20 files changed, 6538 insertions, 0 deletions

diff --git a/vendor/github.com/miekg/pkcs11/.gitignore b/vendor/github.com/miekg/pkcs11/.gitignore
new file mode 100644
index 000000000..5fde17f99
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/.gitignore
@@ -0,0 +1,3 @@
+tags
+test_db/*/generation
+test_db/*/*.lock
diff --git a/vendor/github.com/miekg/pkcs11/.travis.yml b/vendor/github.com/miekg/pkcs11/.travis.yml
new file mode 100644
index 000000000..687044d83
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/.travis.yml
@@ -0,0 +1,14 @@
+language: go
+sudo: required
+dist: trusty
+
+go:
+  - 1.9
+  - tip
+
+script:
+  - go test -v ./...
+
+before_script:
+  - sudo apt-get update
+  - sudo apt-get -y install libsofthsm
diff --git a/vendor/github.com/miekg/pkcs11/LICENSE b/vendor/github.com/miekg/pkcs11/LICENSE
new file mode 100644
index 000000000..ce25d13ab
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2013 Miek Gieben. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Miek Gieben nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/miekg/pkcs11/Makefile.release b/vendor/github.com/miekg/pkcs11/Makefile.release
new file mode 100644
index 000000000..4f58165f9
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/Makefile.release
@@ -0,0 +1,57 @@
+# Makefile for releasing.
+#
+# The release is controlled from version.go. The version found there is
+# used to tag the git repo, we're not building any artifects so there is nothing
+# to upload to github.
+#
+# * Up the version in version.go
+# * Run: make -f Makefile.release release
+#   * will *commit* your change with 'Release $VERSION'
+#   * push to github
+#
+
+define GO
+//+build ignore
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/miekg/pkcs11"
+)
+
+func main() {
+	fmt.Println(pkcs11.Release.String())
+}
+endef
+
+$(file > version_release.go,$(GO))
+VERSION:=$(shell go run -tags release version_release.go)
+TAG="v$(VERSION)"
+
+all:
+	rm -f version_release.go
+	@echo Use the \'release\' target to start a release $(VERSION)
+
+.PHONY: run
+run:
+	rm -f version_release.go
+	@echo $(VERSION)
+
+.PHONY: release
+release: commit push
+	@echo Released $(VERSION)
+
+.PHONY: commit
+commit:
+	rm -f version_release.go
+	@echo Committing release $(VERSION)
+	git commit -am"Release $(VERSION)"
+	git tag $(TAG)
+
+.PHONY: push
+push:
+	@echo Pushing release $(VERSION) to master
+	git push --tags
+	git push
diff --git a/vendor/github.com/miekg/pkcs11/README.md b/vendor/github.com/miekg/pkcs11/README.md
new file mode 100644
index 000000000..0a5c1b7b6
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/README.md
@@ -0,0 +1,68 @@
+# PKCS#11 [![Build Status](https://travis-ci.org/miekg/pkcs11.png?branch=master)](https://travis-ci.org/miekg/pkcs11) [![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)](http://godoc.org/github.com/miekg/pkcs11)
+
+This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom were
+it makes sense. It has been tested with SoftHSM.
+
+## SoftHSM
+
+ *  Make it use a custom configuration file `export SOFTHSM_CONF=$PWD/softhsm.conf`
+
+ *  Then use `softhsm` to init it
+
+    ~~~
+    softhsm --init-token --slot 0 --label test --pin 1234
+    ~~~
+
+ *  Then use `libsofthsm.so` as the pkcs11 module:
+
+    ~~~ go
+    p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
+    ~~~
+
+## Examples
+
+A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
+
+~~~ go
+p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
+err := p.Initialize()
+if err != nil {
+    panic(err)
+}
+
+defer p.Destroy()
+defer p.Finalize()
+
+slots, err := p.GetSlotList(true)
+if err != nil {
+    panic(err)
+}
+
+session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
+if err != nil {
+    panic(err)
+}
+defer p.CloseSession(session)
+
+err = p.Login(session, pkcs11.CKU_USER, "1234")
+if err != nil {
+    panic(err)
+}
+defer p.Logout(session)
+
+p.DigestInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_SHA_1, nil)})
+hash, err := p.Digest(session, []byte("this is a string"))
+if err != nil {
+    panic(err)
+}
+
+for _, d := range hash {
+        fmt.Printf("%x", d)
+}
+fmt.Println()
+~~~
+
+Further examples are included in the tests.
+
+To expose PKCS#11 keys using the [crypto.Signer interface](https://golang.org/pkg/crypto/#Signer),
+please see [github.com/thalesignite/crypto11](https://github.com/thalesignite/crypto11).
diff --git a/vendor/github.com/miekg/pkcs11/const.go b/vendor/github.com/miekg/pkcs11/const.go
new file mode 100644
index 000000000..408856146
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/const.go
@@ -0,0 +1,736 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+const (
+	CKU_SO               uint = 0
+	CKU_USER             uint = 1
+	CKU_CONTEXT_SPECIFIC uint = 2
+)
+
+const (
+	CKO_DATA              uint = 0x00000000
+	CKO_CERTIFICATE       uint = 0x00000001
+	CKO_PUBLIC_KEY        uint = 0x00000002
+	CKO_PRIVATE_KEY       uint = 0x00000003
+	CKO_SECRET_KEY        uint = 0x00000004
+	CKO_HW_FEATURE        uint = 0x00000005
+	CKO_DOMAIN_PARAMETERS uint = 0x00000006
+	CKO_MECHANISM         uint = 0x00000007
+	CKO_OTP_KEY           uint = 0x00000008
+	CKO_VENDOR_DEFINED    uint = 0x80000000
+)
+
+const (
+	CKG_MGF1_SHA1     uint = 0x00000001
+	CKG_MGF1_SHA224   uint = 0x00000005
+	CKG_MGF1_SHA256   uint = 0x00000002
+	CKG_MGF1_SHA384   uint = 0x00000003
+	CKG_MGF1_SHA512   uint = 0x00000004
+	CKG_MGF1_SHA3_224 uint = 0x00000006
+	CKG_MGF1_SHA3_256 uint = 0x00000007
+	CKG_MGF1_SHA3_384 uint = 0x00000008
+	CKG_MGF1_SHA3_512 uint = 0x00000009
+)
+
+const (
+	CKZ_DATA_SPECIFIED uint = 0x00000001
+)
+
+// Generated with: awk '/#define CK[AFKMRC]/{ print $2 " = " $3 }' pkcs11t.h | sed -e 's/UL$//g' -e 's/UL)$/)/g'
+
+// All the flag (CKF_), attribute (CKA_), error code (CKR_), key type (CKK_), certificate type (CKC_) and
+// mechanism (CKM_) constants as defined in PKCS#11.
+const (
+	CKF_TOKEN_PRESENT                    = 0x00000001
+	CKF_REMOVABLE_DEVICE                 = 0x00000002
+	CKF_HW_SLOT                          = 0x00000004
+	CKF_RNG                              = 0x00000001
+	CKF_WRITE_PROTECTED                  = 0x00000002
+	CKF_LOGIN_REQUIRED                   = 0x00000004
+	CKF_USER_PIN_INITIALIZED             = 0x00000008
+	CKF_RESTORE_KEY_NOT_NEEDED           = 0x00000020
+	CKF_CLOCK_ON_TOKEN                   = 0x00000040
+	CKF_PROTECTED_AUTHENTICATION_PATH    = 0x00000100
+	CKF_DUAL_CRYPTO_OPERATIONS           = 0x00000200
+	CKF_TOKEN_INITIALIZED                = 0x00000400
+	CKF_SECONDARY_AUTHENTICATION         = 0x00000800
+	CKF_USER_PIN_COUNT_LOW               = 0x00010000
+	CKF_USER_PIN_FINAL_TRY               = 0x00020000
+	CKF_USER_PIN_LOCKED                  = 0x00040000
+	CKF_USER_PIN_TO_BE_CHANGED           = 0x00080000
+	CKF_SO_PIN_COUNT_LOW                 = 0x00100000
+	CKF_SO_PIN_FINAL_TRY                 = 0x00200000
+	CKF_SO_PIN_LOCKED                    = 0x00400000
+	CKF_SO_PIN_TO_BE_CHANGED             = 0x00800000
+	CKF_ERROR_STATE                      = 0x01000000
+	CKF_RW_SESSION                       = 0x00000002
+	CKF_SERIAL_SESSION                   = 0x00000004
+	CKK_RSA                              = 0x00000000
+	CKK_DSA                              = 0x00000001
+	CKK_DH                               = 0x00000002
+	CKK_ECDSA                            = 0x00000003
+	CKK_EC                               = 0x00000003
+	CKK_X9_42_DH                         = 0x00000004
+	CKK_KEA                              = 0x00000005
+	CKK_GENERIC_SECRET                   = 0x00000010
+	CKK_RC2                              = 0x00000011
+	CKK_RC4                              = 0x00000012
+	CKK_DES                              = 0x00000013
+	CKK_DES2                             = 0x00000014
+	CKK_DES3                             = 0x00000015
+	CKK_CAST                             = 0x00000016
+	CKK_CAST3                            = 0x00000017
+	CKK_CAST5                            = 0x00000018
+	CKK_CAST128                          = 0x00000018
+	CKK_RC5                              = 0x00000019
+	CKK_IDEA                             = 0x0000001A
+	CKK_SKIPJACK                         = 0x0000001B
+	CKK_BATON                            = 0x0000001C
+	CKK_JUNIPER                          = 0x0000001D
+	CKK_CDMF                             = 0x0000001E
+	CKK_AES                              = 0x0000001F
+	CKK_BLOWFISH                         = 0x00000020
+	CKK_TWOFISH                          = 0x00000021
+	CKK_SECURID                          = 0x00000022
+	CKK_HOTP                             = 0x00000023
+	CKK_ACTI                             = 0x00000024
+	CKK_CAMELLIA                         = 0x00000025
+	CKK_ARIA                             = 0x00000026
+	CKK_SHA512_224_HMAC                  = 0x00000027
+	CKK_SHA512_256_HMAC                  = 0x00000028
+	CKK_SHA512_T_HMAC                    = 0x00000029
+	CKK_SHA_1_HMAC                       = 0x00000028
+	CKK_SHA224_HMAC                      = 0x0000002E
+	CKK_SHA256_HMAC                      = 0x0000002B
+	CKK_SHA384_HMAC                      = 0x0000002C
+	CKK_SHA512_HMAC                      = 0x0000002D
+	CKK_SEED                             = 0x0000002F
+	CKK_GOSTR3410                        = 0x00000030
+	CKK_GOSTR3411                        = 0x00000031
+	CKK_GOST28147                        = 0x00000032
+	CKK_SHA3_224_HMAC                    = 0x00000033
+	CKK_SHA3_256_HMAC                    = 0x00000034
+	CKK_SHA3_384_HMAC                    = 0x00000035
+	CKK_SHA3_512_HMAC                    = 0x00000036
+	CKK_VENDOR_DEFINED                   = 0x80000000
+	CKC_X_509                            = 0x00000000
+	CKC_X_509_ATTR_CERT                  = 0x00000001
+	CKC_WTLS                             = 0x00000002
+	CKC_VENDOR_DEFINED                   = 0x80000000
+	CKF_ARRAY_ATTRIBUTE                  = 0x40000000
+	CKA_CLASS                            = 0x00000000
+	CKA_TOKEN                            = 0x00000001
+	CKA_PRIVATE                          = 0x00000002
+	CKA_LABEL                            = 0x00000003
+	CKA_APPLICATION                      = 0x00000010
+	CKA_VALUE                            = 0x00000011
+	CKA_OBJECT_ID                        = 0x00000012
+	CKA_CERTIFICATE_TYPE                 = 0x00000080
+	CKA_ISSUER                           = 0x00000081
+	CKA_SERIAL_NUMBER                    = 0x00000082
+	CKA_AC_ISSUER                        = 0x00000083
+	CKA_OWNER                            = 0x00000084
+	CKA_ATTR_TYPES                       = 0x00000085
+	CKA_TRUSTED                          = 0x00000086
+	CKA_CERTIFICATE_CATEGORY             = 0x00000087
+	CKA_JAVA_MIDP_SECURITY_DOMAIN        = 0x00000088
+	CKA_URL                              = 0x00000089
+	CKA_HASH_OF_SUBJECT_PUBLIC_KEY       = 0x0000008A
+	CKA_HASH_OF_ISSUER_PUBLIC_KEY        = 0x0000008B
+	CKA_NAME_HASH_ALGORITHM              = 0x0000008C
+	CKA_CHECK_VALUE                      = 0x00000090
+	CKA_KEY_TYPE                         = 0x00000100
+	CKA_SUBJECT                          = 0x00000101
+	CKA_ID                               = 0x00000102
+	CKA_SENSITIVE                        = 0x00000103
+	CKA_ENCRYPT                          = 0x00000104
+	CKA_DECRYPT                          = 0x00000105
+	CKA_WRAP                             = 0x00000106
+	CKA_UNWRAP                           = 0x00000107
+	CKA_SIGN                             = 0x00000108
+	CKA_SIGN_RECOVER                     = 0x00000109
+	CKA_VERIFY                           = 0x0000010A
+	CKA_VERIFY_RECOVER                   = 0x0000010B
+	CKA_DERIVE                           = 0x0000010C
+	CKA_START_DATE                       = 0x00000110
+	CKA_END_DATE                         = 0x00000111
+	CKA_MODULUS                          = 0x00000120
+	CKA_MODULUS_BITS                     = 0x00000121
+	CKA_PUBLIC_EXPONENT                  = 0x00000122
+	CKA_PRIVATE_EXPONENT                 = 0x00000123
+	CKA_PRIME_1                          = 0x00000124
+	CKA_PRIME_2                          = 0x00000125
+	CKA_EXPONENT_1                       = 0x00000126
+	CKA_EXPONENT_2                       = 0x00000127
+	CKA_COEFFICIENT                      = 0x00000128
+	CKA_PUBLIC_KEY_INFO                  = 0x00000129
+	CKA_PRIME                            = 0x00000130
+	CKA_SUBPRIME                         = 0x00000131
+	CKA_BASE                             = 0x00000132
+	CKA_PRIME_BITS                       = 0x00000133
+	CKA_SUBPRIME_BITS                    = 0x00000134
+	CKA_SUB_PRIME_BITS                   = CKA_SUBPRIME_BITS
+	CKA_VALUE_BITS                       = 0x00000160
+	CKA_VALUE_LEN                        = 0x00000161
+	CKA_EXTRACTABLE                      = 0x00000162
+	CKA_LOCAL                            = 0x00000163
+	CKA_NEVER_EXTRACTABLE                = 0x00000164
+	CKA_ALWAYS_SENSITIVE                 = 0x00000165
+	CKA_KEY_GEN_MECHANISM                = 0x00000166
+	CKA_MODIFIABLE                       = 0x00000170
+	CKA_COPYABLE                         = 0x00000171
+	CKA_DESTROYABLE                      = 0x00000172
+	CKA_ECDSA_PARAMS                     = 0x00000180
+	CKA_EC_PARAMS                        = 0x00000180
+	CKA_EC_POINT                         = 0x00000181
+	CKA_SECONDARY_AUTH                   = 0x00000200
+	CKA_AUTH_PIN_FLAGS                   = 0x00000201
+	CKA_ALWAYS_AUTHENTICATE              = 0x00000202
+	CKA_WRAP_WITH_TRUSTED                = 0x00000210
+	CKA_WRAP_TEMPLATE                    = CKF_ARRAY_ATTRIBUTE | 0x00000211
+	CKA_UNWRAP_TEMPLATE                  = CKF_ARRAY_ATTRIBUTE | 0x00000212
+	CKA_OTP_FORMAT                       = 0x00000220
+	CKA_OTP_LENGTH                       = 0x00000221
+	CKA_OTP_TIME_INTERVAL                = 0x00000222
+	CKA_OTP_USER_FRIENDLY_MODE           = 0x00000223
+	CKA_OTP_CHALLENGE_REQUIREMENT        = 0x00000224
+	CKA_OTP_TIME_REQUIREMENT             = 0x00000225
+	CKA_OTP_COUNTER_REQUIREMENT          = 0x00000226
+	CKA_OTP_PIN_REQUIREMENT              = 0x00000227
+	CKA_OTP_COUNTER                      = 0x0000022E
+	CKA_OTP_TIME                         = 0x0000022F
+	CKA_OTP_USER_IDENTIFIER              = 0x0000022A
+	CKA_OTP_SERVICE_IDENTIFIER           = 0x0000022B
+	CKA_OTP_SERVICE_LOGO                 = 0x0000022C
+	CKA_OTP_SERVICE_LOGO_TYPE            = 0x0000022D
+	CKA_GOSTR3410_PARAMS                 = 0x00000250
+	CKA_GOSTR3411_PARAMS                 = 0x00000251
+	CKA_GOST28147_PARAMS                 = 0x00000252
+	CKA_HW_FEATURE_TYPE                  = 0x00000300
+	CKA_RESET_ON_INIT                    = 0x00000301
+	CKA_HAS_RESET                        = 0x00000302
+	CKA_PIXEL_X                          = 0x00000400
+	CKA_PIXEL_Y                          = 0x00000401
+	CKA_RESOLUTION                       = 0x00000402
+	CKA_CHAR_ROWS                        = 0x00000403
+	CKA_CHAR_COLUMNS                     = 0x00000404
+	CKA_COLOR                            = 0x00000405
+	CKA_BITS_PER_PIXEL                   = 0x00000406
+	CKA_CHAR_SETS                        = 0x00000480
+	CKA_ENCODING_METHODS                 = 0x00000481
+	CKA_MIME_TYPES                       = 0x00000482
+	CKA_MECHANISM_TYPE                   = 0x00000500
+	CKA_REQUIRED_CMS_ATTRIBUTES          = 0x00000501
+	CKA_DEFAULT_CMS_ATTRIBUTES           = 0x00000502
+	CKA_SUPPORTED_CMS_ATTRIBUTES         = 0x00000503
+	CKA_ALLOWED_MECHANISMS               = CKF_ARRAY_ATTRIBUTE | 0x00000600
+	CKA_VENDOR_DEFINED                   = 0x80000000
+	CKM_RSA_PKCS_KEY_PAIR_GEN            = 0x00000000
+	CKM_RSA_PKCS                         = 0x00000001
+	CKM_RSA_9796                         = 0x00000002
+	CKM_RSA_X_509                        = 0x00000003
+	CKM_MD2_RSA_PKCS                     = 0x00000004
+	CKM_MD5_RSA_PKCS                     = 0x00000005
+	CKM_SHA1_RSA_PKCS                    = 0x00000006
+	CKM_RIPEMD128_RSA_PKCS               = 0x00000007
+	CKM_RIPEMD160_RSA_PKCS               = 0x00000008
+	CKM_RSA_PKCS_OAEP                    = 0x00000009
+	CKM_RSA_X9_31_KEY_PAIR_GEN           = 0x0000000A
+	CKM_RSA_X9_31                        = 0x0000000B
+	CKM_SHA1_RSA_X9_31                   = 0x0000000C
+	CKM_RSA_PKCS_PSS                     = 0x0000000D
+	CKM_SHA1_RSA_PKCS_PSS                = 0x0000000E
+	CKM_DSA_KEY_PAIR_GEN                 = 0x00000010
+	CKM_DSA                              = 0x00000011
+	CKM_DSA_SHA1                         = 0x00000012
+	CKM_DSA_FIPS_G_GEN                   = 0x00000013
+	CKM_DSA_SHA224                       = 0x00000014
+	CKM_DSA_SHA256                       = 0x00000015
+	CKM_DSA_SHA384                       = 0x00000016
+	CKM_DSA_SHA512                       = 0x00000017
+	CKM_DSA_SHA3_224                     = 0x00000018
+	CKM_DSA_SHA3_256                     = 0x00000019
+	CKM_DSA_SHA3_384                     = 0x0000001A
+	CKM_DSA_SHA3_512                     = 0x0000001B
+	CKM_DH_PKCS_KEY_PAIR_GEN             = 0x00000020
+	CKM_DH_PKCS_DERIVE                   = 0x00000021
+	CKM_X9_42_DH_KEY_PAIR_GEN            = 0x00000030
+	CKM_X9_42_DH_DERIVE                  = 0x00000031
+	CKM_X9_42_DH_HYBRID_DERIVE           = 0x00000032
+	CKM_X9_42_MQV_DERIVE                 = 0x00000033
+	CKM_SHA256_RSA_PKCS                  = 0x00000040
+	CKM_SHA384_RSA_PKCS                  = 0x00000041
+	CKM_SHA512_RSA_PKCS                  = 0x00000042
+	CKM_SHA256_RSA_PKCS_PSS              = 0x00000043
+	CKM_SHA384_RSA_PKCS_PSS              = 0x00000044
+	CKM_SHA512_RSA_PKCS_PSS              = 0x00000045
+	CKM_SHA224_RSA_PKCS                  = 0x00000046
+	CKM_SHA224_RSA_PKCS_PSS              = 0x00000047
+	CKM_SHA512_224                       = 0x00000048
+	CKM_SHA512_224_HMAC                  = 0x00000049
+	CKM_SHA512_224_HMAC_GENERAL          = 0x0000004A
+	CKM_SHA512_224_KEY_DERIVATION        = 0x0000004B
+	CKM_SHA512_256                       = 0x0000004C
+	CKM_SHA512_256_HMAC                  = 0x0000004D
+	CKM_SHA512_256_HMAC_GENERAL          = 0x0000004E
+	CKM_SHA512_256_KEY_DERIVATION        = 0x0000004F
+	CKM_SHA512_T                         = 0x00000050
+	CKM_SHA512_T_HMAC                    = 0x00000051
+	CKM_SHA512_T_HMAC_GENERAL            = 0x00000052
+	CKM_SHA512_T_KEY_DERIVATION          = 0x00000053
+	CKM_SHA3_256_RSA_PKCS                = 0x00000060
+	CKM_SHA3_384_RSA_PKCS                = 0x00000061
+	CKM_SHA3_512_RSA_PKCS                = 0x00000062
+	CKM_SHA3_256_RSA_PKCS_PSS            = 0x00000063
+	CKM_SHA3_384_RSA_PKCS_PSS            = 0x00000064
+	CKM_SHA3_512_RSA_PKCS_PSS            = 0x00000065
+	CKM_SHA3_224_RSA_PKCS                = 0x00000066
+	CKM_SHA3_224_RSA_PKCS_PSS            = 0x00000067
+	CKM_RC2_KEY_GEN                      = 0x00000100
+	CKM_RC2_ECB                          = 0x00000101
+	CKM_RC2_CBC                          = 0x00000102
+	CKM_RC2_MAC                          = 0x00000103
+	CKM_RC2_MAC_GENERAL                  = 0x00000104
+	CKM_RC2_CBC_PAD                      = 0x00000105
+	CKM_RC4_KEY_GEN                      = 0x00000110
+	CKM_RC4                              = 0x00000111
+	CKM_DES_KEY_GEN                      = 0x00000120
+	CKM_DES_ECB                          = 0x00000121
+	CKM_DES_CBC                          = 0x00000122
+	CKM_DES_MAC                          = 0x00000123
+	CKM_DES_MAC_GENERAL                  = 0x00000124
+	CKM_DES_CBC_PAD                      = 0x00000125
+	CKM_DES2_KEY_GEN                     = 0x00000130
+	CKM_DES3_KEY_GEN                     = 0x00000131
+	CKM_DES3_ECB                         = 0x00000132
+	CKM_DES3_CBC                         = 0x00000133
+	CKM_DES3_MAC                         = 0x00000134
+	CKM_DES3_MAC_GENERAL                 = 0x00000135
+	CKM_DES3_CBC_PAD                     = 0x00000136
+	CKM_DES3_CMAC_GENERAL                = 0x00000137
+	CKM_DES3_CMAC                        = 0x00000138
+	CKM_CDMF_KEY_GEN                     = 0x00000140
+	CKM_CDMF_ECB                         = 0x00000141
+	CKM_CDMF_CBC                         = 0x00000142
+	CKM_CDMF_MAC                         = 0x00000143
+	CKM_CDMF_MAC_GENERAL                 = 0x00000144
+	CKM_CDMF_CBC_PAD                     = 0x00000145
+	CKM_DES_OFB64                        = 0x00000150
+	CKM_DES_OFB8                         = 0x00000151
+	CKM_DES_CFB64                        = 0x00000152
+	CKM_DES_CFB8                         = 0x00000153
+	CKM_MD2                              = 0x00000200
+	CKM_MD2_HMAC                         = 0x00000201
+	CKM_MD2_HMAC_GENERAL                 = 0x00000202
+	CKM_MD5                              = 0x00000210
+	CKM_MD5_HMAC                         = 0x00000211
