires gcc
+- Backport a fix for feitian tokens (#1558099)
+
+* Fri Mar 02 2018 Jakub Jelen <jjelen@redhat.com> - 0.17.0-7
+- Obsolete coolkey
+- Do not report bogus errors from pkcs11-switch
+- Do not delete nonexisting modules during uninstall (#1526670)
+
+* Wed Feb 21 2018 Jakub Jelen <jjelen@redhat.com> - 0.17.0-6
+- PIV: Use Cardholder name in the token label
+- Avoid infinite loop when reading CAC cards
+- Properly parse multi-byte length in SimpleTLV
+- Support CAC Alt tokens
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Dec 04 2017 Jakub Jelen <jjelen@redhat.com> - 0.17.0-4
+- Allow functionality of a new Estonia ID cards (#1519751)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jul 19 2017 Jakub Jelen <jjelen@redhat.com> - 0.17.0-1
+- New upstream release including support for Coolkey and CAC cards
+
+* Tue Feb 28 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-5.20161016git0362439
+- Add PKCS#11 library to the NSS DB (#1421692)
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.0-4.20161016git0362439
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 0.16.0-3.20161016git0362439
+- Rebuild for readline 7.x
+
+* Mon Oct 31 2016 Jakub Jelen <jjelen@redhat.com> - 0.16.0-2.20161016git0362439
+- Updated to latest git to address openssl 1.1.0 compilation issues (#1388895)
+- Do not own /etc/bash_completion.d directory (#1303441)
+
+* Tue Aug 02 2016 Jakub Jelen <jjelen@redhat.com> - 0.16.0-1
+- New upstream release 0.16.0 (#1306071)
+
+* Tue Jul 12 2016 Jakub Jelen <jjelen@redhat.com> - 0.15.0-6
+- Add support for 2048 key length (#1350588)
+- Explicitly set CKA_PRIVATE to false when writing certificates (#1272127)
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.15.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Jan 18 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.15.0-4
+- Fix a crash in accessing public key (#1298669)
+
+* Thu Nov 19 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.15.0-3
+- Export PKCS#11 symbols from spy library (#1283306)
+
+* Tue Aug  4 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.15.0-2
+- Updated fix for issue with C_Initialize after fork() (#1218797)
+
+* Tue Jul 14 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.15.0-1
+- Update to 0.15.0 (#1209682)
+- Solve issue with C_Initialize after fork() (#1218797)
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Jul 01 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.14.0-1
+- new upstream version
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.0-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Feb 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.13.0-12
+- Added fix for crash when calling pkcs11-tool with an invalid module (#1071368)
+- Added fix for invalid parameters passed to module by pkcs11-tool
+  when importing a private key (#1071369)
+- Configuration file opensc.conf was renamed to opensc-arch.conf to
+  avoid multi-arch issues.
+
+* Fri Jan 31 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.13.0-11
+- Corrected installation path of opensc.module (#1060053)
+
+* Mon Jan 06 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.13.0-10
+- Applied myeid related patch (#1048576)
+
+* Thu Jan 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.13.0-9
+- Applied epass2003 related patch (#981462)
+
+* Mon Dec 23 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.13.0-8
+- Compile using the --enable-sm option (related but does not fix #981462)
+
+* Wed Dec 18 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.13.0-7
+- Ensure that pcsc-lite is depended on (#1029133)
+
+* Mon Sep 23 2013 Stef Walter <stefw@redhat.com> - 0.13.0-6
+- Install p11-kit config file to the right place (#999190)
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Mar 08 2013 Stef Walter <stefw@redhat.com> - 0.13.0-4
+- Use the standard name format for p11-kit module configs
+- Put the p11-kit module config is the system location
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sun Jan 13 2013 Kalev Lember <kalevlember@gmail.com> - 0.13.0-2
+- Backport an upstream patch for fixing pkcs15 cert length calculation
+
+* Thu Jan 03 2013 Milan Broz <mbroz@redhat.com> - 0.13.0-1
+- Update to 0.13.0 (#890770)
+- Remove no longer provided onepin-opensc-pkcs11.so.
+- Add iasecc-tool, openpgp-tool and sc-hsm-tool.
