From d452d7b5f295463ad1005820e6fa5b1e1c22cb21 Mon Sep 17 00:00:00 2001
From: fengweihao <fengweihao@iie.ac.cn>
Date: Thu, 12 Nov 2020 15:56:34 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81CERTEX=20HSM=E6=8E=A5?=
 =?UTF-8?q?=E5=8F=A3=E8=B0=83=E7=94=A8=20=E8=AF=BB=E5=8F=96=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E8=A1=A8PXY=5FPROFILE=5FHSM=20=E9=87=8D=E6=9E=84?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE=E8=AF=BB=E5=8F=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 common/CMakeLists.txt              |    2 +-
 common/rt/include/pkcs11.h         |  301 +++++
 common/rt/include/pkcs11f.h        |  912 +++++++++++++
 common/rt/include/pkcs11g.h        |  236 ++++
 common/rt/include/pkcs11t.h        | 1909 ++++++++++++++++++++++++++++
 common/rt/include/rlib_load.h      |   45 +
 common/rt/src/rlib_load.cpp        |  220 ++++
 program/include/cert_conf.h        |   65 +-
 program/include/cert_session.h     |    2 +-
 program/src/cert_conf.cpp          |  129 +-
 program/src/cert_session.cpp       |  690 +++++++---
 program/src/cert_store.cpp         |   51 +-
 resource/conf/cert_store.ini       |    4 +
 resource/conf/pxy_obj_keyring.json |   22 +-
 resource/conf/table_info.conf      |    1 +
 15 files changed, 4201 insertions(+), 388 deletions(-)
 create mode 100644 common/rt/include/pkcs11.h
 create mode 100644 common/rt/include/pkcs11f.h
 create mode 100644 common/rt/include/pkcs11g.h
 create mode 100644 common/rt/include/pkcs11t.h
 create mode 100644 common/rt/include/rlib_load.h
 create mode 100644 common/rt/src/rlib_load.cpp

diff --git a/common/CMakeLists.txt b/common/CMakeLists.txt
index 3047de0..60b82a3 100644
--- a/common/CMakeLists.txt
+++ b/common/CMakeLists.txt
@@ -2,7 +2,7 @@ add_library(common syslogd/src/logging.cpp json/src/arraylist.c json/src/debug.c
 	json/src/json_object.c json/src/json_object_iterator.c json/src/json_tokener.c
 	json/src/json_util.c json/src/libjson.c json/src/linkhash.c
 	json/src/parse_flags.c json/src/printbuf.c json/src/json_checker.c json/src/random_seed.c
-    rt/src/rt_file.cpp rt/src/rt_stdlib.cpp rt/src/rt_string.cpp rt/src/rt_tmr.cpp rt/src/rt_time.cpp)
+    rt/src/rt_file.cpp rt/src/rt_stdlib.cpp rt/src/rt_string.cpp rt/src/rt_tmr.cpp rt/src/rt_time.cpp rt/src/rlib_load.cpp)
 