+	CKM_MD5_HMAC_GENERAL                 = 0x00000212
+	CKM_SHA_1                            = 0x00000220
+	CKM_SHA_1_HMAC                       = 0x00000221
+	CKM_SHA_1_HMAC_GENERAL               = 0x00000222
+	CKM_RIPEMD128                        = 0x00000230
+	CKM_RIPEMD128_HMAC                   = 0x00000231
+	CKM_RIPEMD128_HMAC_GENERAL           = 0x00000232
+	CKM_RIPEMD160                        = 0x00000240
+	CKM_RIPEMD160_HMAC                   = 0x00000241
+	CKM_RIPEMD160_HMAC_GENERAL           = 0x00000242
+	CKM_SHA256                           = 0x00000250
+	CKM_SHA256_HMAC                      = 0x00000251
+	CKM_SHA256_HMAC_GENERAL              = 0x00000252
+	CKM_SHA224                           = 0x00000255
+	CKM_SHA224_HMAC                      = 0x00000256
+	CKM_SHA224_HMAC_GENERAL              = 0x00000257
+	CKM_SHA384                           = 0x00000260
+	CKM_SHA384_HMAC                      = 0x00000261
+	CKM_SHA384_HMAC_GENERAL              = 0x00000262
+	CKM_SHA512                           = 0x00000270
+	CKM_SHA512_HMAC                      = 0x00000271
+	CKM_SHA512_HMAC_GENERAL              = 0x00000272
+	CKM_SECURID_KEY_GEN                  = 0x00000280
+	CKM_SECURID                          = 0x00000282
+	CKM_HOTP_KEY_GEN                     = 0x00000290
+	CKM_HOTP                             = 0x00000291
+	CKM_ACTI                             = 0x000002A0
+	CKM_ACTI_KEY_GEN                     = 0x000002A1
+	CKM_SHA3_256                         = 0x000002B0
+	CKM_SHA3_256_HMAC                    = 0x000002B1
+	CKM_SHA3_256_HMAC_GENERAL            = 0x000002B2
+	CKM_SHA3_256_KEY_GEN                 = 0x000002B3
+	CKM_SHA3_224                         = 0x000002B5
+	CKM_SHA3_224_HMAC                    = 0x000002B6
+	CKM_SHA3_224_HMAC_GENERAL            = 0x000002B7
+	CKM_SHA3_224_KEY_GEN                 = 0x000002B8
+	CKM_SHA3_384                         = 0x000002C0
+	CKM_SHA3_384_HMAC                    = 0x000002C1
+	CKM_SHA3_384_HMAC_GENERAL            = 0x000002C2
+	CKM_SHA3_384_KEY_GEN                 = 0x000002C3
+	CKM_SHA3_512                         = 0x000002D0
+	CKM_SHA3_512_HMAC                    = 0x000002D1
+	CKM_SHA3_512_HMAC_GENERAL            = 0x000002D2
+	CKM_SHA3_512_KEY_GEN                 = 0x000002D3
+	CKM_CAST_KEY_GEN                     = 0x00000300
+	CKM_CAST_ECB                         = 0x00000301
+	CKM_CAST_CBC                         = 0x00000302
+	CKM_CAST_MAC                         = 0x00000303
+	CKM_CAST_MAC_GENERAL                 = 0x00000304
+	CKM_CAST_CBC_PAD                     = 0x00000305
+	CKM_CAST3_KEY_GEN                    = 0x00000310
+	CKM_CAST3_ECB                        = 0x00000311
+	CKM_CAST3_CBC                        = 0x00000312
+	CKM_CAST3_MAC                        = 0x00000313
+	CKM_CAST3_MAC_GENERAL                = 0x00000314
+	CKM_CAST3_CBC_PAD                    = 0x00000315
+	CKM_CAST5_KEY_GEN                    = 0x00000320
+	CKM_CAST128_KEY_GEN                  = 0x00000320
+	CKM_CAST5_ECB                        = 0x00000321
+	CKM_CAST128_ECB                      = 0x00000321
+	CKM_CAST5_CBC                        = 0x00000322
+	CKM_CAST128_CBC                      = 0x00000322
+	CKM_CAST5_MAC                        = 0x00000323
+	CKM_CAST128_MAC                      = 0x00000323
+	CKM_CAST5_MAC_GENERAL                = 0x00000324
+	CKM_CAST128_MAC_GENERAL              = 0x00000324
+	CKM_CAST5_CBC_PAD                    = 0x00000325
+	CKM_CAST128_CBC_PAD                  = 0x00000325
+	CKM_RC5_KEY_GEN                      = 0x00000330
+	CKM_RC5_ECB                          = 0x00000331
+	CKM_RC5_CBC                          = 0x00000332
+	CKM_RC5_MAC                          = 0x00000333
+	CKM_RC5_MAC_GENERAL                  = 0x00000334
+	CKM_RC5_CBC_PAD                      = 0x00000335
+	CKM_IDEA_KEY_GEN                     = 0x00000340
+	CKM_IDEA_ECB                         = 0x00000341
+	CKM_IDEA_CBC                         = 0x00000342
+	CKM_IDEA_MAC                         = 0x00000343
+	CKM_IDEA_MAC_GENERAL                 = 0x00000344
+	CKM_IDEA_CBC_PAD                     = 0x00000345
+	CKM_GENERIC_SECRET_KEY_GEN           = 0x00000350
+	CKM_CONCATENATE_BASE_AND_KEY         = 0x00000360
+	CKM_CONCATENATE_BASE_AND_DATA        = 0x00000362
+	CKM_CONCATENATE_DATA_AND_BASE        = 0x00000363
+	CKM_XOR_BASE_AND_DATA                = 0x00000364
+	CKM_EXTRACT_KEY_FROM_KEY             = 0x00000365
+	CKM_SSL3_PRE_MASTER_KEY_GEN          = 0x00000370
+	CKM_SSL3_MASTER_KEY_DERIVE           = 0x00000371
+	CKM_SSL3_KEY_AND_MAC_DERIVE          = 0x00000372
+	CKM_SSL3_MASTER_KEY_DERIVE_DH        = 0x00000373
+	CKM_TLS_PRE_MASTER_KEY_GEN           = 0x00000374
+	CKM_TLS_MASTER_KEY_DERIVE            = 0x00000375
+	CKM_TLS_KEY_AND_MAC_DERIVE           = 0x00000376
+	CKM_TLS_MASTER_KEY_DERIVE_DH         = 0x00000377
+	CKM_TLS_PRF                          = 0x00000378
+	CKM_SSL3_MD5_MAC                     = 0x00000380
+	CKM_SSL3_SHA1_MAC                    = 0x00000381
+	CKM_MD5_KEY_DERIVATION               = 0x00000390
+	CKM_MD2_KEY_DERIVATION               = 0x00000391
+	CKM_SHA1_KEY_DERIVATION              = 0x00000392
+	CKM_SHA256_KEY_DERIVATION            = 0x00000393
+	CKM_SHA384_KEY_DERIVATION            = 0x00000394
+	CKM_SHA512_KEY_DERIVATION            = 0x00000395
+	CKM_SHA224_KEY_DERIVATION            = 0x00000396
+	CKM_SHA3_256_KEY_DERIVE              = 0x00000397
+	CKM_SHA3_224_KEY_DERIVE              = 0x00000398
+	CKM_SHA3_384_KEY_DERIVE              = 0x00000399
+	CKM_SHA3_512_KEY_DERIVE              = 0x0000039A
+	CKM_SHAKE_128_KEY_DERIVE             = 0x0000039B
+	CKM_SHAKE_256_KEY_DERIVE             = 0x0000039C
+	CKM_PBE_MD2_DES_CBC                  = 0x000003A0
+	CKM_PBE_MD5_DES_CBC                  = 0x000003A1
+	CKM_PBE_MD5_CAST_CBC                 = 0x000003A2
+	CKM_PBE_MD5_CAST3_CBC                = 0x000003A3
+	CKM_PBE_MD5_CAST5_CBC                = 0x000003A4
+	CKM_PBE_MD5_CAST128_CBC              = 0x000003A4
+	CKM_PBE_SHA1_CAST5_CBC               = 0x000003A5
+	CKM_PBE_SHA1_CAST128_CBC             = 0x000003A5
+	CKM_PBE_SHA1_RC4_128                 = 0x000003A6
+	CKM_PBE_SHA1_RC4_40                  = 0x000003A7
+	CKM_PBE_SHA1_DES3_EDE_CBC            = 0x000003A8
+	CKM_PBE_SHA1_DES2_EDE_CBC            = 0x000003A9
+	CKM_PBE_SHA1_RC2_128_CBC             = 0x000003AA
+	CKM_PBE_SHA1_RC2_40_CBC              = 0x000003AB
+	CKM_PKCS5_PBKD2                      = 0x000003B0
+	CKM_PBA_SHA1_WITH_SHA1_HMAC          = 0x000003C0
+	CKM_WTLS_PRE_MASTER_KEY_GEN          = 0x000003D0
+	CKM_WTLS_MASTER_KEY_DERIVE           = 0x000003D1
+	CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC    = 0x000003D2
+	CKM_WTLS_PRF                         = 0x000003D3
+	CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE   = 0x000003D4
+	CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE   = 0x000003D5
+	CKM_TLS10_MAC_SERVER                 = 0x000003D6
+	CKM_TLS10_MAC_CLIENT                 = 0x000003D7
+	CKM_TLS12_MAC                        = 0x000003D8
+	CKM_TLS12_KDF                        = 0x000003D9
+	CKM_TLS12_MASTER_KEY_DERIVE          = 0x000003E0
+	CKM_TLS12_KEY_AND_MAC_DERIVE         = 0x000003E1
+	CKM_TLS12_MASTER_KEY_DERIVE_DH       = 0x000003E2
+	CKM_TLS12_KEY_SAFE_DERIVE            = 0x000003E3
+	CKM_TLS_MAC                          = 0x000003E4
+	CKM_TLS_KDF                          = 0x000003E5
+	CKM_KEY_WRAP_LYNKS                   = 0x00000400
+	CKM_KEY_WRAP_SET_OAEP                = 0x00000401
+	CKM_CMS_SIG                          = 0x00000500
+	CKM_KIP_DERIVE                       = 0x00000510
+	CKM_KIP_WRAP                         = 0x00000511
+	CKM_KIP_MAC                          = 0x00000512
+	CKM_CAMELLIA_KEY_GEN                 = 0x00000550
+	CKM_CAMELLIA_ECB                     = 0x00000551
+	CKM_CAMELLIA_CBC                     = 0x00000552
+	CKM_CAMELLIA_MAC                     = 0x00000553
+	CKM_CAMELLIA_MAC_GENERAL             = 0x00000554
+	CKM_CAMELLIA_CBC_PAD                 = 0x00000555
+	CKM_CAMELLIA_ECB_ENCRYPT_DATA        = 0x00000556
+	CKM_CAMELLIA_CBC_ENCRYPT_DATA        = 0x00000557
+	CKM_CAMELLIA_CTR                     = 0x00000558
+	CKM_ARIA_KEY_GEN                     = 0x00000560
+	CKM_ARIA_ECB                         = 0x00000561
+	CKM_ARIA_CBC                         = 0x00000562
+	CKM_ARIA_MAC                         = 0x00000563
+	CKM_ARIA_MAC_GENERAL                 = 0x00000564
+	CKM_ARIA_CBC_PAD                     = 0x00000565
+	CKM_ARIA_ECB_ENCRYPT_DATA            = 0x00000566
+	CKM_ARIA_CBC_ENCRYPT_DATA            = 0x00000567
+	CKM_SEED_KEY_GEN                     = 0x00000650
+	CKM_SEED_ECB                         = 0x00000651
+	CKM_SEED_CBC                         = 0x00000652
+	CKM_SEED_MAC                         = 0x00000653
+	CKM_SEED_MAC_GENERAL                 = 0x00000654
+	CKM_SEED_CBC_PAD                     = 0x00000655
+	CKM_SEED_ECB_ENCRYPT_DATA            = 0x00000656
+	CKM_SEED_CBC_ENCRYPT_DATA            = 0x00000657
+	CKM_SKIPJACK_KEY_GEN                 = 0x00001000
+	CKM_SKIPJACK_ECB64                   = 0x00001001
+	CKM_SKIPJACK_CBC64                   = 0x00001002
+	CKM_SKIPJACK_OFB64                   = 0x00001003
+	CKM_SKIPJACK_CFB64                   = 0x00001004
+	CKM_SKIPJACK_CFB32                   = 0x00001005
+	CKM_SKIPJACK_CFB16                   = 0x00001006
+	CKM_SKIPJACK_CFB8                    = 0x00001007
+	CKM_SKIPJACK_WRAP                    = 0x00001008
+	CKM_SKIPJACK_PRIVATE_WRAP            = 0x00001009
+	CKM_SKIPJACK_RELAYX                  = 0x0000100a
+	CKM_KEA_KEY_PAIR_GEN                 = 0x00001010
+	CKM_KEA_KEY_DERIVE                   = 0x00001011
+	CKM_KEA_DERIVE                       = 0x00001012
+	CKM_FORTEZZA_TIMESTAMP               = 0x00001020
+	CKM_BATON_KEY_GEN                    = 0x00001030
+	CKM_BATON_ECB128                     = 0x00001031
+	CKM_BATON_ECB96                      = 0x00001032
+	CKM_BATON_CBC128                     = 0x00001033
+	CKM_BATON_COUNTER                    = 0x00001034
+	CKM_BATON_SHUFFLE                    = 0x00001035
+	CKM_BATON_WRAP                       = 0x00001036
+	CKM_ECDSA_KEY_PAIR_GEN               = 0x00001040
+	CKM_EC_KEY_PAIR_GEN                  = 0x00001040
+	CKM_ECDSA                            = 0x00001041
+	CKM_ECDSA_SHA1                       = 0x00001042
+	CKM_ECDSA_SHA224                     = 0x00001043
+	CKM_ECDSA_SHA256                     = 0x00001044
+	CKM_ECDSA_SHA384                     = 0x00001045
+	CKM_ECDSA_SHA512                     = 0x00001046
+	CKM_ECDH1_DERIVE                     = 0x00001050
+	CKM_ECDH1_COFACTOR_DERIVE            = 0x00001051
+	CKM_ECMQV_DERIVE                     = 0x00001052
+	CKM_ECDH_AES_KEY_WRAP                = 0x00001053
+	CKM_RSA_AES_KEY_WRAP                 = 0x00001054
+	CKM_JUNIPER_KEY_GEN                  = 0x00001060
+	CKM_JUNIPER_ECB128                   = 0x00001061
+	CKM_JUNIPER_CBC128                   = 0x00001062
+	CKM_JUNIPER_COUNTER                  = 0x00001063
+	CKM_JUNIPER_SHUFFLE                  = 0x00001064
+	CKM_JUNIPER_WRAP                     = 0x00001065
+	CKM_FASTHASH                         = 0x00001070
+	CKM_AES_KEY_GEN                      = 0x00001080
+	CKM_AES_ECB                          = 0x00001081
+	CKM_AES_CBC                          = 0x00001082
+	CKM_AES_MAC                          = 0x00001083
+	CKM_AES_MAC_GENERAL                  = 0x00001084
+	CKM_AES_CBC_PAD                      = 0x00001085
+	CKM_AES_CTR                          = 0x00001086
+	CKM_AES_GCM                          = 0x00001087
+	CKM_AES_CCM                          = 0x00001088
+	CKM_AES_CMAC_GENERAL                 = 0x00001089
+	CKM_AES_CMAC                         = 0x0000108A
+	CKM_AES_CTS                          = 0x0000108B
+	CKM_AES_XCBC_MAC                     = 0x0000108C
+	CKM_AES_XCBC_MAC_96                  = 0x0000108D
+	CKM_AES_GMAC                         = 0x0000108E
+	CKM_BLOWFISH_KEY_GEN                 = 0x00001090
+	CKM_BLOWFISH_CBC                     = 0x00001091
+	CKM_TWOFISH_KEY_GEN                  = 0x00001092
+	CKM_TWOFISH_CBC                      = 0x00001093
+	CKM_BLOWFISH_CBC_PAD                 = 0x00001094
+	CKM_TWOFISH_CBC_PAD                  = 0x00001095
+	CKM_DES_ECB_ENCRYPT_DATA             = 0x00001100
+	CKM_DES_CBC_ENCRYPT_DATA             = 0x00001101
+	CKM_DES3_ECB_ENCRYPT_DATA            = 0x00001102
+	CKM_DES3_CBC_ENCRYPT_DATA            = 0x00001103
+	CKM_AES_ECB_ENCRYPT_DATA             = 0x00001104
+	CKM_AES_CBC_ENCRYPT_DATA             = 0x00001105
+	CKM_GOSTR3410_KEY_PAIR_GEN           = 0x00001200
+	CKM_GOSTR3410                        = 0x00001201
+	CKM_GOSTR3410_WITH_GOSTR3411         = 0x00001202
+	CKM_GOSTR3410_KEY_WRAP               = 0x00001203
+	CKM_GOSTR3410_DERIVE                 = 0x00001204
+	CKM_GOSTR3411                        = 0x00001210
+	CKM_GOSTR3411_HMAC                   = 0x00001211
+	CKM_GOST28147_KEY_GEN                = 0x00001220
+	CKM_GOST28147_ECB                    = 0x00001221
+	CKM_GOST28147                        = 0x00001222
+	CKM_GOST28147_MAC                    = 0x00001223
+	CKM_GOST28147_KEY_WRAP               = 0x00001224
+	CKM_DSA_PARAMETER_GEN                = 0x00002000
+	CKM_DH_PKCS_PARAMETER_GEN            = 0x00002001
+	CKM_X9_42_DH_PARAMETER_GEN           = 0x00002002
+	CKM_DSA_PROBABLISTIC_PARAMETER_GEN   = 0x00002003
+	CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN   = 0x00002004
+	CKM_AES_OFB                          = 0x00002104
+	CKM_AES_CFB64                        = 0x00002105
+	CKM_AES_CFB8                         = 0x00002106
+	CKM_AES_CFB128                       = 0x00002107
+	CKM_AES_CFB1                         = 0x00002108
+	CKM_AES_KEY_WRAP                     = 0x00002109
+	CKM_AES_KEY_WRAP_PAD                 = 0x0000210A
+	CKM_RSA_PKCS_TPM_1_1                 = 0x00004001
+	CKM_RSA_PKCS_OAEP_TPM_1_1            = 0x00004002
+	CKM_VENDOR_DEFINED                   = 0x80000000
+	CKF_HW                               = 0x00000001
+	CKF_ENCRYPT                          = 0x00000100
+	CKF_DECRYPT                          = 0x00000200
+	CKF_DIGEST                           = 0x00000400
+	CKF_SIGN                             = 0x00000800
+	CKF_SIGN_RECOVER                     = 0x00001000
+	CKF_VERIFY                           = 0x00002000
+	CKF_VERIFY_RECOVER                   = 0x00004000
+	CKF_GENERATE                         = 0x00008000
+	CKF_GENERATE_KEY_PAIR                = 0x00010000
+	CKF_WRAP                             = 0x00020000
+	CKF_UNWRAP                           = 0x00040000
+	CKF_DERIVE                           = 0x00080000
+	CKF_EC_F_P                           = 0x00100000
+	CKF_EC_F_2M                          = 0x00200000
+	CKF_EC_ECPARAMETERS                  = 0x00400000
+	CKF_EC_NAMEDCURVE                    = 0x00800000
+	CKF_EC_UNCOMPRESS                    = 0x01000000
+	CKF_EC_COMPRESS                      = 0x02000000
+	CKF_EXTENSION                        = 0x80000000
+	CKR_OK                               = 0x00000000
+	CKR_CANCEL                           = 0x00000001
+	CKR_HOST_MEMORY                      = 0x00000002
+	CKR_SLOT_ID_INVALID                  = 0x00000003
+	CKR_GENERAL_ERROR                    = 0x00000005
+	CKR_FUNCTION_FAILED                  = 0x00000006
+	CKR_ARGUMENTS_BAD                    = 0x00000007
+	CKR_NO_EVENT                         = 0x00000008
+	CKR_NEED_TO_CREATE_THREADS           = 0x00000009
+	CKR_CANT_LOCK                        = 0x0000000A
+	CKR_ATTRIBUTE_READ_ONLY              = 0x00000010
+	CKR_ATTRIBUTE_SENSITIVE              = 0x00000011
+	CKR_ATTRIBUTE_TYPE_INVALID           = 0x00000012
+	CKR_ATTRIBUTE_VALUE_INVALID          = 0x00000013
+	CKR_ACTION_PROHIBITED                = 0x0000001B
+	CKR_DATA_INVALID                     = 0x00000020
+	CKR_DATA_LEN_RANGE                   = 0x00000021
+	CKR_DEVICE_ERROR                     = 0x00000030
+	CKR_DEVICE_MEMORY                    = 0x00000031
+	CKR_DEVICE_REMOVED                   = 0x00000032
+	CKR_ENCRYPTED_DATA_INVALID           = 0x00000040
+	CKR_ENCRYPTED_DATA_LEN_RANGE         = 0x00000041
+	CKR_FUNCTION_CANCELED                = 0x00000050
+	CKR_FUNCTION_NOT_PARALLEL            = 0x00000051
+	CKR_FUNCTION_NOT_SUPPORTED           = 0x00000054
+	CKR_KEY_HANDLE_INVALID               = 0x00000060
+	CKR_KEY_SIZE_RANGE                   = 0x00000062
+	CKR_KEY_TYPE_INCONSISTENT            = 0x00000063
+	CKR_KEY_NOT_NEEDED                   = 0x00000064
+	CKR_KEY_CHANGED                      = 0x00000065
+	CKR_KEY_NEEDED                       = 0x00000066
+	CKR_KEY_INDIGESTIBLE                 = 0x00000067
+	CKR_KEY_FUNCTION_NOT_PERMITTED       = 0x00000068
+	CKR_KEY_NOT_WRAPPABLE                = 0x00000069
+	CKR_KEY_UNEXTRACTABLE                = 0x0000006A
+	CKR_MECHANISM_INVALID                = 0x00000070
+	CKR_MECHANISM_PARAM_INVALID          = 0x00000071
+	CKR_OBJECT_HANDLE_INVALID            = 0x00000082
+	CKR_OPERATION_ACTIVE                 = 0x00000090
+	CKR_OPERATION_NOT_INITIALIZED        = 0x00000091
+	CKR_PIN_INCORRECT                    = 0x000000A0
+	CKR_PIN_INVALID                      = 0x000000A1
+	CKR_PIN_LEN_RANGE                    = 0x000000A2
+	CKR_PIN_EXPIRED                      = 0x000000A3
+	CKR_PIN_LOCKED                       = 0x000000A4
+	CKR_SESSION_CLOSED                   = 0x000000B0
+	CKR_SESSION_COUNT                    = 0x000000B1
+	CKR_SESSION_HANDLE_INVALID           = 0x000000B3
+	CKR_SESSION_PARALLEL_NOT_SUPPORTED   = 0x000000B4
+	CKR_SESSION_READ_ONLY                = 0x000000B5
+	CKR_SESSION_EXISTS                   = 0x000000B6
+	CKR_SESSION_READ_ONLY_EXISTS         = 0x000000B7
+	CKR_SESSION_READ_WRITE_SO_EXISTS     = 0x000000B8
+	CKR_SIGNATURE_INVALID                = 0x000000C0
+	CKR_SIGNATURE_LEN_RANGE              = 0x000000C1
+	CKR_TEMPLATE_INCOMPLETE              = 0x000000D0
+	CKR_TEMPLATE_INCONSISTENT            = 0x000000D1
+	CKR_TOKEN_NOT_PRESENT                = 0x000000E0
+	CKR_TOKEN_NOT_RECOGNIZED             = 0x000000E1
+	CKR_TOKEN_WRITE_PROTECTED            = 0x000000E2
+	CKR_UNWRAPPING_KEY_HANDLE_INVALID    = 0x000000F0
+	CKR_UNWRAPPING_KEY_SIZE_RANGE        = 0x000000F1
+	CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x000000F2
+	CKR_USER_ALREADY_LOGGED_IN           = 0x00000100
+	CKR_USER_NOT_LOGGED_IN               = 0x00000101
+	CKR_USER_PIN_NOT_INITIALIZED         = 0x00000102
+	CKR_USER_TYPE_INVALID                = 0x00000103
+	CKR_USER_ANOTHER_ALREADY_LOGGED_IN   = 0x00000104
+	CKR_USER_TOO_MANY_TYPES              = 0x00000105
+	CKR_WRAPPED_KEY_INVALID              = 0x00000110
+	CKR_WRAPPED_KEY_LEN_RANGE            = 0x00000112
+	CKR_WRAPPING_KEY_HANDLE_INVALID      = 0x00000113
+	CKR_WRAPPING_KEY_SIZE_RANGE          = 0x00000114
+	CKR_WRAPPING_KEY_TYPE_INCONSISTENT   = 0x00000115
+	CKR_RANDOM_SEED_NOT_SUPPORTED        = 0x00000120
+	CKR_RANDOM_NO_RNG                    = 0x00000121
+	CKR_DOMAIN_PARAMS_INVALID            = 0x00000130
+	CKR_CURVE_NOT_SUPPORTED              = 0x00000140
+	CKR_BUFFER_TOO_SMALL                 = 0x00000150
+	CKR_SAVED_STATE_INVALID              = 0x00000160
+	CKR_INFORMATION_SENSITIVE            = 0x00000170
+	CKR_STATE_UNSAVEABLE                 = 0x00000180
+	CKR_CRYPTOKI_NOT_INITIALIZED         = 0x00000190
+	CKR_CRYPTOKI_ALREADY_INITIALIZED     = 0x00000191
+	CKR_MUTEX_BAD                        = 0x000001A0
+	CKR_MUTEX_NOT_LOCKED                 = 0x000001A1
+	CKR_NEW_PIN_MODE                     = 0x000001B0
+	CKR_NEXT_OTP                         = 0x000001B1
+	CKR_EXCEEDED_MAX_ITERATIONS          = 0x000001C0
+	CKR_FIPS_SELF_TEST_FAILED            = 0x000001C1
+	CKR_LIBRARY_LOAD_FAILED              = 0x000001C2
+	CKR_PIN_TOO_WEAK                     = 0x000001C3
+	CKR_PUBLIC_KEY_INVALID               = 0x000001C4
+	CKR_FUNCTION_REJECTED                = 0x00000200
+	CKR_VENDOR_DEFINED                   = 0x80000000
+	CKF_LIBRARY_CANT_CREATE_OS_THREADS   = 0x00000001
+	CKF_OS_LOCKING_OK                    = 0x00000002
+	CKF_DONT_BLOCK                       = 1
+	CKF_NEXT_OTP                         = 0x00000001
+	CKF_EXCLUDE_TIME                     = 0x00000002
+	CKF_EXCLUDE_COUNTER                  = 0x00000004
+	CKF_EXCLUDE_CHALLENGE                = 0x00000008
+	CKF_EXCLUDE_PIN                      = 0x00000010
+	CKF_USER_FRIENDLY_OTP                = 0x00000020
+	CKD_NULL                             = 0x00000001
+	CKD_SHA1_KDF                         = 0x00000002
+)
+
+// Special return values defined in PKCS#11 v2.40 section 3.2.