+
+* Fri Jul 27 2012 Tomas Mraz <tmraz@redhat.com> - 0.12.2-6
+- Add a configuration file for p11-kit (#840504)
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Mar  4 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 0.12.2-4
+- Add patch for dso
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Aug 17 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.2-2
+- Rebuilt to fix trailing slashes in filelist from rpmbuild bug
+
+* Tue Jul 19 2011 Kalev Lember <kalevlember@gmail.com> - 0.12.2-1
+- Update to 0.12.2 (#722659)
+
+* Wed May 18 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.1-1
+- Update to 0.12.1 (#705743)
+- Removed BR libtool-ltdl-devel to build with glibc's libdl instead
+
+* Tue Apr 12 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.0-4
+- drop multilib conflicting and duplicated doc file (#695368)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-2
+- Disabled asserts
+
+* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-1
+- Update to 0.12.0
+- Removed and obsoleted mozilla-opensc-signer and opensc-devel subpackages
+- Dropped patches which are now upstreamed
+- It is no longer possible to build in both pcsc-lite and openct support,
+  so opensc now gets built exclusively with pcsc-lite.
+
+* Tue Dec 21 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-6
+- fix buffer overflow on rogue card serial numbers
+
+* Tue Oct 19 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-5
+- own the _libdir/pkcs11 subdirectory (#644527)
+
+* Tue Sep  7 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-4
+- fix build with new pcsc-lite
+
+* Wed Aug 11 2010 Rex Dieter <rdieter@fedoraproject.org> - 0.11.13-3
+- build against libassuan1 (f14+)
+
+* Wed Jun  9 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-2
+- replace file dependency (#601943)
+
+* Tue Feb 16 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.13-1
+- new upstream version
+
+* Sun Feb 14 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.12-2
+- Added patch to fix linking with the new --no-add-needed default (#564758)
+
+* Mon Dec 21 2009 Kalev Lember <kalev@smartlink.ee> - 0.11.12-1
+- new upstream version
+- replaced %%define with %%global
+- BR clean up from items not applicable to current Fedora releases
+
+* Tue Dec  8 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 0.11.11-2
+- Explicitly BR libassuan-static in accordance with the Packaging
+  Guidelines (libassuan-devel is still static-only).
+
+* Thu Nov 19 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.11-1
+- new upstream version
+
+* Tue Sep 29 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-2
+- fix multilib conflict in the configuration file (#526269)
+
+* Wed Sep 09 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-1
+- new upstream version
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-5
+- rebuilt with new openssl
+
+* Mon Jul 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-4
+- Depend on specific arch of pcsc-lite-libs (reported by Kalev Lember)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-2
+- Rebuilt with new openct
+
+* Mon May 11 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-1
+- new upstream version - fixes security issue
+
+* Fri Feb 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.7-1
+- new upstream version - fixes CVE-2009-0368
+
+* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.6-2
+- Add explicit requires for pcsc-lite-libs. Dlopen libpcsclite with the full
+  soname.
+
+* Tue Sep  2 2008 Tomas Mraz <tmraz@redhat.com> - 0.11.6-1
+- Update to latest upstream, fixes CVE-2008-2235
+
+* Thu Apr 10 2008 Hans de Goede <j.w.r.degoede@hhs.nl> - 0.11.4-5
+- BuildRequire libassuan-devel instead of libassuan-static (bz 441812)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.11.4-4
+- Autorebuild for GCC 4.3
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 0.11.4-3
+ - Rebuild for deps
+
+* Wed Dec  5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-2
+- Rebuild.
+
+* Mon Sep 10 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-1
+- 0.11.4.
+
+* Mon Aug 20 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-0.1.rc1
+- 0.11.4-rc1, pkcs11-tool usage message fix applied upstream.
+- License: LGPLv2+
+
+* Thu Jul 26 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-2
+- Fix pkcs11-tool usage message crash (#249702).
+
+* Tue Jul 17 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-1
+- 0.11.3.
+
+* Sat Jun 30 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre2
+- 0.11.3-pre2.
+
+* Thu Jun 21 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre1
+- 0.11.3-pre1.
+
+* Sun May  6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-2
+- Add explicit build dependency on ncurses-devel.
+
+* Sat May  5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-1
+- 0.11.2.
+
+* Tue Apr 24 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc2
+- 0.11.2-rc2.
+
+* Fri Mar 23 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc1
+- 0.11.2-rc1.
+
+* Thu Mar 15 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre6
+- 0.11.2-pre6.
+
+* Tue Mar  6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre4
+- 0.11.2-pre4.
+- Require pinentry-gui instead of the pinentry executable in signer.
+
+* Sun Dec  3 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.1.pre3
+- 0.11.2-pre3.