 target_include_directories(common PUBLIC syslogd/include json/include rt/include)
 target_link_libraries(common PUBLIC rt MESA_handle_logger breakpad_mini)
diff --git a/common/rt/include/pkcs11.h b/common/rt/include/pkcs11.h
new file mode 100644
index 0000000..26c959f
--- /dev/null
+++ b/common/rt/include/pkcs11.h
@@ -0,0 +1,301 @@
+/* pkcs11.h include file for PKCS #11. */
+/* $Revision: 1.4 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for Cryptoki structures should be set.  The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this.  You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable Cryptoki library function definition out of a
+ * return type and a function name.  It should be used in the
+ * following fashion to define the exposed Cryptoki functions in
+ * a Cryptoki library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * )
+ * {
+ *   ...
+ * }
+ *
+ * If you're using Microsoft Developer Studio 5.0 to define a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllexport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to define a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h. */
+#pragma pack(push, cryptoki, 1)
+ #include "pkcs11t.h"
+#pragma pack(pop, cryptoki)
+
+#define __PASTE(x,y)      x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+  
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/common/rt/include/pkcs11f.h b/common/rt/include/pkcs11f.h
new file mode 100644
index 0000000..a479384
--- /dev/null
+++ b/common/rt/include/pkcs11f.h
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+/* $Revision: 1.4 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This header file contains pretty much everything about all the */
+/* Cryptoki function prototypes.  Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+  CK_SLOT_ID      slotID,    /* ID of the token's slot */
+  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
+  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ *  cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session
+                                                     * handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
+                                                     * mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
+                                                     * for pub.
+                                                     * key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
+                                                     * attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
+                                                     * for priv.
+                                                     * key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
+                                                     * attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
+                                                     * key
+                                                     * handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
+                                                     * priv. key
+                                                     * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for Cryptoki Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
diff --git a/common/rt/include/pkcs11g.h b/common/rt/include/pkcs11g.h
new file mode 100644
index 0000000..24f308c
--- /dev/null
+++ b/common/rt/include/pkcs11g.h
@@ -0,0 +1,236 @@
+//------------------------------------------------------------------------------
+// Tumar CSP
+// Copyright (c) 2009 Scientific Lab. Gamma Technologies. All rights reserved.
+//
+// Definitions for PKCS11 API
+//------------------------------------------------------------------------------
+#ifndef _PKCS11G_H_
+#define _PKCS11G_H_
+//------------------------------------------------------------------------------
+#define CK_GAMMA_VENDOR_DEFINED               0x0F000000
+//------------------------------------------------------------------------------
+#define CKA_TUM_DEFINED                      (CKA_VENDOR_DEFINED | CK_GAMMA_VENDOR_DEFINED)
+#define CKA_TUM_KEY_OID                      (CKA_TUM_DEFINED + 1)
+#define CKA_TUM_KEY_STATE                    (CKA_TUM_DEFINED + 2)
+//------------------------------------------------------------------------------
+#define CKK_TUM_DEFINED                      (CKK_VENDOR_DEFINED | CK_GAMMA_VENDOR_DEFINED)
+#define CKK_TUMAR                            (CKK_TUM_DEFINED + 1)
+#define CKK_TUM_GOST28147                    (CKK_TUM_DEFINED + 2)
+#define CKK_TUM_GOST3410                     (CKK_TUM_DEFINED + 3)
+#define CKK_NONE                              0xFFFFFFFF
+//------------------------------------------------------------------------------
+#define CKM_TUM_DEFINED                      (CKM_VENDOR_DEFINED | CK_GAMMA_VENDOR_DEFINED)
+
+#define CKM_TUM_DH_DERIVE                    (CKM_TUM_DEFINED + 98)
+#define CKM_TUM_DH_DERIVE_VKO                (CKM_TUM_DEFINED + 99)
+
+#define CKM_TUM_GR3410                       (CKM_TUM_DEFINED + 100)
+
+#define CKM_TUM_EXCH_KEY_GEN_DH256_1024_A    (CKM_TUM_DEFINED + 502)
+#define CKM_TUM_EXCH_KEY_GEN_DH256_1024_B    (CKM_TUM_DEFINED + 503)
+#define CKM_TUM_EXCH_KEY_GEN_DH256_1024_C    (CKM_TUM_DEFINED + 504)
+#define CKM_TUM_EXCH_KEY_GEN_DH512_512T      (CKM_TUM_DEFINED + 506)
+#define CKM_TUM_EXCH_KEY_GEN_EC256_512G_A    (CKM_TUM_DEFINED + 510)
+#define CKM_TUM_EXCH_KEY_GEN_EC256_512G_B    (CKM_TUM_DEFINED + 511)
+#define CKM_TUM_EXCH_KEY_GEN_EC256_512F      (CKM_TUM_DEFINED + 512)
+#define CKM_TUM_EXCH_KEY_GEN_EC384_768F      (CKM_TUM_DEFINED + 514)
+#define CKM_TUM_EXCH_KEY_GEN_EC521_1042F     (CKM_TUM_DEFINED + 515)
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN_X          (CKM_TUM_DEFINED + 520)
+
+#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_T    (CKM_TUM_DEFINED + 601)
+#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_A    (CKM_TUM_DEFINED + 602)
+#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_B    (CKM_TUM_DEFINED + 603)
+#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_C    (CKM_TUM_DEFINED + 604)
+#define CKM_TUM_SIGN_KEY_GEN_DH256_1024_D    (CKM_TUM_DEFINED + 605)
+#define CKM_TUM_SIGN_KEY_GEN_DH512_512T      (CKM_TUM_DEFINED + 606)
+#define CKM_TUM_SIGN_KEY_GEN_EC160_320F      (CKM_TUM_DEFINED + 607)
+#define CKM_TUM_SIGN_KEY_GEN_EC192_384F      (CKM_TUM_DEFINED + 608)
+#define CKM_TUM_SIGN_KEY_GEN_EC224_448F      (CKM_TUM_DEFINED + 609)
+#define CKM_TUM_SIGN_KEY_GEN_EC256_512G_A    (CKM_TUM_DEFINED + 610)
+#define CKM_TUM_SIGN_KEY_GEN_EC256_512G_B    (CKM_TUM_DEFINED + 611)
+#define CKM_TUM_SIGN_KEY_GEN_EC256_512G_C    (CKM_TUM_DEFINED + 612)
+#define CKM_TUM_SIGN_KEY_GEN_EC256_512F      (CKM_TUM_DEFINED + 613)
+#define CKM_TUM_SIGN_KEY_GEN_EC384_768F      (CKM_TUM_DEFINED + 614)
+#define CKM_TUM_SIGN_KEY_GEN_EC521_1042F     (CKM_TUM_DEFINED + 615)
+
+#define CKM_TUM_KEY_GEN_RC2                  CKM_RC2_KEY_GEN
+#define CKM_TUM_CRYPT_RC2_ECB                CKM_RC2_ECB
+#define CKM_TUM_CRYPT_RC2_OFB                (CKM_TUM_DEFINED + 302)
+#define CKM_TUM_CRYPT_RC2_CNT                (CKM_TUM_DEFINED + 303)
+#define CKM_TUM_CRYPT_RC2_CFB                (CKM_TUM_DEFINED + 304)
+#define CKM_TUM_CRYPT_RC2_CBC                CKM_RC2_CBC
+#define CKM_TUM_CRYPT_RC2_CBC_PAD            CKM_RC2_CBC_PAD
+#define CKM_TUM_CRYPT_RC2_MAC                CKM_RC2_MAC
+#define CKM_TUM_CRYPT_RC2_MAC_GENERAL        CKM_RC2_MAC_GENERAL
+
+#define CKM_TUM_KEY_GEN_RC4                  CKM_RC4_KEY_GEN
+#define CKM_TUM_CRYPT_RC4                    CKM_RC4
+
+#define CKM_TUM_KEY_GEN_RC5                  CKM_RC5_KEY_GEN
+#define CKM_TUM_CRYPT_RC5_ECB                CKM_RC5_ECB
+#define CKM_TUM_CRYPT_RC5_OFB                (CKM_TUM_DEFINED + 322)
+#define CKM_TUM_CRYPT_RC5_CNT                (CKM_TUM_DEFINED + 323)
+#define CKM_TUM_CRYPT_RC5_CFB                (CKM_TUM_DEFINED + 324)
+#define CKM_TUM_CRYPT_RC5_CBC                CKM_RC5_CBC
+#define CKM_TUM_CRYPT_RC5_CBC_PAD            CKM_RC5_CBC_PAD
+#define CKM_TUM_CRYPT_RC5_MAC                CKM_RC5_MAC
+#define CKM_TUM_CRYPT_RC5_MAC_GENERAL        CKM_RC5_MAC_GENERAL
+
+#define CKM_TUM_KEY_GEN_DES                  CKM_DES_KEY_GEN
+#define CKM_TUM_CRYPT_DES_ECB                CKM_DES_ECB
+#define CKM_TUM_CRYPT_DES_OFB                (CKM_TUM_DEFINED + 332)
+#define CKM_TUM_CRYPT_DES_CNT                (CKM_TUM_DEFINED + 333)
+#define CKM_TUM_CRYPT_DES_CFB                (CKM_TUM_DEFINED + 334)
+#define CKM_TUM_CRYPT_DES_CBC                CKM_DES_CBC
+#define CKM_TUM_CRYPT_DES_CBC_PAD            CKM_DES_CBC_PAD
+#define CKM_TUM_CRYPT_DES_MAC                CKM_DES_MAC
+#define CKM_TUM_CRYPT_DES_MAC_GENERAL        CKM_DES_MAC_GENERAL
+#define CKM_TUM_CRYPT_DES_X919_MAC           (CKM_TUM_DEFINED + 339)
+#define CKM_TUM_CRYPT_DES_X919_MAC_GENERAL   (CKM_TUM_DEFINED + 340)
+
+#define CKM_TUM_KEY_GEN_DES2                 CKM_DES2_KEY_GEN
+#define CKM_TUM_KEY_GEN_DES3                 CKM_DES3_KEY_GEN
+#define CKM_TUM_CRYPT_DES3_ECB               CKM_DES3_ECB
+#define CKM_TUM_CRYPT_DES3_OFB               (CKM_TUM_DEFINED + 352)
+#define CKM_TUM_CRYPT_DES3_CNT               (CKM_TUM_DEFINED + 353)
+#define CKM_TUM_CRYPT_DES3_CFB               (CKM_TUM_DEFINED + 354)
+#define CKM_TUM_CRYPT_DES3_CBC               CKM_DES3_CBC
+#define CKM_TUM_CRYPT_DES3_CBC_PAD           CKM_DES3_CBC_PAD
+#define CKM_TUM_CRYPT_DES3_MAC               CKM_DES3_MAC
+#define CKM_TUM_CRYPT_DES3_MAC_GENERAL       CKM_DES3_MAC_GENERAL
+
+#define CKM_TUM_KEY_GEN_AES                  CKM_AES_KEY_GEN
+#define CKM_TUM_CRYPT_AES_ECB                CKM_AES_ECB
+#define CKM_TUM_CRYPT_AES_OFB                (CKM_TUM_DEFINED + 102)
+#define CKM_TUM_CRYPT_AES_CNT                CKM_AES_CTR
+#define CKM_TUM_CRYPT_AES_CFB                (CKM_TUM_DEFINED + 104)
+#define CKM_TUM_CRYPT_AES_CBC                CKM_AES_CBC
+#define CKM_TUM_CRYPT_AES_CBC_PAD            CKM_AES_CBC_PAD
+#define CKM_TUM_CRYPT_AES_MAC                CKM_AES_MAC
+#define CKM_TUM_CRYPT_AES_MAC_GENERAL        CKM_AES_MAC_GENERAL
+
+#define CKM_TUM_KEY_GEN_GOST                 (CKM_TUM_DEFINED + 95)
+#define CKM_TUM_KEY_GEN_TUMAR                (CKM_TUM_DEFINED + 96)
+
+#define CKM_TUM_CRYPT_TUMAR_ECB              (CKM_TUM_DEFINED + 111)
+#define CKM_TUM_CRYPT_TUMAR_OFB              (CKM_TUM_DEFINED + 112)
+#define CKM_TUM_CRYPT_TUMAR_CNT              (CKM_TUM_DEFINED + 113)
+#define CKM_TUM_CRYPT_TUMAR_CFB              (CKM_TUM_DEFINED + 114)
+#define CKM_TUM_CRYPT_TUMAR_CBC              (CKM_TUM_DEFINED + 115)
+#define CKM_TUM_CRYPT_TUMAR_CBC_PAD          (CKM_TUM_DEFINED + 116)
+#define CKM_TUM_CRYPT_TUMAR_MAC              (CKM_TUM_DEFINED + 117)
+#define CKM_TUM_CRYPT_TUMAR_MAC_GENERAL      (CKM_TUM_DEFINED + 118)
+
+#define CKM_TUM_CRYPT_GOST_G_ECB             (CKM_TUM_DEFINED + 121)
+#define CKM_TUM_CRYPT_GOST_G_OFB             (CKM_TUM_DEFINED + 122)
+#define CKM_TUM_CRYPT_GOST_G_CNT             (CKM_TUM_DEFINED + 123)
+#define CKM_TUM_CRYPT_GOST_G_CFB             (CKM_TUM_DEFINED + 124)
+#define CKM_TUM_CRYPT_GOST_G_CBC             (CKM_TUM_DEFINED + 125)
+#define CKM_TUM_CRYPT_GOST_G_CBC_PAD         (CKM_TUM_DEFINED + 126)
+#define CKM_TUM_CRYPT_GOST_G_MAC             (CKM_TUM_DEFINED + 127)
+#define CKM_TUM_CRYPT_GOST_G_MAC_GENERAL     (CKM_TUM_DEFINED + 128)
+#define CKM_TUM_CRYPT_GOST_G_MAC_OLD         (CKM_TUM_DEFINED + 298)
+#define CKM_TUM_CRYPT_GOST_G_MAC_OLD_GENERAL (CKM_TUM_DEFINED + 299)
+
+#define CKM_TUM_CRYPT_GOST_A_ECB             (CKM_TUM_DEFINED + 131)
+#define CKM_TUM_CRYPT_GOST_A_OFB             (CKM_TUM_DEFINED + 132)
+#define CKM_TUM_CRYPT_GOST_A_CNT             (CKM_TUM_DEFINED + 133)
+#define CKM_TUM_CRYPT_GOST_A_CFB             (CKM_TUM_DEFINED + 134)
+#define CKM_TUM_CRYPT_GOST_A_CBC             (CKM_TUM_DEFINED + 135)
+#define CKM_TUM_CRYPT_GOST_A_CBC_PAD         (CKM_TUM_DEFINED + 136)
+#define CKM_TUM_CRYPT_GOST_A_MAC             (CKM_TUM_DEFINED + 137)
+#define CKM_TUM_CRYPT_GOST_A_MAC_GENERAL     (CKM_TUM_DEFINED + 138)
+
+#define CKM_TUM_CRYPT_GOST_B_ECB             (CKM_TUM_DEFINED + 141)
+#define CKM_TUM_CRYPT_GOST_B_OFB             (CKM_TUM_DEFINED + 142)
+#define CKM_TUM_CRYPT_GOST_B_CNT             (CKM_TUM_DEFINED + 143)
+#define CKM_TUM_CRYPT_GOST_B_CFB             (CKM_TUM_DEFINED + 144)
+#define CKM_TUM_CRYPT_GOST_B_CBC             (CKM_TUM_DEFINED + 145)
+#define CKM_TUM_CRYPT_GOST_B_CBC_PAD         (CKM_TUM_DEFINED + 146)
+#define CKM_TUM_CRYPT_GOST_B_MAC             (CKM_TUM_DEFINED + 147)
+#define CKM_TUM_CRYPT_GOST_B_MAC_GENERAL     (CKM_TUM_DEFINED + 148)
+
+#define CKM_TUM_CRYPT_GOST_C_ECB             (CKM_TUM_DEFINED + 151)
+#define CKM_TUM_CRYPT_GOST_C_OFB             (CKM_TUM_DEFINED + 152)
+#define CKM_TUM_CRYPT_GOST_C_CNT             (CKM_TUM_DEFINED + 153)
+#define CKM_TUM_CRYPT_GOST_C_CFB             (CKM_TUM_DEFINED + 154)
+#define CKM_TUM_CRYPT_GOST_C_CBC             (CKM_TUM_DEFINED + 155)
+#define CKM_TUM_CRYPT_GOST_C_CBC_PAD         (CKM_TUM_DEFINED + 156)
+#define CKM_TUM_CRYPT_GOST_C_MAC             (CKM_TUM_DEFINED + 157)
+#define CKM_TUM_CRYPT_GOST_C_MAC_GENERAL     (CKM_TUM_DEFINED + 158)
+
+#define CKM_TUM_CRYPT_GOST_D_ECB             (CKM_TUM_DEFINED + 161)
+#define CKM_TUM_CRYPT_GOST_D_OFB             (CKM_TUM_DEFINED + 162) 
+#define CKM_TUM_CRYPT_GOST_D_CNT             (CKM_TUM_DEFINED + 163)
+#define CKM_TUM_CRYPT_GOST_D_CFB             (CKM_TUM_DEFINED + 164)
+#define CKM_TUM_CRYPT_GOST_D_CBC             (CKM_TUM_DEFINED + 165)
+#define CKM_TUM_CRYPT_GOST_D_CBC_PAD         (CKM_TUM_DEFINED + 166)
+#define CKM_TUM_CRYPT_GOST_D_MAC             (CKM_TUM_DEFINED + 167)
+#define CKM_TUM_CRYPT_GOST_D_MAC_GENERAL     (CKM_TUM_DEFINED + 168)
+
+#define CKM_TUM_CRYPT_ELGAMAL                (CKM_TUM_DEFINED + 190)
+#define CKM_TUM_CRYPT_ELGAMAL_PAD            (CKM_TUM_DEFINED + 191)
+
+#define CKM_TUM_HASH_MD2                     CKM_MD2
+#define CKM_TUM_HASH_MD2_HMAC                CKM_MD2_HMAC
+#define CKM_TUM_HASH_MD2_HMAC_GENERAL        CKM_MD2_HMAC_GENERAL
+
+#define CKM_TUM_HASH_MD4                     (CKM_TUM_DEFINED + 206)
+#define CKM_TUM_HASH_MD4_HMAC                (CKM_TUM_DEFINED + 207)
+#define CKM_TUM_HASH_MD4_HMAC_GENERAL        (CKM_TUM_DEFINED + 208)
+
+#define CKM_TUM_HASH_MD5                     CKM_MD5
+#define CKM_TUM_HASH_MD5_HMAC                CKM_MD5_HMAC
+#define CKM_TUM_HASH_MD5_HMAC_GENERAL        CKM_MD5_HMAC_GENERAL
+
+#define CKM_TUM_HASH_SHA_1                   CKM_SHA_1
+#define CKM_TUM_HASH_SHA_1_HMAC              CKM_SHA_1_HMAC
+#define CKM_TUM_HASH_SHA_1_HMAC_GENERAL      CKM_SHA_1_HMAC_GENERAL
+
+#define CKM_TUM_HASH_SHA_256                 CKM_SHA256
+#define CKM_TUM_HASH_SHA_256_HMAC            CKM_SHA256_HMAC
+#define CKM_TUM_HASH_SHA_256_HMAC_GENERAL    CKM_SHA256_HMAC_GENERAL
+
+#define CKM_TUM_HASH_SHA_384                 CKM_SHA384
+#define CKM_TUM_HASH_SHA_384_HMAC            CKM_SHA384_HMAC
+#define CKM_TUM_HASH_SHA_384_HMAC_GENERAL    CKM_SHA384_HMAC_GENERAL
+
+#define CKM_TUM_HASH_SHA_512                 CKM_SHA512
+#define CKM_TUM_HASH_SHA_512_HMAC            CKM_SHA512_HMAC
+#define CKM_TUM_HASH_SHA_512_HMAC_GENERAL    CKM_SHA512_HMAC_GENERAL
+
+#define CKM_TUM_HASH_TUMAR                   (CKM_TUM_DEFINED + 261)
+
+#define CKM_TUM_HASH_GOST                    (CKM_TUM_DEFINED + 271)
+#define CKM_TUM_HASH_GOST_HMAC               (CKM_TUM_DEFINED + 272)
+#define CKM_TUM_HASH_GOST_HMAC_GENERAL       (CKM_TUM_DEFINED + 273)
+
+#define CKM_TUM_HASH_GOSTCP                  (CKM_TUM_DEFINED + 281)
+#define CKM_TUM_HASH_GOSTCP_HMAC             (CKM_TUM_DEFINED + 282)
+#define CKM_TUM_HASH_GOSTCP_HMAC_GENERAL     (CKM_TUM_DEFINED + 283)
+
+#define CKM_TUM_SIGN_R3410                   (CKM_TUM_DEFINED + 700)
+#define CKM_TUM_SIGN_MD2_R3410               (CKM_TUM_DEFINED + 701)
+#define CKM_TUM_SIGN_MD4_R3410               (CKM_TUM_DEFINED + 702)
+#define CKM_TUM_SIGN_MD5_R3410               (CKM_TUM_DEFINED + 703)
+#define CKM_TUM_SIGN_SHA_1_R3410             (CKM_TUM_DEFINED + 704)
+#define CKM_TUM_SIGN_SHA_256_R3410           (CKM_TUM_DEFINED + 705)
+#define CKM_TUM_SIGN_SHA_384_R3410           (CKM_TUM_DEFINED + 706)
+#define CKM_TUM_SIGN_SHA_512_R3410           (CKM_TUM_DEFINED + 707)
+#define CKM_TUM_SIGN_TUMAR_R3410             (CKM_TUM_DEFINED + 708)
+#define CKM_TUM_SIGN_GOST3411_R3410          (CKM_TUM_DEFINED + 709)
+#define CKM_TUM_SIGN_GOST3411CP_R3410        (CKM_TUM_DEFINED + 710)
+
+#define CKM_TUM_SIGN_MD2_RSA                 CKM_MD2_RSA_PKCS
+#define CKM_TUM_SIGN_MD4_RSA                 (CKM_TUM_DEFINED + 802)
+#define CKM_TUM_SIGN_MD5_RSA                 CKM_MD5_RSA_PKCS
+#define CKM_TUM_SIGN_SHA_1_RSA               CKM_SHA1_RSA_PKCS
+#define CKM_TUM_SIGN_SHA_256_RSA             CKM_SHA256_RSA_PKCS
+#define CKM_TUM_SIGN_SHA_384_RSA             CKM_SHA384_RSA_PKCS
+#define CKM_TUM_SIGN_SHA_512_RSA             CKM_SHA512_RSA_PKCS
+#define CKM_TUM_SIGN_TUMAR_RSA               (CKM_TUM_DEFINED + 808)
+#define CKM_TUM_SIGN_GOST3411_RSA            (CKM_TUM_DEFINED + 809)
+#define CKM_TUM_SIGN_GOST3411CP_RSA          (CKM_TUM_DEFINED + 810)
+//------------------------------------------------------------------------------
+#endif
diff --git a/common/rt/include/pkcs11t.h b/common/rt/include/pkcs11t.h
new file mode 100644
index 0000000..25f687f
--- /dev/null
+++ b/common/rt/include/pkcs11t.h
@@ -0,0 +1,1909 @@
+/* pkcs11t.h include file for PKCS #11. */
+/* $Revision: 1.10 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file. */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CRYPTOKI_VERSION_MAJOR 2
+#define CRYPTOKI_VERSION_MINOR 20
+#define CRYPTOKI_VERSION_AMENDMENT 3
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE    0
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+  /* manufacturerID and libraryDecription have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+
+  /* libraryDescription and libraryVersion are new for v2.0 */
+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER       0
+
+/* The following notification is new for PKCS #11 v2.20 amendment 3 */
+#define CKN_OTP_CHANGED     1
+
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+  /* slotDescription and manufacturerID have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  /* hardwareVersion and firmwareVersion are new for v2.0 */
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+  /* label, manufacturerID, and model have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   label[32];           /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_UTF8CHAR   model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+   * changed from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+
+  /* hardwareVersion, firmwareVersion, and time are new for
+   * v2.0 */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning
+ */
+#define CKF_RNG                     0x00000001  /* has random #
+                                                 * generator */
+#define CKF_WRITE_PROTECTED         0x00000002  /* token is
+                                                 * write-
+                                                 * protected */
+#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
+                                                 * login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
+                                                 * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN          0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED       0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+ * true, the token supports secondary authentication for
+ * private key objects. This flag is deprecated in v2.11 and
+   onwards. */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED          0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED            0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO    0
+/* Normal user */
+#define CKU_USER  1
+/* Context specific (added in v2.20) */
+#define CKU_CONTEXT_SPECIFIC   2
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION  0
+#define CKS_RO_USER_FUNCTIONS  1
+#define CKS_RW_PUBLIC_SESSION  2
+#define CKS_RW_USER_FUNCTIONS  3
+#define CKS_RW_SO_FUNCTIONS    4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+
+  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002  /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object  */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes.  It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+/* CKO_MECHANISM is new for v2.20 */
+#define CKO_DATA              0x00000000
+#define CKO_CERTIFICATE       0x00000001
+#define CKO_PUBLIC_KEY        0x00000002
+#define CKO_PRIVATE_KEY       0x00000003
+#define CKO_SECRET_KEY        0x00000004
+#define CKO_HW_FEATURE        0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_MECHANISM         0x00000007
+
+/* CKO_OTP_KEY is new for PKCS #11 v2.20 amendment 1 */
+#define CKO_OTP_KEY           0x00000008
+
+#define CKO_VENDOR_DEFINED    0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+/* CKH_USER_INTERFACE is new for v2.20 */
+#define CKH_MONOTONIC_COUNTER  0x00000001
+#define CKH_CLOCK           0x00000002
+#define CKH_USER_INTERFACE  0x00000003
+#define CKH_VENDOR_DEFINED  0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA             0x00000000
+#define CKK_DSA             0x00000001
+#define CKK_DH              0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
+#define CKK_ECDSA           0x00000003
+#define CKK_EC              0x00000003
+#define CKK_X9_42_DH        0x00000004
+#define CKK_KEA             0x00000005
+
+#define CKK_GENERIC_SECRET  0x00000010
+#define CKK_RC2             0x00000011
+#define CKK_RC4             0x00000012
+#define CKK_DES             0x00000013
+#define CKK_DES2            0x00000014
+#define CKK_DES3            0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST            0x00000016
+#define CKK_CAST3           0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
+#define CKK_CAST5           0x00000018
+#define CKK_CAST128         0x00000018
+#define CKK_RC5             0x00000019
+#define CKK_IDEA            0x0000001A
+#define CKK_SKIPJACK        0x0000001B
+#define CKK_BATON           0x0000001C
+#define CKK_JUNIPER         0x0000001D
+#define CKK_CDMF            0x0000001E
+#define CKK_AES             0x0000001F
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKK_BLOWFISH        0x00000020
+#define CKK_TWOFISH         0x00000021
+
+/* SecurID, HOTP, and ACTI are new for PKCS #11 v2.20 amendment 1 */
+#define CKK_SECURID         0x00000022
+#define CKK_HOTP            0x00000023
+#define CKK_ACTI            0x00000024
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_CAMELLIA                   0x00000025
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_ARIA                       0x00000026
+
+
+#define CKK_VENDOR_DEFINED  0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+/* CKC_WTLS is new for v2.20 */
+#define CKC_X_509           0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_WTLS            0x00000002
+#define CKC_VENDOR_DEFINED  0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+   consists of an array of values. */
+#define CKF_ARRAY_ATTRIBUTE    0x40000000
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
+   and relates to the CKA_OTP_FORMAT attribute */
+#define CK_OTP_FORMAT_DECIMAL      0
+#define CK_OTP_FORMAT_HEXADECIMAL  1
+#define CK_OTP_FORMAT_ALPHANUMERIC 2
+#define CK_OTP_FORMAT_BINARY       3
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
+   and relates to the CKA_OTP_..._REQUIREMENT attributes */
+#define CK_OTP_PARAM_IGNORED       0
+#define CK_OTP_PARAM_OPTIONAL      1
+#define CK_OTP_PARAM_MANDATORY     2
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000
+#define CKA_TOKEN              0x00000001
+#define CKA_PRIVATE            0x00000002
+#define CKA_LABEL              0x00000003
+#define CKA_APPLICATION        0x00000010
+#define CKA_VALUE              0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID          0x00000012
+
+#define CKA_CERTIFICATE_TYPE   0x00000080
+#define CKA_ISSUER             0x00000081
+#define CKA_SERIAL_NUMBER      0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
+ * for v2.10 */
+#define CKA_AC_ISSUER          0x00000083
+#define CKA_OWNER              0x00000084
+#define CKA_ATTR_TYPES         0x00000085
+
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED            0x00000086
+
+/* CKA_CERTIFICATE_CATEGORY ...
+ * CKA_CHECK_VALUE are new for v2.20 */
+#define CKA_CERTIFICATE_CATEGORY        0x00000087
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
+#define CKA_URL                         0x00000089
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
+#define CKA_CHECK_VALUE                 0x00000090
+
+#define CKA_KEY_TYPE           0x00000100
+#define CKA_SUBJECT            0x00000101
+#define CKA_ID                 0x00000102
+#define CKA_SENSITIVE          0x00000103
+#define CKA_ENCRYPT            0x00000104
+#define CKA_DECRYPT            0x00000105
+#define CKA_WRAP               0x00000106
+#define CKA_UNWRAP             0x00000107
+#define CKA_SIGN               0x00000108
+#define CKA_SIGN_RECOVER       0x00000109
+#define CKA_VERIFY             0x0000010A
+#define CKA_VERIFY_RECOVER     0x0000010B
+#define CKA_DERIVE             0x0000010C
+#define CKA_START_DATE         0x00000110
+#define CKA_END_DATE           0x00000111
+#define CKA_MODULUS            0x00000120
+#define CKA_MODULUS_BITS       0x00000121
+#define CKA_PUBLIC_EXPONENT    0x00000122
+#define CKA_PRIVATE_EXPONENT   0x00000123
+#define CKA_PRIME_1            0x00000124
+#define CKA_PRIME_2            0x00000125
+#define CKA_EXPONENT_1         0x00000126
+#define CKA_EXPONENT_2         0x00000127
+#define CKA_COEFFICIENT        0x00000128
+#define CKA_PRIME              0x00000130
+#define CKA_SUBPRIME           0x00000131
+#define CKA_BASE               0x00000132
+
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS         0x00000133
+#define CKA_SUBPRIME_BITS      0x00000134
+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
+/* (To retain backwards-compatibility) */
+
+#define CKA_VALUE_BITS         0x00000160
+#define CKA_VALUE_LEN          0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE        0x00000162
+#define CKA_LOCAL              0x00000163
+#define CKA_NEVER_EXTRACTABLE  0x00000164
+#define CKA_ALWAYS_SENSITIVE   0x00000165
+
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM  0x00000166
+
+#define CKA_MODIFIABLE         0x00000170
+
+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
+ * CKA_EC_PARAMS is preferred. */
+#define CKA_ECDSA_PARAMS       0x00000180
+#define CKA_EC_PARAMS          0x00000180
+
+#define CKA_EC_POINT           0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ * are new for v2.10. Deprecated in v2.11 and onwards. */
+#define CKA_SECONDARY_AUTH     0x00000200
+#define CKA_AUTH_PIN_FLAGS     0x00000201
+
+/* CKA_ALWAYS_AUTHENTICATE ...
+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
+#define CKA_ALWAYS_AUTHENTICATE  0x00000202
+
+#define CKA_WRAP_WITH_TRUSTED    0x00000210
+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
+
+/* CKA_OTP... atttributes are new for PKCS #11 v2.20 amendment 3. */
+#define CKA_OTP_FORMAT                0x00000220
+#define CKA_OTP_LENGTH                0x00000221
+#define CKA_OTP_TIME_INTERVAL         0x00000222
+#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223
+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224
+#define CKA_OTP_TIME_REQUIREMENT      0x00000225
+#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226
+#define CKA_OTP_PIN_REQUIREMENT       0x00000227
+#define CKA_OTP_COUNTER               0x0000022E
+#define CKA_OTP_TIME                  0x0000022F
+#define CKA_OTP_USER_IDENTIFIER       0x0000022A
+#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022B
+#define CKA_OTP_SERVICE_LOGO          0x0000022C
+#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022D
+
+
+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_HW_FEATURE_TYPE    0x00000300
+#define CKA_RESET_ON_INIT      0x00000301
+#define CKA_HAS_RESET          0x00000302
+
+/* The following attributes are new for v2.20 */
+#define CKA_PIXEL_X                     0x00000400
+#define CKA_PIXEL_Y                     0x00000401
+#define CKA_RESOLUTION                  0x00000402
+#define CKA_CHAR_ROWS                   0x00000403
+#define CKA_CHAR_COLUMNS                0x00000404
+#define CKA_COLOR                       0x00000405
+#define CKA_BITS_PER_PIXEL              0x00000406
+#define CKA_CHAR_SETS                   0x00000480
+#define CKA_ENCODING_METHODS            0x00000481
+#define CKA_MIME_TYPES                  0x00000482
+#define CKA_MECHANISM_TYPE              0x00000500
+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
+
+#define CKA_VENDOR_DEFINED     0x80000000
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+
+  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
+#define CKM_RSA_PKCS                   0x00000001
+#define CKM_RSA_9796                   0x00000002
+#define CKM_RSA_X_509                  0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0.  They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS               0x00000004
+#define CKM_MD5_RSA_PKCS               0x00000005
+#define CKM_SHA1_RSA_PKCS              0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008
+#define CKM_RSA_PKCS_OAEP              0x00000009
+
+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
+#define CKM_RSA_X9_31                  0x0000000B
+#define CKM_SHA1_RSA_X9_31             0x0000000C
+#define CKM_RSA_PKCS_PSS               0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
+#define CKM_DSA                        0x00000011
+#define CKM_DSA_SHA1                   0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
+#define CKM_DH_PKCS_DERIVE             0x00000021
+
+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
+ * v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
+#define CKM_X9_42_DH_DERIVE            0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
+#define CKM_X9_42_MQV_DERIVE           0x00000033
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_RSA_PKCS            0x00000040
+#define CKM_SHA384_RSA_PKCS            0x00000041
+#define CKM_SHA512_RSA_PKCS            0x00000042
+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
+
+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_RSA_PKCS            0x00000046
+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047
+
+#define CKM_RC2_KEY_GEN                0x00000100
+#define CKM_RC2_ECB                    0x00000101
+#define CKM_RC2_CBC                    0x00000102
+#define CKM_RC2_MAC                    0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL            0x00000104
+#define CKM_RC2_CBC_PAD                0x00000105
+
+#define CKM_RC4_KEY_GEN                0x00000110
+#define CKM_RC4                        0x00000111
+#define CKM_DES_KEY_GEN                0x00000120
+#define CKM_DES_ECB                    0x00000121
+#define CKM_DES_CBC                    0x00000122
+#define CKM_DES_MAC                    0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL            0x00000124
+#define CKM_DES_CBC_PAD                0x00000125
+
+#define CKM_DES2_KEY_GEN               0x00000130
+#define CKM_DES3_KEY_GEN               0x00000131
+#define CKM_DES3_ECB                   0x00000132