+const (
+	// CK_EFFECTIVELY_INFINITE may be returned in the CK_TOKEN_INFO fields ulMaxSessionCount and ulMaxRwSessionCount.
+	// It indicates there is no practical limit on the number of sessions.
+	CK_EFFECTIVELY_INFINITE = 0
+
+	// CK_UNAVAILABLE_INFORMATION may be returned for several fields within CK_TOKEN_INFO. It indicates
+	// the token is unable or unwilling to provide the requested information.
+	CK_UNAVAILABLE_INFORMATION = ^uint(0)
+)
diff --git a/vendor/github.com/miekg/pkcs11/error.go b/vendor/github.com/miekg/pkcs11/error.go
new file mode 100644
index 000000000..7df0e93a6
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/error.go
@@ -0,0 +1,98 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+// awk '/#define CKR_/{ print $3":\""$2"\"," }' pkcs11t.h
+
+var strerror = map[uint]string{
+	0x00000000: "CKR_OK",
+	0x00000001: "CKR_CANCEL",
+	0x00000002: "CKR_HOST_MEMORY",
+	0x00000003: "CKR_SLOT_ID_INVALID",
+	0x00000005: "CKR_GENERAL_ERROR",
+	0x00000006: "CKR_FUNCTION_FAILED",
+	0x00000007: "CKR_ARGUMENTS_BAD",
+	0x00000008: "CKR_NO_EVENT",
+	0x00000009: "CKR_NEED_TO_CREATE_THREADS",
+	0x0000000A: "CKR_CANT_LOCK",
+	0x00000010: "CKR_ATTRIBUTE_READ_ONLY",
+	0x00000011: "CKR_ATTRIBUTE_SENSITIVE",
+	0x00000012: "CKR_ATTRIBUTE_TYPE_INVALID",
+	0x00000013: "CKR_ATTRIBUTE_VALUE_INVALID",
+	0x00000020: "CKR_DATA_INVALID",
+	0x00000021: "CKR_DATA_LEN_RANGE",
+	0x00000030: "CKR_DEVICE_ERROR",
+	0x00000031: "CKR_DEVICE_MEMORY",
+	0x00000032: "CKR_DEVICE_REMOVED",
+	0x00000040: "CKR_ENCRYPTED_DATA_INVALID",
+	0x00000041: "CKR_ENCRYPTED_DATA_LEN_RANGE",
+	0x00000050: "CKR_FUNCTION_CANCELED",
+	0x00000051: "CKR_FUNCTION_NOT_PARALLEL",
+	0x00000054: "CKR_FUNCTION_NOT_SUPPORTED",
+	0x00000060: "CKR_KEY_HANDLE_INVALID",
+	0x00000062: "CKR_KEY_SIZE_RANGE",
+	0x00000063: "CKR_KEY_TYPE_INCONSISTENT",
+	0x00000064: "CKR_KEY_NOT_NEEDED",
+	0x00000065: "CKR_KEY_CHANGED",
+	0x00000066: "CKR_KEY_NEEDED",
+	0x00000067: "CKR_KEY_INDIGESTIBLE",
+	0x00000068: "CKR_KEY_FUNCTION_NOT_PERMITTED",
+	0x00000069: "CKR_KEY_NOT_WRAPPABLE",
+	0x0000006A: "CKR_KEY_UNEXTRACTABLE",
+	0x00000070: "CKR_MECHANISM_INVALID",
+	0x00000071: "CKR_MECHANISM_PARAM_INVALID",
+	0x00000082: "CKR_OBJECT_HANDLE_INVALID",
+	0x00000090: "CKR_OPERATION_ACTIVE",
+	0x00000091: "CKR_OPERATION_NOT_INITIALIZED",
+	0x000000A0: "CKR_PIN_INCORRECT",
+	0x000000A1: "CKR_PIN_INVALID",
+	0x000000A2: "CKR_PIN_LEN_RANGE",
+	0x000000A3: "CKR_PIN_EXPIRED",
+	0x000000A4: "CKR_PIN_LOCKED",
+	0x000000B0: "CKR_SESSION_CLOSED",
+	0x000000B1: "CKR_SESSION_COUNT",
+	0x000000B3: "CKR_SESSION_HANDLE_INVALID",
+	0x000000B4: "CKR_SESSION_PARALLEL_NOT_SUPPORTED",
+	0x000000B5: "CKR_SESSION_READ_ONLY",
+	0x000000B6: "CKR_SESSION_EXISTS",
+	0x000000B7: "CKR_SESSION_READ_ONLY_EXISTS",
+	0x000000B8: "CKR_SESSION_READ_WRITE_SO_EXISTS",
+	0x000000C0: "CKR_SIGNATURE_INVALID",
+	0x000000C1: "CKR_SIGNATURE_LEN_RANGE",
+	0x000000D0: "CKR_TEMPLATE_INCOMPLETE",
+	0x000000D1: "CKR_TEMPLATE_INCONSISTENT",
+	0x000000E0: "CKR_TOKEN_NOT_PRESENT",
+	0x000000E1: "CKR_TOKEN_NOT_RECOGNIZED",
+	0x000000E2: "CKR_TOKEN_WRITE_PROTECTED",
+	0x000000F0: "CKR_UNWRAPPING_KEY_HANDLE_INVALID",
+	0x000000F1: "CKR_UNWRAPPING_KEY_SIZE_RANGE",
+	0x000000F2: "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT",
+	0x00000100: "CKR_USER_ALREADY_LOGGED_IN",
+	0x00000101: "CKR_USER_NOT_LOGGED_IN",
+	0x00000102: "CKR_USER_PIN_NOT_INITIALIZED",
+	0x00000103: "CKR_USER_TYPE_INVALID",
+	0x00000104: "CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
+	0x00000105: "CKR_USER_TOO_MANY_TYPES",
+	0x00000110: "CKR_WRAPPED_KEY_INVALID",
+	0x00000112: "CKR_WRAPPED_KEY_LEN_RANGE",
+	0x00000113: "CKR_WRAPPING_KEY_HANDLE_INVALID",
+	0x00000114: "CKR_WRAPPING_KEY_SIZE_RANGE",
+	0x00000115: "CKR_WRAPPING_KEY_TYPE_INCONSISTENT",
+	0x00000120: "CKR_RANDOM_SEED_NOT_SUPPORTED",
+	0x00000121: "CKR_RANDOM_NO_RNG",
+	0x00000130: "CKR_DOMAIN_PARAMS_INVALID",
+	0x00000150: "CKR_BUFFER_TOO_SMALL",
+	0x00000160: "CKR_SAVED_STATE_INVALID",
+	0x00000170: "CKR_INFORMATION_SENSITIVE",
+	0x00000180: "CKR_STATE_UNSAVEABLE",
+	0x00000190: "CKR_CRYPTOKI_NOT_INITIALIZED",
+	0x00000191: "CKR_CRYPTOKI_ALREADY_INITIALIZED",
+	0x000001A0: "CKR_MUTEX_BAD",
+	0x000001A1: "CKR_MUTEX_NOT_LOCKED",
+	0x000001B0: "CKR_NEW_PIN_MODE",
+	0x000001B1: "CKR_NEXT_OTP",
+	0x00000200: "CKR_FUNCTION_REJECTED",
+	0x80000000: "CKR_VENDOR_DEFINED",
+}
diff --git a/vendor/github.com/miekg/pkcs11/go.mod b/vendor/github.com/miekg/pkcs11/go.mod
new file mode 100644
index 000000000..704296fc9
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/go.mod
@@ -0,0 +1,3 @@
+module github.com/miekg/pkcs11
+
+go 1.12
diff --git a/vendor/github.com/miekg/pkcs11/hsm.db b/vendor/github.com/miekg/pkcs11/hsm.db
new file mode 100644
index 000000000..eb3f10dad
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/hsm.db
diff --git a/vendor/github.com/miekg/pkcs11/params.go b/vendor/github.com/miekg/pkcs11/params.go
new file mode 100644
index 000000000..6d9ce96ae
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/params.go
@@ -0,0 +1,190 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+/*
+#include <stdlib.h>
+#include <string.h>
+#include "pkcs11go.h"
+
+static inline void putOAEPParams(CK_RSA_PKCS_OAEP_PARAMS_PTR params, CK_VOID_PTR pSourceData, CK_ULONG ulSourceDataLen)
+{
+	params->pSourceData = pSourceData;
+	params->ulSourceDataLen = ulSourceDataLen;
+}
+
+static inline void putECDH1SharedParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pSharedData, CK_ULONG ulSharedDataLen)
+{
+	params->pSharedData = pSharedData;
+	params->ulSharedDataLen = ulSharedDataLen;
+}
+
+static inline void putECDH1PublicParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pPublicData, CK_ULONG ulPublicDataLen)
+{
+	params->pPublicData = pPublicData;
+	params->ulPublicDataLen = ulPublicDataLen;
+}
+*/
+import "C"
+import "unsafe"
+
+// GCMParams represents the parameters for the AES-GCM mechanism.
+type GCMParams struct {
+	arena
+	params  *C.CK_GCM_PARAMS
+	iv      []byte
+	aad     []byte
+	tagSize int
+}
+
+// NewGCMParams returns a pointer to AES-GCM parameters that can be used with the CKM_AES_GCM mechanism.
+// The Free() method must be called after the operation is complete.
+//
+// Note that some HSMs, like CloudHSM, will ignore the IV you pass in and write their
+// own. As a result, to support all libraries, memory is not freed
+// automatically, so that after the EncryptInit/Encrypt operation the HSM's IV
+// can be read back out. It is up to the caller to ensure that Free() is called
+// on the GCMParams object at an appropriate time, which is after
+//
+// Encrypt/Decrypt. As an example:
+//
+//    gcmParams := pkcs11.NewGCMParams(make([]byte, 12), nil, 128)
+//    p.ctx.EncryptInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_AES_GCM, gcmParams)},
+//			aesObjHandle)
+//    ct, _ := p.ctx.Encrypt(session, pt)
+//    iv := gcmParams.IV()
+//    gcmParams.Free()
+//
+func NewGCMParams(iv, aad []byte, tagSize int) *GCMParams {
+	return &GCMParams{
+		iv:      iv,
+		aad:     aad,
+		tagSize: tagSize,
+	}
+}
+
+func cGCMParams(p *GCMParams) []byte {
+	params := C.CK_GCM_PARAMS{
+		ulTagBits: C.CK_ULONG(p.tagSize),
+	}
+	var arena arena
+	if len(p.iv) > 0 {
+		iv, ivLen := arena.Allocate(p.iv)
+		params.pIv = C.CK_BYTE_PTR(iv)
+		params.ulIvLen = ivLen
+		params.ulIvBits = ivLen * 8
+	}
+	if len(p.aad) > 0 {
+		aad, aadLen := arena.Allocate(p.aad)
+		params.pAAD = C.CK_BYTE_PTR(aad)
+		params.ulAADLen = aadLen
+	}
+	p.Free()
+	p.arena = arena
+	p.params = &params
+	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params)))
+}
+
+// IV returns a copy of the actual IV used for the operation.
+//
+// Some HSMs may ignore the user-specified IV and write their own at the end of
+// the encryption operation; this method allows you to retrieve it.
+func (p *GCMParams) IV() []byte {
+	if p == nil || p.params == nil {
+		return nil
+	}
+	newIv := C.GoBytes(unsafe.Pointer(p.params.pIv), C.int(p.params.ulIvLen))
+	iv := make([]byte, len(newIv))
+	copy(iv, newIv)
+	return iv
+}
+
+// Free deallocates the memory reserved for the HSM to write back the actual IV.
+//
+// This must be called after the entire operation is complete, i.e. after
+// Encrypt or EncryptFinal. It is safe to call Free multiple times.
+func (p *GCMParams) Free() {
+	if p == nil || p.arena == nil {
+		return
+	}
+	p.arena.Free()
+	p.params = nil
+	p.arena = nil
+}
+
+// NewPSSParams creates a CK_RSA_PKCS_PSS_PARAMS structure and returns it as a byte array for use with the CKM_RSA_PKCS_PSS mechanism.
+func NewPSSParams(hashAlg, mgf, saltLength uint) []byte {
+	p := C.CK_RSA_PKCS_PSS_PARAMS{
+		hashAlg: C.CK_MECHANISM_TYPE(hashAlg),
+		mgf:     C.CK_RSA_PKCS_MGF_TYPE(mgf),
+		sLen:    C.CK_ULONG(saltLength),
+	}
+	return C.GoBytes(unsafe.Pointer(&p), C.int(unsafe.Sizeof(p)))
+}
+
+// OAEPParams can be passed to NewMechanism to implement CKM_RSA_PKCS_OAEP.
+type OAEPParams struct {
+	HashAlg    uint
+	MGF        uint
+	SourceType uint
+	SourceData []byte
+}
+
+// NewOAEPParams creates a CK_RSA_PKCS_OAEP_PARAMS structure suitable for use with the CKM_RSA_PKCS_OAEP mechanism.
+func NewOAEPParams(hashAlg, mgf, sourceType uint, sourceData []byte) *OAEPParams {
+	return &OAEPParams{
+		HashAlg:    hashAlg,
+		MGF:        mgf,
+		SourceType: sourceType,
+		SourceData: sourceData,
+	}
+}
+
+func cOAEPParams(p *OAEPParams, arena arena) ([]byte, arena) {
+	params := C.CK_RSA_PKCS_OAEP_PARAMS{
+		hashAlg: C.CK_MECHANISM_TYPE(p.HashAlg),
+		mgf:     C.CK_RSA_PKCS_MGF_TYPE(p.MGF),
+		source:  C.CK_RSA_PKCS_OAEP_SOURCE_TYPE(p.SourceType),
+	}
+	if len(p.SourceData) != 0 {
+		buf, len := arena.Allocate(p.SourceData)
+		// field is unaligned on windows so this has to call into C
+		C.putOAEPParams(&params, buf, len)
+	}
+	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
+}
+
+// ECDH1DeriveParams can be passed to NewMechanism to implement CK_ECDH1_DERIVE_PARAMS.
+type ECDH1DeriveParams struct {
+	KDF           uint
+	SharedData    []byte
+	PublicKeyData []byte
+}
+
+// NewECDH1DeriveParams creates a CK_ECDH1_DERIVE_PARAMS structure suitable for use with the CKM_ECDH1_DERIVE mechanism.
+func NewECDH1DeriveParams(kdf uint, sharedData []byte, publicKeyData []byte) *ECDH1DeriveParams {
+	return &ECDH1DeriveParams{
+		KDF:           kdf,
+		SharedData:    sharedData,
+		PublicKeyData: publicKeyData,
+	}
+}
+
+func cECDH1DeriveParams(p *ECDH1DeriveParams, arena arena) ([]byte, arena) {
+	params := C.CK_ECDH1_DERIVE_PARAMS{
+		kdf: C.CK_EC_KDF_TYPE(p.KDF),
+	}
+
+	// SharedData MUST be null if key derivation function (KDF) is CKD_NULL
+	if len(p.SharedData) != 0 {
+		sharedData, sharedDataLen := arena.Allocate(p.SharedData)
+		C.putECDH1SharedParams(&params, sharedData, sharedDataLen)
+	}
+
+	publicKeyData, publicKeyDataLen := arena.Allocate(p.PublicKeyData)
+	C.putECDH1PublicParams(&params, publicKeyData, publicKeyDataLen)
+
+	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
+}
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11.go b/vendor/github.com/miekg/pkcs11/pkcs11.go
new file mode 100644
index 000000000..e21d23b73
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11.go
@@ -0,0 +1,1606 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package pkcs11 is a wrapper around the PKCS#11 cryptographic library.
+package pkcs11
+
+// It is *assumed*, that:
+//
+// * Go's uint size == PKCS11's CK_ULONG size
+// * CK_ULONG never overflows an Go int
+
+/*
+#cgo windows CFLAGS: -DPACKED_STRUCTURES
+#cgo linux LDFLAGS: -ldl
+#cgo darwin LDFLAGS: -ldl
+#cgo openbsd LDFLAGS: -ldl
+#cgo freebsd LDFLAGS: -ldl
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "pkcs11go.h"
+
+#ifdef _WIN32
+#include <windows.h>
+
+struct ctx {
+	HMODULE handle;
+	CK_FUNCTION_LIST_PTR sym;
+};
+
+// New initializes a ctx and fills the symbol table.
+struct ctx *New(const char *module)
+{
+	CK_C_GetFunctionList list;
+	struct ctx *c = calloc(1, sizeof(struct ctx));
+	c->handle = LoadLibrary(module);
+	if (c->handle == NULL) {
+		free(c);
+		return NULL;
+	}
+	list = (CK_C_GetFunctionList) GetProcAddress(c->handle, "C_GetFunctionList");
+	if (list == NULL) {
+		free(c);
+		return NULL;
+	}
+	list(&c->sym);
+	return c;
+}
+
+// Destroy cleans up a ctx.
+void Destroy(struct ctx *c)
+{
+	if (!c) {
+		return;
+	}
+	free(c);
+}
+#else
+#include <dlfcn.h>
+
+struct ctx {
+	void *handle;
+	CK_FUNCTION_LIST_PTR sym;
+};
+
+// New initializes a ctx and fills the symbol table.
+struct ctx *New(const char *module)
+{
+	CK_C_GetFunctionList list;
+	struct ctx *c = calloc(1, sizeof(struct ctx));
+	c->handle = dlopen(module, RTLD_LAZY);
+	if (c->handle == NULL) {
+		free(c);
+		return NULL;
+	}
+	list = (CK_C_GetFunctionList) dlsym(c->handle, "C_GetFunctionList");
+	if (list == NULL) {
+		free(c);
+		return NULL;
+	}
+	list(&c->sym);
+	return c;
+}
+
+// Destroy cleans up a ctx.
+void Destroy(struct ctx *c)
+{
+	if (!c) {
+		return;
+	}
+	if (c->handle == NULL) {
+		return;
+	}
+	if (dlclose(c->handle) < 0) {
+		return;
+	}
+	free(c);
+}
+#endif
+
+CK_RV Initialize(struct ctx * c)
+{
+	CK_C_INITIALIZE_ARGS args;
+	memset(&args, 0, sizeof(args));
+	args.flags = CKF_OS_LOCKING_OK;
+	return c->sym->C_Initialize(&args);
+}
+
+CK_RV Finalize(struct ctx * c)
+{
+	return c->sym->C_Finalize(NULL);
+}
+
+CK_RV GetInfo(struct ctx * c, ckInfoPtr info)
+{
+	CK_INFO p;
+	CK_RV e = c->sym->C_GetInfo(&p);
+	if (e != CKR_OK) {
+		return e;
+	}
+	info->cryptokiVersion = p.cryptokiVersion;
+	memcpy(info->manufacturerID, p.manufacturerID, sizeof(p.manufacturerID));
+	info->flags = p.flags;
+	memcpy(info->libraryDescription, p.libraryDescription, sizeof(p.libraryDescription));
+	info->libraryVersion = p.libraryVersion;
+	return e;
+}
+
+CK_RV GetSlotList(struct ctx * c, CK_BBOOL tokenPresent,
+		  CK_ULONG_PTR * slotList, CK_ULONG_PTR ulCount)
+{
+	CK_RV e = c->sym->C_GetSlotList(tokenPresent, NULL, ulCount);
+	if (e != CKR_OK) {
+		return e;
+	}
+	*slotList = calloc(*ulCount, sizeof(CK_SLOT_ID));
+	e = c->sym->C_GetSlotList(tokenPresent, *slotList, ulCount);
+	return e;
+}
+
+CK_RV GetSlotInfo(struct ctx * c, CK_ULONG slotID, CK_SLOT_INFO_PTR info)
+{
+	CK_RV e = c->sym->C_GetSlotInfo((CK_SLOT_ID) slotID, info);
+	return e;
+}
+
+CK_RV GetTokenInfo(struct ctx * c, CK_ULONG slotID, CK_TOKEN_INFO_PTR info)
+{
+	CK_RV e = c->sym->C_GetTokenInfo((CK_SLOT_ID) slotID, info);
+	return e;
+}
+
+CK_RV GetMechanismList(struct ctx * c, CK_ULONG slotID,
+		       CK_ULONG_PTR * mech, CK_ULONG_PTR mechlen)
+{
+	CK_RV e =
+	    c->sym->C_GetMechanismList((CK_SLOT_ID) slotID, NULL, mechlen);
+	// Gemaltos PKCS11 implementation returns CKR_BUFFER_TOO_SMALL on a NULL ptr instad of CKR_OK as the spec states.