+- Build with new libassuan.
+- Don't run autotools during build.
+- Adjust to readline/termcap/ncurses changes.
+
+* Sat Oct 14 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-6
+- Rebuild with new libassuan.
+
+* Sun Oct  8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-5
+- Rebuild with new libassuan.
+
+* Mon Oct  2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-4
+- Rebuild.
+
+* Tue Sep 26 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-3
+- Rebuild with new libassuan.
+
+* Sat Sep  2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-2
+- Rebuild.
+
+* Wed May 31 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-1
+- 0.11.1.
+- Avoid some multilib conflicts.
+
+* Sun May  7 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-2
+- Sync example paths in openct.conf with ctapi-common.
+- Update URL.
+
+* Thu May  4 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-1
+- 0.11.0.
+
+* Thu Apr 27 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc2
+- 0.11.0-rc2.
+
+* Sat Apr 22 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc1
+- 0.11.0-rc1.
+
+* Mon Mar  6 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-3
+- Rebuild.
+
+* Wed Feb 15 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-2
+- Avoid standard rpaths on lib64 archs.
+
+* Sun Jan  8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-1
+- 0.10.1.
+
+* Wed Nov  9 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-1
+- 0.10.0.
+- Adapt to modularized X.Org.
+
+* Wed Oct 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc2
+- 0.10.0-rc2.
+- Install signer plugin only to plugin dir.
+
+* Sat Oct 22 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc1
+- 0.10.0-rc1.
+
+* Wed Oct 19 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.beta2.rc1
+- 0.10.0-beta2-rc1.
+- Specfile cleanups.
+
+* Tue Apr 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.6-2
+- 0.9.6, build patch applied upstream.
+- Package summary and description improvements.
+- Drop explicit openct dependency.
+
+* Fri Mar 18 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-3
+- Fix FC4 build.
+- Rename opensc-pam to pam_opensc per package naming guidelines.
+
+* Wed Feb  9 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.9.4-2
+- Substitute hardcoded 'lib' in OpenSSL checks for multi-lib platforms.
+- Use --with-plugin-dir instead of --with-plugin-path (fixes x86_64).
+
+* Thu Feb  3 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-1
+- Drop unnecessary Epochs, pre-FC1 compat cruft, and no longer relevant
+  --with(out) rpmbuild options.
+- Exclude *.la.
+
+* Wed Nov  3 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.4-0.fdr.1
+- Update to 0.9.4, parallel build patch applied upstream.
+- Patch to fix library paths and LDFLAGS.
+- Don't require mozilla, but the plugin dir in signer.
+- Build with dependency tracking disabled.
+
+* Tue Jul 27 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.2
+- Building the signer plugin can be disabled with "--without signer".
+  Thanks to Fritz Elfert for the idea.
+- Update description.
+
+* Sun Jul 25 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.1
+- Update to 0.9.2, old patches applied upstream.
+- Add patch to fix parallel builds.
+- Convert man pages to UTF-8.
+
+* Thu Jul 22 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.1-0.fdr.1
+- Update to 0.9.1 (preview).
+
+* Thu Jul  1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.0-0.fdr.0.1.alpha
+- Update to 0.9.0-alpha.
+
+* Sat May  1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.8
+- Rebuild with libassuan 0.6.5.
+
+* Sat Jan 31 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.7
+- Rebuild with libassuan 0.6.3.
+- Add gdm example to PAM quickstart.
+
+* Mon Jan 19 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.6
+- Use /%%{_lib} instead of hardcoding /lib.
+
+* Sat Dec 20 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.5
+- Split PAM support into a subpackage.
+- Rebuild with libassuan 0.6.2.
+
+* Sun Nov 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.4
+- Rebuild with libassuan 0.6.1.
+- Include PAM quickstart doc snippet.
+
+* Fri Nov 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.3
+- Require OpenCT.
+
+* Fri Oct 17 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.2
+- Install example config files as documentation.
+
+* Tue Oct 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.1
+- Update to 0.8.1.
+
+* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.2
+- Signer can be built with oldssl too.
+
+* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.1
+- Update to 0.8.0.
+
+* Wed Jul 30 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.2.cvs20030730
+- Update to 20030730.
+- Clean up %%docs.
+- Include *.la (uses ltdl).
+- Own the %%{_libdir}/pkcs11 directory.
+- Disable signer; assuan has disappeared from the tarball :(
+
+* Fri May 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.1.rc1
+- First build.