+#define CKM_DES3_CBC                   0x00000133
+#define CKM_DES3_MAC                   0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL           0x00000135
+#define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_CDMF_KEY_GEN               0x00000140
+#define CKM_CDMF_ECB                   0x00000141
+#define CKM_CDMF_CBC                   0x00000142
+#define CKM_CDMF_MAC                   0x00000143
+#define CKM_CDMF_MAC_GENERAL           0x00000144
+#define CKM_CDMF_CBC_PAD               0x00000145
+
+/* the following four DES mechanisms are new for v2.20 */
+#define CKM_DES_OFB64                  0x00000150
+#define CKM_DES_OFB8                   0x00000151
+#define CKM_DES_CFB64                  0x00000152
+#define CKM_DES_CFB8                   0x00000153
+
+#define CKM_MD2                        0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC                   0x00000201
+#define CKM_MD2_HMAC_GENERAL           0x00000202
+
+#define CKM_MD5                        0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC                   0x00000211
+#define CKM_MD5_HMAC_GENERAL           0x00000212
+
+#define CKM_SHA_1                      0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC                 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128                  0x00000230
+#define CKM_RIPEMD128_HMAC             0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
+#define CKM_RIPEMD160                  0x00000240
+#define CKM_RIPEMD160_HMAC             0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256                     0x00000250
+#define CKM_SHA256_HMAC                0x00000251
+#define CKM_SHA256_HMAC_GENERAL        0x00000252
+
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224                     0x00000255
+#define CKM_SHA224_HMAC                0x00000256
+#define CKM_SHA224_HMAC_GENERAL        0x00000257
+
+#define CKM_SHA384                     0x00000260
+#define CKM_SHA384_HMAC                0x00000261
+#define CKM_SHA384_HMAC_GENERAL        0x00000262
+#define CKM_SHA512                     0x00000270
+#define CKM_SHA512_HMAC                0x00000271
+#define CKM_SHA512_HMAC_GENERAL        0x00000272
+
+/* SecurID is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_SECURID_KEY_GEN            0x00000280
+#define CKM_SECURID                    0x00000282
+
+/* HOTP is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_HOTP_KEY_GEN    0x00000290
+#define CKM_HOTP            0x00000291
+
+/* ACTI is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_ACTI            0x000002A0
+#define CKM_ACTI_KEY_GEN    0x000002A1
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN               0x00000300
+#define CKM_CAST_ECB                   0x00000301
+#define CKM_CAST_CBC                   0x00000302
+#define CKM_CAST_MAC                   0x00000303
+#define CKM_CAST_MAC_GENERAL           0x00000304
+#define CKM_CAST_CBC_PAD               0x00000305
+#define CKM_CAST3_KEY_GEN              0x00000310
+#define CKM_CAST3_ECB                  0x00000311
+#define CKM_CAST3_CBC                  0x00000312
+#define CKM_CAST3_MAC                  0x00000313
+#define CKM_CAST3_MAC_GENERAL          0x00000314
+#define CKM_CAST3_CBC_PAD              0x00000315
+#define CKM_CAST5_KEY_GEN              0x00000320
+#define CKM_CAST128_KEY_GEN            0x00000320
+#define CKM_CAST5_ECB                  0x00000321
+#define CKM_CAST128_ECB                0x00000321
+#define CKM_CAST5_CBC                  0x00000322
+#define CKM_CAST128_CBC                0x00000322
+#define CKM_CAST5_MAC                  0x00000323
+#define CKM_CAST128_MAC                0x00000323
+#define CKM_CAST5_MAC_GENERAL          0x00000324
+#define CKM_CAST128_MAC_GENERAL        0x00000324
+#define CKM_CAST5_CBC_PAD              0x00000325
+#define CKM_CAST128_CBC_PAD            0x00000325
+#define CKM_RC5_KEY_GEN                0x00000330
+#define CKM_RC5_ECB                    0x00000331
+#define CKM_RC5_CBC                    0x00000332
+#define CKM_RC5_MAC                    0x00000333
+#define CKM_RC5_MAC_GENERAL            0x00000334
+#define CKM_RC5_CBC_PAD                0x00000335
+#define CKM_IDEA_KEY_GEN               0x00000340
+#define CKM_IDEA_ECB                   0x00000341
+#define CKM_IDEA_CBC                   0x00000342
+#define CKM_IDEA_MAC                   0x00000343
+#define CKM_IDEA_MAC_GENERAL           0x00000344
+#define CKM_IDEA_CBC_PAD               0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
+#define CKM_XOR_BASE_AND_DATA          0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
+
+/* CKM_TLS_PRF is new for v2.20 */
+#define CKM_TLS_PRF                    0x00000378
+
+#define CKM_SSL3_MD5_MAC               0x00000380
+#define CKM_SSL3_SHA1_MAC              0x00000381
+#define CKM_MD5_KEY_DERIVATION         0x00000390
+#define CKM_MD2_KEY_DERIVATION         0x00000391
+#define CKM_SHA1_KEY_DERIVATION        0x00000392
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_KEY_DERIVATION      0x00000393
+#define CKM_SHA384_KEY_DERIVATION      0x00000394
+#define CKM_SHA512_KEY_DERIVATION      0x00000395
+
+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_KEY_DERIVATION      0x00000396
+
+#define CKM_PBE_MD2_DES_CBC            0x000003A0
+#define CKM_PBE_MD5_DES_CBC            0x000003A1
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
+#define CKM_PBE_SHA1_RC4_128           0x000003A6
+#define CKM_PBE_SHA1_RC4_40            0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2                0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
+
+/* WTLS mechanisms are new for v2.20 */
+#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
+#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
+#define CKM_WTLS_PRF                        0x000003D3
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
+
+#define CKM_KEY_WRAP_LYNKS             0x00000400
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
+
+/* CKM_CMS_SIG is new for v2.20 */
+#define CKM_CMS_SIG                    0x00000500
+
+/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */
+#define CKM_KIP_DERIVE	               0x00000510
+#define CKM_KIP_WRAP	               0x00000511
+#define CKM_KIP_MAC	               0x00000512
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_CAMELLIA_KEY_GEN           0x00000550
+#define CKM_CAMELLIA_ECB               0x00000551
+#define CKM_CAMELLIA_CBC               0x00000552
+#define CKM_CAMELLIA_MAC               0x00000553
+#define CKM_CAMELLIA_MAC_GENERAL       0x00000554
+#define CKM_CAMELLIA_CBC_PAD           0x00000555
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557
+#define CKM_CAMELLIA_CTR               0x00000558
+
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_ARIA_KEY_GEN               0x00000560
+#define CKM_ARIA_ECB                   0x00000561
+#define CKM_ARIA_CBC                   0x00000562
+#define CKM_ARIA_MAC                   0x00000563
+#define CKM_ARIA_MAC_GENERAL           0x00000564
+#define CKM_ARIA_CBC_PAD               0x00000565
+#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566
+#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN           0x00001000
+#define CKM_SKIPJACK_ECB64             0x00001001
+#define CKM_SKIPJACK_CBC64             0x00001002
+#define CKM_SKIPJACK_OFB64             0x00001003
+#define CKM_SKIPJACK_CFB64             0x00001004
+#define CKM_SKIPJACK_CFB32             0x00001005
+#define CKM_SKIPJACK_CFB16             0x00001006
+#define CKM_SKIPJACK_CFB8              0x00001007
+#define CKM_SKIPJACK_WRAP              0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
+#define CKM_SKIPJACK_RELAYX            0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
+#define CKM_KEA_KEY_DERIVE             0x00001011
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
+#define CKM_BATON_KEY_GEN              0x00001030
+#define CKM_BATON_ECB128               0x00001031
+#define CKM_BATON_ECB96                0x00001032
+#define CKM_BATON_CBC128               0x00001033
+#define CKM_BATON_COUNTER              0x00001034
+#define CKM_BATON_SHUFFLE              0x00001035
+#define CKM_BATON_WRAP                 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
+ * CKM_EC_KEY_PAIR_GEN is preferred */
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
+#define CKM_EC_KEY_PAIR_GEN            0x00001040
+
+#define CKM_ECDSA                      0x00001041
+#define CKM_ECDSA_SHA1                 0x00001042
+
+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
+ * are new for v2.11 */
+#define CKM_ECDH1_DERIVE               0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
+#define CKM_ECMQV_DERIVE               0x00001052
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060
+#define CKM_JUNIPER_ECB128             0x00001061
+#define CKM_JUNIPER_CBC128             0x00001062
+#define CKM_JUNIPER_COUNTER            0x00001063
+#define CKM_JUNIPER_SHUFFLE            0x00001064
+#define CKM_JUNIPER_WRAP               0x00001065
+#define CKM_FASTHASH                   0x00001070
+
+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
+ * new for v2.11 */
+#define CKM_AES_KEY_GEN                0x00001080
+#define CKM_AES_ECB                    0x00001081
+#define CKM_AES_CBC                    0x00001082
+#define CKM_AES_MAC                    0x00001083
+#define CKM_AES_MAC_GENERAL            0x00001084
+#define CKM_AES_CBC_PAD                0x00001085
+
+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_AES_CTR                    0x00001086
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKM_BLOWFISH_KEY_GEN           0x00001090
+#define CKM_BLOWFISH_CBC               0x00001091
+#define CKM_TWOFISH_KEY_GEN            0x00001092
+#define CKM_TWOFISH_CBC                0x00001093
+
+
+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
+#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
+#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
+#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
+#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
+#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
+#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
+
+#define CKM_DSA_PARAMETER_GEN          0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
+
+#define CKM_VENDOR_DEFINED             0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism  */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+
+  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask        Meaning */
+#define CKF_HW                 0x00000001  /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0.  They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT            0x00000100
+#define CKF_DECRYPT            0x00000200
+#define CKF_DIGEST             0x00000400
+#define CKF_SIGN               0x00000800
+#define CKF_SIGN_RECOVER       0x00001000
+#define CKF_VERIFY             0x00002000
+#define CKF_VERIFY_RECOVER     0x00004000
+#define CKF_GENERATE           0x00008000
+#define CKF_GENERATE_KEY_PAIR  0x00010000
+#define CKF_WRAP               0x00020000
+#define CKF_UNWRAP             0x00040000
+#define CKF_DERIVE             0x00080000
+
+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
+ * describe a token's EC capabilities not available in mechanism
+ * information. */
+#define CKF_EC_F_P             0x00100000
+#define CKF_EC_F_2M            0x00200000
+#define CKF_EC_ECPARAMETERS    0x00400000
+#define CKF_EC_NAMEDCURVE      0x00800000
+#define CKF_EC_UNCOMPRESS      0x01000000
+#define CKF_EC_COMPRESS        0x02000000
+
+#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000
+#define CKR_CANCEL                            0x00000001
+#define CKR_HOST_MEMORY                       0x00000002
+#define CKR_SLOT_ID_INVALID                   0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR                     0x00000005
+#define CKR_FUNCTION_FAILED                   0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD                     0x00000007
+#define CKR_NO_EVENT                          0x00000008
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
+#define CKR_CANT_LOCK                         0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+#define CKR_DATA_INVALID                      0x00000020
+#define CKR_DATA_LEN_RANGE                    0x00000021
+#define CKR_DEVICE_ERROR                      0x00000030
+#define CKR_DEVICE_MEMORY                     0x00000031
+#define CKR_DEVICE_REMOVED                    0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
+#define CKR_FUNCTION_CANCELED                 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED                    0x00000064
+#define CKR_KEY_CHANGED                       0x00000065
+#define CKR_KEY_NEEDED                        0x00000066
+#define CKR_KEY_INDIGESTIBLE                  0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
+
+#define CKR_MECHANISM_INVALID                 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
+#define CKR_OPERATION_ACTIVE                  0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
+#define CKR_PIN_INCORRECT                     0x000000A0
+#define CKR_PIN_INVALID                       0x000000A1
+#define CKR_PIN_LEN_RANGE                     0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED                       0x000000A3
+#define CKR_PIN_LOCKED                        0x000000A4
+
+#define CKR_SESSION_CLOSED                    0x000000B0
+#define CKR_SESSION_COUNT                     0x000000B1
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
+#define CKR_SESSION_READ_ONLY                 0x000000B5
+#define CKR_SESSION_EXISTS                    0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
+#define CKR_USER_NOT_LOGGED_IN                0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
+#define CKR_USER_TYPE_INVALID                 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
+#define CKR_USER_TOO_MANY_TYPES               0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG                     0x00000121
+
+/* These are new to v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL                  0x00000150
+#define CKR_SAVED_STATE_INVALID               0x00000160
+#define CKR_INFORMATION_SENSITIVE             0x00000170
+#define CKR_STATE_UNSAVEABLE                  0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
+#define CKR_MUTEX_BAD                         0x000001A0
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
+
+/* The following return values are new for PKCS #11 v2.20 amendment 3 */
+#define CKR_NEW_PIN_MODE                      0x000001B0
+#define CKR_NEXT_OTP                          0x000001B1
+
+/* This is new to v2.20 */
+#define CKR_FUNCTION_REJECTED                 0x00000200
+
+#define CKR_VENDOR_DEFINED                    0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK                  0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
+ * are new for v2.20 */
+#define CKG_MGF1_SHA1         0x00000001
+#define CKG_MGF1_SHA256       0x00000002
+#define CKG_MGF1_SHA384       0x00000003
+#define CKG_MGF1_SHA512       0x00000004
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKG_MGF1_SHA224       0x00000005
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED    0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+        CK_MECHANISM_TYPE hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+        CK_VOID_PTR pSourceData;
+        CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s). */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+        CK_MECHANISM_TYPE    hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_ULONG             sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+/* CK_EC_KDF_TYPE is new for v2.11. */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL                 0x00000001
+#define CKD_SHA1_KDF             0x00000002
+
+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+
+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* The following X9.42 DH key derivation functions are defined
+   (besides CKD_NULL already defined : */
+#define CKD_SHA1_KDF_ASN1        0x00000003
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
+
+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[8];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[16];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_BYTE_PTR      pInitVector;
+  CK_UTF8CHAR_PTR  pPassword;
+  CK_ULONG         ulPasswordLen;
+  CK_BYTE_PTR      pSalt;
+  CK_ULONG         ulSaltLen;
+  CK_ULONG         ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
+typedef struct CK_TLS_PRF_PARAMS {
+  CK_BYTE_PTR  pSeed;
+  CK_ULONG     ulSeedLen;
+  CK_BYTE_PTR  pLabel;
+  CK_ULONG     ulLabelLen;
+  CK_BYTE_PTR  pOutput;
+  CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+/* WTLS is new for version 2.20 */
+typedef struct CK_WTLS_RANDOM_DATA {
+  CK_BYTE_PTR pClientRandom;
+  CK_ULONG    ulClientRandomLen;
+  CK_BYTE_PTR pServerRandom;
+  CK_ULONG    ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+  CK_MECHANISM_TYPE   DigestMechanism;
+  CK_WTLS_RANDOM_DATA RandomInfo;
+  CK_BYTE_PTR         pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+  CK_MECHANISM_TYPE DigestMechanism;
+  CK_BYTE_PTR       pSeed;
+  CK_ULONG          ulSeedLen;
+  CK_BYTE_PTR       pLabel;
+  CK_ULONG          ulLabelLen;
+  CK_BYTE_PTR       pOutput;
+  CK_ULONG_PTR      pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hMacSecret;
+  CK_OBJECT_HANDLE hKey;
+  CK_BYTE_PTR      pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+  CK_MECHANISM_TYPE       DigestMechanism;
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_ULONG                ulSequenceNumber;
+  CK_BBOOL                bIsExport;
+  CK_WTLS_RANDOM_DATA     RandomInfo;
+  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+/* CMS is new for version 2.20 */
+typedef struct CK_CMS_SIG_PARAMS {
+  CK_OBJECT_HANDLE      certificateHandle;
+  CK_MECHANISM_PTR      pSigningMechanism;
+  CK_MECHANISM_PTR      pDigestMechanism;
+  CK_UTF8CHAR_PTR       pContentType;
+  CK_BYTE_PTR           pRequestedAttributes;
+  CK_ULONG              ulRequestedAttributesLen;
+  CK_BYTE_PTR           pRequiredAttributes;
+  CK_ULONG              ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED        0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
+        CK_VOID_PTR                                pSaltSourceData;
+        CK_ULONG                                   ulSaltSourceDataLen;
+        CK_ULONG                                   iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR                                pPrfData;
+        CK_ULONG                                   ulPrfDataLen;
+        CK_UTF8CHAR_PTR                            pPassword;
+        CK_ULONG_PTR                               ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* All CK_OTP structs are new for PKCS #11 v2.20 amendment 3 */
+
+typedef CK_ULONG CK_OTP_PARAM_TYPE;
+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */
+
+typedef struct CK_OTP_PARAM {
+    CK_OTP_PARAM_TYPE type;
+    CK_VOID_PTR pValue;
+    CK_ULONG ulValueLen;
+} CK_OTP_PARAM;
+
+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
+
+typedef struct CK_OTP_PARAMS {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_PARAMS;
+
+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
+
+typedef struct CK_OTP_SIGNATURE_INFO {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_SIGNATURE_INFO;
+
+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
+#define CK_OTP_VALUE          0
+#define CK_OTP_PIN            1
+#define CK_OTP_CHALLENGE      2
+#define CK_OTP_TIME           3
+#define CK_OTP_COUNTER        4
+#define CK_OTP_FLAGS          5
+#define CK_OTP_OUTPUT_LENGTH  6
+#define CK_OTP_OUTPUT_FORMAT  7
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
+#define CKF_NEXT_OTP          0x00000001
+#define CKF_EXCLUDE_TIME      0x00000002
+#define CKF_EXCLUDE_COUNTER   0x00000004
+#define CKF_EXCLUDE_CHALLENGE 0x00000008
+#define CKF_EXCLUDE_PIN       0x00000010
+#define CKF_USER_FRIENDLY_OTP 0x00000020
+
+/* CK_KIP_PARAMS is new for PKCS #11 v2.20 amendment 2 */
+typedef struct CK_KIP_PARAMS {
+    CK_MECHANISM_PTR  pMechanism;
+    CK_OBJECT_HANDLE  hKey;
+    CK_BYTE_PTR       pSeed;
+    CK_ULONG          ulSeedLen;
+} CK_KIP_PARAMS;
+
+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
+
+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_AES_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_AES_CTR_PARAMS;
+
+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_CAMELLIA_CTR_PARAMS;
+
+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE      iv[16];
+    CK_BYTE_PTR  pData;
+    CK_ULONG     length;
+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE      iv[16];
+    CK_BYTE_PTR  pData;
+    CK_ULONG     length;
+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* Key Gost */
+#define CKK_CERTEX_DEFINED                      (CKK_VENDOR_DEFINED + 0x0E000000)                // = 0x8E000000
+/* GOST 28147.89 */
+#define CKK_CERTEX_GOST_28147_89                (CKK_CERTEX_DEFINED + 0x00000001)
+/* RDS - GOST R 34.10-2001 */
+#define CKK_CERTEX_RDS                          (CKK_CERTEX_DEFINED + 0x00000002)
+/* Atributes Gost*/
+#define CKA_CERTEX_DEFINED                      (CKA_VENDOR_DEFINED + 0x0E000000)                // = 0x8E000000
+#define CKA_CERTEX_RDS_TYPE                     (CKA_CERTEX_DEFINED + 0x00000011)
+/* Mechanisms Gost*/
+#define CKM_CERTEX_DEFINED                      (CKM_VENDOR_DEFINED + 0x0E000000)                // = 0x8E000000
+/* GOST 28147.89 */
+#define CKM_CERTEX_GOST_28147_89_KEY_GEN        (CKM_CERTEX_DEFINED + 0x00000000)
+#define CKM_CERTEX_GOST_28147_89                (CKM_CERTEX_DEFINED + 0x00000001)
+#define CKM_CERTEX_GOST_28147_89_MAC            (CKM_CERTEX_DEFINED + 0x00000002)
+/* Hash for GOST R 34.11-94 */				
+#define CKM_CERTEX_GOSTR3411                    (CKM_CERTEX_DEFINED + 0x0000000A)
+/* GOST R 34.10-2001 keypair generation mechanism */
+#define CKM_CERTEX_GOSTR3410_2001_KEY_PAIR_GEN  (CKM_CERTEX_DEFINED + 0x0000000B)
+/* GOST R 34.10-2001 'raw' mechanism */
+#define CKM_CERTEX_GOSTR3410_2001               (CKM_CERTEX_DEFINED + 0x0000000C)
+/* GOST R 34.11-94 hash with GOST R 34.10-2001 mechanism */
+#define CKM_CERTEX_GOSTR3411_94_GOSTR3410_2001  (CKM_CERTEX_DEFINED + 0x0000000D)
+
+#endif
diff --git a/common/rt/include/rlib_load.h b/common/rt/include/rlib_load.h
new file mode 100644
index 0000000..eb331d5
--- /dev/null
+++ b/common/rt/include/rlib_load.h
@@ -0,0 +1,45 @@
+//------------------------------------------------------------------------------
+// RCSP Project
+// Copyright (c) 2007 Scientific Lab. Gamma Technologies. All rights reserved.
+//
+// R-CSP/R-PKCS11 LIB Loader
+//------------------------------------------------------------------------------
+#ifndef __RLIB_LOAD_H
+#define __RLIB_LOAD_H
+//------------------------------------------------------------------------------
+#define LOADLIBRARY
+//------------------------------------------------------------------------------
+#ifndef CK_PTR
+#define CK_PTR *
+#endif
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+#ifndef CK_CALLBACK_FUNCTION
+#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
+#endif
+#ifndef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(returnType, name)           returnType name
+#endif
+#ifndef CK_DECLARE_FUNCTION
+#define CK_DECLARE_FUNCTION(returnType, name)          returnType name
+#endif
+#ifndef CK_DECLARE_FUNCTION_POINTER
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name)  returnType (* name)
+#endif
+
+#pragma pack(push, cryptoki, 1)
+#include "pkcs11.h"
+#pragma pack(pop, cryptoki)
+//------------------------------------------------------------------------------
+#define CSP_REGKEY "SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Tumar CSP"
+#define CAPI_LIB_PATH ""
+#define PKCS_LIB_PATH ""
+//------------------------------------------------------------------------------
+int LoadPkcsLib (char *dllpkcs);
+void FreePkcsLib(void);
+int do_GetFunctionList( void );
+//------------------------------------------------------------------------------
+extern CK_C_GetFunctionList     FC_GetFunctionList;
+//------------------------------------------------------------------------------
+#endif
diff --git a/common/rt/src/rlib_load.cpp b/common/rt/src/rlib_load.cpp
new file mode 100644
index 0000000..abcc7e0
--- /dev/null
+++ b/common/rt/src/rlib_load.cpp
@@ -0,0 +1,220 @@
+//------------------------------------------------------------------------------
+// RCSP Project
+// Copyright (c) 2007 Scientific Lab. Gamma Technologies. All rights reserved.
+//
+// R-CSP/R-PKCS11 LIB Loader
+//------------------------------------------------------------------------------
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include "rlib_load.h"
+//------------------------------------------------------------------------------
+#ifndef F_CPAcquireContext
+#define F_CPAcquireContext     1
+#define F_CPGetProvParam       2
+#define F_CPReleaseContext     3
+#define F_CPSetProvParam       4
+#define F_CPDeriveKey          5
+#define F_CPDestroyKey         6
+#define F_CPDuplicateKey       7
+#define F_CPExportKey          8
+#define F_CPGenKey             9
+#define F_CPGenRandom         10
+#define F_CPGetKeyParam       11
+#define F_CPGetUserKey        12
+#define F_CPImportKey         13
+#define F_CPSetKeyParam       14
+#define F_CPDecrypt           15
+#define F_CPEncrypt           16
+#define F_CPCreateHash        17
+#define F_CPDestroyHash       18
+#define F_CPDuplicateHash     19
+#define F_CPGetHashParam      20
+#define F_CPHashData          21
+#define F_CPHashSessionKey    22
+#define F_CPSetHashParam      23
+#define F_CPSignHash          24
+#define F_CPVerifySignature   25
+#endif
+//------------------------------------------------------------------------------
+#ifndef F_Initialize
+#define F_Initialize          31
+#define F_Finalize            32
+#define F_GetInfo             33
+#define F_GetFunctionList     34
+#define F_GetSlotList         35
+#define F_GetSlotInfo         36
+#define F_GetTokenInfo        37
+#define F_GetMechanismList    38
+#define F_GetMechanismInfo    39
+#define F_InitToken           40
+#define F_InitPIN             41
+#define F_SetPIN              42
+#define F_OpenSession         43
+#define F_CloseSession        44
+#define F_CloseAllSessions    45
+#define F_GetSessionInfo      46
+#define F_GetOperationState   47
+#define F_SetOperationState   48
+#define F_Login               49
+#define F_Logout              50
+#define F_CreateObject        51
+#define F_CopyObject          52
+#define F_DestroyObject       53
+#define F_GetObjectSize       54
+#define F_GetAttributeValue   55
+#define F_SetAttributeValue   56
+#define F_FindObjectsInit     57
+#define F_FindObjects         58
+#define F_FindObjectsFinal    59
+#define F_EncryptInit         60
+#define F_Encrypt             61
+#define F_EncryptUpdate       62
+#define F_EncryptFinal        63
+#define F_DecryptInit         64
+#define F_Decrypt             65
+#define F_DecryptUpdate       66
+#define F_DecryptFinal        67
+#define F_DigestInit          68
+#define F_Digest              69
+#define F_DigestUpdate        70
+#define F_DigestKey           71
+#define F_DigestFinal         72
+#define F_SignInit            73
+#define F_Sign                74
+#define F_SignUpdate          75
+#define F_SignFinal           76
+#define F_SignRecoverInit     77
+#define F_SignRecover         78
+#define F_VerifyInit          79
+#define F_Verify              80
+#define F_VerifyUpdate        81
+#define F_VerifyFinal         82
+#define F_VerifyRecoverInit   83
+#define F_VerifyRecover       84
+#define F_DigestEncryptUpdate 85
+#define F_DecryptDigestUpdate 86
+#define F_SignEncryptUpdate   87
+#define F_DecryptVerifyUpdate 88
+#define F_GenerateKey         89
+#define F_GenerateKeyPair     90
+#define F_WrapKey             91
+#define F_UnwrapKey           92
+#define F_DeriveKey           93
+#define F_SeedRandom          94
+#define F_GenerateRandom      95
+#define F_GetFunctionStatus   96
+#define F_CancelFunction      97
+#define F_WaitForSlotEvent    98
+#endif
+
+#define  HINSTANCE void*
+
+//------------------------------------------------------------------------------
+CK_C_Initialize          FC_Initialize;
+CK_C_GetFunctionList     FC_GetFunctionList;
+//------------------------------------------------------------------------------
+HINSTANCE load_lib(char *lib)
+{
+	return dlopen(lib, RTLD_LAZY | RTLD_LOCAL);
+}
+//------------------------------------------------------------------------------
+void* get_sym(HINSTANCE inst, const char *proc)
+{
+	return (void*)dlsym(inst,proc);
+}
+//------------------------------------------------------------------------------
+void free_lib(HINSTANCE inst)
+{
+	dlclose(inst);
+}
+//------------------------------------------------------------------------------
+int Get_PKCS_Fancs(HINSTANCE hLib)
+{
+	FC_GetFunctionList =(CK_C_GetFunctionList) get_sym(hLib,"C_GetFunctionList");
+	if (!FC_GetFunctionList)
+		return F_GetFunctionList;
+	return 0;
+}
+//------------------------------------------------------------------------------
+HINSTANCE hPkcsLib=NULL;
+//------------------------------------------------------------------------------
+#ifdef WIND32
+int GetCapiPath(char *path)
+{
+	HKEY hKey;
+	DWORD Disposition,DataSize;
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,CSP_REGKEY,0,KEY_READ,&hKey)!=ERROR_SUCCESS)
+		return 1;
+	path[0]=0;
+	DataSize=255;
+	RegQueryValueEx(hKey,"Image Path",0,&Disposition,(BYTE *)path,&DataSize);
+	RegCloseKey(hKey);
+ 	if (!strlen(path))
+		return 2;
+ 	return 0;
+}
+#else
+int GetCapiPath(char *path)
+{
+	strcpy(path,CAPI_LIB_PATH);
+	return 0;
+}
+#endif
+//------------------------------------------------------------------------------
+#ifdef WIND32
+int GetPkcsPath(char *path)
+{
+	return GetCapiPath(path);
+}
+#else
+int GetPkcsPath(char *path)
+{
+	strcpy(path,PKCS_LIB_PATH);
+	return 0;
+}
+#endif
+//------------------------------------------------------------------------------
+int LoadPkcsLib(char *dllpkcs)
+{
+	int code;
+	char path[260];
+	if (hPkcsLib)
+		return 0;
+
+ 	if ((dllpkcs)&&(*dllpkcs))
+		strcpy(path,dllpkcs);
+ 	else if (GetPkcsPath(path))
+		return -1;
+
+	hPkcsLib=load_lib(path);
+	if (!hPkcsLib)
+		return -2;
+
+	code=Get_PKCS_Fancs(hPkcsLib);
+ 	if(code)
+	{
+		free_lib(hPkcsLib);
+		hPkcsLib=NULL;
+	}
+	return code;
+}
+//------------------------------------------------------------------------------
+void FreePkcsLib(void)
+{
+	if (hPkcsLib)
+	{
+		free_lib(hPkcsLib);
+		hPkcsLib=NULL;
+	}
+}
+//------------------------------------------------------------------------------
+int do_GetFunctionList( void )
+{
+   CK_RV rc = 0;
+   extern CK_FUNCTION_LIST  *funcs;
+   rc=FC_GetFunctionList(&funcs);
+   if (rc != CKR_OK) {printf ("err %x\n",rc); return rc;}
+   return 0;
+}
+//------------------------------------------------------------------------------
diff --git a/program/include/cert_conf.h b/program/include/cert_conf.h
index 160af03..3b2e5fa 100644
--- a/program/include/cert_conf.h
+++ b/program/include/cert_conf.h
@@ -18,6 +18,8 @@
 #include <MESA/Maat_rule.h>
 #include <MESA/MESA_htable.h>
 