+	if (e != CKR_OK && e != CKR_BUFFER_TOO_SMALL) {
+		return e;
+	}
+	*mech = calloc(*mechlen, sizeof(CK_MECHANISM_TYPE));
+	e = c->sym->C_GetMechanismList((CK_SLOT_ID) slotID,
+				       (CK_MECHANISM_TYPE_PTR) * mech, mechlen);
+	return e;
+}
+
+CK_RV GetMechanismInfo(struct ctx * c, CK_ULONG slotID, CK_MECHANISM_TYPE mech,
+		       CK_MECHANISM_INFO_PTR info)
+{
+	CK_RV e = c->sym->C_GetMechanismInfo((CK_SLOT_ID) slotID, mech, info);
+	return e;
+}
+
+CK_RV InitToken(struct ctx * c, CK_ULONG slotID, char *pin, CK_ULONG pinlen,
+		char *label)
+{
+	CK_RV e =
+	    c->sym->C_InitToken((CK_SLOT_ID) slotID, (CK_UTF8CHAR_PTR) pin,
+				pinlen, (CK_UTF8CHAR_PTR) label);
+	return e;
+}
+
+CK_RV InitPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *pin, CK_ULONG pinlen)
+{
+	CK_RV e = c->sym->C_InitPIN(sh, (CK_UTF8CHAR_PTR) pin, pinlen);
+	return e;
+}
+
+CK_RV SetPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *oldpin,
+	     CK_ULONG oldpinlen, char *newpin, CK_ULONG newpinlen)
+{
+	CK_RV e = c->sym->C_SetPIN(sh, (CK_UTF8CHAR_PTR) oldpin, oldpinlen,
+				   (CK_UTF8CHAR_PTR) newpin, newpinlen);
+	return e;
+}
+
+CK_RV OpenSession(struct ctx * c, CK_ULONG slotID, CK_ULONG flags,
+		  CK_SESSION_HANDLE_PTR session)
+{
+	CK_RV e =
+	    c->sym->C_OpenSession((CK_SLOT_ID) slotID, (CK_FLAGS) flags, NULL,
+				  NULL, session);
+	return e;
+}
+
+CK_RV CloseSession(struct ctx * c, CK_SESSION_HANDLE session)
+{
+	CK_RV e = c->sym->C_CloseSession(session);
+	return e;
+}
+
+CK_RV CloseAllSessions(struct ctx * c, CK_ULONG slotID)
+{
+	CK_RV e = c->sym->C_CloseAllSessions(slotID);
+	return e;
+}
+
+CK_RV GetSessionInfo(struct ctx * c, CK_SESSION_HANDLE session,
+		     CK_SESSION_INFO_PTR info)
+{
+	CK_RV e = c->sym->C_GetSessionInfo(session, info);
+	return e;
+}
+
+CK_RV GetOperationState(struct ctx * c, CK_SESSION_HANDLE session,
+			CK_BYTE_PTR * state, CK_ULONG_PTR statelen)
+{
+	CK_RV rv = c->sym->C_GetOperationState(session, NULL, statelen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*state = calloc(*statelen, sizeof(CK_BYTE));
+	if (*state == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_GetOperationState(session, *state, statelen);
+	return rv;
+}
+
+CK_RV SetOperationState(struct ctx * c, CK_SESSION_HANDLE session,
+			CK_BYTE_PTR state, CK_ULONG statelen,
+			CK_OBJECT_HANDLE encryptkey, CK_OBJECT_HANDLE authkey)
+{
+	return c->sym->C_SetOperationState(session, state, statelen, encryptkey,
+					   authkey);
+}
+
+CK_RV Login(struct ctx *c, CK_SESSION_HANDLE session, CK_USER_TYPE userType,
+	    char *pin, CK_ULONG pinLen)
+{
+	if (pinLen == 0) {
+		pin = NULL;
+	}
+	CK_RV e =
+	    c->sym->C_Login(session, userType, (CK_UTF8CHAR_PTR) pin, pinLen);
+	return e;
+}
+
+CK_RV Logout(struct ctx * c, CK_SESSION_HANDLE session)
+{
+	CK_RV e = c->sym->C_Logout(session);
+	return e;
+}
+
+CK_RV CreateObject(struct ctx * c, CK_SESSION_HANDLE session,
+		   CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
+		   CK_OBJECT_HANDLE_PTR obj)
+{
+	return c->sym->C_CreateObject(session, temp, tempCount, obj);
+}
+
+CK_RV CopyObject(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o,
+		 CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
+		 CK_OBJECT_HANDLE_PTR obj)
+{
+	return c->sym->C_CopyObject(session, o, temp, tempCount, obj);
+}
+
+CK_RV DestroyObject(struct ctx * c, CK_SESSION_HANDLE session,
+		    CK_OBJECT_HANDLE object)
+{
+	CK_RV e = c->sym->C_DestroyObject(session, object);
+	return e;
+}
+
+CK_RV GetObjectSize(struct ctx * c, CK_SESSION_HANDLE session,
+		    CK_OBJECT_HANDLE object, CK_ULONG_PTR size)
+{
+	CK_RV e = c->sym->C_GetObjectSize(session, object, size);
+	return e;
+}
+
+CK_RV GetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
+			CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
+			CK_ULONG templen)
+{
+	// Call for the first time, check the returned ulValue in the attributes, then
+	// allocate enough space and try again.
+	CK_RV e = c->sym->C_GetAttributeValue(session, object, temp, templen);
+	if (e != CKR_OK) {
+		return e;
+	}
+	CK_ULONG i;
+	for (i = 0; i < templen; i++) {
+		if ((CK_LONG) temp[i].ulValueLen == -1) {
+			// either access denied or no such object
+			continue;
+		}
+		temp[i].pValue = calloc(temp[i].ulValueLen, sizeof(CK_BYTE));
+	}
+	return c->sym->C_GetAttributeValue(session, object, temp, templen);
+}
+
+CK_RV SetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
+			CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
+			CK_ULONG templen)
+{
+	return c->sym->C_SetAttributeValue(session, object, temp, templen);
+}
+
+CK_RV FindObjectsInit(struct ctx * c, CK_SESSION_HANDLE session,
+		      CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount)
+{
+	return c->sym->C_FindObjectsInit(session, temp, tempCount);
+}
+
+CK_RV FindObjects(struct ctx * c, CK_SESSION_HANDLE session,
+		  CK_OBJECT_HANDLE_PTR * obj, CK_ULONG max,
+		  CK_ULONG_PTR objCount)
+{
+	*obj = calloc(max, sizeof(CK_OBJECT_HANDLE));
+	CK_RV e = c->sym->C_FindObjects(session, *obj, max, objCount);
+	return e;
+}
+
+CK_RV FindObjectsFinal(struct ctx * c, CK_SESSION_HANDLE session)
+{
+	CK_RV e = c->sym->C_FindObjectsFinal(session);
+	return e;
+}
+
+CK_RV EncryptInit(struct ctx * c, CK_SESSION_HANDLE session,
+		  CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+	return c->sym->C_EncryptInit(session, mechanism, key);
+}
+
+CK_RV Encrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+	      CK_ULONG mlen, CK_BYTE_PTR * enc, CK_ULONG_PTR enclen)
+{
+	CK_RV rv = c->sym->C_Encrypt(session, message, mlen, NULL, enclen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*enc = calloc(*enclen, sizeof(CK_BYTE));
+	if (*enc == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_Encrypt(session, message, mlen, *enc, enclen);
+	return rv;
+}
+
+CK_RV EncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+		    CK_BYTE_PTR plain, CK_ULONG plainlen, CK_BYTE_PTR * cipher,
+		    CK_ULONG_PTR cipherlen)
+{
+	CK_RV rv =
+	    c->sym->C_EncryptUpdate(session, plain, plainlen, NULL, cipherlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*cipher = calloc(*cipherlen, sizeof(CK_BYTE));
+	if (*cipher == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_EncryptUpdate(session, plain, plainlen, *cipher,
+				     cipherlen);
+	return rv;
+}
+
+CK_RV EncryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
+		   CK_BYTE_PTR * cipher, CK_ULONG_PTR cipherlen)
+{
+	CK_RV rv = c->sym->C_EncryptFinal(session, NULL, cipherlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*cipher = calloc(*cipherlen, sizeof(CK_BYTE));
+	if (*cipher == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_EncryptFinal(session, *cipher, cipherlen);
+	return rv;
+}
+
+CK_RV DecryptInit(struct ctx * c, CK_SESSION_HANDLE session,
+		  CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+	return c->sym->C_DecryptInit(session, mechanism, key);
+}
+
+CK_RV Decrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher,
+	      CK_ULONG clen, CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen)
+{
+	CK_RV e = c->sym->C_Decrypt(session, cipher, clen, NULL, plainlen);
+	if (e != CKR_OK) {
+		return e;
+	}
+	*plain = calloc(*plainlen, sizeof(CK_BYTE));
+	if (*plain == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	e = c->sym->C_Decrypt(session, cipher, clen, *plain, plainlen);
+	return e;
+}
+
+CK_RV DecryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+		    CK_BYTE_PTR cipher, CK_ULONG cipherlen, CK_BYTE_PTR * part,
+		    CK_ULONG_PTR partlen)
+{
+	CK_RV rv =
+	    c->sym->C_DecryptUpdate(session, cipher, cipherlen, NULL, partlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*part = calloc(*partlen, sizeof(CK_BYTE));
+	if (*part == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_DecryptUpdate(session, cipher, cipherlen, *part,
+				     partlen);
+	return rv;
+}
+
+CK_RV DecryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
+		   CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen)
+{
+	CK_RV rv = c->sym->C_DecryptFinal(session, NULL, plainlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*plain = calloc(*plainlen, sizeof(CK_BYTE));
+	if (*plain == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_DecryptFinal(session, *plain, plainlen);
+	return rv;
+}
+
+CK_RV DigestInit(struct ctx * c, CK_SESSION_HANDLE session,
+		 CK_MECHANISM_PTR mechanism)
+{
+	return c->sym->C_DigestInit(session, mechanism);
+}
+
+CK_RV Digest(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+	     CK_ULONG mlen, CK_BYTE_PTR * hash, CK_ULONG_PTR hashlen)
+{
+	CK_RV rv = c->sym->C_Digest(session, message, mlen, NULL, hashlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*hash = calloc(*hashlen, sizeof(CK_BYTE));
+	if (*hash == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_Digest(session, message, mlen, *hash, hashlen);
+	return rv;
+}
+
+CK_RV DigestUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+		   CK_BYTE_PTR message, CK_ULONG mlen)
+{
+	CK_RV rv = c->sym->C_DigestUpdate(session, message, mlen);
+	return rv;
+}
+
+CK_RV DigestKey(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key)
+{
+	CK_RV rv = c->sym->C_DigestKey(session, key);
+	return rv;
+}
+
+CK_RV DigestFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * hash,
+		  CK_ULONG_PTR hashlen)
+{
+	CK_RV rv = c->sym->C_DigestFinal(session, NULL, hashlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*hash = calloc(*hashlen, sizeof(CK_BYTE));
+	if (*hash == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_DigestFinal(session, *hash, hashlen);
+	return rv;
+}
+
+CK_RV SignInit(struct ctx * c, CK_SESSION_HANDLE session,
+	       CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+	return c->sym->C_SignInit(session, mechanism, key);
+}
+
+CK_RV Sign(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+	   CK_ULONG mlen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen)
+{
+	CK_RV rv = c->sym->C_Sign(session, message, mlen, NULL, siglen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*sig = calloc(*siglen, sizeof(CK_BYTE));
+	if (*sig == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_Sign(session, message, mlen, *sig, siglen);
+	return rv;
+}
+
+CK_RV SignUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+		 CK_BYTE_PTR message, CK_ULONG mlen)
+{
+	CK_RV rv = c->sym->C_SignUpdate(session, message, mlen);
+	return rv;
+}
+
+CK_RV SignFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * sig,
+		CK_ULONG_PTR siglen)
+{
+	CK_RV rv = c->sym->C_SignFinal(session, NULL, siglen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*sig = calloc(*siglen, sizeof(CK_BYTE));
+	if (*sig == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_SignFinal(session, *sig, siglen);
+	return rv;
+}
+
+CK_RV SignRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
+		      CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+	return c->sym->C_SignRecoverInit(session, mechanism, key);
+}
+
+CK_RV SignRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR data,
+		  CK_ULONG datalen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen)
+{
+	CK_RV rv = c->sym->C_SignRecover(session, data, datalen, NULL, siglen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*sig = calloc(*siglen, sizeof(CK_BYTE));
+	if (*sig == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_SignRecover(session, data, datalen, *sig, siglen);
+	return rv;
+}
+
+CK_RV VerifyInit(struct ctx * c, CK_SESSION_HANDLE session,
+		 CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+	return c->sym->C_VerifyInit(session, mechanism, key);
+}
+
+CK_RV Verify(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+	     CK_ULONG mesglen, CK_BYTE_PTR sig, CK_ULONG siglen)
+{
+	CK_RV rv = c->sym->C_Verify(session, message, mesglen, sig, siglen);
+	return rv;
+}
+
+CK_RV VerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+		   CK_BYTE_PTR part, CK_ULONG partlen)
+{
+	CK_RV rv = c->sym->C_VerifyUpdate(session, part, partlen);
+	return rv;
+}
+
+CK_RV VerifyFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
+		  CK_ULONG siglen)
+{
+	CK_RV rv = c->sym->C_VerifyFinal(session, sig, siglen);
+	return rv;
+}
+
+CK_RV VerifyRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
+			CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+	return c->sym->C_VerifyRecoverInit(session, mechanism, key);
+}
+
+CK_RV VerifyRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
+		    CK_ULONG siglen, CK_BYTE_PTR * data, CK_ULONG_PTR datalen)
+{
+	CK_RV rv = c->sym->C_VerifyRecover(session, sig, siglen, NULL, datalen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*data = calloc(*datalen, sizeof(CK_BYTE));
+	if (*data == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_VerifyRecover(session, sig, siglen, *data, datalen);
+	return rv;
+}
+
+CK_RV DigestEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+			  CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc,
+			  CK_ULONG_PTR enclen)
+{
+	CK_RV rv =
+	    c->sym->C_DigestEncryptUpdate(session, part, partlen, NULL, enclen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*enc = calloc(*enclen, sizeof(CK_BYTE));
+	if (*enc == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_DigestEncryptUpdate(session, part, partlen, *enc,
+					   enclen);
+	return rv;
+}
+
+CK_RV DecryptDigestUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+			  CK_BYTE_PTR cipher, CK_ULONG cipherlen,
+			  CK_BYTE_PTR * part, CK_ULONG_PTR partlen)
+{
+	CK_RV rv =
+	    c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, NULL,
+					  partlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*part = calloc(*partlen, sizeof(CK_BYTE));
+	if (*part == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, *part,
+					   partlen);
+	return rv;
+}
+
+CK_RV SignEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+			CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc,
+			CK_ULONG_PTR enclen)
+{
+	CK_RV rv =
+	    c->sym->C_SignEncryptUpdate(session, part, partlen, NULL, enclen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*enc = calloc(*enclen, sizeof(CK_BYTE));
+	if (*enc == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_SignEncryptUpdate(session, part, partlen, *enc, enclen);
+	return rv;
+}
+
+CK_RV DecryptVerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+			  CK_BYTE_PTR cipher, CK_ULONG cipherlen,
+			  CK_BYTE_PTR * part, CK_ULONG_PTR partlen)
+{
+	CK_RV rv =
+	    c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, NULL,
+					  partlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*part = calloc(*partlen, sizeof(CK_BYTE));
+	if (*part == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, *part,
+					   partlen);
+	return rv;
+}
+
+CK_RV GenerateKey(struct ctx * c, CK_SESSION_HANDLE session,
+		  CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR temp,
+		  CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR key)
+{
+	return c->sym->C_GenerateKey(session, mechanism, temp, tempCount, key);
+}
+
+CK_RV GenerateKeyPair(struct ctx * c, CK_SESSION_HANDLE session,
+		      CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR pub,
+		      CK_ULONG pubCount, CK_ATTRIBUTE_PTR priv,
+		      CK_ULONG privCount, CK_OBJECT_HANDLE_PTR pubkey,
+		      CK_OBJECT_HANDLE_PTR privkey)
+{
+	return c->sym->C_GenerateKeyPair(session, mechanism, pub, pubCount,
+		priv, privCount, pubkey, privkey);
+}
+
+CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session,
+	      CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE wrappingkey,
+	      CK_OBJECT_HANDLE key, CK_BYTE_PTR * wrapped,
+	      CK_ULONG_PTR wrappedlen)
+{
+	CK_RV rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, NULL,
+				     wrappedlen);
+	if (rv != CKR_OK) {
+		return rv;
+	}
+	*wrapped = calloc(*wrappedlen, sizeof(CK_BYTE));
+	if (*wrapped == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, *wrapped,
+			       wrappedlen);
+	return rv;
+}
+
+CK_RV DeriveKey(struct ctx * c, CK_SESSION_HANDLE session,
+		CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE basekey,
+		CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
+{
+	return c->sym->C_DeriveKey(session, mechanism, basekey, a, alen, key);
+}
+
+CK_RV UnwrapKey(struct ctx * c, CK_SESSION_HANDLE session,
+		CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE unwrappingkey,
+		CK_BYTE_PTR wrappedkey, CK_ULONG wrappedkeylen,
+		CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
+{
+	return c->sym->C_UnwrapKey(session, mechanism, unwrappingkey, wrappedkey,
+				      wrappedkeylen, a, alen, key);
+}
+
+CK_RV SeedRandom(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR seed,
+		 CK_ULONG seedlen)
+{
+	CK_RV e = c->sym->C_SeedRandom(session, seed, seedlen);
+	return e;
+}
+
+CK_RV GenerateRandom(struct ctx * c, CK_SESSION_HANDLE session,
+		     CK_BYTE_PTR * rand, CK_ULONG length)
+{
+	*rand = calloc(length, sizeof(CK_BYTE));
+	if (*rand == NULL) {
+		return CKR_HOST_MEMORY;
+	}
+	CK_RV e = c->sym->C_GenerateRandom(session, *rand, length);
+	return e;
+}
+
+CK_RV WaitForSlotEvent(struct ctx * c, CK_FLAGS flags, CK_ULONG_PTR slot)
+{
+	CK_RV e =
+	    c->sym->C_WaitForSlotEvent(flags, (CK_SLOT_ID_PTR) slot, NULL);
+	return e;
+}
+
+static inline CK_VOID_PTR getAttributePval(CK_ATTRIBUTE_PTR a)
+{
+	return a->pValue;
+}
+
+*/
+import "C"
+import "strings"
+
+import "unsafe"
+
+// Ctx contains the current pkcs11 context.
+type Ctx struct {
+	ctx *C.struct_ctx
+}
+
+// New creates a new context and initializes the module/library for use.
+func New(module string) *Ctx {
+	c := new(Ctx)
+	mod := C.CString(module)
+	defer C.free(unsafe.Pointer(mod))
+	c.ctx = C.New(mod)
+	if c.ctx == nil {
+		return nil
+	}
+	return c
+}
+
+// Destroy unloads the module/library and frees any remaining memory.
+func (c *Ctx) Destroy() {
+	if c == nil || c.ctx == nil {
+		return
+	}
+	C.Destroy(c.ctx)
+	c.ctx = nil
+}
+
+// Initialize initializes the Cryptoki library.
+func (c *Ctx) Initialize() error {
+	e := C.Initialize(c.ctx)
+	return toError(e)
+}
+
+// Finalize indicates that an application is done with the Cryptoki library.
+func (c *Ctx) Finalize() error {
+	if c.ctx == nil {
+		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+	}
+	e := C.Finalize(c.ctx)
+	return toError(e)
+}
+
+// GetInfo returns general information about Cryptoki.
+func (c *Ctx) GetInfo() (Info, error) {
+	var p C.ckInfo
+	e := C.GetInfo(c.ctx, &p)
+	i := Info{
+		CryptokiVersion:    toVersion(p.cryptokiVersion),
+		ManufacturerID:     strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.manufacturerID[0]), 32)), " "),
+		Flags:              uint(p.flags),
+		LibraryDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.libraryDescription[0]), 32)), " "),
+		LibraryVersion:     toVersion(p.libraryVersion),
+	}
+	return i, toError(e)
+}
+
+// GetSlotList obtains a list of slots in the system.
+func (c *Ctx) GetSlotList(tokenPresent bool) ([]uint, error) {
+	var (
+		slotList C.CK_ULONG_PTR
+		ulCount  C.CK_ULONG
+	)
+	e := C.GetSlotList(c.ctx, cBBool(tokenPresent), &slotList, &ulCount)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	l := toList(slotList, ulCount)
+	return l, nil
+}
+
+// GetSlotInfo obtains information about a particular slot in the system.
+func (c *Ctx) GetSlotInfo(slotID uint) (SlotInfo, error) {
+	var csi C.CK_SLOT_INFO
+	e := C.GetSlotInfo(c.ctx, C.CK_ULONG(slotID), &csi)
+	s := SlotInfo{
+		SlotDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.slotDescription[0]), 64)), " "),
+		ManufacturerID:  strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.manufacturerID[0]), 32)), " "),
+		Flags:           uint(csi.flags),
+		HardwareVersion: toVersion(csi.hardwareVersion),
+		FirmwareVersion: toVersion(csi.firmwareVersion),
+	}
+	return s, toError(e)
+}
+
+// GetTokenInfo obtains information about a particular token
+// in the system.
+func (c *Ctx) GetTokenInfo(slotID uint) (TokenInfo, error) {
+	var cti C.CK_TOKEN_INFO
+	e := C.GetTokenInfo(c.ctx, C.CK_ULONG(slotID), &cti)
+	s := TokenInfo{
+		Label:              strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.label[0]), 32)), " "),
+		ManufacturerID:     strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.manufacturerID[0]), 32)), " "),
+		Model:              strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.model[0]), 16)), " "),
+		SerialNumber:       strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.serialNumber[0]), 16)), " "),
+		Flags:              uint(cti.flags),
+		MaxSessionCount:    uint(cti.ulMaxSessionCount),
+		SessionCount:       uint(cti.ulSessionCount),
+		MaxRwSessionCount:  uint(cti.ulMaxRwSessionCount),
+		RwSessionCount:     uint(cti.ulRwSessionCount),
+		MaxPinLen:          uint(cti.ulMaxPinLen),
+		MinPinLen:          uint(cti.ulMinPinLen),
+		TotalPublicMemory:  uint(cti.ulTotalPublicMemory),
+		FreePublicMemory:   uint(cti.ulFreePublicMemory),
+		TotalPrivateMemory: uint(cti.ulTotalPrivateMemory),
+		FreePrivateMemory:  uint(cti.ulFreePrivateMemory),
+		HardwareVersion:    toVersion(cti.hardwareVersion),
+		FirmwareVersion:    toVersion(cti.firmwareVersion),
+		UTCTime:            strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.utcTime[0]), 16)), " "),
+	}
+	return s, toError(e)
+}
+
+// GetMechanismList obtains a list of mechanism types supported by a token.
+func (c *Ctx) GetMechanismList(slotID uint) ([]*Mechanism, error) {
+	var (
+		mech    C.CK_ULONG_PTR // in pkcs#11 we're all CK_ULONGs \o/
+		mechlen C.CK_ULONG
+	)
+	e := C.GetMechanismList(c.ctx, C.CK_ULONG(slotID), &mech, &mechlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	// Although the function returns only type, cast them back into real
+	// attributes as this is used in other functions.
+	m := make([]*Mechanism, int(mechlen))
+	for i, typ := range toList(mech, mechlen) {
+		m[i] = NewMechanism(typ, nil)
+	}
+	return m, nil
+}
+
+// GetMechanismInfo obtains information about a particular
+// mechanism possibly supported by a token.
+func (c *Ctx) GetMechanismInfo(slotID uint, m []*Mechanism) (MechanismInfo, error) {
+	var cm C.CK_MECHANISM_INFO
+	e := C.GetMechanismInfo(c.ctx, C.CK_ULONG(slotID), C.CK_MECHANISM_TYPE(m[0].Mechanism),
+		C.CK_MECHANISM_INFO_PTR(&cm))
+	mi := MechanismInfo{
+		MinKeySize: uint(cm.ulMinKeySize),
+		MaxKeySize: uint(cm.ulMaxKeySize),
+		Flags:      uint(cm.flags),
+	}
+	return mi, toError(e)
+}
+
+// InitToken initializes a token. The label must be 32 characters
+// long, it is blank padded if it is not. If it is longer it is capped
+// to 32 characters.
+func (c *Ctx) InitToken(slotID uint, pin string, label string) error {
+	p := C.CString(pin)
+	defer C.free(unsafe.Pointer(p))
+	ll := len(label)
+	for ll < 32 {
+		label += " "
+		ll++
+	}
+	l := C.CString(label[:32])
+	defer C.free(unsafe.Pointer(l))
+	e := C.InitToken(c.ctx, C.CK_ULONG(slotID), p, C.CK_ULONG(len(pin)), l)
+	return toError(e)
+}
+
+// InitPIN initializes the normal user's PIN.
+func (c *Ctx) InitPIN(sh SessionHandle, pin string) error {
+	p := C.CString(pin)
+	defer C.free(unsafe.Pointer(p))
+	e := C.InitPIN(c.ctx, C.CK_SESSION_HANDLE(sh), p, C.CK_ULONG(len(pin)))
+	return toError(e)
+}
+
+// SetPIN modifies the PIN of the user who is logged in.
+func (c *Ctx) SetPIN(sh SessionHandle, oldpin string, newpin string) error {
+	old := C.CString(oldpin)
+	defer C.free(unsafe.Pointer(old))
+	new := C.CString(newpin)
+	defer C.free(unsafe.Pointer(new))
+	e := C.SetPIN(c.ctx, C.CK_SESSION_HANDLE(sh), old, C.CK_ULONG(len(oldpin)), new, C.CK_ULONG(len(newpin)))
+	return toError(e)
+}
+
+// OpenSession opens a session between an application and a token.