+#include "rlib_load.h"
+
 #define CT_PATH_MAX 256
 #define CT_ARRARY_LEN (CT_PATH_MAX/2)
 #define CT_STRING_MAX 1024
@@ -38,57 +40,58 @@ struct tfe_http_request{
 struct pxy_obj_keyring{
 	int keyring_id;
     int use_hsm;
-    int slot_id;
+
+    atomic64_t ref_cnt;
 	uint64_t expire_time;
+    time_t op_time;
+
 	EVP_PKEY *key;
     X509 *issuer;
+
+    char v3_ctl[CT_STRING_MAX];
     char keyring_type[CT_ARRARY_LEN];
 	char public_algo[CT_STRING_MAX];
-	char v3_ctl[CT_STRING_MAX];
-	int is_send;
-	int is_valid;
-    time_t op_time;
-	atomic64_t ref_cnt;
+
+    CK_SESSION_HANDLE session;
     STACK_OF(X509) *stack_ca;
 };
 
-struct _initer_addr_t{
-    uint16_t e_port;       /*libevent prot*/
-    uint16_t maat_port;    /*maat redis port*/
-    char maat_ip[16];      /*maat redis ip */
-    int dbindex;           /*maat redis dbindex*/
-
-    uint16_t store_port;   /*store redis port */
-    char store_ip[16];     /*store redis ip*/
-
-    uint16_t statsd_port;
-    char statsd_server[16];
+struct pxy_profile_hsm
+{
+	int profile_id;
+	int ref_cnt;
+	char *server_ip;
+	char *passwd;
+	pthread_mutex_t lock;
 };
 
-struct ntc_maat_t{
-    unsigned int maat_json_switch;
-    unsigned int effective_interval_s;
-    char info_path[128];
-    char pxy_path[128];
-    char inc_cfg_dir[128];
-    char full_cfg_dir[128];
+enum kerying_profile_table
+{
+	POLICY_PROFLIE_TABLE_KERING,
+	POLICY_PROFILE_TABLE_HSM,
+	POLICY_PROFILE_TABLE_MAX
 };
 
-struct config_bucket_t{
-    Maat_feather_t feather;
-    int table_id;
+struct cert_store_policy{
 	int mode;
+    unsigned int enable;
     unsigned int local_debug;
     unsigned int thread_nu;
 	unsigned int expire_after;
+
+    Maat_feather_t feather;
+    int plolicy_table_id[POLICY_PROFILE_TABLE_MAX];
+
+    uint16_t e_port;
+    uint16_t store_port;
+    char store_ip[46];
+
     char ca_path[128];
     char uninsec_path[128];
-    struct ntc_maat_t maat_t;
-    struct _initer_addr_t addr_t;
 };
 
-extern struct config_bucket_t *cfg_instanec();
+extern struct cert_store_policy * g_certstore_policy;
 
-void cert_store_init_config(const char *config);
+void cert_store_init_config(struct cert_store_policy *certstore_policy, const char *main_profile);
 
 #endif
diff --git a/program/include/cert_session.h b/program/include/cert_session.h
index fae1ac0..ae9172e 100644
--- a/program/include/cert_session.h
+++ b/program/include/cert_session.h
@@ -103,7 +103,7 @@ typedef struct {
 
 } x509_forge_thread;
 
-int cert_store_session_init();
+int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile);
 
 void sigproc(int __attribute__((__unused__))sig);
 
diff --git a/program/src/cert_conf.cpp b/program/src/cert_conf.cpp
index c4816ff..e8d6dcc 100644
--- a/program/src/cert_conf.cpp
+++ b/program/src/cert_conf.cpp
@@ -18,51 +18,41 @@
 
 #include <MESA/MESA_prof_load.h>
 
-struct config_bucket_t certConfig;
-
-
-struct config_bucket_t *cfg_instanec()
-{
-    return &certConfig;
-}
-
-static int load_system_config(const char *config)
+static int load_system_config(struct cert_store_policy *certstore_policy, const char *main_profile)
 {
     int xret = -1;
 
-    struct config_bucket_t *rte = cfg_instanec();
-
-    xret = MESA_load_profile_uint_nodef(config, "CONFIG", "thread-nu", &(rte->thread_nu));
+    xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "thread-nu", &(certstore_policy->thread_nu));
     if (xret < 0){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
     }
 
-	xret = MESA_load_profile_int_def(config, "CONFIG", "mode", &(rte->mode), 0);
+	xret = MESA_load_profile_int_def(main_profile, "CONFIG", "mode", &(certstore_policy->mode), 0);
 	if (xret < 0){
 		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of run mode failed");
 	}
 
-    xret = MESA_load_profile_uint_nodef(config, "CONFIG", "expire_after", &(rte->expire_after));
+    xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "expire_after", &(certstore_policy->expire_after));
     if (xret < 0){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of valid time failed");
     }
 
-    xret = MESA_load_profile_string_nodef(config, "CONFIG", "ca_path", rte->ca_path, 128);
-    if (xret <0 && rt_file_exsit(rte->ca_path)){
+    xret = MESA_load_profile_string_nodef(main_profile, "CONFIG", "ca_path", certstore_policy->ca_path, 128);
+    if (xret <0 && rt_file_exsit(certstore_policy->ca_path)){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the ca path failed or the (%s) does not exist",
-                         rte->ca_path);
+                         certstore_policy->ca_path);
         goto finish;
 
     }
-    xret = MESA_load_profile_uint_nodef(config, "CONFIG", "local_debug", &(rte->local_debug));
+    xret = MESA_load_profile_uint_nodef(main_profile, "CONFIG", "local_debug", &(certstore_policy->local_debug));
     if (xret < 0){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of local_debug failed");
     }
 
-    xret = MESA_load_profile_string_nodef(config, "CONFIG", "untrusted_ca_path", rte->uninsec_path, 128);
-    if (xret <0 && rt_file_exsit(rte->uninsec_path)){
+    xret = MESA_load_profile_string_nodef(main_profile, "CONFIG", "untrusted_ca_path", certstore_policy->uninsec_path, 128);
+    if (xret <0 && rt_file_exsit(certstore_policy->uninsec_path)){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the untrusted ca path failed or the (%s) does not exist",
-                             rte->ca_path);
+                             certstore_policy->ca_path);
         goto finish;
 
     }
@@ -70,55 +60,23 @@ finish:
     return xret;
 }
 
-static int load_module_config(const char *config)
+static int load_module_config(struct cert_store_policy *certstore_policy, const char *main_profile)
 {
     int xret = -1;
 
-    struct config_bucket_t *rte = cfg_instanec();
-
-    xret = MESA_load_profile_short_nodef(config, "LIBEVENT", "port", (short *)&(rte->addr_t.e_port));
+    xret = MESA_load_profile_short_nodef(main_profile, "LIBEVENT", "port", (short *)&(certstore_policy->e_port));
     if (xret < 0){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Libevent Port invalid");
         goto finish;
     }
 
-    xret = MESA_load_profile_string_nodef(config, "MAAT_REDIS", "ip", rte->addr_t.maat_ip, 16);
-    if (xret < 0){
-        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis ip invalid");
-        goto finish;
-    }
-
-    xret = MESA_load_profile_short_nodef(config, "MAAT_REDIS", "port", (short *)&(rte->addr_t.maat_port));
-    if (xret < 0){
-        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis port invalid");
-        goto finish;
-    }
-
-    xret = MESA_load_profile_short_nodef(config, "MAAT_REDIS", "dbindex", (short *)&(rte->addr_t.dbindex));
-    if (xret < 0){
-        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat redis dbindex invalid");
-        goto finish;
-    }
-
-    xret = MESA_load_profile_string_nodef(config, "CERTSTORE_REDIS", "ip", rte->addr_t.store_ip, 16);
+    xret = MESA_load_profile_string_nodef(main_profile, "CERTSTORE_REDIS", "ip", certstore_policy->store_ip, 16);
     if (xret < 0){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis ip invalid");
         goto finish;
     }
 
-    xret = MESA_load_profile_short_nodef(config, "CERTSTORE_REDIS", "port", (short *)&(rte->addr_t.store_port));
-    if (xret < 0){
-        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis port invalid");
-        goto finish;
-    }
-
-	xret = MESA_load_profile_string_nodef(config, "stat", "statsd_server", rte->addr_t.statsd_server, 16);
-    if (xret < 0){
-        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis ip invalid");
-        goto finish;
-    }
-
-    xret = MESA_load_profile_short_nodef(config, "stat", "statsd_port", (short *)&(rte->addr_t.statsd_port));
+    xret = MESA_load_profile_short_nodef(main_profile, "CERTSTORE_REDIS", "port", (short *)&(certstore_policy->store_port));
     if (xret < 0){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certsotre redis port invalid");
         goto finish;
@@ -127,61 +85,10 @@ finish:
     return xret;
 }
 
-static int load_maat_config(const char *config)
+void cert_store_init_config(struct cert_store_policy *certstore_policy, const char *main_profile)
 {
-    int xret = -1;
+    load_system_config(certstore_policy, main_profile);
 
-    struct ntc_maat_t *maat_t = &cfg_instanec()->maat_t;
-
-    xret = MESA_load_profile_uint_nodef(config, "MAAT", "maat_json_switch", &(maat_t->maat_json_switch));
-    if (xret < 0){
-        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
-    }
-
-    xret = MESA_load_profile_string_nodef(config, "MAAT", "table_info", maat_t->info_path, 128);
-    if (xret < 0 && !rt_file_exsit( maat_t->info_path)){
-        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
-                          maat_t->info_path);
-        goto finish;
-    }
-
-    if (maat_t->maat_json_switch == 1){
-        xret = MESA_load_profile_string_nodef(config, "MAAT", "pxy_obj_keyring", maat_t->pxy_path, 128);
-         if (xret < 0 && !rt_file_exsit(maat_t->pxy_path)){
-             mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the pxy obj keyring failed or the (%s) does not exist",
-                              maat_t->pxy_path);
-             goto finish;
-         }
-    }
-
-    if (maat_t->maat_json_switch == 0){
-        xret = MESA_load_profile_uint_nodef(config, "MAAT", "effective_interval", &(maat_t->effective_interval_s));
-        if (xret < 0){
-            mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the interval of scan failed");
-        }
-        xret = MESA_load_profile_string_nodef(config, "MAAT", "inc_cfg_dir", maat_t->inc_cfg_dir, 128);
-        if (xret < 0 && !rt_file_exsit( maat_t->inc_cfg_dir)){
-            mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
-                              maat_t->inc_cfg_dir);
-            goto finish;
-        }
-        xret = MESA_load_profile_string_nodef(config, "MAAT", "full_cfg_dir", maat_t->full_cfg_dir, 128);
-        if (xret < 0 && !rt_file_exsit( maat_t->full_cfg_dir)){
-            mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the table info failed or the (%s) does not exist",
-                              maat_t->full_cfg_dir);
-            goto finish;
-        }
-    }
-finish:
-    return xret;
-}
-
-void cert_store_init_config(const char *config)
-{
-    load_system_config(config);
-
-    load_maat_config(config);
-
-    load_module_config(config);
+    load_module_config(certstore_policy, main_profile);
 }
 
diff --git a/program/src/cert_session.cpp b/program/src/cert_session.cpp
index 2be2249..9de5cfb 100644
--- a/program/src/cert_session.cpp
+++ b/program/src/cert_session.cpp
@@ -32,6 +32,8 @@
 #include <openssl/engine.h>
 #include <openssl/pkcs12.h>
 #include <openssl/rsa.h>
+#include <openssl/asn1.h>
+#include <openssl/ossl_typ.h>
 
 #include <event2/listener.h>
 #include <event2/http.h>
@@ -61,6 +63,8 @@
 
 static x509_forge_thread *threads;
 
+CK_FUNCTION_LIST    *funcs=NULL;
+
 enum keypair_action
 {
 	KEYPAIR_ACTION_REQ = 0,
@@ -681,108 +685,8 @@ finish:
 	return;
 }
 