+func (c *Ctx) OpenSession(slotID uint, flags uint) (SessionHandle, error) {
+	var s C.CK_SESSION_HANDLE
+	e := C.OpenSession(c.ctx, C.CK_ULONG(slotID), C.CK_ULONG(flags), C.CK_SESSION_HANDLE_PTR(&s))
+	return SessionHandle(s), toError(e)
+}
+
+// CloseSession closes a session between an application and a token.
+func (c *Ctx) CloseSession(sh SessionHandle) error {
+	if c.ctx == nil {
+		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+	}
+	e := C.CloseSession(c.ctx, C.CK_SESSION_HANDLE(sh))
+	return toError(e)
+}
+
+// CloseAllSessions closes all sessions with a token.
+func (c *Ctx) CloseAllSessions(slotID uint) error {
+	if c.ctx == nil {
+		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+	}
+	e := C.CloseAllSessions(c.ctx, C.CK_ULONG(slotID))
+	return toError(e)
+}
+
+// GetSessionInfo obtains information about the session.
+func (c *Ctx) GetSessionInfo(sh SessionHandle) (SessionInfo, error) {
+	var csi C.CK_SESSION_INFO
+	e := C.GetSessionInfo(c.ctx, C.CK_SESSION_HANDLE(sh), &csi)
+	s := SessionInfo{SlotID: uint(csi.slotID),
+		State:       uint(csi.state),
+		Flags:       uint(csi.flags),
+		DeviceError: uint(csi.ulDeviceError),
+	}
+	return s, toError(e)
+}
+
+// GetOperationState obtains the state of the cryptographic operation in a session.
+func (c *Ctx) GetOperationState(sh SessionHandle) ([]byte, error) {
+	var (
+		state    C.CK_BYTE_PTR
+		statelen C.CK_ULONG
+	)
+	e := C.GetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), &state, &statelen)
+	defer C.free(unsafe.Pointer(state))
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	b := C.GoBytes(unsafe.Pointer(state), C.int(statelen))
+	return b, nil
+}
+
+// SetOperationState restores the state of the cryptographic operation in a session.
+func (c *Ctx) SetOperationState(sh SessionHandle, state []byte, encryptKey, authKey ObjectHandle) error {
+	e := C.SetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&state[0])),
+		C.CK_ULONG(len(state)), C.CK_OBJECT_HANDLE(encryptKey), C.CK_OBJECT_HANDLE(authKey))
+	return toError(e)
+}
+
+// Login logs a user into a token.
+func (c *Ctx) Login(sh SessionHandle, userType uint, pin string) error {
+	p := C.CString(pin)
+	defer C.free(unsafe.Pointer(p))
+	e := C.Login(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_USER_TYPE(userType), p, C.CK_ULONG(len(pin)))
+	return toError(e)
+}
+
+// Logout logs a user out from a token.
+func (c *Ctx) Logout(sh SessionHandle) error {
+	if c.ctx == nil {
+		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+	}
+	e := C.Logout(c.ctx, C.CK_SESSION_HANDLE(sh))
+	return toError(e)
+}
+
+// CreateObject creates a new object.
+func (c *Ctx) CreateObject(sh SessionHandle, temp []*Attribute) (ObjectHandle, error) {
+	var obj C.CK_OBJECT_HANDLE
+	arena, t, tcount := cAttributeList(temp)
+	defer arena.Free()
+	e := C.CreateObject(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj))
+	e1 := toError(e)
+	if e1 == nil {
+		return ObjectHandle(obj), nil
+	}
+	return 0, e1
+}
+
+// CopyObject copies an object, creating a new object for the copy.
+func (c *Ctx) CopyObject(sh SessionHandle, o ObjectHandle, temp []*Attribute) (ObjectHandle, error) {
+	var obj C.CK_OBJECT_HANDLE
+	arena, t, tcount := cAttributeList(temp)
+	defer arena.Free()
+
+	e := C.CopyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj))
+	e1 := toError(e)
+	if e1 == nil {
+		return ObjectHandle(obj), nil
+	}
+	return 0, e1
+}
+
+// DestroyObject destroys an object.
+func (c *Ctx) DestroyObject(sh SessionHandle, oh ObjectHandle) error {
+	e := C.DestroyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh))
+	return toError(e)
+}
+
+// GetObjectSize gets the size of an object in bytes.
+func (c *Ctx) GetObjectSize(sh SessionHandle, oh ObjectHandle) (uint, error) {
+	var size C.CK_ULONG
+	e := C.GetObjectSize(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh), &size)
+	return uint(size), toError(e)
+}
+
+// GetAttributeValue obtains the value of one or more object attributes.
+func (c *Ctx) GetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) ([]*Attribute, error) {
+	// copy the attribute list and make all the values nil, so that
+	// the C function can (allocate) fill them in
+	pa := make([]C.CK_ATTRIBUTE, len(a))
+	for i := 0; i < len(a); i++ {
+		pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type)
+	}
+	e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), &pa[0], C.CK_ULONG(len(a)))
+	if err := toError(e); err != nil {
+		return nil, err
+	}
+	a1 := make([]*Attribute, len(a))
+	for i, c := range pa {
+		x := new(Attribute)
+		x.Type = uint(c._type)
+		if int(c.ulValueLen) != -1 {
+			buf := unsafe.Pointer(C.getAttributePval(&c))
+			x.Value = C.GoBytes(buf, C.int(c.ulValueLen))
+			C.free(buf)
+		}
+		a1[i] = x
+	}
+	return a1, nil
+}
+
+// SetAttributeValue modifies the value of one or more object attributes
+func (c *Ctx) SetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) error {
+	arena, pa, palen := cAttributeList(a)
+	defer arena.Free()
+	e := C.SetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), pa, palen)
+	return toError(e)
+}
+
+// FindObjectsInit initializes a search for token and session
+// objects that match a template.
+func (c *Ctx) FindObjectsInit(sh SessionHandle, temp []*Attribute) error {
+	arena, t, tcount := cAttributeList(temp)
+	defer arena.Free()
+	e := C.FindObjectsInit(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount)
+	return toError(e)
+}
+
+// FindObjects continues a search for token and session
+// objects that match a template, obtaining additional object
+// handles. Calling the function repeatedly may yield additional results until
+// an empty slice is returned.
+//
+// The returned boolean value is deprecated and should be ignored.
+func (c *Ctx) FindObjects(sh SessionHandle, max int) ([]ObjectHandle, bool, error) {
+	var (
+		objectList C.CK_OBJECT_HANDLE_PTR
+		ulCount    C.CK_ULONG
+	)
+	e := C.FindObjects(c.ctx, C.CK_SESSION_HANDLE(sh), &objectList, C.CK_ULONG(max), &ulCount)
+	if toError(e) != nil {
+		return nil, false, toError(e)
+	}
+	l := toList(C.CK_ULONG_PTR(unsafe.Pointer(objectList)), ulCount)
+	// Make again a new list of the correct type.
+	// This is copying data, but this is not an often used function.
+	o := make([]ObjectHandle, len(l))
+	for i, v := range l {
+		o[i] = ObjectHandle(v)
+	}
+	return o, ulCount > C.CK_ULONG(max), nil
+}
+
+// FindObjectsFinal finishes a search for token and session objects.
+func (c *Ctx) FindObjectsFinal(sh SessionHandle) error {
+	e := C.FindObjectsFinal(c.ctx, C.CK_SESSION_HANDLE(sh))
+	return toError(e)
+}
+
+// EncryptInit initializes an encryption operation.
+func (c *Ctx) EncryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.EncryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
+	return toError(e)
+}
+
+// Encrypt encrypts single-part data.
+func (c *Ctx) Encrypt(sh SessionHandle, message []byte) ([]byte, error) {
+	var (
+		enc    C.CK_BYTE_PTR
+		enclen C.CK_ULONG
+	)
+	e := C.Encrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &enc, &enclen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	s := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+	C.free(unsafe.Pointer(enc))
+	return s, nil
+}
+
+// EncryptUpdate continues a multiple-part encryption operation.
+func (c *Ctx) EncryptUpdate(sh SessionHandle, plain []byte) ([]byte, error) {
+	var (
+		part    C.CK_BYTE_PTR
+		partlen C.CK_ULONG
+	)
+	e := C.EncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(plain), C.CK_ULONG(len(plain)), &part, &partlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+	C.free(unsafe.Pointer(part))
+	return h, nil
+}
+
+// EncryptFinal finishes a multiple-part encryption operation.
+func (c *Ctx) EncryptFinal(sh SessionHandle) ([]byte, error) {
+	var (
+		enc    C.CK_BYTE_PTR
+		enclen C.CK_ULONG
+	)
+	e := C.EncryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &enc, &enclen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+	C.free(unsafe.Pointer(enc))
+	return h, nil
+}
+
+// DecryptInit initializes a decryption operation.
+func (c *Ctx) DecryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.DecryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
+	return toError(e)
+}
+
+// Decrypt decrypts encrypted data in a single part.
+func (c *Ctx) Decrypt(sh SessionHandle, cipher []byte) ([]byte, error) {
+	var (
+		plain    C.CK_BYTE_PTR
+		plainlen C.CK_ULONG
+	)
+	e := C.Decrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &plain, &plainlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	s := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen))
+	C.free(unsafe.Pointer(plain))
+	return s, nil
+}
+
+// DecryptUpdate continues a multiple-part decryption operation.
+func (c *Ctx) DecryptUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
+	var (
+		part    C.CK_BYTE_PTR
+		partlen C.CK_ULONG
+	)
+	e := C.DecryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+	C.free(unsafe.Pointer(part))
+	return h, nil
+}
+
+// DecryptFinal finishes a multiple-part decryption operation.
+func (c *Ctx) DecryptFinal(sh SessionHandle) ([]byte, error) {
+	var (
+		plain    C.CK_BYTE_PTR
+		plainlen C.CK_ULONG
+	)
+	e := C.DecryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &plain, &plainlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen))
+	C.free(unsafe.Pointer(plain))
+	return h, nil
+}
+
+// DigestInit initializes a message-digesting operation.
+func (c *Ctx) DigestInit(sh SessionHandle, m []*Mechanism) error {
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.DigestInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech)
+	return toError(e)
+}
+
+// Digest digests message in a single part.
+func (c *Ctx) Digest(sh SessionHandle, message []byte) ([]byte, error) {
+	var (
+		hash    C.CK_BYTE_PTR
+		hashlen C.CK_ULONG
+	)
+	e := C.Digest(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &hash, &hashlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen))
+	C.free(unsafe.Pointer(hash))
+	return h, nil
+}
+
+// DigestUpdate continues a multiple-part message-digesting operation.
+func (c *Ctx) DigestUpdate(sh SessionHandle, message []byte) error {
+	e := C.DigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
+	if toError(e) != nil {
+		return toError(e)
+	}
+	return nil
+}
+
+// DigestKey continues a multi-part message-digesting
+// operation, by digesting the value of a secret key as part of
+// the data already digested.
+func (c *Ctx) DigestKey(sh SessionHandle, key ObjectHandle) error {
+	e := C.DigestKey(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(key))
+	if toError(e) != nil {
+		return toError(e)
+	}
+	return nil
+}
+
+// DigestFinal finishes a multiple-part message-digesting operation.
+func (c *Ctx) DigestFinal(sh SessionHandle) ([]byte, error) {
+	var (
+		hash    C.CK_BYTE_PTR
+		hashlen C.CK_ULONG
+	)
+	e := C.DigestFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &hash, &hashlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen))
+	C.free(unsafe.Pointer(hash))
+	return h, nil
+}
+
+// SignInit initializes a signature (private key encryption)
+// operation, where the signature is (will be) an appendix to
+// the data, and plaintext cannot be recovered from the signature.
+func (c *Ctx) SignInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.SignInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
+	return toError(e)
+}
+
+// Sign signs (encrypts with private key) data in a single part, where the signature
+// is (will be) an appendix to the data, and plaintext cannot be recovered from the signature.
+func (c *Ctx) Sign(sh SessionHandle, message []byte) ([]byte, error) {
+	var (
+		sig    C.CK_BYTE_PTR
+		siglen C.CK_ULONG
+	)
+	e := C.Sign(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &sig, &siglen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	s := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
+	C.free(unsafe.Pointer(sig))
+	return s, nil
+}
+
+// SignUpdate continues a multiple-part signature operation,
+// where the signature is (will be) an appendix to the data,
+// and plaintext cannot be recovered from the signature.
+func (c *Ctx) SignUpdate(sh SessionHandle, message []byte) error {
+	e := C.SignUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
+	return toError(e)
+}
+
+// SignFinal finishes a multiple-part signature operation returning the signature.
+func (c *Ctx) SignFinal(sh SessionHandle) ([]byte, error) {
+	var (
+		sig    C.CK_BYTE_PTR
+		siglen C.CK_ULONG
+	)
+	e := C.SignFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &sig, &siglen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
+	C.free(unsafe.Pointer(sig))
+	return h, nil
+}
+
+// SignRecoverInit initializes a signature operation, where the data can be recovered from the signature.
+func (c *Ctx) SignRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.SignRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
+	return toError(e)
+}
+
+// SignRecover signs data in a single operation, where the data can be recovered from the signature.
+func (c *Ctx) SignRecover(sh SessionHandle, data []byte) ([]byte, error) {
+	var (
+		sig    C.CK_BYTE_PTR
+		siglen C.CK_ULONG
+	)
+	e := C.SignRecover(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), &sig, &siglen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
+	C.free(unsafe.Pointer(sig))
+	return h, nil
+}
+
+// VerifyInit initializes a verification operation, where the
+// signature is an appendix to the data, and plaintext cannot
+// be recovered from the signature (e.g. DSA).
+func (c *Ctx) VerifyInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.VerifyInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
+	return toError(e)
+}
+
+// Verify verifies a signature in a single-part operation,
+// where the signature is an appendix to the data, and plaintext
+// cannot be recovered from the signature.
+func (c *Ctx) Verify(sh SessionHandle, data []byte, signature []byte) error {
+	e := C.Verify(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), cMessage(signature), C.CK_ULONG(len(signature)))
+	return toError(e)
+}
+
+// VerifyUpdate continues a multiple-part verification
+// operation, where the signature is an appendix to the data,
+// and plaintext cannot be recovered from the signature.
+func (c *Ctx) VerifyUpdate(sh SessionHandle, part []byte) error {
+	e := C.VerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)))
+	return toError(e)
+}
+
+// VerifyFinal finishes a multiple-part verification
+// operation, checking the signature.
+func (c *Ctx) VerifyFinal(sh SessionHandle, signature []byte) error {
+	e := C.VerifyFinal(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)))
+	return toError(e)
+}
+
+// VerifyRecoverInit initializes a signature verification
+// operation, where the data is recovered from the signature.
+func (c *Ctx) VerifyRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.VerifyRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
+	return toError(e)
+}
+
+// VerifyRecover verifies a signature in a single-part
+// operation, where the data is recovered from the signature.
+func (c *Ctx) VerifyRecover(sh SessionHandle, signature []byte) ([]byte, error) {
+	var (
+		data    C.CK_BYTE_PTR
+		datalen C.CK_ULONG
+	)
+	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)), &data, &datalen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(data), C.int(datalen))
+	C.free(unsafe.Pointer(data))
+	return h, nil
+}
+
+// DigestEncryptUpdate continues a multiple-part digesting and encryption operation.
+func (c *Ctx) DigestEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) {
+	var (
+		enc    C.CK_BYTE_PTR
+		enclen C.CK_ULONG
+	)
+	e := C.DigestEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+	C.free(unsafe.Pointer(enc))
+	return h, nil
+}
+
+// DecryptDigestUpdate continues a multiple-part decryption and digesting operation.
+func (c *Ctx) DecryptDigestUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
+	var (
+		part    C.CK_BYTE_PTR
+		partlen C.CK_ULONG
+	)
+	e := C.DecryptDigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+	C.free(unsafe.Pointer(part))
+	return h, nil
+}
+
+// SignEncryptUpdate continues a multiple-part signing and encryption operation.
+func (c *Ctx) SignEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) {
+	var (
+		enc    C.CK_BYTE_PTR
+		enclen C.CK_ULONG
+	)
+	e := C.SignEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+	C.free(unsafe.Pointer(enc))
+	return h, nil
+}
+
+// DecryptVerifyUpdate continues a multiple-part decryption and verify operation.
+func (c *Ctx) DecryptVerifyUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
+	var (
+		part    C.CK_BYTE_PTR
+		partlen C.CK_ULONG
+	)
+	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+	C.free(unsafe.Pointer(part))
+	return h, nil
+}
+
+// GenerateKey generates a secret key, creating a new key object.
+func (c *Ctx) GenerateKey(sh SessionHandle, m []*Mechanism, temp []*Attribute) (ObjectHandle, error) {
+	var key C.CK_OBJECT_HANDLE
+	attrarena, t, tcount := cAttributeList(temp)
+	defer attrarena.Free()
+	mecharena, mech := cMechanism(m)
+	defer mecharena.Free()
+	e := C.GenerateKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, t, tcount, C.CK_OBJECT_HANDLE_PTR(&key))
+	e1 := toError(e)
+	if e1 == nil {
+		return ObjectHandle(key), nil
+	}
+	return 0, e1
+}
+
+// GenerateKeyPair generates a public-key/private-key pair creating new key objects.
+func (c *Ctx) GenerateKeyPair(sh SessionHandle, m []*Mechanism, public, private []*Attribute) (ObjectHandle, ObjectHandle, error) {
+	var (
+		pubkey  C.CK_OBJECT_HANDLE
+		privkey C.CK_OBJECT_HANDLE
+	)
+	pubarena, pub, pubcount := cAttributeList(public)
+	defer pubarena.Free()
+	privarena, priv, privcount := cAttributeList(private)
+	defer privarena.Free()
+	mecharena, mech := cMechanism(m)
+	defer mecharena.Free()
+	e := C.GenerateKeyPair(c.ctx, C.CK_SESSION_HANDLE(sh), mech, pub, pubcount, priv, privcount, C.CK_OBJECT_HANDLE_PTR(&pubkey), C.CK_OBJECT_HANDLE_PTR(&privkey))
+	e1 := toError(e)
+	if e1 == nil {
+		return ObjectHandle(pubkey), ObjectHandle(privkey), nil
+	}
+	return 0, 0, e1
+}
+
+// WrapKey wraps (i.e., encrypts) a key.
+func (c *Ctx) WrapKey(sh SessionHandle, m []*Mechanism, wrappingkey, key ObjectHandle) ([]byte, error) {
+	var (
+		wrappedkey    C.CK_BYTE_PTR
+		wrappedkeylen C.CK_ULONG
+	)
+	arena, mech := cMechanism(m)
+	defer arena.Free()
+	e := C.WrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(wrappingkey), C.CK_OBJECT_HANDLE(key), &wrappedkey, &wrappedkeylen)
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(wrappedkey), C.int(wrappedkeylen))
+	C.free(unsafe.Pointer(wrappedkey))
+	return h, nil
+}
+
+// UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object.
+func (c *Ctx) UnwrapKey(sh SessionHandle, m []*Mechanism, unwrappingkey ObjectHandle, wrappedkey []byte, a []*Attribute) (ObjectHandle, error) {
+	var key C.CK_OBJECT_HANDLE
+	attrarena, ac, aclen := cAttributeList(a)
+	defer attrarena.Free()
+	mecharena, mech := cMechanism(m)
+	defer mecharena.Free()
+	e := C.UnwrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(unwrappingkey), C.CK_BYTE_PTR(unsafe.Pointer(&wrappedkey[0])), C.CK_ULONG(len(wrappedkey)), ac, aclen, &key)
+	return ObjectHandle(key), toError(e)
+}
+
+// DeriveKey derives a key from a base key, creating a new key object.
+func (c *Ctx) DeriveKey(sh SessionHandle, m []*Mechanism, basekey ObjectHandle, a []*Attribute) (ObjectHandle, error) {
+	var key C.CK_OBJECT_HANDLE
+	attrarena, ac, aclen := cAttributeList(a)
+	defer attrarena.Free()
+	mecharena, mech := cMechanism(m)
+	defer mecharena.Free()
+	e := C.DeriveKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(basekey), ac, aclen, &key)
+	return ObjectHandle(key), toError(e)
+}
+
+// SeedRandom mixes additional seed material into the token's
+// random number generator.
+func (c *Ctx) SeedRandom(sh SessionHandle, seed []byte) error {
+	e := C.SeedRandom(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&seed[0])), C.CK_ULONG(len(seed)))
+	return toError(e)
+}
+
+// GenerateRandom generates random data.
+func (c *Ctx) GenerateRandom(sh SessionHandle, length int) ([]byte, error) {
+	var rand C.CK_BYTE_PTR
+	e := C.GenerateRandom(c.ctx, C.CK_SESSION_HANDLE(sh), &rand, C.CK_ULONG(length))
+	if toError(e) != nil {
+		return nil, toError(e)
+	}
+	h := C.GoBytes(unsafe.Pointer(rand), C.int(length))
+	C.free(unsafe.Pointer(rand))
+	return h, nil
+}
+
+// WaitForSlotEvent returns a channel which returns a slot event
+// (token insertion, removal, etc.) when it occurs.
+func (c *Ctx) WaitForSlotEvent(flags uint) chan SlotEvent {
+	sl := make(chan SlotEvent, 1) // hold one element
+	go c.waitForSlotEventHelper(flags, sl)
+	return sl
+}
+
+func (c *Ctx) waitForSlotEventHelper(f uint, sl chan SlotEvent) {
+	var slotID C.CK_ULONG
+	C.WaitForSlotEvent(c.ctx, C.CK_FLAGS(f), &slotID)
+	sl <- SlotEvent{uint(slotID)}
+	close(sl) // TODO(miek): Sending and then closing ...?
+}
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11.h b/vendor/github.com/miekg/pkcs11/pkcs11.h
new file mode 100644
index 000000000..0d78dd711
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11.h
@@ -0,0 +1,265 @@
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
+        
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 5 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 5 macros, the packing convention
+ * for Cryptoki structures should be set.  The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this.  You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h.
+ */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y)      x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKCS11_H_ */
+
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11f.h b/vendor/github.com/miekg/pkcs11/pkcs11f.h
new file mode 100644
index 000000000..ed90affc5
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11f.h
@@ -0,0 +1,939 @@
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
+        
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ */
+
+/* This header file contains pretty much everything about all the
+ * Cryptoki function prototypes.  Because this information is
+ * used for more than just declaring function prototypes, the
+ * order of the functions appearing herein is important, and
+ * should not be altered.
+ */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced
+                            */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list
+                                            */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID      slotID,    /* ID of the token's slot */
+  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
+  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ * signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation,
+ * returning the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ * cannot be recovered from the signature (e.g. DSA).
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template for pub. key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub. attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template for priv. key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.  attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub. key handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets priv. key handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur.
+ */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
+
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11go.h b/vendor/github.com/miekg/pkcs11/pkcs11go.h
new file mode 100644
index 000000000..1b98bad21
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11go.h
@@ -0,0 +1,33 @@
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+//
+
+#define CK_PTR *
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+#define CK_DEFINE_FUNCTION(returnType, name) returnType name
+#define CK_DECLARE_FUNCTION(returnType, name) returnType name
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
+#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
+
+#include <unistd.h>
+#ifdef PACKED_STRUCTURES
+# pragma pack(push, 1)
+# include "pkcs11.h"
+# pragma pack(pop)
+#else
+# include "pkcs11.h"
+#endif
+
+// Copy of CK_INFO but with default alignment (not packed). Go hides unaligned
+// struct fields so copying to an aligned struct is necessary to read CK_INFO
+// from Go on Windows where packing is required.
+typedef struct ckInfo {
+	CK_VERSION cryptokiVersion;
+	CK_UTF8CHAR manufacturerID[32];
+	CK_FLAGS flags;
+	CK_UTF8CHAR libraryDescription[32];
+	CK_VERSION libraryVersion;
+} ckInfo, *ckInfoPtr;
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11t.h b/vendor/github.com/miekg/pkcs11/pkcs11t.h
new file mode 100644
index 000000000..321c3075a
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11t.h
@@ -0,0 +1,2047 @@
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
+        
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file.
+ */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CRYPTOKI_VERSION_MAJOR          2
+#define CRYPTOKI_VERSION_MINOR          40
+#define CRYPTOKI_VERSION_AMENDMENT      0
+
+#define CK_TRUE         1
+#define CK_FALSE        0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION      (~0UL)
+#define CK_EFFECTIVELY_INFINITE         0UL
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session
+ * handle or object handle
+ */
+#define CK_INVALID_HANDLE       0UL
+
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application
+ */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER           0UL
+#define CKN_OTP_CHANGED         1UL
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001UL  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002UL  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004UL  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+  CK_UTF8CHAR   label[32];           /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_UTF8CHAR   model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning
+ */
+#define CKF_RNG                     0x00000001UL  /* has random # generator */
+#define CKF_WRITE_PROTECTED         0x00000002UL  /* token is write-protected */
+#define CKF_LOGIN_REQUIRED          0x00000004UL  /* user must login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008UL  /* normal user's PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state
+ */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020UL
+
+/* CKF_CLOCK_ON_TOKEN.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure
+ */
+#define CKF_CLOCK_ON_TOKEN          0x00000040UL
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself
+ */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
+
+/* CKF_DUAL_CRYPTO_OPERATIONS.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign)
+ */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200UL
+
+/* CKF_TOKEN_INITIALIZED. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized.
+ */
+#define CKF_TOKEN_INITIALIZED       0x00000400UL
+
+/* CKF_SECONDARY_AUTHENTICATION. If it is
+ * true, the token supports secondary authentication for
+ * private key objects.
+ */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800UL
+
+/* CKF_USER_PIN_COUNT_LOW. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication.
+ */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000UL
+
+/* CKF_USER_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect user PIN will it to become locked.
+ */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000UL
+
+/* CKF_USER_PIN_LOCKED. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible.
+ */
+#define CKF_USER_PIN_LOCKED          0x00040000UL
+
+/* CKF_USER_PIN_TO_BE_CHANGED. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card.
+ */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000UL
+
+/* CKF_SO_PIN_COUNT_LOW. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication.
+ */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000UL
+
+/* CKF_SO_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect SO PIN will it to become locked.
+ */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000UL
+
+/* CKF_SO_PIN_LOCKED. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED            0x00400000UL
+
+/* CKF_SO_PIN_TO_BE_CHANGED. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card.
+ */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000UL
+
+#define CKF_ERROR_STATE              0x01000000UL
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session
+ */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO                  0UL
+/* Normal user */
+#define CKU_USER                1UL
+/* Context specific */
+#define CKU_CONTEXT_SPECIFIC    2UL
+
+/* CK_STATE enumerates the session states */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION   0UL
+#define CKS_RO_USER_FUNCTIONS   1UL
+#define CKS_RW_PUBLIC_SESSION   2UL
+#define CKS_RW_USER_FUNCTIONS   3UL
+#define CKS_RW_SO_FUNCTIONS     4UL
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002UL /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004UL /* no parallel    */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object
+ */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes.  It is defined
+ * as follows:
+ */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+#define CKO_DATA              0x00000000UL
+#define CKO_CERTIFICATE       0x00000001UL
+#define CKO_PUBLIC_KEY        0x00000002UL
+#define CKO_PRIVATE_KEY       0x00000003UL
+#define CKO_SECRET_KEY        0x00000004UL
+#define CKO_HW_FEATURE        0x00000005UL
+#define CKO_DOMAIN_PARAMETERS 0x00000006UL
+#define CKO_MECHANISM         0x00000007UL
+#define CKO_OTP_KEY           0x00000008UL
+
+#define CKO_VENDOR_DEFINED    0x80000000UL
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type
+ * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE.
+ */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+#define CKH_MONOTONIC_COUNTER  0x00000001UL
+#define CKH_CLOCK              0x00000002UL
+#define CKH_USER_INTERFACE     0x00000003UL
+#define CKH_VENDOR_DEFINED     0x80000000UL
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA                 0x00000000UL
+#define CKK_DSA                 0x00000001UL
+#define CKK_DH                  0x00000002UL
+#define CKK_ECDSA               0x00000003UL /* Deprecated */
+#define CKK_EC                  0x00000003UL
+#define CKK_X9_42_DH            0x00000004UL
+#define CKK_KEA                 0x00000005UL
+#define CKK_GENERIC_SECRET      0x00000010UL
+#define CKK_RC2                 0x00000011UL
+#define CKK_RC4                 0x00000012UL
+#define CKK_DES                 0x00000013UL
+#define CKK_DES2                0x00000014UL
+#define CKK_DES3                0x00000015UL
+#define CKK_CAST                0x00000016UL
+#define CKK_CAST3               0x00000017UL
+#define CKK_CAST5               0x00000018UL /* Deprecated */
+#define CKK_CAST128             0x00000018UL
+#define CKK_RC5                 0x00000019UL
+#define CKK_IDEA                0x0000001AUL
+#define CKK_SKIPJACK            0x0000001BUL
+#define CKK_BATON               0x0000001CUL
+#define CKK_JUNIPER             0x0000001DUL
+#define CKK_CDMF                0x0000001EUL
+#define CKK_AES                 0x0000001FUL
+#define CKK_BLOWFISH            0x00000020UL
+#define CKK_TWOFISH             0x00000021UL
+#define CKK_SECURID             0x00000022UL
+#define CKK_HOTP                0x00000023UL
+#define CKK_ACTI                0x00000024UL
+#define CKK_CAMELLIA            0x00000025UL
+#define CKK_ARIA                0x00000026UL
+
+#define CKK_MD5_HMAC            0x00000027UL
+#define CKK_SHA_1_HMAC          0x00000028UL
+#define CKK_RIPEMD128_HMAC      0x00000029UL
+#define CKK_RIPEMD160_HMAC      0x0000002AUL
+#define CKK_SHA256_HMAC         0x0000002BUL
+#define CKK_SHA384_HMAC         0x0000002CUL
+#define CKK_SHA512_HMAC         0x0000002DUL
+#define CKK_SHA224_HMAC         0x0000002EUL
+
+#define CKK_SEED                0x0000002FUL
+#define CKK_GOSTR3410           0x00000030UL
+#define CKK_GOSTR3411           0x00000031UL
+#define CKK_GOST28147           0x00000032UL
+
+#define CKK_SHA3_224_HMAC       0x00000033UL
+#define CKK_SHA3_256_HMAC       0x00000034UL
+#define CKK_SHA3_384_HMAC       0x00000035UL
+#define CKK_SHA3_512_HMAC       0x00000036UL
+
+
+
+#define CKK_VENDOR_DEFINED      0x80000000UL
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type
+ */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED     0UL
+#define CK_CERTIFICATE_CATEGORY_TOKEN_USER      1UL
+#define CK_CERTIFICATE_CATEGORY_AUTHORITY       2UL
+#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY    3UL
+
+#define CK_SECURITY_DOMAIN_UNSPECIFIED     0UL
+#define CK_SECURITY_DOMAIN_MANUFACTURER    1UL
+#define CK_SECURITY_DOMAIN_OPERATOR        2UL
+#define CK_SECURITY_DOMAIN_THIRD_PARTY     3UL
+
+
+/* The following certificate types are defined: */
+#define CKC_X_509               0x00000000UL
+#define CKC_X_509_ATTR_CERT     0x00000001UL
+#define CKC_WTLS                0x00000002UL
+#define CKC_VENDOR_DEFINED      0x80000000UL
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type
+ */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+ * consists of an array of values.
+ */
+#define CKF_ARRAY_ATTRIBUTE     0x40000000UL
+
+/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */
+#define CK_OTP_FORMAT_DECIMAL           0UL
+#define CK_OTP_FORMAT_HEXADECIMAL       1UL
+#define CK_OTP_FORMAT_ALPHANUMERIC      2UL
+#define CK_OTP_FORMAT_BINARY            3UL
+
+/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT
+ * attributes
+ */
+#define CK_OTP_PARAM_IGNORED            0UL
+#define CK_OTP_PARAM_OPTIONAL           1UL
+#define CK_OTP_PARAM_MANDATORY          2UL
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000UL
+#define CKA_TOKEN              0x00000001UL
+#define CKA_PRIVATE            0x00000002UL
+#define CKA_LABEL              0x00000003UL
+#define CKA_APPLICATION        0x00000010UL
+#define CKA_VALUE              0x00000011UL
+#define CKA_OBJECT_ID          0x00000012UL
+#define CKA_CERTIFICATE_TYPE   0x00000080UL
+#define CKA_ISSUER             0x00000081UL
+#define CKA_SERIAL_NUMBER      0x00000082UL
+#define CKA_AC_ISSUER          0x00000083UL
+#define CKA_OWNER              0x00000084UL
+#define CKA_ATTR_TYPES         0x00000085UL
+#define CKA_TRUSTED            0x00000086UL
+#define CKA_CERTIFICATE_CATEGORY        0x00000087UL
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088UL
+#define CKA_URL                         0x00000089UL
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008AUL
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008BUL
+#define CKA_NAME_HASH_ALGORITHM         0x0000008CUL
+#define CKA_CHECK_VALUE                 0x00000090UL
+
+#define CKA_KEY_TYPE           0x00000100UL
+#define CKA_SUBJECT            0x00000101UL
+#define CKA_ID                 0x00000102UL
+#define CKA_SENSITIVE          0x00000103UL
+#define CKA_ENCRYPT            0x00000104UL
+#define CKA_DECRYPT            0x00000105UL
+#define CKA_WRAP               0x00000106UL
+#define CKA_UNWRAP             0x00000107UL
+#define CKA_SIGN               0x00000108UL
+#define CKA_SIGN_RECOVER       0x00000109UL
+#define CKA_VERIFY             0x0000010AUL
+#define CKA_VERIFY_RECOVER     0x0000010BUL
+#define CKA_DERIVE             0x0000010CUL
+#define CKA_START_DATE         0x00000110UL
+#define CKA_END_DATE           0x00000111UL
+#define CKA_MODULUS            0x00000120UL
+#define CKA_MODULUS_BITS       0x00000121UL
+#define CKA_PUBLIC_EXPONENT    0x00000122UL
+#define CKA_PRIVATE_EXPONENT   0x00000123UL
+#define CKA_PRIME_1            0x00000124UL
+#define CKA_PRIME_2            0x00000125UL
+#define CKA_EXPONENT_1         0x00000126UL
+#define CKA_EXPONENT_2         0x00000127UL
+#define CKA_COEFFICIENT        0x00000128UL
+#define CKA_PUBLIC_KEY_INFO    0x00000129UL
+#define CKA_PRIME              0x00000130UL
+#define CKA_SUBPRIME           0x00000131UL
+#define CKA_BASE               0x00000132UL
+
+#define CKA_PRIME_BITS         0x00000133UL
+#define CKA_SUBPRIME_BITS      0x00000134UL
+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
+
+#define CKA_VALUE_BITS         0x00000160UL
+#define CKA_VALUE_LEN          0x00000161UL
+#define CKA_EXTRACTABLE        0x00000162UL
+#define CKA_LOCAL              0x00000163UL
+#define CKA_NEVER_EXTRACTABLE  0x00000164UL
+#define CKA_ALWAYS_SENSITIVE   0x00000165UL
+#define CKA_KEY_GEN_MECHANISM  0x00000166UL
+
+#define CKA_MODIFIABLE         0x00000170UL
+#define CKA_COPYABLE           0x00000171UL
+
+#define CKA_DESTROYABLE        0x00000172UL
+
+#define CKA_ECDSA_PARAMS       0x00000180UL /* Deprecated */
+#define CKA_EC_PARAMS          0x00000180UL
+
+#define CKA_EC_POINT           0x00000181UL
+
+#define CKA_SECONDARY_AUTH     0x00000200UL /* Deprecated */
+#define CKA_AUTH_PIN_FLAGS     0x00000201UL /* Deprecated */
+
+#define CKA_ALWAYS_AUTHENTICATE  0x00000202UL
+
+#define CKA_WRAP_WITH_TRUSTED    0x00000210UL
+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212UL)
+#define CKA_DERIVE_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000213UL)
+
+#define CKA_OTP_FORMAT                0x00000220UL
+#define CKA_OTP_LENGTH                0x00000221UL
+#define CKA_OTP_TIME_INTERVAL         0x00000222UL
+#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223UL
+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL
+#define CKA_OTP_TIME_REQUIREMENT      0x00000225UL
+#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226UL
+#define CKA_OTP_PIN_REQUIREMENT       0x00000227UL
+#define CKA_OTP_COUNTER               0x0000022EUL
+#define CKA_OTP_TIME                  0x0000022FUL
+#define CKA_OTP_USER_IDENTIFIER       0x0000022AUL
+#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022BUL
+#define CKA_OTP_SERVICE_LOGO          0x0000022CUL
+#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022DUL
+
+#define CKA_GOSTR3410_PARAMS            0x00000250UL
+#define CKA_GOSTR3411_PARAMS            0x00000251UL
+#define CKA_GOST28147_PARAMS            0x00000252UL
+
+#define CKA_HW_FEATURE_TYPE             0x00000300UL
+#define CKA_RESET_ON_INIT               0x00000301UL
+#define CKA_HAS_RESET                   0x00000302UL
+
+#define CKA_PIXEL_X                     0x00000400UL
+#define CKA_PIXEL_Y                     0x00000401UL
+#define CKA_RESOLUTION                  0x00000402UL
+#define CKA_CHAR_ROWS                   0x00000403UL
+#define CKA_CHAR_COLUMNS                0x00000404UL
+#define CKA_COLOR                       0x00000405UL
+#define CKA_BITS_PER_PIXEL              0x00000406UL
+#define CKA_CHAR_SETS                   0x00000480UL
+#define CKA_ENCODING_METHODS            0x00000481UL
+#define CKA_MIME_TYPES                  0x00000482UL
+#define CKA_MECHANISM_TYPE              0x00000500UL
+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501UL
+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502UL
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503UL
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600UL)
+
+#define CKA_VENDOR_DEFINED              0x80000000UL
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute
+ */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type
+ */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000UL
+#define CKM_RSA_PKCS                   0x00000001UL
+#define CKM_RSA_9796                   0x00000002UL
+#define CKM_RSA_X_509                  0x00000003UL
+
+#define CKM_MD2_RSA_PKCS               0x00000004UL
+#define CKM_MD5_RSA_PKCS               0x00000005UL
+#define CKM_SHA1_RSA_PKCS              0x00000006UL
+
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007UL
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008UL
+#define CKM_RSA_PKCS_OAEP              0x00000009UL
+
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000AUL
+#define CKM_RSA_X9_31                  0x0000000BUL
+#define CKM_SHA1_RSA_X9_31             0x0000000CUL
+#define CKM_RSA_PKCS_PSS               0x0000000DUL
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000EUL
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010UL
+#define CKM_DSA                        0x00000011UL
+#define CKM_DSA_SHA1                   0x00000012UL
+#define CKM_DSA_SHA224                 0x00000013UL
+#define CKM_DSA_SHA256                 0x00000014UL
+#define CKM_DSA_SHA384                 0x00000015UL
+#define CKM_DSA_SHA512                 0x00000016UL
+#define CKM_DSA_SHA3_224               0x00000018UL
+#define CKM_DSA_SHA3_256               0x00000019UL
+#define CKM_DSA_SHA3_384               0x0000001AUL
+#define CKM_DSA_SHA3_512               0x0000001BUL
+
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020UL
+#define CKM_DH_PKCS_DERIVE             0x00000021UL
+
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030UL
+#define CKM_X9_42_DH_DERIVE            0x00000031UL
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032UL
+#define CKM_X9_42_MQV_DERIVE           0x00000033UL
+
+#define CKM_SHA256_RSA_PKCS            0x00000040UL
+#define CKM_SHA384_RSA_PKCS            0x00000041UL
+#define CKM_SHA512_RSA_PKCS            0x00000042UL
+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043UL
+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044UL
+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045UL
+
+#define CKM_SHA224_RSA_PKCS            0x00000046UL
+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047UL
+
+#define CKM_SHA512_224                 0x00000048UL
+#define CKM_SHA512_224_HMAC            0x00000049UL
+#define CKM_SHA512_224_HMAC_GENERAL    0x0000004AUL
+#define CKM_SHA512_224_KEY_DERIVATION  0x0000004BUL
+#define CKM_SHA512_256                 0x0000004CUL
+#define CKM_SHA512_256_HMAC            0x0000004DUL
+#define CKM_SHA512_256_HMAC_GENERAL    0x0000004EUL
+#define CKM_SHA512_256_KEY_DERIVATION  0x0000004FUL
+
+#define CKM_SHA512_T                   0x00000050UL
+#define CKM_SHA512_T_HMAC              0x00000051UL
+#define CKM_SHA512_T_HMAC_GENERAL      0x00000052UL
+#define CKM_SHA512_T_KEY_DERIVATION    0x00000053UL
+
+#define CKM_SHA3_256_RSA_PKCS          0x00000060UL
+#define CKM_SHA3_384_RSA_PKCS          0x00000061UL
+#define CKM_SHA3_512_RSA_PKCS          0x00000062UL
+#define CKM_SHA3_256_RSA_PKCS_PSS      0x00000063UL
+#define CKM_SHA3_384_RSA_PKCS_PSS      0x00000064UL
+#define CKM_SHA3_512_RSA_PKCS_PSS      0x00000065UL
+#define CKM_SHA3_224_RSA_PKCS          0x00000066UL
+#define CKM_SHA3_224_RSA_PKCS_PSS      0x00000067UL
+
+#define CKM_RC2_KEY_GEN                0x00000100UL
+#define CKM_RC2_ECB                    0x00000101UL
+#define CKM_RC2_CBC                    0x00000102UL
+#define CKM_RC2_MAC                    0x00000103UL
+
+#define CKM_RC2_MAC_GENERAL            0x00000104UL
+#define CKM_RC2_CBC_PAD                0x00000105UL
+
+#define CKM_RC4_KEY_GEN                0x00000110UL
+#define CKM_RC4                        0x00000111UL
+#define CKM_DES_KEY_GEN                0x00000120UL
+#define CKM_DES_ECB                    0x00000121UL
+#define CKM_DES_CBC                    0x00000122UL
+#define CKM_DES_MAC                    0x00000123UL
+
+#define CKM_DES_MAC_GENERAL            0x00000124UL
+#define CKM_DES_CBC_PAD                0x00000125UL
+
+#define CKM_DES2_KEY_GEN               0x00000130UL
+#define CKM_DES3_KEY_GEN               0x00000131UL
+#define CKM_DES3_ECB                   0x00000132UL
+#define CKM_DES3_CBC                   0x00000133UL
+#define CKM_DES3_MAC                   0x00000134UL
+
+#define CKM_DES3_MAC_GENERAL           0x00000135UL
+#define CKM_DES3_CBC_PAD               0x00000136UL
+#define CKM_DES3_CMAC_GENERAL          0x00000137UL
+#define CKM_DES3_CMAC                  0x00000138UL
+#define CKM_CDMF_KEY_GEN               0x00000140UL
+#define CKM_CDMF_ECB                   0x00000141UL
+#define CKM_CDMF_CBC                   0x00000142UL
+#define CKM_CDMF_MAC                   0x00000143UL
+#define CKM_CDMF_MAC_GENERAL           0x00000144UL
+#define CKM_CDMF_CBC_PAD               0x00000145UL
+
+#define CKM_DES_OFB64                  0x00000150UL
+#define CKM_DES_OFB8                   0x00000151UL
+#define CKM_DES_CFB64                  0x00000152UL
+#define CKM_DES_CFB8                   0x00000153UL
+
+#define CKM_MD2                        0x00000200UL
+
+#define CKM_MD2_HMAC                   0x00000201UL
+#define CKM_MD2_HMAC_GENERAL           0x00000202UL
+
+#define CKM_MD5                        0x00000210UL
+
+#define CKM_MD5_HMAC                   0x00000211UL
+#define CKM_MD5_HMAC_GENERAL           0x00000212UL
+
+#define CKM_SHA_1                      0x00000220UL
+
+#define CKM_SHA_1_HMAC                 0x00000221UL
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222UL
+
+#define CKM_RIPEMD128                  0x00000230UL
+#define CKM_RIPEMD128_HMAC             0x00000231UL
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232UL
+#define CKM_RIPEMD160                  0x00000240UL
+#define CKM_RIPEMD160_HMAC             0x00000241UL
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242UL
+
+#define CKM_SHA256                     0x00000250UL
+#define CKM_SHA256_HMAC                0x00000251UL
+#define CKM_SHA256_HMAC_GENERAL        0x00000252UL
+#define CKM_SHA224                     0x00000255UL
+#define CKM_SHA224_HMAC                0x00000256UL
+#define CKM_SHA224_HMAC_GENERAL        0x00000257UL
+#define CKM_SHA384                     0x00000260UL
+#define CKM_SHA384_HMAC                0x00000261UL
+#define CKM_SHA384_HMAC_GENERAL        0x00000262UL
+#define CKM_SHA512                     0x00000270UL
+#define CKM_SHA512_HMAC                0x00000271UL
+#define CKM_SHA512_HMAC_GENERAL        0x00000272UL
+#define CKM_SECURID_KEY_GEN            0x00000280UL
+#define CKM_SECURID                    0x00000282UL
+#define CKM_HOTP_KEY_GEN               0x00000290UL
+#define CKM_HOTP                       0x00000291UL
+#define CKM_ACTI                       0x000002A0UL
+#define CKM_ACTI_KEY_GEN               0x000002A1UL
+
+#define CKM_SHA3_256                   0x000002B0UL
+#define CKM_SHA3_256_HMAC              0x000002B1UL
+#define CKM_SHA3_256_HMAC_GENERAL      0x000002B2UL
+#define CKM_SHA3_256_KEY_GEN           0x000002B3UL
+#define CKM_SHA3_224                   0x000002B5UL
+#define CKM_SHA3_224_HMAC              0x000002B6UL
+#define CKM_SHA3_224_HMAC_GENERAL      0x000002B7UL
+#define CKM_SHA3_224_KEY_GEN           0x000002B8UL
+#define CKM_SHA3_384                   0x000002C0UL
+#define CKM_SHA3_384_HMAC              0x000002C1UL
+#define CKM_SHA3_384_HMAC_GENERAL      0x000002C2UL
+#define CKM_SHA3_384_KEY_GEN           0x000002C3UL
+#define CKM_SHA3_512                   0x000002D0UL
+#define CKM_SHA3_512_HMAC              0x000002D1UL
+#define CKM_SHA3_512_HMAC_GENERAL      0x000002D2UL
+#define CKM_SHA3_512_KEY_GEN           0x000002D3UL
+
+#define CKM_CAST_KEY_GEN               0x00000300UL
+#define CKM_CAST_ECB                   0x00000301UL
+#define CKM_CAST_CBC                   0x00000302UL
+#define CKM_CAST_MAC                   0x00000303UL
+#define CKM_CAST_MAC_GENERAL           0x00000304UL
+#define CKM_CAST_CBC_PAD               0x00000305UL
+#define CKM_CAST3_KEY_GEN              0x00000310UL
+#define CKM_CAST3_ECB                  0x00000311UL
+#define CKM_CAST3_CBC                  0x00000312UL
+#define CKM_CAST3_MAC                  0x00000313UL
+#define CKM_CAST3_MAC_GENERAL          0x00000314UL
+#define CKM_CAST3_CBC_PAD              0x00000315UL
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST5_KEY_GEN              0x00000320UL
+#define CKM_CAST128_KEY_GEN            0x00000320UL
+#define CKM_CAST5_ECB                  0x00000321UL
+#define CKM_CAST128_ECB                0x00000321UL
+#define CKM_CAST5_CBC                  0x00000322UL /* Deprecated */
+#define CKM_CAST128_CBC                0x00000322UL
+#define CKM_CAST5_MAC                  0x00000323UL /* Deprecated */
+#define CKM_CAST128_MAC                0x00000323UL
+#define CKM_CAST5_MAC_GENERAL          0x00000324UL /* Deprecated */
+#define CKM_CAST128_MAC_GENERAL        0x00000324UL
+#define CKM_CAST5_CBC_PAD              0x00000325UL /* Deprecated */
+#define CKM_CAST128_CBC_PAD            0x00000325UL
+#define CKM_RC5_KEY_GEN                0x00000330UL
+#define CKM_RC5_ECB                    0x00000331UL
+#define CKM_RC5_CBC                    0x00000332UL
+#define CKM_RC5_MAC                    0x00000333UL
+#define CKM_RC5_MAC_GENERAL            0x00000334UL
+#define CKM_RC5_CBC_PAD                0x00000335UL
+#define CKM_IDEA_KEY_GEN               0x00000340UL
+#define CKM_IDEA_ECB                   0x00000341UL
+#define CKM_IDEA_CBC                   0x00000342UL
+#define CKM_IDEA_MAC                   0x00000343UL
+#define CKM_IDEA_MAC_GENERAL           0x00000344UL
+#define CKM_IDEA_CBC_PAD               0x00000345UL
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350UL
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360UL
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362UL