-X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo)
+const EVP_MD* ssl_x509_set_md(const EVP_MD *md, EVP_PKEY *cakey, X509 *origcrt)
 {
-	int rv;
-	X509 *crt = NULL;
-    EVP_PKEY* key = NULL;
-	X509_NAME *subject = NULL, *issuer = NULL;
-
-    if(!ssl_key_gen(&key, pkey, public_algo)){
-        goto err;
-    }
-
-	//subjectname,issuername
-	subject = X509_get_subject_name(origcrt);
-	issuer = X509_get_subject_name(cacrt);
-	if (!subject || !issuer)
-		return NULL;
-
-	crt = X509_new();
-	if (!crt)
-		return NULL;
-	//version,subjectname,issuername,serialnum,time,pubkey
-	if (!X509_set_version(crt, 0x02) ||
-	    !X509_set_subject_name(crt, subject) ||
-	    !X509_set_issuer_name(crt, issuer) ||
-	    ssl_x509_set_serial(X509_get_serialNumber(crt)) == -1 ||
-	    !X509_set_pubkey(crt, key))
-		goto errout;
-
-	if (*expire_time <= 0)
-	{
-		int day = 0, sec = 0;
-		ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
-		ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
-		ASN1_TIME_diff(&day, &sec, X509_get_notBefore(crt), X509_get_notAfter(crt));
-		*expire_time = MIN(sizeof_seconds(day) + sec, sizeof_seconds(1));
-	}
-	else
-	{
-		if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - half_hours(*expire_time))) ||
-		   !X509_gmtime_adj(X509_get_notAfter(crt), (long)(half_hours(*expire_time))))
-		{
-			goto errout;
-		}
-		*expire_time = half_hours(*expire_time);
-	}
-
-    EVP_PKEY_free(key);
-//extensions
-	X509V3_CTX ctx;
-	X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
-
-	if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier",
-	                                  "hash") == -1 ||
-	    ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier",
-	                                  "keyid,issuer:always") == -1)
-		goto errout;
-
-	rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
-	                                NID_basic_constraints);
-	if (rv == 0)
-		rv = ssl_x509_v3ext_add(&ctx, crt, "basicConstraints",
-		                                   "CA:FALSE");
-	if (rv == -1)
-		goto errout;
-
-	rv = ssl_x509_v3ext_add(&ctx, crt, "keyUsage",
-		                               "digitalSignature,"
-		                               "keyEncipherment");
-	if (rv == -1)
-		goto errout;
-
-	rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
-	                                NID_ext_key_usage);
-	if (rv == 0)
-		rv = ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage",
-		                                   "serverAuth");
-	if (rv == -1)
-		goto errout;
-
-    if (crlurl != NULL && strcasecmp(crlurl, "null")){
-        mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Sign certificate the CRL is %s", crlurl);
-		char * crlurlval;
-		if (asprintf(&crlurlval, "URI:%s", crlurl) < 0)
-			goto errout;
-		if (ssl_x509_v3ext_add(&ctx, crt, "crlDistributionPoints", crlurlval) == -1)
-		{
-			free(crlurlval);
-			goto errout;
-		}
-		free(crlurlval);
-    }
-	/* no extraname provided: copy original subjectAltName ext */
-	if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
-	                               NID_subject_alt_name) == -1)
-    {
-		goto errout;
-    }
-#ifdef DEBUG_CERTIFICATE
-	ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
-#endif /* DEBUG_CERTIFICATE */
-
-	const EVP_MD *md;
 	switch (EVP_PKEY_type(EVP_PKEY_base_id(cakey))) {
 #ifndef OPENSSL_NO_RSA
 	case EVP_PKEY_RSA:
@@ -868,10 +772,184 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in
 		break;
 #endif /* !OPENSSL_NO_ECDSA */
 	default:
+		md = NULL;
+	}
+
+	return md;
+}
+
+int pkcs11_signature_algotonid(unsigned long algo)
+{
+    switch(algo)
+    {
+    	case CKM_SHA1_RSA_PKCS:
+			return NID_sha1WithRSAEncryption;
+		case CKM_RSA_PKCS:
+    	case CKM_SHA256_RSA_PKCS:
+			return NID_sha256WithRSAEncryption;
+		default:
+			break;
+    }
+	return 0;
+}
+
+int X509_pkcs11_sign(X509* x509, unsigned long pkcs11_signing_algo, CK_SESSION_HANDLE pkcs11_session)
+{
+	int rv =0;
+	CK_OBJECT_HANDLE pkcs11_key_handle = 0;
+
+    // set signature algorithm in the certificate
+	const X509_ALGOR *tsig_alg_org = X509_get0_tbs_sigalg(x509);
+	X509_ALGOR *tsig_alg=const_cast<X509_ALGOR *>(tsig_alg_org);
+	if (tsig_alg)
+    {
+        const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
+        X509_ALGOR_set0(tsig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
+    }
+
+	const X509_ALGOR *sig_alg_org;
+	X509_get0_signature(NULL, &sig_alg_org, x509);
+	X509_ALGOR *sig_alg=const_cast<X509_ALGOR *>(sig_alg_org);
+    if (sig_alg)
+    {
+        const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
+        X509_ALGOR_set0(sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
+    }
+
+    // DER-encode certificate
+    unsigned char *x509_der_buf;
+	const size_t x509_der_len = i2d_re_X509_tbs(x509, &x509_der_buf);
+
+    CK_MECHANISM mechanism = { pkcs11_signing_algo, NULL_PTR, 0 };
+    rv = funcs->C_SignInit(pkcs11_session, &mechanism, pkcs11_key_handle);
+
+    // determine signature size
+    CK_ULONG signature_size = 0;
+    rv= funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, NULL, &signature_size);
+    // sign
+	const ASN1_BIT_STRING *psig_org;
+	X509_get0_signature(&psig_org, NULL, x509);
+	ASN1_BIT_STRING *psig=const_cast<ASN1_BIT_STRING *>(psig_org);
+    if (psig->data)
+        OPENSSL_free(psig->data);
+    psig->data = (unsigned char*)OPENSSL_malloc(signature_size);
+    psig->length = signature_size;
+    rv = funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, psig->data, &signature_size);
+
+    psig->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+    psig->flags|=ASN1_STRING_FLAG_BITS_LEFT;
+    OPENSSL_free(x509_der_buf);
+
+	return rv;
+}
+
+X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo, CK_SESSION_HANDLE session)
+{
+	int rv;
+	X509 *crt=NULL;
+    EVP_PKEY* key=NULL;
+	const EVP_MD *md=NULL;
+	X509_NAME *subject=NULL, *issuer=NULL;
+
+    if(!ssl_key_gen(&key, pkey, public_algo)){
+        goto err;
+    }
+
+	subject = X509_get_subject_name(origcrt);
+	issuer = X509_get_subject_name(cacrt);
+	if (!subject || !issuer)
+		return NULL;
+
+	crt = X509_new();
+	if (!crt)
+		return NULL;
+
+	if (!X509_set_version(crt, 0x02) ||
+	    !X509_set_subject_name(crt, subject) ||
+	    !X509_set_issuer_name(crt, issuer) ||
+	    ssl_x509_set_serial(X509_get_serialNumber(crt)) == -1 ||
+	    !X509_set_pubkey(crt, key))
+		goto errout;
+
+	if (*expire_time <= 0)
+	{
+		int day = 0, sec = 0;
+		ASN1_TIME_set(X509_get_notBefore(crt), ASN1_GetTimeT(X509_get_notBefore(origcrt)));
+		ASN1_TIME_set(X509_get_notAfter(crt), ASN1_GetTimeT(X509_get_notAfter(origcrt)));
+		ASN1_TIME_diff(&day, &sec, X509_get_notBefore(crt), X509_get_notAfter(crt));
+		*expire_time = MIN(sizeof_seconds(day) + sec, sizeof_seconds(1));
+	}
+	else
+	{
+		if(!X509_gmtime_adj(X509_get_notBefore(crt), (long)(0 - half_hours(*expire_time))) ||
+		   !X509_gmtime_adj(X509_get_notAfter(crt), (long)(half_hours(*expire_time))))
+		{
+			goto errout;
+		}
+		*expire_time = half_hours(*expire_time);
+	}
+
+    EVP_PKEY_free(key);
+
+	X509V3_CTX ctx;
+	X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
+
+	if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier","hash") == -1 ||
+	    ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier","keyid,issuer:always") == -1)
+		goto errout;
+
+	rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_basic_constraints);
+	if (rv == 0)
+		rv = ssl_x509_v3ext_add(&ctx, crt, "basicConstraints","CA:FALSE");
+	if (rv == -1)
+		goto errout;
+
+	rv = ssl_x509_v3ext_add(&ctx, crt, "keyUsage", "digitalSignature," "keyEncipherment");
+	if (rv == -1)
+		goto errout;
+
+	rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_ext_key_usage);
+	if (rv == 0)
+		rv = ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage","serverAuth");
+	if (rv == -1)
+		goto errout;
+
+    if (crlurl != NULL && strcasecmp(crlurl, "null")){
+        mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Sign certificate the CRL is %s", crlurl);
+		char * crlurlval;
+		if (asprintf(&crlurlval, "URI:%s", crlurl) < 0)
+			goto errout;
+		if (ssl_x509_v3ext_add(&ctx, crt, "crlDistributionPoints", crlurlval) == -1)
+		{
+			free(crlurlval);
+			goto errout;
+		}
+		free(crlurlval);
+    }
+	/* no extraname provided: copy original subjectAltName ext */
+	if (ssl_x509_v3ext_copy_by_nid(crt, origcrt, NID_subject_alt_name) == -1)
+    {
+		goto errout;
+    }
+#ifdef DEBUG_CERTIFICATE
+	ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
+#endif /* DEBUG_CERTIFICATE */
+
+	if (ssl_x509_set_md(md, cakey, origcrt)==NULL)
+	{
 		goto errout;
 	}
-	if (!X509_sign(crt, cakey, md))
-		goto errout;
+
+	if(session==0)
+	{
+		if (!X509_sign(crt, cakey, md))
+			goto errout;
+	}
+	else
+	{
+		if(!X509_pkcs11_sign(crt, CKM_RSA_PKCS, session))
+			goto errout;
+	}
 
 	return crt;
 errout:
@@ -956,9 +1034,7 @@ static
 int redis_rsync_init(struct event_base *base, struct redisAsyncContext **cl_ctx)
 {
     int xret = -1;
-    struct config_bucket_t *redis = cfg_instanec();
-
-    *cl_ctx = redisAsyncConnect(redis->addr_t.store_ip, redis->addr_t.store_port);
+    *cl_ctx = redisAsyncConnect(g_certstore_policy->store_ip, g_certstore_policy->store_port);
 	if((*cl_ctx)->err )	{
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Redis Connect error : %s", (*cl_ctx)->errstr);
 		goto finish;
@@ -1120,13 +1196,11 @@ static struct pxy_obj_keyring* get_obj_for_id(int keyring_id)
 {
 	struct pxy_obj_keyring *pxy_obj=NULL;
 
-    struct config_bucket_t *rte = cfg_instanec();
-
 	char cfg_id_str[16] = {0};
 	snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", keyring_id);
 
-	int tables_id = rte->table_id;
-	pxy_obj = (struct pxy_obj_keyring*)Maat_plugin_get_EX_data(rte->feather, tables_id, (const char*)cfg_id_str);
+	int tables_id = g_certstore_policy->plolicy_table_id[POLICY_PROFLIE_TABLE_KERING];
+	pxy_obj = (struct pxy_obj_keyring*)Maat_plugin_get_EX_data(g_certstore_policy->feather, tables_id, (const char*)cfg_id_str);
 	return pxy_obj;
 }
 
@@ -1139,15 +1213,13 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
     X509 *cacrt = NULL; EVP_PKEY *cakey = NULL;
 	char *v3_ctl=NULL, *public_algo=NULL;
 
-    struct config_bucket_t *rte = cfg_instanec();
-
     if (is_valid == 0 && keyring_id != 0) keyring_id = 0;
     if (is_valid == 1 && keyring_id == 0) keyring_id = 1;
 
     struct pxy_obj_keyring *pxy_obj = get_obj_for_id(keyring_id);
     if (NULL == pxy_obj)
     {
-        if (!rte->local_debug)
+        if (!g_certstore_policy->local_debug)
         {
             if (1==is_valid)  pxy_obj = get_obj_for_id(1);
             if (0==is_valid)  pxy_obj = get_obj_for_id(0);
@@ -1165,7 +1237,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
         {
             cacrt = (is_valid == 1) ? def->root : def->insec_root;
             cakey  = (is_valid == 1) ? def->key  : def->insec_key;
-            expire_time = cfg_instanec()->expire_after;
+            expire_time = g_certstore_policy->expire_after;
             mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: Use local keypair, sign cert!!!");
             goto modify;
         }
@@ -1173,10 +1245,13 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
 
 	if(pxy_obj->use_hsm)
 	{
-		cacrt = (is_valid == 1) ? def->root : def->insec_root;
-		cakey  = (is_valid == 1) ? def->key  : def->insec_key;
-		expire_time = cfg_instanec()->expire_after;
-		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not supported, use local keypair, sign cert!!!");
+		if(pxy_obj->session==0)
+		{
+			cacrt = (is_valid == 1) ? def->root : def->insec_root;
+			cakey  = (is_valid == 1) ? def->key  : def->insec_key;
+			expire_time = g_certstore_policy->expire_after;
+			mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not connected, use local keypair, sign cert!!!");
+		}
 		goto modify;
 	}
     if (!STRCMP(pxy_obj->keyring_type, "end-entity"))
@@ -1199,7 +1274,7 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque
     expire_time = pxy_obj->expire_time;
 	*stack_ca = pxy_obj->stack_ca;
 modify:
-    x509 = ssl_x509_forge(cacrt, cakey, request->origin, pkey, &expire_time, v3_ctl, public_algo);
+    x509 = ssl_x509_forge(cacrt, cakey, request->origin, pkey, &expire_time, v3_ctl, public_algo, pxy_obj->session);
     if (!x509){
         goto finish;
     }
@@ -1261,7 +1336,6 @@ rediSyncCommand(redisContext *sync, struct tfe_http_request *request, char *odat
     int xret = -1;
     redisReply *reply;
 
-	struct config_bucket_t *config = cfg_instanec();
     x509_forge_thread *thread        = threads + request->thread_id;
     struct evhttp_request *evh_req = request->evh_req;
 
@@ -1278,7 +1352,7 @@ rediSyncCommand(redisContext *sync, struct tfe_http_request *request, char *odat
         case '$' :
             mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Writing data(%s) to redis failed", request->rkey);
 			fp_stat_latency(request->create_time, KEYPAIR_ACTION_SQL);
-			if (config->mode){
+			if (g_certstore_policy->mode){
             	redisAsyncCommand(thread->cl_ctx, redis_reget_callback, request, "GET %s", request->rkey);
 			}else{
 				redis_sync_reget_callback(request, sync);
@@ -1363,8 +1437,7 @@ static int web_json_table_add(char *privatekey, char *sign, char **digital_certi
     return 0;
 }
 
-static int
-redis_clnt_pdu_send(struct tfe_http_request *request)
+static int redis_clnt_pdu_send(struct tfe_http_request *request)
 {
 #define MAX_CHAIN_LEN 6
     int xret = -1, i = 0;
@@ -1722,7 +1795,6 @@ void http_get_cb(struct evhttp_request *evh_req, void *arg)
 	struct evbuffer * evbuf_body = NULL;
 	char *input = NULL; ssize_t inputlen=0;
     x509_forge_thread *info = (x509_forge_thread *)arg;
-    struct config_bucket_t *config = cfg_instanec();
 
 	if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST) {
 		mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "FAILED (post type)");
@@ -1763,7 +1835,7 @@ void http_get_cb(struct evhttp_request *evh_req, void *arg)
 	}
 	FS_operate(g_FP_instance.handle, g_FP_instance.line_ids[KEYPAIR_ACTION_REQ], 0, FS_OP_ADD, 1);
 
-	xret = get_keypair_cache(info, request, config->mode);
+	xret = get_keypair_cache(info, request, g_certstore_policy->mode);
 	if (xret >= 0)
 	{
 		goto finish;
@@ -1777,11 +1849,10 @@ finish:
 int redis_sync_init(struct redisContext **c)
 {
     int xret = -1;
-    struct config_bucket_t *redis = cfg_instanec();
 
     struct timeval timeout = { 1, 500000 }; // 1.5 seconds
 
-    *c = redisConnectWithTimeout(redis->addr_t.store_ip, redis->addr_t.store_port, timeout);
+    *c = redisConnectWithTimeout(g_certstore_policy->store_ip, g_certstore_policy->store_port, timeout);
     if (*c == NULL || (*c)->err) {
         if (*c) {
             mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Sync connection error: %s", (*c)->errstr);
@@ -1801,10 +1872,9 @@ static int
 worker_private_init(struct event_base *base, x509_forge_thread *thread)
 {
     int xret = -1;
-    struct config_bucket_t *config = cfg_instanec();
 
     /* Initialize the redis connection*/
-	if (config->mode)
+	if (g_certstore_policy->mode)
 	{
 		xret = redis_rsync_init(base, &thread->cl_ctx);
 		if (xret < 0 || !thread->cl_ctx){
@@ -1817,10 +1887,10 @@ worker_private_init(struct event_base *base, x509_forge_thread *thread)
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Initialize the sync redis connection is failure");
     }
 
-    if (config->local_debug)
+    if (g_certstore_policy->local_debug)
     {
         /* Initialize the X509 CA*/
-        xret = x509_key_pair_init(config->ca_path, &thread->def.key, &thread->def.root);
+        xret = x509_key_pair_init(g_certstore_policy->ca_path, &thread->def.key, &thread->def.root);
         if (xret < 0 || !(thread->def.key) || !(thread->def.root))
 		{
             mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate");
@@ -1828,7 +1898,7 @@ worker_private_init(struct event_base *base, x509_forge_thread *thread)
         }
 
         /* Initialize the insec CA*/
-        xret = x509_key_pair_init(config->uninsec_path, &thread->def.insec_key, &thread->def.insec_root);
+        xret = x509_key_pair_init(g_certstore_policy->uninsec_path, &thread->def.insec_key, &thread->def.insec_root);
         if (xret < 0 || !(thread->def.key) || !(thread->def.root))
 		{
             mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate");
@@ -1868,7 +1938,7 @@ static void *pthread_worker_libevent(void *arg)
     bound = evhttp_accept_socket_with_handle(http, thread_ctx->accept_fd);
     if (bound != NULL) {
         mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Bound(%p) to port %d - Awaiting connections ... ", bound,
-                        cfg_instanec()->addr_t.e_port);
+                        g_certstore_policy->e_port);
 	}
 	mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Work thread %u is run...", thread_ctx->id);
 
@@ -2002,7 +2072,7 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
     x509_forge_thread *info   = NULL;
     x509_forge_thread *threads = (x509_forge_thread *)argv;
 
-    unsigned int thread_nu = cfg_instanec()->thread_nu;
+    unsigned int thread_nu = g_certstore_policy->thread_nu;
     for (tid = 0; tid < (int)thread_nu; tid++) {
         info  = threads + tid;
         if(info->sync == NULL){
@@ -2015,7 +2085,7 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
                 mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "[%d]trying to connect sync redis success", tid);
             }
 
-			if(cfg_instanec()->mode)
+			if(g_certstore_policy->mode)
 			{
 				 xret = redis_rsync_init(info->base, &info->cl_ctx);
 				if (xret < 0 || !info->cl_ctx){
@@ -2028,21 +2098,20 @@ redis_link_detection(uint32_t __attribute__((__unused__)) uid,
     }
 }
 
-static int
-keyring_server_init()
+static int keyring_server_init(struct cert_store_policy *certstore_policy)
 {
     int xret                  = -1;
     unsigned int tid          = 0;
     x509_forge_thread *thread   = NULL;
 	uint32_t tm_link_detetion = 0;
 
-    unsigned int thread_nu    = cfg_instanec()->thread_nu;
+    unsigned int thread_nu    = certstore_policy->thread_nu;
 
     /* Create a new evhttp object to handle requests. */
     struct sockaddr_in sin;
     memset(&sin, 0, sizeof(struct sockaddr_in));
     sin.sin_family = AF_INET;
-    sin.sin_port   = htons(cfg_instanec()->addr_t.e_port);
+    sin.sin_port   = htons(g_certstore_policy->e_port);
     evutil_socket_t accept_fd = evhttp_listen_socket_byuser((struct sockaddr*)&sin, sizeof(struct sockaddr_in), LEV_OPT_REUSEABLE_PORT|LEV_OPT_CLOSE_ON_FREE, -1);
     if (accept_fd < 0)
 	{
@@ -2114,9 +2183,7 @@ void sigproc(int __attribute__((__unused__))sig)
     unsigned int tid            = 0;
     x509_forge_thread *thread     = NULL;
 
-    struct config_bucket_t *rte = cfg_instanec();
-
-    for (tid = 0; tid <  rte->thread_nu; tid++)
+    for (tid = 0; tid <  g_certstore_policy->thread_nu; tid++)
 	{
         thread = threads + tid;
         if (thread->sync)
@@ -2131,12 +2198,15 @@ void sigproc(int __attribute__((__unused__))sig)
     exit(1);
 }
 
-static int mesa_fiel_stat_init()
+static int field_stat_init(struct cert_store_policy *certstore_policy, const char *profile)
 {
-	int value=0, i=0;
+	int value=0, i=0, statsd_port=0;
+	char statsd_server[46]={0};
 	char stat_path[128] ={0}, pname[32]={0};
 
-    struct _initer_addr_t *addr_t = &(cfg_instanec()->addr_t);
+	MESA_load_profile_string_def(profile, "stat", "statsd_server", statsd_server, sizeof(statsd_server), "");
+	MESA_load_profile_int_def(profile, "stat", "statsd_port", &(statsd_port), 0);
+	mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Filed initiate from %s:%d.", statsd_server, statsd_port);
 
 	g_FP_instance.favorite=FS_CALC_CURRENT;
 	strcpy(g_FP_instance.histogram_bins, FP_HISTOGRAM_BINS);
@@ -2155,10 +2225,10 @@ static int mesa_fiel_stat_init()
 	FS_set_para(fs, CREATE_THREAD, &value, sizeof(value));
 	value=2;
 	FS_set_para(fs, STAT_CYCLE, &value, sizeof(value));
-	if(strlen(addr_t->statsd_server)>0 && addr_t->statsd_port!=0)
+	if(strlen(statsd_server)>0 && statsd_port!=0)
 	{
-		FS_set_para(fs, STATS_SERVER_IP, addr_t->statsd_server, strlen(addr_t->statsd_server)+1);
-		FS_set_para(fs, STATS_SERVER_PORT, &(addr_t->statsd_port), sizeof(addr_t->statsd_port));
+		FS_set_para(fs, STATS_SERVER_IP, statsd_server, strlen(statsd_server)+1);
+		FS_set_para(fs, STATS_SERVER_PORT, &(statsd_port), sizeof(statsd_port));
 	}
 	FS_set_para(fs, HISTOGRAM_GLOBAL_BINS, g_FP_instance.histogram_bins, strlen(g_FP_instance.histogram_bins)+1);
 
@@ -2186,15 +2256,58 @@ static int mesa_fiel_stat_init()
     return 0;
 }
 
-void keyring_table_new_cb(int __attribute__((__unused__))table_id, const char  __attribute__((__unused__))*key,
-const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__))argl, void __attribute__((__unused__))* argp)
+static struct pxy_profile_hsm* get_profile_by_id(int profile_id)
 {
+	struct pxy_profile_hsm* ply_profile=NULL;
+
+	char cfg_id_str[16] = {0};
+	snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id);
+	int table_id = g_certstore_policy->plolicy_table_id[POLICY_PROFILE_TABLE_HSM];
+
+	ply_profile = (struct pxy_profile_hsm*)Maat_plugin_get_EX_data(g_certstore_policy->feather, table_id, (const char*)cfg_id_str);
+	return ply_profile;
+}
+
+CK_SESSION_HANDLE keyring_pkcs11_login(int slot_id)
+{
+	int ret=0;
+	CK_FLAGS flags;
+	CK_SESSION_HANDLE session=0;
+
+	struct pxy_profile_hsm* ply_profile = get_profile_by_id(0);
+	if(ply_profile == NULL || funcs->C_OpenSession==NULL)
+	{
+		goto error;
+	}
+
+	flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
+	ret = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
+	if(ret)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk open session faild, error : %d", ret);
+		goto error;
+	}
+	ret = funcs->C_Login(session, CKU_USER, (CK_UTF8CHAR_PTR)ply_profile->passwd, strlen(ply_profile->passwd));
+	if(ret)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk login faild, error : %d", ret);
+		goto error;
+	}
+	return session;
+error:
+	if(session)
+	{
+		funcs->C_CloseSession(session);
+	}
+	return 0;
+}
+
+void keyring_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+{
+    int ret=0, slot_id=-1;
+	int include_root=0, is_valid=0;
     char profile_name[CT_ARRARY_LEN]={0};
     char private_file[CT_STRING_MAX] = {0}, public_file[CT_STRING_MAX]={0};
-    char __attribute__((__unused__))_priv_file[CT_PATH_MAX] = {0};
-    char __attribute__((__unused__))_publi_file[CT_PATH_MAX] = {0};
-    int ret=0;
-
 	struct pxy_obj_keyring *pxy_obj = NULL;
 
     pxy_obj = (struct pxy_obj_keyring *)malloc(sizeof(struct pxy_obj_keyring));
@@ -2208,7 +2321,7 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
 
 	ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%d\t%d\t%d", &pxy_obj->keyring_id, profile_name,
 		       pxy_obj->keyring_type, private_file, public_file, &pxy_obj->expire_time, pxy_obj->public_algo,
-		       pxy_obj->v3_ctl, &pxy_obj->is_send, &pxy_obj->use_hsm, &pxy_obj->slot_id, &pxy_obj->is_valid);
+		       pxy_obj->v3_ctl, &include_root, &pxy_obj->use_hsm, &slot_id, &is_valid);
 	if(ret!=12)
 	{
         kfree(pxy_obj);
@@ -2218,7 +2331,7 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
 	pxy_obj->op_time = time(NULL);
 
     /*Load PUBLICKEY***/
-    if ((pxy_obj->issuer = x509_get_root_ca(public_file, pxy_obj->is_send, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){
+    if ((pxy_obj->issuer = x509_get_root_ca(public_file, include_root, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 publickey failed, the keyring id is %d",
                          pxy_obj->keyring_id);
 		goto finish;
@@ -2227,12 +2340,16 @@ const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__)
 	if(pxy_obj->use_hsm == 0)
 	{
 		/*Load PRIVATEKEY**/
-	    if ((pxy_obj->key = cert_load_key(private_file)) == NULL){
-	        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d",
-	                         pxy_obj->keyring_id);
+	    if ((pxy_obj->key = cert_load_key(private_file)) == NULL)
+		{
+	        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 privatekey failed, the keyring id is %d", pxy_obj->keyring_id);
 	        goto finish;
 	    }
 	}
+	else
+	{
+		pxy_obj->session = keyring_pkcs11_login(slot_id);
+	}
 
     mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d",
                      pxy_obj->keyring_id);
@@ -2254,21 +2371,19 @@ long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
     *((struct pxy_obj_keyring**)to)=pxy_obj;
 }
 
-int maat_table_ex_init(const char* table_name,
+int maat_table_ex_init(const char* table_name,int profile_id,
 					   Maat_plugin_EX_new_func_t* new_func,
 					   Maat_plugin_EX_free_func_t* free_func,
 					   Maat_plugin_EX_dup_func_t* dup_func)
 {
 	int table_id = 0;
 
-    struct config_bucket_t *rte = cfg_instanec();
-
-	table_id= rte->table_id = Maat_table_register(rte->feather, table_name);
+	table_id= g_certstore_policy->plolicy_table_id[profile_id] = Maat_table_register(g_certstore_policy->feather, table_name);
 	if(table_id<0)
 	{
 		goto finish;
 	}
-	table_id=Maat_plugin_EX_register(rte->feather,
+	table_id=Maat_plugin_EX_register(g_certstore_policy->feather,
  						             table_id,
  						             new_func,free_func,
  						             dup_func,NULL,0,NULL);
@@ -2276,65 +2391,234 @@ finish:
 	return table_id;
 }
 
-int maat_feather_init()
+#define MAAT_INPUT_JSON			1
+#define MAAT_INPUT_REDIS    	2
+#define MAAT_INPUT_FILE        	0
+
+static Maat_feather_t create_maat_feather(const char *profile, const char *section, int max_thread)
 {
-    int ret = -1;
-    Maat_feather_t feather = NULL;
-	int scan_interval_ms = 1000;
+    Maat_feather_t target;
+    int input_mode = 0;
+    int ret = 0, effect_interval = 60;
+    char table_info[CT_STRING_MAX] = {0}, inc_cfg_dir[CT_STRING_MAX] = {0}, ful_cfg_dir[CT_STRING_MAX] = {0};
+    char redis_server[CT_STRING_MAX] = {0};
+    char redis_port_range[CT_STRING_MAX] = {0};
+    char accept_tags[CT_STRING_MAX] = {0};
+    char accept_path[CT_PATH_MAX] = {0};
+    int redis_port_begin = 0, redis_port_end = 0;
+    int redis_port_select = 0;
+    int redis_db_idx = 0;
+    char json_cfg_file[CT_STRING_MAX] = {0};
 
-    struct config_bucket_t *rte = cfg_instanec();
-    struct ntc_maat_t *maat_t = &rte->maat_t;
+    MESA_load_profile_int_def(profile, section, "maat_json_switch", &(input_mode), 0);
+    MESA_load_profile_string_def(profile, section, "table_info", table_info, sizeof(table_info), "");
+    MESA_load_profile_string_def(profile, section, "accept_path", accept_path, sizeof(accept_path), "");
+    MESA_load_profile_string_def(profile, section, "pxy_obj_keyring", json_cfg_file, sizeof(json_cfg_file), "");
+    MESA_load_profile_string_def(profile, "MAAT_REDIS", "ip", redis_server, sizeof(redis_server), "");
+    MESA_load_profile_string_def(profile, "MAAT_REDIS", "port", redis_port_range, sizeof(redis_server), "6379");
+    MESA_load_profile_int_def(profile, "MAAT_REDIS", "dbindex", &(redis_db_idx), 0);
+    MESA_load_profile_string_def(profile, section, "inc_cfg_dir", inc_cfg_dir, sizeof(inc_cfg_dir), "");
+    MESA_load_profile_string_def(profile, section, "full_cfg_dir", ful_cfg_dir, sizeof(ful_cfg_dir), "");
+    MESA_load_profile_int_def(profile, section, "effective_interval", &(effect_interval), 60);
 
-    int effective_interval_ms = maat_t->effective_interval_s * 1000;
+    effect_interval *= 1000; //convert s to ms
 