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363UL
+#define CKM_XOR_BASE_AND_DATA          0x00000364UL
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365UL
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370UL
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371UL
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372UL
+
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373UL
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374UL
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375UL
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376UL
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377UL
+
+#define CKM_TLS_PRF                    0x00000378UL
+
+#define CKM_SSL3_MD5_MAC               0x00000380UL
+#define CKM_SSL3_SHA1_MAC              0x00000381UL
+#define CKM_MD5_KEY_DERIVATION         0x00000390UL
+#define CKM_MD2_KEY_DERIVATION         0x00000391UL
+#define CKM_SHA1_KEY_DERIVATION        0x00000392UL
+
+#define CKM_SHA256_KEY_DERIVATION      0x00000393UL
+#define CKM_SHA384_KEY_DERIVATION      0x00000394UL
+#define CKM_SHA512_KEY_DERIVATION      0x00000395UL
+#define CKM_SHA224_KEY_DERIVATION      0x00000396UL
+#define CKM_SHA3_256_KEY_DERIVE        0x00000397UL
+#define CKM_SHA3_224_KEY_DERIVE        0x00000398UL
+#define CKM_SHA3_384_KEY_DERIVE        0x00000399UL
+#define CKM_SHA3_512_KEY_DERIVE        0x0000039AUL
+#define CKM_SHAKE_128_KEY_DERIVE       0x0000039BUL
+#define CKM_SHAKE_256_KEY_DERIVE       0x0000039CUL
+
+#define CKM_PBE_MD2_DES_CBC            0x000003A0UL
+#define CKM_PBE_MD5_DES_CBC            0x000003A1UL
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2UL
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3UL
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4UL /* Deprecated */
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4UL
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5UL /* Deprecated */
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5UL
+#define CKM_PBE_SHA1_RC4_128           0x000003A6UL
+#define CKM_PBE_SHA1_RC4_40            0x000003A7UL
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8UL
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9UL
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AAUL
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003ABUL
+
+#define CKM_PKCS5_PBKD2                0x000003B0UL
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0UL
+
+#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0UL
+#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1UL
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2UL
+#define CKM_WTLS_PRF                        0x000003D3UL
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4UL
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5UL
+
+#define CKM_TLS10_MAC_SERVER                0x000003D6UL
+#define CKM_TLS10_MAC_CLIENT                0x000003D7UL
+#define CKM_TLS12_MAC                       0x000003D8UL
+#define CKM_TLS12_KDF                       0x000003D9UL
+#define CKM_TLS12_MASTER_KEY_DERIVE         0x000003E0UL
+#define CKM_TLS12_KEY_AND_MAC_DERIVE        0x000003E1UL
+#define CKM_TLS12_MASTER_KEY_DERIVE_DH      0x000003E2UL
+#define CKM_TLS12_KEY_SAFE_DERIVE           0x000003E3UL
+#define CKM_TLS_MAC                         0x000003E4UL
+#define CKM_TLS_KDF                         0x000003E5UL
+
+#define CKM_KEY_WRAP_LYNKS             0x00000400UL
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401UL
+
+#define CKM_CMS_SIG                    0x00000500UL
+#define CKM_KIP_DERIVE                 0x00000510UL
+#define CKM_KIP_WRAP                   0x00000511UL
+#define CKM_KIP_MAC                    0x00000512UL
+
+#define CKM_CAMELLIA_KEY_GEN           0x00000550UL
+#define CKM_CAMELLIA_ECB               0x00000551UL
+#define CKM_CAMELLIA_CBC               0x00000552UL
+#define CKM_CAMELLIA_MAC               0x00000553UL
+#define CKM_CAMELLIA_MAC_GENERAL       0x00000554UL
+#define CKM_CAMELLIA_CBC_PAD           0x00000555UL
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556UL
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557UL
+#define CKM_CAMELLIA_CTR               0x00000558UL
+
+#define CKM_ARIA_KEY_GEN               0x00000560UL
+#define CKM_ARIA_ECB                   0x00000561UL
+#define CKM_ARIA_CBC                   0x00000562UL
+#define CKM_ARIA_MAC                   0x00000563UL
+#define CKM_ARIA_MAC_GENERAL           0x00000564UL
+#define CKM_ARIA_CBC_PAD               0x00000565UL
+#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566UL
+#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567UL
+
+#define CKM_SEED_KEY_GEN               0x00000650UL
+#define CKM_SEED_ECB                   0x00000651UL
+#define CKM_SEED_CBC                   0x00000652UL
+#define CKM_SEED_MAC                   0x00000653UL
+#define CKM_SEED_MAC_GENERAL           0x00000654UL
+#define CKM_SEED_CBC_PAD               0x00000655UL
+#define CKM_SEED_ECB_ENCRYPT_DATA      0x00000656UL
+#define CKM_SEED_CBC_ENCRYPT_DATA      0x00000657UL
+
+#define CKM_SKIPJACK_KEY_GEN           0x00001000UL
+#define CKM_SKIPJACK_ECB64             0x00001001UL
+#define CKM_SKIPJACK_CBC64             0x00001002UL
+#define CKM_SKIPJACK_OFB64             0x00001003UL
+#define CKM_SKIPJACK_CFB64             0x00001004UL
+#define CKM_SKIPJACK_CFB32             0x00001005UL
+#define CKM_SKIPJACK_CFB16             0x00001006UL
+#define CKM_SKIPJACK_CFB8              0x00001007UL
+#define CKM_SKIPJACK_WRAP              0x00001008UL
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009UL
+#define CKM_SKIPJACK_RELAYX            0x0000100aUL
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010UL
+#define CKM_KEA_KEY_DERIVE             0x00001011UL
+#define CKM_KEA_DERIVE                 0x00001012UL
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020UL
+#define CKM_BATON_KEY_GEN              0x00001030UL
+#define CKM_BATON_ECB128               0x00001031UL
+#define CKM_BATON_ECB96                0x00001032UL
+#define CKM_BATON_CBC128               0x00001033UL
+#define CKM_BATON_COUNTER              0x00001034UL
+#define CKM_BATON_SHUFFLE              0x00001035UL
+#define CKM_BATON_WRAP                 0x00001036UL
+
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040UL /* Deprecated */
+#define CKM_EC_KEY_PAIR_GEN            0x00001040UL
+
+#define CKM_ECDSA                      0x00001041UL
+#define CKM_ECDSA_SHA1                 0x00001042UL
+#define CKM_ECDSA_SHA224               0x00001043UL
+#define CKM_ECDSA_SHA256               0x00001044UL
+#define CKM_ECDSA_SHA384               0x00001045UL
+#define CKM_ECDSA_SHA512               0x00001046UL
+
+#define CKM_ECDH1_DERIVE               0x00001050UL
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051UL
+#define CKM_ECMQV_DERIVE               0x00001052UL
+
+#define CKM_ECDH_AES_KEY_WRAP          0x00001053UL
+#define CKM_RSA_AES_KEY_WRAP           0x00001054UL
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060UL
+#define CKM_JUNIPER_ECB128             0x00001061UL
+#define CKM_JUNIPER_CBC128             0x00001062UL
+#define CKM_JUNIPER_COUNTER            0x00001063UL
+#define CKM_JUNIPER_SHUFFLE            0x00001064UL
+#define CKM_JUNIPER_WRAP               0x00001065UL
+#define CKM_FASTHASH                   0x00001070UL
+
+#define CKM_AES_KEY_GEN                0x00001080UL
+#define CKM_AES_ECB                    0x00001081UL
+#define CKM_AES_CBC                    0x00001082UL
+#define CKM_AES_MAC                    0x00001083UL
+#define CKM_AES_MAC_GENERAL            0x00001084UL
+#define CKM_AES_CBC_PAD                0x00001085UL
+#define CKM_AES_CTR                    0x00001086UL
+#define CKM_AES_GCM                    0x00001087UL
+#define CKM_AES_CCM                    0x00001088UL
+#define CKM_AES_CTS                    0x00001089UL
+#define CKM_AES_CMAC                   0x0000108AUL
+#define CKM_AES_CMAC_GENERAL           0x0000108BUL
+
+#define CKM_AES_XCBC_MAC               0x0000108CUL
+#define CKM_AES_XCBC_MAC_96            0x0000108DUL
+#define CKM_AES_GMAC                   0x0000108EUL
+
+#define CKM_BLOWFISH_KEY_GEN           0x00001090UL
+#define CKM_BLOWFISH_CBC               0x00001091UL
+#define CKM_TWOFISH_KEY_GEN            0x00001092UL
+#define CKM_TWOFISH_CBC                0x00001093UL
+#define CKM_BLOWFISH_CBC_PAD           0x00001094UL
+#define CKM_TWOFISH_CBC_PAD            0x00001095UL
+
+#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100UL
+#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101UL
+#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102UL
+#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103UL
+#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104UL
+#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105UL
+
+#define CKM_GOSTR3410_KEY_PAIR_GEN     0x00001200UL
+#define CKM_GOSTR3410                  0x00001201UL
+#define CKM_GOSTR3410_WITH_GOSTR3411   0x00001202UL
+#define CKM_GOSTR3410_KEY_WRAP         0x00001203UL
+#define CKM_GOSTR3410_DERIVE           0x00001204UL
+#define CKM_GOSTR3411                  0x00001210UL
+#define CKM_GOSTR3411_HMAC             0x00001211UL
+#define CKM_GOST28147_KEY_GEN          0x00001220UL
+#define CKM_GOST28147_ECB              0x00001221UL
+#define CKM_GOST28147                  0x00001222UL
+#define CKM_GOST28147_MAC              0x00001223UL
+#define CKM_GOST28147_KEY_WRAP         0x00001224UL
+
+#define CKM_DSA_PARAMETER_GEN          0x00002000UL
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001UL
+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002UL
+#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN    0x00002003UL
+#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN    0x00002004UL
+
+#define CKM_AES_OFB                    0x00002104UL
+#define CKM_AES_CFB64                  0x00002105UL
+#define CKM_AES_CFB8                   0x00002106UL
+#define CKM_AES_CFB128                 0x00002107UL
+
+#define CKM_AES_CFB1                   0x00002108UL
+#define CKM_AES_KEY_WRAP               0x00002109UL     /* WAS: 0x00001090 */
+#define CKM_AES_KEY_WRAP_PAD           0x0000210AUL     /* WAS: 0x00001091 */
+
+#define CKM_RSA_PKCS_TPM_1_1           0x00004001UL
+#define CKM_RSA_PKCS_OAEP_TPM_1_1      0x00004002UL
+
+#define CKM_VENDOR_DEFINED             0x80000000UL
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism
+ */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism
+ */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask          Meaning */
+#define CKF_HW                 0x00000001UL  /* performed by HW */
+
+/* Specify whether or not a mechanism can be used for a particular task */
+#define CKF_ENCRYPT            0x00000100UL
+#define CKF_DECRYPT            0x00000200UL
+#define CKF_DIGEST             0x00000400UL
+#define CKF_SIGN               0x00000800UL
+#define CKF_SIGN_RECOVER       0x00001000UL
+#define CKF_VERIFY             0x00002000UL
+#define CKF_VERIFY_RECOVER     0x00004000UL
+#define CKF_GENERATE           0x00008000UL
+#define CKF_GENERATE_KEY_PAIR  0x00010000UL
+#define CKF_WRAP               0x00020000UL
+#define CKF_UNWRAP             0x00040000UL
+#define CKF_DERIVE             0x00080000UL
+
+/* Describe a token's EC capabilities not available in mechanism
+ * information.
+ */
+#define CKF_EC_F_P             0x00100000UL
+#define CKF_EC_F_2M            0x00200000UL
+#define CKF_EC_ECPARAMETERS    0x00400000UL
+#define CKF_EC_NAMEDCURVE      0x00800000UL
+#define CKF_EC_UNCOMPRESS      0x01000000UL
+#define CKF_EC_COMPRESS        0x02000000UL
+
+#define CKF_EXTENSION          0x80000000UL
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function
+ */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000UL
+#define CKR_CANCEL                            0x00000001UL
+#define CKR_HOST_MEMORY                       0x00000002UL
+#define CKR_SLOT_ID_INVALID                   0x00000003UL
+
+#define CKR_GENERAL_ERROR                     0x00000005UL
+#define CKR_FUNCTION_FAILED                   0x00000006UL
+
+#define CKR_ARGUMENTS_BAD                     0x00000007UL
+#define CKR_NO_EVENT                          0x00000008UL
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009UL
+#define CKR_CANT_LOCK                         0x0000000AUL
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010UL
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011UL
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012UL
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013UL
+
+#define CKR_ACTION_PROHIBITED                 0x0000001BUL
+
+#define CKR_DATA_INVALID                      0x00000020UL
+#define CKR_DATA_LEN_RANGE                    0x00000021UL
+#define CKR_DEVICE_ERROR                      0x00000030UL
+#define CKR_DEVICE_MEMORY                     0x00000031UL
+#define CKR_DEVICE_REMOVED                    0x00000032UL
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040UL
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041UL
+#define CKR_FUNCTION_CANCELED                 0x00000050UL
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051UL
+
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054UL
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060UL
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062UL
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063UL
+
+#define CKR_KEY_NOT_NEEDED                    0x00000064UL
+#define CKR_KEY_CHANGED                       0x00000065UL
+#define CKR_KEY_NEEDED                        0x00000066UL
+#define CKR_KEY_INDIGESTIBLE                  0x00000067UL
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068UL
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069UL
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006AUL
+
+#define CKR_MECHANISM_INVALID                 0x00000070UL
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071UL
+
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082UL
+#define CKR_OPERATION_ACTIVE                  0x00000090UL
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091UL
+#define CKR_PIN_INCORRECT                     0x000000A0UL
+#define CKR_PIN_INVALID                       0x000000A1UL
+#define CKR_PIN_LEN_RANGE                     0x000000A2UL
+
+#define CKR_PIN_EXPIRED                       0x000000A3UL
+#define CKR_PIN_LOCKED                        0x000000A4UL
+
+#define CKR_SESSION_CLOSED                    0x000000B0UL
+#define CKR_SESSION_COUNT                     0x000000B1UL
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3UL
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4UL
+#define CKR_SESSION_READ_ONLY                 0x000000B5UL
+#define CKR_SESSION_EXISTS                    0x000000B6UL
+
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7UL
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8UL
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0UL
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1UL
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0UL
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1UL
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0UL
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1UL
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2UL
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0UL
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1UL
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2UL
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100UL
+#define CKR_USER_NOT_LOGGED_IN                0x00000101UL
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102UL
+#define CKR_USER_TYPE_INVALID                 0x00000103UL
+
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104UL
+#define CKR_USER_TOO_MANY_TYPES               0x00000105UL
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110UL
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112UL
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113UL
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114UL
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115UL
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120UL
+
+#define CKR_RANDOM_NO_RNG                     0x00000121UL
+
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130UL
+
+#define CKR_CURVE_NOT_SUPPORTED               0x00000140UL
+
+#define CKR_BUFFER_TOO_SMALL                  0x00000150UL
+#define CKR_SAVED_STATE_INVALID               0x00000160UL
+#define CKR_INFORMATION_SENSITIVE             0x00000170UL
+#define CKR_STATE_UNSAVEABLE                  0x00000180UL
+
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190UL
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191UL
+#define CKR_MUTEX_BAD                         0x000001A0UL
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1UL
+
+#define CKR_NEW_PIN_MODE                      0x000001B0UL
+#define CKR_NEXT_OTP                          0x000001B1UL
+
+#define CKR_EXCEEDED_MAX_ITERATIONS           0x000001B5UL
+#define CKR_FIPS_SELF_TEST_FAILED             0x000001B6UL
+#define CKR_LIBRARY_LOAD_FAILED               0x000001B7UL
+#define CKR_PIN_TOO_WEAK                      0x000001B8UL
+#define CKR_PUBLIC_KEY_INVALID                0x000001B9UL
+
+#define CKR_FUNCTION_REJECTED                 0x00000200UL
+
+#define CKR_VENDOR_DEFINED                    0x80000000UL
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions
+ */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize
+ */
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL
+#define CKF_OS_LOCKING_OK                  0x00000002UL
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_RSA_PKCS_MGF_TYPE  is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme.
+ */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+#define CKG_MGF1_SHA1         0x00000001UL
+#define CKG_MGF1_SHA256       0x00000002UL
+#define CKG_MGF1_SHA384       0x00000003UL
+#define CKG_MGF1_SHA512       0x00000004UL
+#define CKG_MGF1_SHA224       0x00000005UL
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme.
+ */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED    0x00000001UL
+
+/* CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism.
+ */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+        CK_MECHANISM_TYPE hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+        CK_VOID_PTR pSourceData;
+        CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s).
+ */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+        CK_MECHANISM_TYPE    hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_ULONG             sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL                 0x00000001UL
+#define CKD_SHA1_KDF             0x00000002UL
+
+/* The following X9.42 DH key derivation functions are defined */
+#define CKD_SHA1_KDF_ASN1        0x00000003UL
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004UL
+#define CKD_SHA224_KDF           0x00000005UL
+#define CKD_SHA256_KDF           0x00000006UL
+#define CKD_SHA384_KDF           0x00000007UL
+#define CKD_SHA512_KDF           0x00000008UL
+#define CKD_CPDIVERSIFY_KDF      0x00000009UL
+#define CKD_SHA3_224_KDF         0x0000000AUL
+#define CKD_SHA3_256_KDF         0x0000000BUL
+#define CKD_SHA3_384_KDF         0x0000000CUL
+#define CKD_SHA3_512_KDF         0x0000000DUL
+
+/* CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+/*
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs.
+ */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms
+ */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair
+ */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs
+ */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism
+ */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize
+ */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism
+ */
+typedef struct CK_RC2_CBC_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism
+ */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms
+ */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism
+ */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism
+ */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC
+ */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[8];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[16];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism
+ */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism
+ */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_BYTE_PTR      pInitVector;
+  CK_UTF8CHAR_PTR  pPassword;
+  CK_ULONG         ulPasswordLen;
+  CK_BYTE_PTR      pSalt;
+  CK_ULONG         ulSaltLen;
+  CK_ULONG         ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism
+ */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_TLS_PRF_PARAMS {
+  CK_BYTE_PTR  pSeed;
+  CK_ULONG     ulSeedLen;
+  CK_BYTE_PTR  pLabel;
+  CK_ULONG     ulLabelLen;
+  CK_BYTE_PTR  pOutput;
+  CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_RANDOM_DATA {
+  CK_BYTE_PTR pClientRandom;
+  CK_ULONG    ulClientRandomLen;
+  CK_BYTE_PTR pServerRandom;
+  CK_ULONG    ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+  CK_MECHANISM_TYPE   DigestMechanism;
+  CK_WTLS_RANDOM_DATA RandomInfo;
+  CK_BYTE_PTR         pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+  CK_MECHANISM_TYPE DigestMechanism;
+  CK_BYTE_PTR       pSeed;
+  CK_ULONG          ulSeedLen;
+  CK_BYTE_PTR       pLabel;
+  CK_ULONG          ulLabelLen;
+  CK_BYTE_PTR       pOutput;
+  CK_ULONG_PTR      pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hMacSecret;
+  CK_OBJECT_HANDLE hKey;
+  CK_BYTE_PTR      pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+  CK_MECHANISM_TYPE       DigestMechanism;
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_ULONG                ulSequenceNumber;
+  CK_BBOOL                bIsExport;
+  CK_WTLS_RANDOM_DATA     RandomInfo;
+  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_CMS_SIG_PARAMS {
+  CK_OBJECT_HANDLE      certificateHandle;
+  CK_MECHANISM_PTR      pSigningMechanism;
+  CK_MECHANISM_PTR      pDigestMechanism;
+  CK_UTF8CHAR_PTR       pContentType;
+  CK_BYTE_PTR           pRequestedAttributes;
+  CK_ULONG              ulRequestedAttributesLen;
+  CK_BYTE_PTR           pRequiredAttributes;
+  CK_ULONG              ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key
+ */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2.
+ */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR \
+                        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+#define CKP_PKCS5_PBKD2_HMAC_SHA1          0x00000001UL
+#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411     0x00000002UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA224        0x00000003UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA256        0x00000004UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA384        0x00000005UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512        0x00000006UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512_224    0x00000007UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512_256    0x00000008UL
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2.
+ */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR \
+                        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED        0x00000001UL
+
+/* CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism.
+ */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
+        CK_VOID_PTR                                pSaltSourceData;
+        CK_ULONG                                   ulSaltSourceDataLen;
+        CK_ULONG                                   iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR                                pPrfData;
+        CK_ULONG                                   ulPrfDataLen;
+        CK_UTF8CHAR_PTR                            pPassword;
+        CK_ULONG_PTR                               ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PARAMS2 is a corrected version of the CK_PKCS5_PBKD2_PARAMS
+ * structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism
+ * noting that the ulPasswordLen field is a CK_ULONG and not a CK_ULONG_PTR.
+ */
+typedef struct CK_PKCS5_PBKD2_PARAMS2 {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+        CK_VOID_PTR pSaltSourceData;
+        CK_ULONG ulSaltSourceDataLen;
+        CK_ULONG iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR pPrfData;
+        CK_ULONG ulPrfDataLen;
+        CK_UTF8CHAR_PTR pPassword;
+        CK_ULONG ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS2;
+
+typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR;
+
+typedef CK_ULONG CK_OTP_PARAM_TYPE;
+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* backward compatibility */
+
+typedef struct CK_OTP_PARAM {
+    CK_OTP_PARAM_TYPE type;
+    CK_VOID_PTR pValue;
+    CK_ULONG ulValueLen;
+} CK_OTP_PARAM;
+
+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
+
+typedef struct CK_OTP_PARAMS {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_PARAMS;
+
+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
+
+typedef struct CK_OTP_SIGNATURE_INFO {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_SIGNATURE_INFO;
+
+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
+
+#define CK_OTP_VALUE          0UL
+#define CK_OTP_PIN            1UL
+#define CK_OTP_CHALLENGE      2UL
+#define CK_OTP_TIME           3UL
+#define CK_OTP_COUNTER        4UL
+#define CK_OTP_FLAGS          5UL
+#define CK_OTP_OUTPUT_LENGTH  6UL
+#define CK_OTP_OUTPUT_FORMAT  7UL
+
+#define CKF_NEXT_OTP          0x00000001UL
+#define CKF_EXCLUDE_TIME      0x00000002UL
+#define CKF_EXCLUDE_COUNTER   0x00000004UL
+#define CKF_EXCLUDE_CHALLENGE 0x00000008UL
+#define CKF_EXCLUDE_PIN       0x00000010UL
+#define CKF_USER_FRIENDLY_OTP 0x00000020UL
+
+typedef struct CK_KIP_PARAMS {
+    CK_MECHANISM_PTR  pMechanism;
+    CK_OBJECT_HANDLE  hKey;
+    CK_BYTE_PTR       pSeed;
+    CK_ULONG          ulSeedLen;
+} CK_KIP_PARAMS;
+
+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
+
+typedef struct CK_AES_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_AES_CTR_PARAMS;
+
+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
+
+typedef struct CK_GCM_PARAMS {
+    CK_BYTE_PTR       pIv;
+    CK_ULONG          ulIvLen;
+    CK_ULONG          ulIvBits;
+    CK_BYTE_PTR       pAAD;
+    CK_ULONG          ulAADLen;
+    CK_ULONG          ulTagBits;
+} CK_GCM_PARAMS;
+
+typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR;
+
+typedef struct CK_CCM_PARAMS {
+    CK_ULONG          ulDataLen;
+    CK_BYTE_PTR       pNonce;
+    CK_ULONG          ulNonceLen;
+    CK_BYTE_PTR       pAAD;
+    CK_ULONG          ulAADLen;
+    CK_ULONG          ulMACLen;
+} CK_CCM_PARAMS;
+
+typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR;
+
+/* Deprecated. Use CK_GCM_PARAMS */
+typedef struct CK_AES_GCM_PARAMS {
+  CK_BYTE_PTR pIv;
+  CK_ULONG ulIvLen;
+  CK_ULONG ulIvBits;
+  CK_BYTE_PTR pAAD;
+  CK_ULONG ulAADLen;
+  CK_ULONG ulTagBits;
+} CK_AES_GCM_PARAMS;
+
+typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR;
+
+/* Deprecated. Use CK_CCM_PARAMS */
+typedef struct CK_AES_CCM_PARAMS {
+    CK_ULONG          ulDataLen;
+    CK_BYTE_PTR       pNonce;
+    CK_ULONG          ulNonceLen;
+    CK_BYTE_PTR       pAAD;
+    CK_ULONG          ulAADLen;
+    CK_ULONG          ulMACLen;
+} CK_AES_CCM_PARAMS;
+
+typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR;
+
+typedef struct CK_CAMELLIA_CTR_PARAMS {
+    CK_ULONG          ulCounterBits;
+    CK_BYTE           cb[16];
+} CK_CAMELLIA_CTR_PARAMS;
+
+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
+
+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE           iv[16];
+    CK_BYTE_PTR       pData;
+    CK_ULONG          length;
+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+                                CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE           iv[16];
+    CK_BYTE_PTR       pData;
+    CK_ULONG          length;
+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+                                CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_DSA_PARAMETER_GEN_PARAM {
+    CK_MECHANISM_TYPE  hash;
+    CK_BYTE_PTR        pSeed;
+    CK_ULONG           ulSeedLen;
+    CK_ULONG           ulIndex;
+} CK_DSA_PARAMETER_GEN_PARAM;
+
+typedef CK_DSA_PARAMETER_GEN_PARAM CK_PTR CK_DSA_PARAMETER_GEN_PARAM_PTR;
+
+typedef struct CK_ECDH_AES_KEY_WRAP_PARAMS {
+    CK_ULONG           ulAESKeyBits;
+    CK_EC_KDF_TYPE     kdf;
+    CK_ULONG           ulSharedDataLen;
+    CK_BYTE_PTR        pSharedData;
+} CK_ECDH_AES_KEY_WRAP_PARAMS;
+
+typedef CK_ECDH_AES_KEY_WRAP_PARAMS CK_PTR CK_ECDH_AES_KEY_WRAP_PARAMS_PTR;
+
+typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
+
+typedef CK_ULONG CK_CERTIFICATE_CATEGORY;
+
+typedef struct CK_RSA_AES_KEY_WRAP_PARAMS {
+    CK_ULONG                      ulAESKeyBits;
+    CK_RSA_PKCS_OAEP_PARAMS_PTR   pOAEPParams;
+} CK_RSA_AES_KEY_WRAP_PARAMS;
+
+typedef CK_RSA_AES_KEY_WRAP_PARAMS CK_PTR CK_RSA_AES_KEY_WRAP_PARAMS_PTR;
+
+typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS {
+    CK_SSL3_RANDOM_DATA       RandomInfo;
+    CK_VERSION_PTR            pVersion;
+    CK_MECHANISM_TYPE         prfHashMechanism;
+} CK_TLS12_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+                                CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_TLS12_KEY_MAT_PARAMS {
+    CK_ULONG                  ulMacSizeInBits;
+    CK_ULONG                  ulKeySizeInBits;
+    CK_ULONG                  ulIVSizeInBits;
+    CK_BBOOL                  bIsExport;
+    CK_SSL3_RANDOM_DATA       RandomInfo;
+    CK_SSL3_KEY_MAT_OUT_PTR   pReturnedKeyMaterial;
+    CK_MECHANISM_TYPE         prfHashMechanism;
+} CK_TLS12_KEY_MAT_PARAMS;
+
+typedef CK_TLS12_KEY_MAT_PARAMS CK_PTR CK_TLS12_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_TLS_KDF_PARAMS {
+    CK_MECHANISM_TYPE         prfMechanism;
+    CK_BYTE_PTR               pLabel;
+    CK_ULONG                  ulLabelLength;
+    CK_SSL3_RANDOM_DATA       RandomInfo;
+    CK_BYTE_PTR               pContextData;
+    CK_ULONG                  ulContextDataLength;
+} CK_TLS_KDF_PARAMS;
+
+typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR;
+
+typedef struct CK_TLS_MAC_PARAMS {
+    CK_MECHANISM_TYPE         prfHashMechanism;
+    CK_ULONG                  ulMacLength;
+    CK_ULONG                  ulServerOrClient;
+} CK_TLS_MAC_PARAMS;
+
+typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR;
+
+typedef struct CK_GOSTR3410_DERIVE_PARAMS {
+    CK_EC_KDF_TYPE            kdf;
+    CK_BYTE_PTR               pPublicData;
+    CK_ULONG                  ulPublicDataLen;
+    CK_BYTE_PTR               pUKM;
+    CK_ULONG                  ulUKMLen;
+} CK_GOSTR3410_DERIVE_PARAMS;
+
+typedef CK_GOSTR3410_DERIVE_PARAMS CK_PTR CK_GOSTR3410_DERIVE_PARAMS_PTR;
+
+typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS {
+    CK_BYTE_PTR               pWrapOID;
+    CK_ULONG                  ulWrapOIDLen;
+    CK_BYTE_PTR               pUKM;
+    CK_ULONG                  ulUKMLen;
+    CK_OBJECT_HANDLE          hKey;
+} CK_GOSTR3410_KEY_WRAP_PARAMS;
+
+typedef CK_GOSTR3410_KEY_WRAP_PARAMS CK_PTR CK_GOSTR3410_KEY_WRAP_PARAMS_PTR;
+
+typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE                   iv[16];
+    CK_BYTE_PTR               pData;
+    CK_ULONG                  length;
+} CK_SEED_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+                                        CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#endif /* _PKCS11T_H_ */
+
diff --git a/vendor/github.com/miekg/pkcs11/release.go b/vendor/github.com/miekg/pkcs11/release.go
new file mode 100644
index 000000000..4380f374d
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/release.go
@@ -0,0 +1,17 @@
+// +build release
+
+package pkcs11
+
+import "fmt"
+
+// Release is current version of the pkcs11 library.
+var Release = R{1, 0, 3}
+
+// R holds the version of this library.
+type R struct {
+	Major, Minor, Patch int
+}
+
+func (r R) String() string {
+	return fmt.Sprintf("%d.%d.%d", r.Major, r.Minor, r.Patch)
+}
diff --git a/vendor/github.com/miekg/pkcs11/softhsm.conf b/vendor/github.com/miekg/pkcs11/softhsm.conf
new file mode 100644
index 000000000..f95862b10
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/softhsm.conf
@@ -0,0 +1 @@
+0:hsm.db
diff --git a/vendor/github.com/miekg/pkcs11/softhsm2.conf b/vendor/github.com/miekg/pkcs11/softhsm2.conf
new file mode 100644
index 000000000..876990cdd
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/softhsm2.conf
@@ -0,0 +1,4 @@
+log.level = INFO
+objectstore.backend = file
+directories.tokendir = test_data
+slots.removable = false
diff --git a/vendor/github.com/miekg/pkcs11/types.go b/vendor/github.com/miekg/pkcs11/types.go
new file mode 100644
index 000000000..970db9061
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/types.go
@@ -0,0 +1,303 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+/*
+#include <stdlib.h>
+#include <string.h>
+#include "pkcs11go.h"
+
+CK_ULONG Index(CK_ULONG_PTR array, CK_ULONG i)
+{
+	return array[i];
+}
+
+static inline void putAttributePval(CK_ATTRIBUTE_PTR a, CK_VOID_PTR pValue)
+{
+	a->pValue = pValue;
+}
+
+static inline void putMechanismParam(CK_MECHANISM_PTR m, CK_VOID_PTR pParameter)
+{
+	m->pParameter = pParameter;
+}
+*/
+import "C"
+
+import (
+	"fmt"
+	"time"
+	"unsafe"
+)
+
+type arena []unsafe.Pointer
+
+func (a *arena) Allocate(obj []byte) (C.CK_VOID_PTR, C.CK_ULONG) {
+	cobj := C.calloc(C.size_t(len(obj)), 1)
+	*a = append(*a, cobj)
+	C.memmove(cobj, unsafe.Pointer(&obj[0]), C.size_t(len(obj)))
+	return C.CK_VOID_PTR(cobj), C.CK_ULONG(len(obj))
+}
+
+func (a arena) Free() {
+	for _, p := range a {
+		C.free(p)
+	}
+}
+
+// toList converts from a C style array to a []uint.
+func toList(clist C.CK_ULONG_PTR, size C.CK_ULONG) []uint {
+	l := make([]uint, int(size))
+	for i := 0; i < len(l); i++ {
+		l[i] = uint(C.Index(clist, C.CK_ULONG(i)))
+	}
+	defer C.free(unsafe.Pointer(clist))
+	return l
+}
+
+// cBBool converts a bool to a CK_BBOOL.
+func cBBool(x bool) C.CK_BBOOL {
+	if x {
+		return C.CK_BBOOL(C.CK_TRUE)
+	}
+	return C.CK_BBOOL(C.CK_FALSE)
+}
+
+func uintToBytes(x uint64) []byte {
+	ul := C.CK_ULONG(x)
+	return C.GoBytes(unsafe.Pointer(&ul), C.int(unsafe.Sizeof(ul)))
+}
+
+// Error represents an PKCS#11 error.
+type Error uint
+
+func (e Error) Error() string {
+	return fmt.Sprintf("pkcs11: 0x%X: %s", uint(e), strerror[uint(e)])
+}
+
+func toError(e C.CK_RV) error {
+	if e == C.CKR_OK {
+		return nil
+	}
+	return Error(e)
+}
+
+// SessionHandle is a Cryptoki-assigned value that identifies a session.
+type SessionHandle uint
+
+// ObjectHandle is a token-specific identifier for an object.
+type ObjectHandle uint
+
+// Version represents any version information from the library.
+type Version struct {
+	Major byte
+	Minor byte
+}
+
+func toVersion(version C.CK_VERSION) Version {
+	return Version{byte(version.major), byte(version.minor)}
+}
+
+// SlotEvent holds the SlotID which for which an slot event (token insertion,
+// removal, etc.) occurred.
+type SlotEvent struct {
+	SlotID uint
+}
+
+// Info provides information about the library and hardware used.
+type Info struct {
+	CryptokiVersion    Version
+	ManufacturerID     string
+	Flags              uint
+	LibraryDescription string
+	LibraryVersion     Version
+}
+
+// SlotInfo provides information about a slot.
+type SlotInfo struct {
+	SlotDescription string // 64 bytes.
+	ManufacturerID  string // 32 bytes.
+	Flags           uint
+	HardwareVersion Version
+	FirmwareVersion Version
+}
+
+// TokenInfo provides information about a token.
+type TokenInfo struct {
+	Label              string
+	ManufacturerID     string
+	Model              string
+	SerialNumber       string
+	Flags              uint
+	MaxSessionCount    uint
+	SessionCount       uint
+	MaxRwSessionCount  uint
+	RwSessionCount     uint
+	MaxPinLen          uint
+	MinPinLen          uint
+	TotalPublicMemory  uint
+	FreePublicMemory   uint
+	TotalPrivateMemory uint
+	FreePrivateMemory  uint
+	HardwareVersion    Version
+	FirmwareVersion    Version
+	UTCTime            string
+}
+
+// SessionInfo provides information about a session.
+type SessionInfo struct {
+	SlotID      uint
+	State       uint
+	Flags       uint
+	DeviceError uint
+}
+
+// Attribute holds an attribute type/value combination.
+type Attribute struct {
+	Type  uint
+	Value []byte
+}
+
+// NewAttribute allocates a Attribute and returns a pointer to it.
+// Note that this is merely a convenience function, as values returned
+// from the HSM are not converted back to Go values, those are just raw
+// byte slices.
+func NewAttribute(typ uint, x interface{}) *Attribute {
+	// This function nicely transforms *to* an attribute, but there is
+	// no corresponding function that transform back *from* an attribute,
+	// which in PKCS#11 is just an byte array.
+	a := new(Attribute)
+	a.Type = typ
+	if x == nil {
+		return a
+	}
+	switch v := x.(type) {
+	case bool:
+		if v {
+			a.Value = []byte{1}
+		} else {
+			a.Value = []byte{0}
+		}
+	case int:
+		a.Value = uintToBytes(uint64(v))
+	case uint:
+		a.Value = uintToBytes(uint64(v))
+	case string:
+		a.Value = []byte(v)
+	case []byte:
+		a.Value = v
+	case time.Time: // for CKA_DATE
+		a.Value = cDate(v)
+	default:
+		panic("pkcs11: unhandled attribute type")
+	}
+	return a
+}
+
+// cAttribute returns the start address and the length of an attribute list.
+func cAttributeList(a []*Attribute) (arena, C.CK_ATTRIBUTE_PTR, C.CK_ULONG) {
+	var arena arena
+	if len(a) == 0 {
+		return nil, nil, 0
+	}
+	pa := make([]C.CK_ATTRIBUTE, len(a))
+	for i, attr := range a {
+		pa[i]._type = C.CK_ATTRIBUTE_TYPE(attr.Type)
+		if len(attr.Value) != 0 {
+			buf, len := arena.Allocate(attr.Value)
+			// field is unaligned on windows so this has to call into C
+			C.putAttributePval(&pa[i], buf)
+			pa[i].ulValueLen = len
+		}
+	}
+	return arena, &pa[0], C.CK_ULONG(len(a))
+}
+
+func cDate(t time.Time) []byte {
+	b := make([]byte, 8)
+	year, month, day := t.Date()
+	y := fmt.Sprintf("%4d", year)
+	m := fmt.Sprintf("%02d", month)
+	d1 := fmt.Sprintf("%02d", day)
+	b[0], b[1], b[2], b[3] = y[0], y[1], y[2], y[3]
+	b[4], b[5] = m[0], m[1]
+	b[6], b[7] = d1[0], d1[1]
+	return b
+}
+
+// Mechanism holds an mechanism type/value combination.
+type Mechanism struct {
+	Mechanism uint
+	Parameter []byte
+	generator interface{}
+}
+
+// NewMechanism returns a pointer to an initialized Mechanism.
+func NewMechanism(mech uint, x interface{}) *Mechanism {
+	m := new(Mechanism)
+	m.Mechanism = mech
+	if x == nil {
+		return m
+	}
+
+	switch p := x.(type) {
+	case *GCMParams, *OAEPParams, *ECDH1DeriveParams:
+		// contains pointers; defer serialization until cMechanism
+		m.generator = p
+	case []byte:
+		m.Parameter = p
+	default:
+		panic("parameter must be one of type: []byte, *GCMParams, *OAEPParams, *ECDH1DeriveParams")
+	}
+
+	return m
+}
+
+func cMechanism(mechList []*Mechanism) (arena, *C.CK_MECHANISM) {
+	if len(mechList) != 1 {
+		panic("expected exactly one mechanism")
+	}
+	mech := mechList[0]
+	cmech := &C.CK_MECHANISM{mechanism: C.CK_MECHANISM_TYPE(mech.Mechanism)}
+	// params that contain pointers are allocated here
+	param := mech.Parameter
+	var arena arena
+	switch p := mech.generator.(type) {
+	case *GCMParams:
+		// uses its own arena because it has to outlive this function call (yuck)
+		param = cGCMParams(p)
+	case *OAEPParams:
+		param, arena = cOAEPParams(p, arena)
+	case *ECDH1DeriveParams:
+		param, arena = cECDH1DeriveParams(p, arena)
+	}
+	if len(param) != 0 {
+		buf, len := arena.Allocate(param)
+		// field is unaligned on windows so this has to call into C
+		C.putMechanismParam(cmech, buf)
+		cmech.ulParameterLen = len
+	}
+	return arena, cmech
+}
+
+// MechanismInfo provides information about a particular mechanism.
+type MechanismInfo struct {
+	MinKeySize uint
+	MaxKeySize uint
+	Flags      uint
+}
+
+// stubData is a persistent nonempty byte array used by cMessage.
+var stubData = []byte{0}
+
+// cMessage returns the pointer/length pair corresponding to data.
+func cMessage(data []byte) (dataPtr C.CK_BYTE_PTR) {
+	l := len(data)
+	if l == 0 {
+		// &data[0] is forbidden in this case, so use a nontrivial array instead.
+		data = stubData
+	}
+	return C.CK_BYTE_PTR(unsafe.Pointer(&data[0]))
+}
diff --git a/vendor/github.com/miekg/pkcs11/vendor.go b/vendor/github.com/miekg/pkcs11/vendor.go
new file mode 100644
index 000000000..83188e500
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/vendor.go
@@ -0,0 +1,127 @@
+package pkcs11
+
+// Vendor specific range for Ncipher network HSM.
+const (
+	NFCK_VENDOR_NCIPHER = 0xde436972
+	CKA_NCIPHER         = NFCK_VENDOR_NCIPHER
+	CKM_NCIPHER         = NFCK_VENDOR_NCIPHER
+	CKK_NCIPHER         = NFCK_VENDOR_NCIPHER
+)
+
+// Vendor specific mechanisms for HMAC on Ncipher HSMs where Ncipher does not allow use of generic_secret keys.
+const (
+	CKM_NC_SHA_1_HMAC_KEY_GEN  = CKM_NCIPHER + 0x3  /* no params */
+	CKM_NC_MD5_HMAC_KEY_GEN    = CKM_NCIPHER + 0x6  /* no params */
+	CKM_NC_SHA224_HMAC_KEY_GEN = CKM_NCIPHER + 0x24 /* no params */
+	CKM_NC_SHA256_HMAC_KEY_GEN = CKM_NCIPHER + 0x25 /* no params */
+	CKM_NC_SHA384_HMAC_KEY_GEN = CKM_NCIPHER + 0x26 /* no params */
+	CKM_NC_SHA512_HMAC_KEY_GEN = CKM_NCIPHER + 0x27 /* no params */
+)
+
+// Vendor specific range for Mozilla NSS.
+const (
+	NSSCK_VENDOR_NSS   = 0x4E534350
+	CKO_NSS            = CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKK_NSS            = CKK_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKC_NSS            = CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKA_NSS            = CKA_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKA_TRUST          = CKA_NSS + 0x2000
+	CKM_NSS            = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKR_NSS            = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKT_VENDOR_DEFINED = 0x80000000
+	CKT_NSS            = CKT_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+)
+
+// Vendor specific values for Mozilla NSS.
+const (
+	CKO_NSS_CRL                               = CKO_NSS + 1
+	CKO_NSS_SMIME                             = CKO_NSS + 2
+	CKO_NSS_TRUST                             = CKO_NSS + 3
+	CKO_NSS_BUILTIN_ROOT_LIST                 = CKO_NSS + 4
+	CKO_NSS_NEWSLOT                           = CKO_NSS + 5
+	CKO_NSS_DELSLOT                           = CKO_NSS + 6
+	CKK_NSS_PKCS8                             = CKK_NSS + 1
+	CKK_NSS_JPAKE_ROUND1                      = CKK_NSS + 2
+	CKK_NSS_JPAKE_ROUND2                      = CKK_NSS + 3
+	CKK_NSS_CHACHA20                          = CKK_NSS + 4
+	CKA_NSS_URL                               = CKA_NSS + 1
+	CKA_NSS_EMAIL                             = CKA_NSS + 2
+	CKA_NSS_SMIME_INFO                        = CKA_NSS + 3
+	CKA_NSS_SMIME_TIMESTAMP                   = CKA_NSS + 4
+	CKA_NSS_PKCS8_SALT                        = CKA_NSS + 5
+	CKA_NSS_PASSWORD_CHECK                    = CKA_NSS + 6
+	CKA_NSS_EXPIRES                           = CKA_NSS + 7
+	CKA_NSS_KRL                               = CKA_NSS + 8
+	CKA_NSS_PQG_COUNTER                       = CKA_NSS + 20
+	CKA_NSS_PQG_SEED                          = CKA_NSS + 21
+	CKA_NSS_PQG_H                             = CKA_NSS + 22
+	CKA_NSS_PQG_SEED_BITS                     = CKA_NSS + 23
+	CKA_NSS_MODULE_SPEC                       = CKA_NSS + 24
+	CKA_NSS_OVERRIDE_EXTENSIONS               = CKA_NSS + 25
+	CKA_NSS_JPAKE_SIGNERID                    = CKA_NSS + 26
+	CKA_NSS_JPAKE_PEERID                      = CKA_NSS + 27
+	CKA_NSS_JPAKE_GX1                         = CKA_NSS + 28
+	CKA_NSS_JPAKE_GX2                         = CKA_NSS + 29
+	CKA_NSS_JPAKE_GX3                         = CKA_NSS + 30
+	CKA_NSS_JPAKE_GX4                         = CKA_NSS + 31
+	CKA_NSS_JPAKE_X2                          = CKA_NSS + 32
+	CKA_NSS_JPAKE_X2S                         = CKA_NSS + 33
+	CKA_NSS_MOZILLA_CA_POLICY                 = CKA_NSS + 34
+	CKA_TRUST_DIGITAL_SIGNATURE               = CKA_TRUST + 1
+	CKA_TRUST_NON_REPUDIATION                 = CKA_TRUST + 2
+	CKA_TRUST_KEY_ENCIPHERMENT                = CKA_TRUST + 3
+	CKA_TRUST_DATA_ENCIPHERMENT               = CKA_TRUST + 4
+	CKA_TRUST_KEY_AGREEMENT                   = CKA_TRUST + 5
+	CKA_TRUST_KEY_CERT_SIGN                   = CKA_TRUST + 6
+	CKA_TRUST_CRL_SIGN                        = CKA_TRUST + 7
+	CKA_TRUST_SERVER_AUTH                     = CKA_TRUST + 8
+	CKA_TRUST_CLIENT_AUTH                     = CKA_TRUST + 9
+	CKA_TRUST_CODE_SIGNING                    = CKA_TRUST + 10
+	CKA_TRUST_EMAIL_PROTECTION                = CKA_TRUST + 11
+	CKA_TRUST_IPSEC_END_SYSTEM                = CKA_TRUST + 12
+	CKA_TRUST_IPSEC_TUNNEL                    = CKA_TRUST + 13
+	CKA_TRUST_IPSEC_USER                      = CKA_TRUST + 14
+	CKA_TRUST_TIME_STAMPING                   = CKA_TRUST + 15
+	CKA_TRUST_STEP_UP_APPROVED                = CKA_TRUST + 16
+	CKA_CERT_SHA1_HASH                        = CKA_TRUST + 100
+	CKA_CERT_MD5_HASH                         = CKA_TRUST + 101
+	CKM_NSS_AES_KEY_WRAP                      = CKM_NSS + 1
+	CKM_NSS_AES_KEY_WRAP_PAD                  = CKM_NSS + 2
+	CKM_NSS_HKDF_SHA1                         = CKM_NSS + 3
+	CKM_NSS_HKDF_SHA256                       = CKM_NSS + 4
+	CKM_NSS_HKDF_SHA384                       = CKM_NSS + 5
+	CKM_NSS_HKDF_SHA512                       = CKM_NSS + 6
+	CKM_NSS_JPAKE_ROUND1_SHA1                 = CKM_NSS + 7
+	CKM_NSS_JPAKE_ROUND1_SHA256               = CKM_NSS + 8
+	CKM_NSS_JPAKE_ROUND1_SHA384               = CKM_NSS + 9
+	CKM_NSS_JPAKE_ROUND1_SHA512               = CKM_NSS + 10
+	CKM_NSS_JPAKE_ROUND2_SHA1                 = CKM_NSS + 11
+	CKM_NSS_JPAKE_ROUND2_SHA256               = CKM_NSS + 12
+	CKM_NSS_JPAKE_ROUND2_SHA384               = CKM_NSS + 13
+	CKM_NSS_JPAKE_ROUND2_SHA512               = CKM_NSS + 14
+	CKM_NSS_JPAKE_FINAL_SHA1                  = CKM_NSS + 15
+	CKM_NSS_JPAKE_FINAL_SHA256                = CKM_NSS + 16
+	CKM_NSS_JPAKE_FINAL_SHA384                = CKM_NSS + 17
+	CKM_NSS_JPAKE_FINAL_SHA512                = CKM_NSS + 18
+	CKM_NSS_HMAC_CONSTANT_TIME                = CKM_NSS + 19
+	CKM_NSS_SSL3_MAC_CONSTANT_TIME            = CKM_NSS + 20
+	CKM_NSS_TLS_PRF_GENERAL_SHA256            = CKM_NSS + 21
+	CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256      = CKM_NSS + 22
+	CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256     = CKM_NSS + 23
+	CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256   = CKM_NSS + 24
+	CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE    = CKM_NSS + 25
+	CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH = CKM_NSS + 26
+	CKM_NSS_CHACHA20_KEY_GEN                  = CKM_NSS + 27
+	CKM_NSS_CHACHA20_POLY1305                 = CKM_NSS + 28
+	CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN    = CKM_NSS + 29
+	CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN    = CKM_NSS + 30
+	CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN    = CKM_NSS + 31
+	CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN    = CKM_NSS + 32
+	CKR_NSS_CERTDB_FAILED                     = CKR_NSS + 1
+	CKR_NSS_KEYDB_FAILED                      = CKR_NSS + 2
+	CKT_NSS_TRUSTED                           = CKT_NSS + 1
+	CKT_NSS_TRUSTED_DELEGATOR                 = CKT_NSS + 2
+	CKT_NSS_MUST_VERIFY_TRUST                 = CKT_NSS + 3
+	CKT_NSS_NOT_TRUSTED                       = CKT_NSS + 10
+	CKT_NSS_TRUST_UNKNOWN                     = CKT_NSS + 5
+)