-	feather = Maat_feather(rte->thread_nu, maat_t->info_path, logging_sc_lid.run_log_handle);
-
-	Maat_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
-
-    if (maat_t->maat_json_switch == 1){
-        Maat_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maat_t->pxy_path, strlen(maat_t->pxy_path)+1);
+    target = Maat_feather(max_thread, table_info, logging_sc_lid.run_log_handle);
+    Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
+    switch (input_mode)
+    {
+		case MAAT_INPUT_JSON:
+		    Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
+		    break;
+		case MAAT_INPUT_REDIS:
+		    ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
+		    if (ret == 1)
+		    {
+		        redis_port_select = redis_port_begin;
+		    }
+		    else if (ret == 2)
+		    {
+		        srand(time(NULL));
+		        redis_port_select = redis_port_begin + rand() % (redis_port_end - redis_port_begin);
+		    }
+		    Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
+		    Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
+		    Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
+		    break;
+		case MAAT_INPUT_FILE:
+		    Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
+		    Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
+		    break;
+		default:
+			mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Invalid MAAT Input Mode: %d.", input_mode);
+		    goto error_out;
     }
-    if (maat_t->maat_json_switch == 0){
-        Maat_set_feather_opt(feather, MAAT_OPT_FULL_CFG_DIR, maat_t->full_cfg_dir, strlen(maat_t->full_cfg_dir)+1);
-        Maat_set_feather_opt(feather, MAAT_OPT_INC_CFG_DIR, maat_t->inc_cfg_dir, strlen(maat_t->inc_cfg_dir)+1);
-    }
-    if (maat_t->maat_json_switch == 2){
-        Maat_set_feather_opt(feather, MAAT_OPT_REDIS_IP, rte->addr_t.maat_ip, strlen(rte->addr_t.maat_ip)+1);
-        Maat_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, &rte->addr_t.maat_port, sizeof(rte->addr_t.maat_port));
-        Maat_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, &rte->addr_t.dbindex, sizeof(rte->addr_t.dbindex));
+    Maat_set_feather_opt(target, MAAT_OPT_FOREIGN_CONT_DIR, "./foreign_files/", strlen("./foreign_files/") + 1);
+    Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
+    if (strlen(accept_path) > 0)
+    {
+        MESA_load_profile_string_def(accept_path, "maat", "ACCEPT_TAGS", accept_tags, sizeof(accept_tags), "{\"tags\":[{\"tag\":\"device_id\",\"value\":\"device_1\"}]}");
+        Maat_set_feather_opt(target, MAAT_OPT_ACCEPT_TAGS, &accept_tags, sizeof(accept_tags));
+        mesa_runtime_log(RLOG_LV_INFO, "accept tags	  : %s", accept_tags);
     }
 
-    Maat_set_feather_opt(feather, MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms));
-	Maat_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms));
-    /***/
-    const char* foregin_dir="./foreign_files/";
-    Maat_set_feather_opt(feather, MAAT_OPT_FOREIGN_CONT_DIR,foregin_dir, strlen(foregin_dir)+1);
-	ret = Maat_initiate_feather(feather);
-	if (ret < 0)
-	{
+    ret = Maat_initiate_feather(target);
+    if (ret < 0)
+    {
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
-	}
-    rte->feather = feather;
+        goto error_out;
+    }
+    return target;
+error_out:
+    Maat_burn_feather(target);
+    return NULL;
+}
 
-    int table_id = maat_table_ex_init("PXY_PROFILE_KEYRING",
-                                      keyring_table_new_cb,
-        					          keyring_table_free_cb,
-        					          keyring_table_dup_cb);
+void hsm_profile_table_start_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+{
+	int ret=0, profile_id=0, is_valid=0;
+	char server_type[128]={0};
+	char ip[46]={0}, passwd[128] = {0};
+	char effective_range[256] = {0};
+
+	ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, server_type, ip, passwd, effective_range, &is_valid);
+	if(ret!=6)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse config failed: %s", table_line);
+		return;
+	}
+
+	/*Whether to take effect**/
+
+	struct pxy_profile_hsm* ply_profile = (struct pxy_profile_hsm*)kmalloc(sizeof(struct pxy_profile_hsm), MPF_CLR, -1);
+
+	ply_profile->profile_id=profile_id;
+	ply_profile->ref_cnt=1;
+	pthread_mutex_init(&(ply_profile->lock), NULL);
+	ply_profile->server_ip=strdup(ip);
+	ply_profile->passwd=strdup(passwd);
+
+	mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Policy table add success %d", profile_id);
+	*ad = ply_profile;
+	return;
+}
+
+void hsm_profile_table_dup_cb(int table_id,	MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
+{
+	struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*from);
+	pthread_mutex_lock(&(ply_obj->lock));
+	ply_obj->ref_cnt++;
+	pthread_mutex_unlock(&(ply_obj->lock));
+	*to=ply_obj;
+}
+
+void hsm_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
+{
+	if(*ad==NULL)
+	{
+		return;
+	}
+	struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*ad);
+	if(ply_obj==NULL)
+	{
+		return;
+	}
+
+	pthread_mutex_lock(&(ply_obj->lock));
+	ply_obj->ref_cnt--;
+	if(ply_obj->ref_cnt>0)
+	{
+		pthread_mutex_unlock(&(ply_obj->lock));
+		return;
+	}
+	pthread_mutex_unlock(&(ply_obj->lock));
+	pthread_mutex_destroy(&(ply_obj->lock));
+
+	kfree(&ply_obj->server_ip);
+	kfree(&ply_obj->passwd);
+	kfree(&ply_obj);
+	*ad=NULL;
+	return;
+}
+
+int maat_feather_init(struct cert_store_policy *certstore_policy, const char *main_profile)
+{
+	int table_id = 0;
+
+	certstore_policy->feather = create_maat_feather(main_profile, "maat", certstore_policy->thread_nu);
+	if(!certstore_policy->feather)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
+		return 0;
+	}
+
+    table_id = maat_table_ex_init("PXY_PROFILE_KEYRING", POLICY_PROFLIE_TABLE_KERING, keyring_table_new_cb, keyring_table_free_cb, keyring_table_dup_cb);
     if(table_id<0)
     {
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_PROFILE_KEYRING failed");
     }
 
+	table_id = maat_table_ex_init("PXY_PROFILE_HSM", POLICY_PROFILE_TABLE_HSM, hsm_profile_table_start_cb, hsm_profile_table_free_cb, hsm_profile_table_dup_cb);
+    if(table_id<0)
+    {
+        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table PXY_PROFILE_HSM failed");
+		return 0;
+    }
+
+	field_stat_init(certstore_policy, main_profile);
+
     return 0;
 }
 
-int cert_store_session_init()
+int do_user_GetFunctionList(void)
 {
-    mesa_fiel_stat_init();
+	return FC_GetFunctionList(&funcs);
+}
 
-    maat_feather_init();
+int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *main_profile)
+{
+	int xret=0;
+	char library_path[256]={0};
+	CK_C_INITIALIZE_ARGS  cinit_args;
 
-    keyring_server_init();
+	MESA_load_profile_uint_nodef(main_profile, "certex_hsm", "enable", &(certstore_policy->enable));
+	MESA_load_profile_string_def(main_profile, "certex_hsm", "library_path", library_path, sizeof(library_path), "");
+
+	if(certstore_policy->enable == 0)
+	{
+		goto finish;
+	}
+
+	xret=LoadPkcsLib(library_path);
+	if(xret!=0)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Load %s failed", library_path);
+		goto finish;
+	}
+	xret = do_user_GetFunctionList();
+	if(xret!=0 || funcs->C_Initialize==NULL)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get function list failed, errro = %d",xret);
+		goto finish;
+	}
+	memset(&cinit_args, 0x0, sizeof(cinit_args));
+	cinit_args.flags = CKF_OS_LOCKING_OK;
+	xret = funcs->C_Initialize(&cinit_args);
+	if(xret!=0)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Function Initialize failed");
+	}
+finish:
+	return xret;
+}
+
+int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile)
+{
+    maat_feather_init(certstore_policy, main_profile);
+
+	pkcs11_module_init(certstore_policy, main_profile);
+
+    keyring_server_init(certstore_policy);
 
     return 0;
 }
diff --git a/program/src/cert_store.cpp b/program/src/cert_store.cpp
index 3df16f7..fbf14a5 100644
--- a/program/src/cert_store.cpp
+++ b/program/src/cert_store.cpp
@@ -12,14 +12,15 @@
 #include <unistd.h>
 
 #include "rt_string.h"
+#include "rt_stdlib.h"
 #include "rt_common.h"
-#include <cert_conf.h>
-#include <cert_session.h>
+#include "cert_conf.h"
+#include "cert_session.h"
 #include "logging.h"
 
 #include <MESA/MESA_prof_load.h>
 
-#define CERT_BASIC_CFG "./conf/cert_store.ini"
+struct cert_store_policy * g_certstore_policy = NULL;
 
 /* VERSION STRING */
 #ifdef TARGET_GIT_VERSION
@@ -39,33 +40,18 @@ enum syslog_display_format{
     FORMAT_SYSLOG
 };
 
-static
-void cert_store_preview ()
+static void cert_store_preview()
 {
-    struct config_bucket_t *rte = cfg_instanec();
-
     printf("\r\nBasic Configuration of CertStore \n");
-	printf("%30s:%45s\n", "Run Mode", (rte->mode == 1)?"async":"sync");
-    printf("%30s:%45d\n", "The Threads", rte->thread_nu);
-    printf("%30s:%45s\n", "Store Redis Ip", rte->addr_t.store_ip);
-    printf("%30s:%45d\n", "Store Redis Port", rte->addr_t.store_port);
-    printf("%30s:%45s\n", "Maat Redis Ip", rte->addr_t.maat_ip);
-    printf("%30s:%45d\n", "Maat Redis Port", rte->addr_t.maat_port);
-    printf("%30s:%45d\n", "Maat Redis index", rte->addr_t.dbindex);
-    printf("%30s:%45d\n", "Libevent Port", rte->addr_t.e_port);
-    printf("%30s:%45s\n", "Cert Path", rte->ca_path);
-    printf("%30s:%45s\n", "Uninsec cert Path", rte->uninsec_path);
+	printf("%30s:%45s\n", "Run Mode", (g_certstore_policy->mode == 1)?"async":"sync");
+    printf("%30s:%45d\n", "The Threads", g_certstore_policy->thread_nu);
+    printf("%30s:%45s\n", "Store Redis Ip", g_certstore_policy->store_ip);
+    printf("%30s:%45d\n", "Store Redis Port", g_certstore_policy->store_port);
+    printf("%30s:%45d\n", "Libevent Port", g_certstore_policy->e_port);
+    printf("%30s:%45s\n", "Cert Path", g_certstore_policy->ca_path);
+    printf("%30s:%45s\n", "Uninsec cert Path", g_certstore_policy->uninsec_path);
     printf("%30s:%45s\n", "Log Directory", logging_sc_lid.run_log_path);
-    printf("%30s:%45s\n", "Table Info", rte->maat_t.info_path);
-    if (rte->maat_t.maat_json_switch == 1){
-        printf("%30s:%45s\n", "Pxy Obj Keyring", rte->maat_t.pxy_path);
-    }
-    if (rte->maat_t.maat_json_switch == 0){
-        printf("%30s:%45d\n", "Scan Interval", rte->maat_t.effective_interval_s);
-        printf("%30s:%45s\n", "Full Cfg Path", rte->maat_t.full_cfg_dir);
-        printf("%30s:%45s\n", "Inc  Cfg Path", rte->maat_t.inc_cfg_dir);
 
-    }
     printf("\r\n");
 }
 
@@ -93,6 +79,8 @@ void __signal_handler_cb(int sig)
 int main(int argc, char **argv)
 {
 	int opt = 0;
+	const char * main_profile = "./conf/cert_store.ini";
+
 	while ((opt = getopt(argc, argv, "v")) != -1)
 	{
 		switch (opt)
@@ -104,9 +92,13 @@ int main(int argc, char **argv)
 				break;
 		}
 	}
-    cert_store_syslog_init(CERT_BASIC_CFG, version());
 
-    cert_store_init_config(CERT_BASIC_CFG);
+	g_certstore_policy = (struct cert_store_policy *) kmalloc (sizeof(struct cert_store_policy), MPF_CLR, -1);
+	assert(g_certstore_policy);
+
+    cert_store_syslog_init(main_profile, version());
+
+    cert_store_init_config(g_certstore_policy, main_profile);
 
     cert_store_preview();
 
@@ -116,8 +108,7 @@ int main(int argc, char **argv)
 	{
 		signal(signals[i], __signal_handler_cb);
 	}
-
-    cert_store_session_init();
+    cert_store_session_init(g_certstore_policy, main_profile);
 
     return 0;
 }
diff --git a/resource/conf/cert_store.ini b/resource/conf/cert_store.ini
index 93661b5..19e4550 100644
--- a/resource/conf/cert_store.ini
+++ b/resource/conf/cert_store.ini
@@ -58,3 +58,7 @@ dbindex = 4
 statsd_server=192.168.10.72
 statsd_port=8126
 
+[certex_hsm]
+enable=0
+library_path=lib/libcertex-rcsp_r.so.v.3.0.40.2
+
diff --git a/resource/conf/pxy_obj_keyring.json b/resource/conf/pxy_obj_keyring.json
index 0350b8b..1fda0a3 100644
--- a/resource/conf/pxy_obj_keyring.json
+++ b/resource/conf/pxy_obj_keyring.json
@@ -73,18 +73,18 @@
         {
             "table_name": "PXY_PROFILE_KEYRING",
 			  "table_content": [
-                "0\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t0\trsa1024\tNULL\t1\t1\t2019112101\t",
-				"11\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t//home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t0\trsa1024\tNULL\t0\t1\t2019112102\t",
+                "0\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-untrust-ca.pem\t0\trsa1024\tNULL\t1\t0\t1\t1\t2019112101\t",
+				"11\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t//home/fengweihao/tool/test_cert/root/tango-ca-v3-trust-ca.pem\t0\trsa1024\tNULL\t0\t0\t1\t\t1\t2019112102\t",
 				
-				"1\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t24\trsa2048\tNULL\t0\t1\t20191121990\t",
-				"3\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t30\trsa4096\tNULL\t1\t1\t2019112102\t",
-				"9\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-cer.pem\t30\trsa1024\tNULL\t1\t1\t2019112104\t",
-				"8\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-ca-l1-cert.pem\t30\trsa1024\tNULL\t1\t1\t2019112105\t",
-				"12\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v2-v1-ca.cer\t30\trsa1024\tNULL\t0\t1\t20191106\t",
-				"13\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-ca-v1-v2.cer\t30\trsa1024\tNULL\t0\t1\t20191107\t",
-				"4\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v1-ca-v2.cer\t30\trsa1024\tNULL\t0\t1\t20191108\t",
-				"5\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle.pem\t30\trsa4096\tNULL\t1\t1\t20191108\t",
-				"10\tname_01\tend-entity\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-key.pem\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-cer.pem\t30\trsa4096\tNULL\t0\t1\t20191107\t"
+				"1\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t24\trsa2048\tNULL\t0\t0\t1\t1\t20191121990\t",
+				"3\tname_01\troot\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-key.pem\t/home/fengweihao/tool/test_cert/root/tango-ca-trust-ca-cer.pem\t30\trsa4096\tNULL\t1\t0\t1\t1\t2019112102\t",
+				"9\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-cer.pem\t30\trsa1024\tNULL\t1\t0\t1\t1\t2019112104\t",
+				"8\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-01-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/tang-ca-v3-intermediate-ca-l1-cert.pem\t30\trsa1024\tNULL\t1\t0\t1\t1\t2019112105\t",
+				"12\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v2-v1-ca.cer\t30\trsa1024\tNULL\t0\t0\t1\t1\t20191106\t",
+				"13\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-ca-v1-v2.cer\t30\trsa1024\tNULL\t0\t0\t1\t1\t20191107\t",
+				"4\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2.key\t/home/fengweihao/tool/test_cert/Intermediate/Tang-Ca-IIS-v2-v1-ca-v2.cer\t30\trsa1024\tNULL\t0\t0\t1\t1\t20191108\t",
+				"5\tname_01\tintermediate\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle-key.pem\t/home/fengweihao/tool/test_cert/Intermediate/ca01-mle.pem\t30\trsa4096\tNULL\t1\t0\t1\t1\t20191108\t",
+				"10\tname_01\tend-entity\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-key.pem\t/home/fengweihao/tool/test_cert/end-entity/tang-ca-v3-www.bing.com-cer.pem\t30\trsa4096\tNULL\t0\t0\t1\t1\t20191107\t"
             ]
         }
     ]
diff --git a/resource/conf/table_info.conf b/resource/conf/table_info.conf
index df14e30..c7360d1 100644
--- a/resource/conf/table_info.conf
+++ b/resource/conf/table_info.conf
@@ -18,3 +18,4 @@
 1	COMPILE	compile
 2   GROUP group
 3   PXY_PROFILE_KEYRING plugin	 {"key":1,"valid":12,"foreign":"4,5"}
+4   PXY_PROFILE_HSM	plugin	{"key":1,"valid":6}